Configure CASB with Entra SSO for Broadcom SSO Federation

Article ID: 270310

Products

CASB Advanced Threat Protection CASB Audit CASB Gateway CASB Gateway Advanced CASB Security Advanced CASB Security Advanced IAAS CASB Security Premium CASB Security Premium IAAS CASB Security Standard CASB Securlet IAAS CASB Securlet SAAS

Issue/Introduction

CASB (CloudSOC) customers can connect their corporate Entra SSO IdP to Broadcom SSO Federation for CASB SysAdmin and Admin logins. Broadcom SSO Federation login is the only supported SSO for CASB and the other Symantec Enterprise Division (SED) Cloud products. Please see the Identity Provider Page techdoc for more information.

Resolution

The customer performs the following steps so that all CASB (CloudSOC) SysAdmins and Admins can log in with minimal downtime.

Verify that a CloudSOC SuperAdmin is enabled for CloudSOC\DLP\Cloud SWG in the Enterprise Security Console | Common Settings. Anyone with the Account Settings Manager right can add a SuperAdmin as needed.

Configuring federation with your corporate Entra IdP SSO

1. Create an SSO object for "Broadcom Login" in your corporate Entra Enterprise Apps

  • https://entra.microsoft.com
  • Go to Entra ID
  • Navigate to "Enterprise Applications" on the left pane | New Application | Create your own application | name it something applicable such as "Broadcom Login App" (free text), select "Integrate any other application", then click "Create"

  • Select "Set up single sign-on" (on the left pane)
    • In the Basic SAML Configuration enter temporary values (as shown below) for:
      • Identifier (Entity ID)
      • Reply URL (Assertion Consumer Service URL)
    • Click "Save"
    • Download the "Federation Metadata XML"

Note: The Identifier (Entity ID) and Reply URL you entered above are temporary entries. They will be replaced later with the two valid URLs you receive from Broadcom Support.

2. Add your CASB SysAdmin and Admin users to your "Broadcom Login App" in Entra

3. Upload the Federation Metadata XML file (downloaded in step 1) to the Identity Provider Configuration Wizard

The attribute mappings of your Entra SSO IdP Broadcom Login App MUST match the standard attributes within Broadcom's IdP (as shown below). The default mapping for Azure may look like the following; the customer must verify it.

Broadcom attribute   Entra claim name
Email                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
FirstName            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
LastName             http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
Groups               http://schemas.microsoft.com/ws/2008/06/identity/claims/groups
UserId               http://schemas.microsoft.com/identity/claims/objectidentifier


4. Update the Entra SSO Basic SAML Configuration with the values provided in the Identity Provider Configuration Wizard

  • Copy the AUDIENCE URI to Identifier (Entity ID)
  • Copy the ACS URL to Reply URL

5. Test the SSO login.

  • From the SSO configuration page in Azure, click the Test button.
  • Test the Broadcom login from app.elastica.net.
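The following Python script is an added example, not part of this article and not a Broadcom or Microsoft tool. It checks a SAML Response (as captured with a browser SAML trace, then base64-decoded) against the claim names from step 3 and the Audience URI / ACS URL from step 4. The EXPECTED_AUDIENCE and EXPECTED_ACS_URL values and the sample response are constructed placeholders; substitute the two URLs Broadcom Support provides for your tenant.

```python
"""Offline sanity check of a SAML Response against the Broadcom Login App configuration."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Claim names from the article's default Entra mapping; verify against your own tenant.
REQUIRED_CLAIMS = {
    "Email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "FirstName": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "LastName": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
    "Groups": "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups",
    "UserId": "http://schemas.microsoft.com/identity/claims/objectidentifier",
}

# Placeholders (assumed values) for the AUDIENCE URI and ACS URL that Broadcom Support provides.
EXPECTED_AUDIENCE = "https://audience-uri.placeholder.invalid/sp"
EXPECTED_ACS_URL = "https://acs-url.placeholder.invalid/saml/acs"


def decode_saml_response(b64_text: str) -> str:
    """Decode the base64 SAMLResponse form field shown by a browser SAML trace."""
    return base64.b64decode(b64_text).decode("utf-8")


def check_saml_response(xml_text: str,
                        expected_audience: str = EXPECTED_AUDIENCE,
                        expected_acs: str = EXPECTED_ACS_URL) -> list:
    """Return a list of mismatches; an empty list means the response matches the configuration."""
    problems = []
    root = ET.fromstring(xml_text)
    # Destination on the Response must be the Reply URL (ACS URL) entered in step 4.
    if root.get("Destination") != expected_acs:
        problems.append(f"Destination {root.get('Destination')!r} != Reply URL {expected_acs!r}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no plaintext Assertion element (missing or encrypted)")
        return problems
    # Bearer confirmation Recipient must also be the ACS URL.
    conf = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if conf is None or conf.get("Recipient") != expected_acs:
        problems.append("SubjectConfirmationData Recipient does not match Reply URL")
    # Audience must contain the Identifier (Entity ID) copied from the AUDIENCE URI.
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        problems.append(f"Audience {audiences} does not contain Entity ID {expected_audience!r}")
    # Every attribute Broadcom's IdP expects must be present under its claim name.
    present = {a.get("Name") for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    for label, claim_uri in REQUIRED_CLAIMS.items():
        if claim_uri not in present:
            problems.append(f"missing {label} claim ({claim_uri})")
    return problems


def build_sample_response(omit=()) -> str:
    """Constructed sample Response standing in for one captured with a SAML trace."""
    attrs = "".join(
        f'<saml:Attribute Name="{uri}"><saml:AttributeValue>{label}-value</saml:AttributeValue></saml:Attribute>'
        for label, uri in REQUIRED_CLAIMS.items() if label not in omit
    )
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_resp1" Version="2.0" Destination="{EXPECTED_ACS_URL}">
  <saml:Assertion ID="_assert1" Version="2.0">
    <saml:Subject>
      <saml:NameID>admin@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{EXPECTED_ACS_URL}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>{EXPECTED_AUDIENCE}</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>{attrs}</saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    # Simulate the trace round trip: the browser shows base64, we decode and check it.
    traced = base64.b64encode(build_sample_response().encode("utf-8")).decode("ascii")
    print("complete response:", check_saml_response(decode_saml_response(traced)) or "OK")
    print("Groups claim removed:", check_saml_response(build_sample_response(omit=("Groups",))))
```

Run it against a real trace by replacing the sample with the decoded SAMLResponse and the two placeholders with your tenant's values; a non-empty list points at which of the step 3 or step 4 values still does not match before you re-import metadata. The script does not verify the XML signature, so it is a configuration check, not a substitute for the IdP's own validation.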

Troubleshooting

  • If you see an error 400, re-import the metadata from Entra back into Forza using the Edit IDP box.
  • Chrome has an extension for SAML tracing.

A CASB (CloudSOC) SysAdmin or Admin using the new Entra Broadcom Login App should be redirected to Broadcom Login, then to the Microsoft platform, and then back to CASB.