Federate Broadcom login with an IDP for CASB

Article ID: 271283

Products

  • CASB Gateway Advanced
  • CASB Advanced Threat Protection
  • CASB Gateway
  • CASB Security Advanced
  • CASB Security Advanced IAAS
  • CASB Audit
  • CASB Security Premium
  • CASB Security Premium IAAS
  • CASB Security Standard
  • CASB Securlet IAAS
  • CASB Securlet SAAS
  • CASB Securlet SAAS With DLP-CDS

Issue/Introduction

Broadcom is implementing security features that will require all Broadcom cloud products to authenticate using Broadcom's SSO login, with Okta as the IDP.

Customers can federate their SAML-based IDP into Broadcom's Okta login, ensuring that only one set of credentials is required for all of the following products:

  • AppNeta
  • Broadcom Support Portal
  • Cloud Secure Web Gateway (Cloud SWG)/Web Security Service (WSS)
  • Cloud Workload Assurance (CWA)
  • Cloud Workload Protection (CWP)
  • CloudSOC Cloud Access Security Broker (CASB)
  • Cloud Management Portal (CMP)
  • Email Security.cloud
  • Integrated Cyber Defense Manager (ICDm)

Resolution

Methods to Federate your IDP with the Broadcom Login:

In the BCP (Broadcom Cloud Portal), the Identity Provider can be added in order to federate the Broadcom login.

See the Identity Providers Page BCP technote.

CMP users can be created automatically during the first Broadcom login attempt for CloudSOC. CMP admins are created using the CMP Portal.

    • Steps to create a non-CMP admin account for each CloudSOC Sysadmin\Admin\DPO user:
      • Initiate a Broadcom login from the CloudSOC login page.
      • A CMP activation email will be sent to the email address provided during the login attempt.
      • The user must click the activation link in the activation email from [email protected].
    • Steps to create a CMP admin for each Cloud Administrator:
      • Have an existing CMP admin log in, go to the Administrators section and choose Add Administrator.
      • The user will receive an activation link in the activation email (similar to a non-CMP admin).

Support Can Manually Federate when Necessary

      • Raise a support ticket to request federation with your IDP. Provide support with the following:
        • The email domain(s) of your administrators requiring the federated login. (A separate federation entry is required for each email domain.)
        • Your IDP's metadata XML file (exported from your IDP).
        • Your IDP attribute mappings MUST match the standard attributes within Broadcom’s IDP:
          • FirstName
          • LastName
          • Email
          • UserId
        • Okta IDP attributes are mapped to your IDP's attributes. Example mapping for Azure (Okta attribute name, then the IDP attribute name):
          • Email: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
          • FirstName: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
          • LastName: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
          • Groups: http://schemas.microsoft.com/ws/2008/06/identity/claims/groups
          • UserId: http://schemas.microsoft.com/identity/claims/objectidentifier
        • CASB currently requires all users to have a unique email address across all tenants.
        • Support will provide you with two URLs that need to be updated in your IDP:
          • ACS URL (Single sign-on URL)
          • Audience URI (Identifier / Entity ID)
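As an added example (not Broadcom's code or the technote's), a pre-flight check an administrator can run against a test assertion exported from their IDP before raising the ticket: it confirms that the Azure claim names listed above are present so they map to Okta's Email, FirstName, LastName and UserId attributes, and that the assertion's Audience matches the Audience URI support supplied. The sample assertion and the Audience value are constructed placeholders.

```python
"""Pre-flight check that an IDP's SAML assertion carries the claims
Broadcom's Okta maps to Email, FirstName, LastName and UserId (Groups is
optional) and that its Audience is the Audience URI support supplied."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Okta attribute name -> Azure claim name, as listed in the technote.
REQUIRED = {
    "Email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "FirstName": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "LastName": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
    "UserId": "http://schemas.microsoft.com/identity/claims/objectidentifier",
}
OPTIONAL = {"Groups": "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"}

def check_assertion(assertion_xml: str, expected_audience: str) -> dict:
    """Return the Okta attributes found, the required ones that are missing,
    and whether the assertion's Audience matches expected_audience."""
    root = ET.fromstring(assertion_xml)
    claim_to_okta = {v: k for k, v in {**REQUIRED, **OPTIONAL}.items()}
    found = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        okta_name = claim_to_okta.get(attr.get("Name"))
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        if okta_name and values:
            found[okta_name] = values if okta_name == "Groups" else values[0]
    missing = [k for k in REQUIRED if k not in found]
    audiences = [a.text for a in root.iterfind(".//saml:Audience", NS)]
    return {"found": found, "missing": missing,
            "audience_ok": expected_audience in audiences}

# Constructed sample assertion (not a real tenant); the Audience is a placeholder.
AUDIENCE = "https://audience-uri.example.invalid/PLACEHOLDER"
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" Version="2.0" ID="_x1">
 <saml:Conditions><saml:AudienceRestriction>
  <saml:Audience>{AUDIENCE}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
 <saml:AttributeStatement>
  <saml:Attribute Name="{REQUIRED['Email']}"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="{REQUIRED['FirstName']}"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="{REQUIRED['LastName']}"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="{OPTIONAL['Groups']}"><saml:AttributeValue>casb-admins</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    # UserId (objectidentifier) is deliberately absent, so it is reported as missing.
    print(check_assertion(SAMPLE_ASSERTION, AUDIENCE))
```

A missing entry in the returned list means the IDP claim mapping needs to be corrected before the federation ticket is raised.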

Other Options to federate:

If you have access to the ICDm Portal, you can configure federation without support interaction. See Configure federated SSO with Broadcom Okta for multiple services.

Note:

    • Federating one service will federate all services that are set to force the Broadcom login.
    • Currently there is no JIT (Just in Time) provisioning to add users to either CMP or CloudSOC. This may be supported in the future.
    • IDP initiated logins are not supported.
    • Any CloudSOC administrator using the federated email domain will be redirected to the Broadcom login.
    • Existing CloudSOC SAML-based SSO login will still function while transitioning to the Broadcom OIDC login.
    • November 1, 2024 existing SAML based SSO login will be deprecated.

Additional Information

CASB 3.161 Release Notes

CASB tenants are being migrated now that 3.161 has been released. Specific dates are not given. The users of migrated tenants will notice an additional prompt to consent to sharing their name and user profile (email address) with Broadcom. Nothing else changes at this stage: the back button on the login page is still present, and the traditional native SSO still works for CloudSOC authentication.

At a future undetermined date the back button will be removed and the traditional CASB SSO login will be discontinued. We encourage customers to start using Broadcom Login at their earliest convenience to begin taking advantage of its benefits.

Example Azure SSO configuration to federate the Broadcom Login: Configure CASB with Azure SSO for Broadcom OIDC SSO Federation