Configure federated SSO with Broadcom Okta for multiple services
Article ID: 257647
Updated On:
Products
Issue/Introduction
Configure federated SSO to enable administrators to sign in to multiple Broadcom services with one set of credentials. Perform the following steps to ensure that all administrators can access their required services, with a minimal amount of downtime.
Environment
You can configure Broadcom Okta and SAML or a SAML-based IdP for one or more of the following services:
- AppNeta
- Broadcom Support Portal
- Cloud Secure Web Gateway (Cloud SWG)/Web Security Service (WSS)
- Cloud Workload Assurance (CWA)
- Cloud Workload Protection (CWP)
- CloudSOC Cloud Access Security Broker (CASB)
- Cloud Management Portal (CMP)
- Email Security.cloud
- Integrated Cyber Defense Manager (ICDm)
Resolution
Whether you are configuring Broadcom Okta for the first time or you are switching to it from a previous SSO, all services that support SSO through Broadcom Okta will use your configured IdP. Before you adopt federated SSO, you must ensure that administrators have valid accounts in the IdP and in the service.
Important: Complete the following steps in the specified order. Otherwise, administrators might encounter the issue described in KB 256545.
Step 1: (If applicable) Migrate Administrators to New Email Addresses
If administrators in your organization are transitioning to new email addresses (for example, through company acquisitions), update the addresses as required. For example, to migrate a group of administrators, update their email addresses from the previous domain to the current domain.
Important: (Not applicable to ICDm) You must coordinate with Broadcom Support to migrate your administrators’ access to Okta, support.broadcom.com, and any other relevant sites. In addition, plan for a few hours of service disruption during the transition and communicate the information to administrators.
If you do not have to make changes to email addresses, proceed to "Step 2: Add All Administrators to the IdP".
Step 2: Add All Administrators to the IdP
Ensure that the IdP includes all of the administrators required for all of the Broadcom services that federate to Broadcom Okta. Refer to the IdP-specific documentation for instructions.
Important: Use the same email address to define the administrator account in the IdP and in all Broadcom services. For example, use [email protected] in both the IdP and in the appropriate services as the username for the administrator H. A. Bullock.
Step 3: Add Administrators to Broadcom Services
Add all required administrators to the appropriate Broadcom services. Ensure that the administrators have appropriate permissions to access the services. For service-specific instructions, refer to the following table.
Reminder: Define each identity in the IdP and in all Broadcom services using the same email address.
| Service | Instructions |
| AppNeta | |
| Broadcom Support Portal |
Refer to your Broadcom product representative (for example, your Symantec, Clarity, or Rally point-of-contact) or Broadcom Global Customer Care (GCA) to enable SSO Federation with Broadcom’s customer identity tenant. After federation is set up, the Broadcom product team or Broadcom GCA will reach out to Broadcom’s Identity & Access Management (IAM) team to complete the configuration for federated access to the Broadcom Support Portal. |
| Cloud SWG (WSS) |
Add a Cloud SWG Administrator |
| CWA | Managing user accounts in Cloud Workload Assurance |
| CWP | |
| CloudSOC CASB |
Contact Broadcom Support to use the Broadcom Login feature. See the Symantec CASB CloudSOC 3.159 Release Notes for more information. |
| CMP | Add or Delete CMP Administrators |
| Email Security.cloud |
|
| ICDm |
Configure group-based administrative roles. Caution: If other Broadcom services were configured for Okta IdP previously, be careful not to inadvertently remove user lists when you configure the role mapping in ICDm. Configuring a SAML 2.0-based identity provider for Integrated Cyber Defense Manager |
Step 4: Enable SSO
Enable SSO to federate identities with Broadcom Okta:
- For the ICDm portal only, enable the SSO link to Broadcom Okta. Refer to the links for ICDm in the preceding table.
- For all other supported services, contact Broadcom Support to enable SSO with Broadcom Okta.
If you scheduled a time with Broadcom Support to make changes to email addresses (described in “Step 1: Migrate Users to New Email Addresses”), enabling SSO consists of the following steps:- Broadcom updates the names in Okta and other required services/sites.
- You grant SAML access to new services and disable SAML access to previous services.
- Broadcom disables SSO access to previous services.
Step 5: Maintain the Configuration
After you configure the federation, keep the administrator accounts in the Broadcom services and in the IdP in sync. If you add or remove user accounts either in a service or in the IdP, replicate the changes to the other system. For example, if you add administrators to Cloud SWG, add them to the IdP. If you add administrators to the IdP, add them to the service(s) that they are authorized to access.
Services that support group-based access control: Whenever you synchronize user lists between the IdP and services, contact Broadcom Support to ensure that the user record is updated in Okta and all services. Otherwise, the sync can result in users with multiple identities in Okta and mismatched names in services, which will cause access issues.
In the future, your organization might plan rebrands, acquisitions, or other scenarios that require email address changes. To facilitate the transition, refer to “Step 1: Migrate Users to New Email Addresses” and perform the required steps.
Feedback
