Federate Broadcom login with an IDP for CASB

Article ID: 271283

Products

  • CASB Gateway Advanced
  • CASB Advanced Threat Protection
  • CASB Gateway
  • CASB Security Advanced
  • CASB Security Advanced IAAS
  • CASB Audit
  • CASB Security Premium
  • CASB Security Premium IAAS
  • CASB Security Standard
  • CASB Securlet IAAS
  • CASB Securlet SAAS
  • CASB Securlet SAAS With DLP-CDS

Issue/Introduction

Broadcom is implementing security features that will require all Broadcom cloud products to authenticate using Broadcom's SSO login with Okta as the IDP.

Customers can federate their SAML-based IDP into Broadcom's Okta login, ensuring that only one set of credentials is required for all of the following products.

  • AppNeta
  • Broadcom Support Portal
  • Cloud Secure Web Gateway (Cloud SWG)/Web Security Service (WSS)
  • Cloud Workload Assurance (CWA)
  • Cloud Workload Protection (CWP)
  • CloudSOC Cloud Access Security Broker (CASB)
  • Cloud Management Portal (CMP)
  • Email Security.cloud
  • Integrated Cyber Defense Manager (ICDm)

Resolution

Federate your IDP with the Broadcom Login:

If you have access to the ICDm Portal, you can configure federation without support interaction. See Configure federated SSO with Broadcom Okta for multiple services.

If you do not have access to the ICDm Portal, perform the following steps to ensure that all administrators can access their required services with minimal downtime.

  • Register the Cloud Administrators for your Broadcom cloud apps in the CMP (Cloud Management Portal).
  • Raise a support ticket to request federation with your IDP. Provide support with the following:
    • The email domain(s) of your administrators requiring the federated login. (A separate federation entry is required for each email domain.)
    • Your IDP's metadata XML file (exported from your IDP).
    • Your IDP attribute mappings MUST match the standard attributes within Broadcom’s IDP:
      • FirstName
      • LastName
      • Email
      • UserId
    • Okta attributes are mapped to the corresponding attributes of your IDP. Example mapping for Azure:
      Okta Attribute Name   IDP Attribute Name
      Email                 http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
      FirstName             http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
      LastName              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
      Groups                http://schemas.microsoft.com/ws/2008/06/identity/claims/groups
      UserId                http://schemas.microsoft.com/identity/claims/objectidentifier
    • CASB currently requires all users to have a unique email address across all tenants.
    • Support will provide you with two URLs that need to be updated on your IDP:
      • ACS URL (Single sign on URL)
      • Audience URI (Identifier Entity ID)
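
Before raising the ticket, it helps to confirm that the assertions your IDP issues actually carry the four required attributes under the Azure claim URIs listed above, and that no two administrators share an email address. The following is an added example check, not Broadcom or Okta tooling; the sample assertions are constructed inline and the helper names are assumptions.

```python
# Added example (not Broadcom's code): validate that a SAML assertion from an
# Azure-style IDP supplies the attributes Broadcom's Okta login requires, using
# the claim-URI mapping from this article, and that email addresses are unique
# across the administrators being federated (a CASB requirement).
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Okta attribute name -> IDP (Azure) claim URI, as listed in the article.
CLAIM_MAP = {
    "Email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "FirstName": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "LastName": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
    "Groups": "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups",
    "UserId": "http://schemas.microsoft.com/identity/claims/objectidentifier",
}
REQUIRED = ("FirstName", "LastName", "Email", "UserId")

def extract_attributes(assertion_xml: str) -> dict:
    """Return {okta_name: value} for every mapped claim found in the assertion."""
    root = ET.fromstring(assertion_xml)
    found = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        for okta_name, claim_uri in CLAIM_MAP.items():
            if attr.get("Name") == claim_uri and values:
                # Groups is multi-valued; the other attributes take a single value.
                found[okta_name] = values if okta_name == "Groups" else values[0]
    return found

def missing_required(attrs: dict) -> list:
    """Names of required Okta attributes the assertion did not supply."""
    return [name for name in REQUIRED if not attrs.get(name)]

def duplicate_emails(assertions: list) -> set:
    """Emails appearing in more than one assertion (CASB requires uniqueness)."""
    seen, dupes = set(), set()
    for xml in assertions:
        email = extract_attributes(xml).get("Email", "").lower()
        if email in seen:
            dupes.add(email)
        seen.add(email)
    return dupes

def build_assertion(claims: dict) -> str:
    """Constructed test fixture (hypothetical helper): one value per claim URI."""
    attrs = "".join(f'<saml:Attribute Name="{uri}"><saml:AttributeValue>{val}'
                    f"</saml:AttributeValue></saml:Attribute>" for uri, val in claims.items())
    return (f'<saml:Assertion xmlns:saml="{SAML_NS["saml"]}"><saml:AttributeStatement>'
            f"{attrs}</saml:AttributeStatement></saml:Assertion>")
```

Feed `extract_attributes` a real assertion captured from your IDP's SAML tracer and `missing_required` will list exactly which of FirstName, LastName, Email and UserId the mapping still lacks.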

Note:

  • It is important that all Administrators are added into CMP first.
  • Federating one service will federate all services that are set to force the Broadcom login.
  • Currently there is no JIT (Just in Time) provisioning to add users to either CMP or CloudSOC. This may be supported in the future.
  • IDP initiated logins are not supported.
  • Any CloudSOC administrator using the federated email domain will be redirected to the Broadcom login.
  • Existing CloudSOC SAML-based SSO login will still function while transitioning to the Broadcom OIDC login.
  • At a future undetermined time the existing SAML based SSO login will be deprecated.

Additional Information

CASB 3.161 Release Notes

CASB tenants are being migrated now that 3.161 has been released; specific dates are not given. Users of migrated tenants will notice an additional prompt to consent to sharing their name and user profile (email address) with Broadcom. Nothing else changes at this stage: the back button on the login page is still present, and the traditional native SSO still works for CloudSOC authentication.

At a future undetermined date the back button will be removed and the traditional CASB SSO login will be discontinued. We encourage customers to start using Broadcom Login at their earliest convenience to begin taking advantage of its benefits.

Example Azure SSO configuration to federate the Broadcom Login: Configure CASB with Azure SSO for Broadcom OIDC SSO Federation