Configure federated SSO with Broadcom Login for multiple services

Article ID: 257647


Updated On:

Products

  • AppNeta
  • Cloud Secure Web Gateway - Cloud SWG
  • Cloud Workload Protection
  • Cloud Workload Assurance
  • CASB Advanced Threat Protection
  • CASB Audit
  • CASB Gateway
  • CASB Gateway Advanced
  • CASB Security Advanced
  • CASB Security Advanced IAAS
  • CASB Security Premium
  • CASB Security Premium IAAS
  • CASB Security Standard
  • CASB Securlet IAAS
  • CASB Securlet SAAS
  • CASB Securlet SAAS With DLP-CDS
  • Cloud Manager
  • Email Security.cloud
  • Endpoint Security Complete
  • Support Portal

Issue/Introduction

Configure federated SSO to enable administrators to sign in to multiple Broadcom services with one set of credentials. Perform the following steps to ensure that all administrators can access their required services, with a minimal amount of downtime.

Environment

The Broadcom Login service can be federated with a SAML 2.0-based IdP for one or more of the following services:

  • AppNeta
  • Broadcom Support Portal
  • Cloud Secure Web Gateway (Cloud SWG)
  • Cloud Workload Assurance (CWA)
  • Cloud Workload Protection (CWP)
  • CloudSOC Cloud Access Security Broker (CASB)
  • Cloud Management Portal (CMP)
  • Email Security.cloud
  • Symantec Endpoint Security (SES)

Resolution

Whether you are configuring Broadcom Login for the first time or switching to it from a previous SSO configuration, every service that supports SSO through Broadcom Login uses the IdP you configure. Before you adopt federated SSO, make sure that each administrator has a valid account both in the IdP and in each service that they need to access.

Important: Complete the following steps in the specified order. Otherwise, administrators might encounter the issue described in the following article: 

Administrators cannot log in to a Broadcom service after you configure federated SSO with Broadcom Login


Step 1: (If applicable) Migrate Administrators to New Email Addresses

If administrators in your organization are transitioning to new email addresses (for example, after a company acquisition), update their addresses as required. For example, to migrate a group of administrators, update their email addresses from the previous domain to the current domain.

Important: (Not applicable to SES) You must coordinate with Broadcom Support to migrate your administrators’ access to Login, support.broadcom.com, and any other relevant sites. Plan for a few hours of service disruption during the transition and communicate the migration timeline to administrators.

If you do not have to make changes to email addresses, proceed to "Step 2: Add All Administrators to the IdP".


Step 2: Add All Administrators to the IdP

Ensure that your IdP includes all the administrators required for all the Broadcom services that federate to Broadcom Login. Refer to the IdP-specific documentation for instructions. 

Important: Use the same email address to define the administrator account in the IdP and in all Broadcom services. For example, use [email protected] in both the IdP and in the appropriate services as the username for the administrator H. A. Bullock.


Step 3: Register the IdP with the Broadcom Self-Service Portal

Add the IdP details for your cloud services in the self-service portal. Complete Steps 1 through 5 in the Identity Provider section in the Account Self-Service documentation.


Step 4: Add Administrators to Broadcom Services

Add all required administrators to the appropriate Broadcom services. Ensure that the administrators have appropriate permissions to access the services. For service-specific instructions, refer to the following table.

Reminder: Define each identity in the IdP and in all Broadcom services using the same email address.

Service: Instructions

AppNeta
  • Single sign-on (SSO)
  • Users

Broadcom Support Portal
  • Refer to your Broadcom product representative (for example, your Symantec, Clarity, or Rally point-of-contact) to enable SSO federation with Broadcom's customer identity tenant.
  • After federation is set up, the Broadcom product team contacts Broadcom's Identity & Access Management (IAM) team to complete the configuration for federated access to the Broadcom Support Portal.

CloudSOC CASB
  • Managing users
  • Contact Broadcom Support to configure Broadcom Login. See the Symantec CASB CloudSOC Release Notes for more information.

Cloud SWG (WSS)
  • Add a Cloud SWG Administrator

CMP
  • Add or Delete CMP Administrators

CWA
  • Managing user accounts in Cloud Workload Assurance

CWP
  • Managing user accounts
  • Configuring SAML 2.0 identity provider for OKTA

Email Security.cloud
  • Federation and Single Sign-on for the ClientNet Portal
  • Add a new user to the portal in Email Security.cloud

SES
  • Configure group-based administrative roles and enable the SSO link to Broadcom Login.
  • Caution: If other Broadcom services were previously configured for Broadcom Login, take care not to inadvertently remove their user lists when you configure the role mapping in SES.
  • Configuring a SAML 2.0-based identity provider for Symantec Endpoint Security
  • Configuring Microsoft Azure using SAML 2.0 as your identity provider in Symantec Endpoint Security


Step 5: Maintain the Configuration

After you configure the federation, keep the administrator accounts in the Broadcom services and in the IdP in sync. If you add or remove user accounts either in a service or in the IdP, replicate the changes to the other system. For example, if you add administrators to Cloud SWG, add them to the IdP. If you add administrators to the IdP, add them to the service(s) that they are authorized to access.

Services that support group-based access control: Whenever you synchronize user lists between the IdP and services, contact Broadcom Support to ensure that the user record is updated in Login and all services. Otherwise, the sync can result in users with multiple identities in Login and mismatched names in services, which will cause access issues.

In the future, your organization might plan rebrands, acquisitions, or other scenarios that require email address changes. To facilitate the transition, refer to "Step 1: (If applicable) Migrate Administrators to New Email Addresses" and perform the required steps.