CASB login deprecation date announced for all non Broadcom logins
search cancel

CASB login deprecation date announced for all non Broadcom logins

book

Article ID: 367448

calendar_today

Updated On:

Products

CASB Advanced Threat Protection CASB Audit CASB Gateway CASB Gateway Advanced CASB Security Advanced CASB Security Advanced IAAS CASB Security Premium CASB Security Premium IAAS CASB Security Standard CASB Securlet IAAS CASB Securlet SAAS CASB Securlet SAAS With DLP-CDS

Issue/Introduction

Symantec CloudSOC \ CASB offers 3 login types.

  • Broadcom Login: Auth credentials user \ password are stored in a Broadcom IDP used for all Broadcom cloud products.
    • *** Broadcom Login can be federated into a customer's IDP for user validation. SP (Service Provider login only.)
  • Traditional CASB login: Auth credentials user \ password stored in CASB.
    • CASB 2FA: 2nd factor (email) login available for traditional CASB logins.
  • Elastica Single Sign On: Auth provided by the customer's IDP.

CASB Release Notes has mentioned the upcoming deprecation for the last year without time frames.

Resolution

November 1, 2024 both the traditional CloudSOC login and the Elastica Single Sign On methods will be deprecated.

The Broadcom login will be the only supported method for authentication to CloudSOC \ CASB.  This is the same method already used by other Broadcom cloud applications such as ICDm, CWA, CWP, CMP Cloud SWG...  

The Broadcom 2FA (email as 2nd factor) authentication that was only available for the traditional CASB login is not available for the Broadcom login. (It was not available for the Elastica SSO login.)

The Broadcom login is an important requirement for the upcoming multi tenant switching feature.

The Broadcom login can be federated using the customer's IDP in order to validate the user.  An IDP initiated login from the customer's IDP is not supported.

 

Immediate Actions:

Verify CloudSOC SysAdmin \ Admins can perform a Broadcom login for from the CloudSOC\CASB login pages  EU Region US Region

If a federated login is desired, see KB 271283 for step on federating with your IDP.

Federating the Broadcom login can be performed now even while the Elastica SSO is in production. After validation testing we recommend disabling the Elastica SSO.

 

After November 1st.

The CloudSOC login pages will only show the Broadcom login option.

Elastica SSO IDP logins may fail. The admin attempt the login will need to perform a Broadcom login.

 

Additional Information

FAQ:

Q: What happens on November 1st 2024 if I have not done anything?

A: Only the Broadcom login will be supported.  The other login methods will be deprecated without further warning.

A: The old Elastica SSO IDP login may fail. Revert to the Broadcom Login from the CloudSOC login page or other Broadcom cloud landing page.

 

Q: What if I don't have a Broadcom login?

A: The CloudSOC login attempt will create a Broadcom user. A welcome email will be sent to confirm the account and set a password. If you have a Broadcom user but do not know the password use the forgot password link.  

 

Q: Do I have to federate the Broadcom login?

A: No. The federated login gives you one less password to manage since your IDP will perform the validation.

  

Q: Do I have to federate the Broadcom login for each Broadcom cloud product?

A: No. The federated Broadcom login for an email domain will apply to all Broadcom Cloud products using the Broadcom login.

 

Q: How do I federate the Broadcom login?

A:  KB 271283 Create a support ticket with Broadcom providing:

  • Email domain of the user requiring federation. (The Broadcom federation is per domain the xml and attributes should not change.)
  • IDP's metdata XML.
  • Verify the Okta IDP attributes are mapped to the IDP Attributes.
  • Support will provide  2 urls that need to be updated on the customer IDP.
    • ACS URL (SSO URL)
    • Audience URI (IDentifier Entity ID)

 

Q: Do you have a high level example of how to federate the Broadcom login?

A: KB 270310 provides a simple federation with Azure SSO. Consult your IDP vendor for greater detail.

 

Q: Will federating the Broadcom login break the other login methods for CASB?

A: No. Until all other logins are deprecated all logins will work.

 

Q: If the Broadcom login has already been federated do I need to do anything for CASB?

A: No. The Federation will apply to all Broadcom Cloud products using the Broadcom login.

 

Q: Can I perform an IDP initiated login for CASB from my IDP?

A: No. IDP logins are not currently supported. Create a shortcut or link from your SSO landing page.

See KB 279875 for an example on how to create a link or shortcut in okta's portal.  (This is a SP initiated login.)