Configure federated SSO to enable administrators to sign in to multiple Broadcom services with one set of credentials. Perform the following steps to ensure that all administrators can access their required services, with a minimal amount of downtime.
You can configure Broadcom Okta and SAML or a SAML-based IdP for one or more of the following services:
Whether you are configuring Broadcom Okta for the first time or you are switching to it from a previous SSO, all services that support SSO through Broadcom Okta will use your configured IdP. Before you adopt federated SSO, you must ensure that administrators have valid accounts in the IdP and in the service.
Important: Complete the following steps in the specified order. Otherwise, administrators might encounter the issue described in KB 256545.
If administrators in your organization are transitioning to new email addresses (for example, through company acquisitions), update the addresses as required. For example, to migrate a group of administrators, update their email addresses from the previous domain to the current domain.
Important: (Not applicable to ICDm) You must coordinate with Broadcom Support to migrate your administrators’ access to Okta, support.broadcom.com, and any other relevant sites. In addition, plan for a few hours of service disruption during the transition and communicate the information to administrators.
If you do not have to make changes to email addresses, proceed to "Step 2: Add All Administrators to the IdP".
Ensure that the IdP includes all of the administrators required for all of the Broadcom services that federate to Broadcom Okta. Refer to the IdP-specific documentation for instructions.
Important: Use the same email address to define the administrator account in the IdP and in all Broadcom services. For example, use [email protected] in both the IdP and in the appropriate services as the username for the administrator H. A. Bullock.
Add all required administrators to the appropriate Broadcom services. Ensure that the administrators have appropriate permissions to access the services. For service-specific instructions, refer to the following table.
Reminder: Define each identity in the IdP and in all Broadcom services using the same email address.
|Broadcom Support Portal||
Refer to your Broadcom product representative (for example, your Symantec, Clarity, or Rally point-of-contact) or Broadcom Global Customer Care (GCA) to enable SSO Federation with Broadcom’s customer identity tenant.
After federation is set up, the Broadcom product team or Broadcom GCA will reach out to Broadcom’s Identity & Access Management (IAM) team to complete the configuration for federated access to the Broadcom Support Portal.
|Cloud SWG (WSS)
||Add a Cloud SWG Administrator|
|CWA||Managing user accounts in Cloud Workload Assurance|
Contact Broadcom Support to use the Broadcom Login feature. See the Symantec CASB CloudSOC 3.159 Release Notes for more information.
|CMP||Add or Delete CMP Administrators|
Enable SSO to federate identities with Broadcom Okta:
After you configure the federation, keep the administrator accounts in the Broadcom services and in the IdP in sync. If you add or remove user accounts either in a service or in the IdP, replicate the changes to the other system. For example, if you add administrators to Cloud SWG, add them to the IdP. If you add administrators to the IdP, add them to the service(s) that they are authorized to access.
Services that support group-based access control: Whenever you synchronize user lists between the IdP and services, contact Broadcom Support to ensure that the user record is updated in Okta and all services. Otherwise, the sync can result in users with multiple identities in Okta and mismatched names in services, which will cause access issues.
In the future, your organization might plan rebrands, acquisitions, or other scenarios that require email address changes. To facilitate the transition, refer to “Step 1: Migrate Users to New Email Addresses” and perform the required steps.