CASB login deprecation date announced for all non Broadcom logins

Article ID: 367448


Products

CASB Advanced Threat Protection, CASB Audit, CASB Gateway, CASB Gateway Advanced, CASB Security Advanced, CASB Security Advanced IAAS, CASB Security Premium, CASB Security Premium IAAS, CASB Security Standard, CASB Securlet IAAS, CASB Securlet SAAS, CASB Securlet SAAS With DLP-CDS

Issue/Introduction

Symantec CloudSOC \ CASB offers 3 login types.

  • Broadcom Login: Auth credentials (user \ password) are stored in a Broadcom IDP used for all Broadcom cloud products.
    • Broadcom Login can be federated into a customer's IDP for user validation (SP (Service Provider) login only).
  • Traditional CASB login: Auth credentials (user \ password) are stored in CASB.
    • CASB 2FA: 2nd factor (email) login available for traditional CASB logins.
  • Elastica Single Sign On: Auth provided by the customer's IDP.

The CASB Release Notes have mentioned the upcoming deprecation for the last year without giving time frames.

Resolution

Symantec Cloud Services, which is integrated with Broadcom Login, will start switching to new infrastructure in late November 2024.  

The Broadcom login will be the only supported method for authentication to CloudSOC \ CASB.  This is the same method already used by other Broadcom cloud applications such as ICDm, CWA, CWP, CMP Cloud SWG...  

The Broadcom 2FA (email as 2nd factor) authentication that was only available for the traditional CASB login is not available for the Broadcom login. (It was not available for the Elastica SSO login.)

The Broadcom login is an important requirement for the upcoming multi-tenant switching feature.

The Broadcom login can be federated using the customer's IDP in order to validate the user.  An IDP initiated login from the customer's IDP is not supported.

 

Immediate Actions:

Verify that CloudSOC SysAdmins \ Admins can perform a Broadcom login from the CloudSOC \ CASB login pages (EU Region, US Region).

If a federated login is desired, see KB 271283 for steps on federating with your IDP.

Federating the Broadcom login can be performed now even while the Elastica SSO is in production. After validation testing we recommend disabling the Elastica SSO.

 

When this migration is completed

The CloudSOC login pages will only show the Broadcom login option.

Elastica SSO IDP logins may fail. The admin attempting the login will need to perform a Broadcom login.

 

Additional Information

FAQ:

Q: What if I don't have a Broadcom login?

A: The CloudSOC login attempt will create a Broadcom user. A welcome email will be sent to confirm the account and set a password. If you have a Broadcom user but do not know the password, use the forgot password link.

 

Q: Do I have to federate the Broadcom login?

A: No. The federated login gives you one less password to manage since your IDP will perform the validation.

  

Q: Do I have to federate the Broadcom login for each Broadcom cloud product?

A: No. The federated Broadcom login for an email domain will apply to all Broadcom Cloud products using the Broadcom login.

 

Q: How do I federate the Broadcom login?

A: See KB 271283. Create a support ticket with Broadcom providing:

  • Email domain of the user requiring federation. (The Broadcom federation is per domain; the XML and attributes should not change.)
  • IDP's metadata XML.
  • Verify the Okta IDP attributes are mapped to the IDP Attributes.
  • Support will provide 2 URLs that need to be updated on the customer IDP.
    • ACS URL (SSO URL)
    • Audience URI (Identifier, Entity ID)

 

Q: Do you have a high level example of how to federate the Broadcom login?

A: KB 270310 provides a simple federation with Azure SSO. Consult your IDP vendor for greater detail.

 

Q: Will federating the Broadcom login break the other login methods for CASB?

A: No. Until all other logins are deprecated, all logins will work.

 

Q: If the Broadcom login has already been federated do I need to do anything for CASB?

A: No. The federation will apply to all Broadcom Cloud products using the Broadcom login.

 

Q: Can I perform an IDP initiated login for CASB from my IDP?

A: No. IDP logins are not currently supported. Create a shortcut or link from your SSO landing page.

See KB 279875 for an example of how to create a link or shortcut in Okta's portal. (This is an SP initiated login.)