Carbon Black Cloud AuthHub Migration FAQ

Article ID: 383516


Products

  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
  • Carbon Black Cloud Audit and Remediation (formerly Cb Live Ops)
  • Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
  • Carbon Black Cloud Managed Detection (formerly Cb Threatsight)
  • Carbon Black Cloud Managed Threat Hunting
  • Carbon Black Cloud Managed Detection and Response
  • Carbon Black Cloud Prevention
  • Carbon Black Cloud Workload

Issue/Introduction

This knowledge base article is intended for Carbon Black Cloud Super Admins who will perform the user authentication migration to AuthHub.

Non-Federated

  • This refers to customers who were not using SAML (used a single set of local Carbon Black Cloud credentials at login) before the migration. Note that after the migration MFA is required for all accounts.

Federated

  • This refers to customers who were using SAML before the migration.

Managed Service Provider (MSSP)

  • For environments that are configured as an MSSP with Carbon Black Cloud

Cause

As we previously announced, Carbon Black Cloud is migrating its user authentication to AuthHub.

Resolution

Non-Federated (Not previously using SAML):

Q: When does my migration begin and what migration steps are necessary?

A: The migration process for non-federated accounts is complete.

Users with existing AuthHub accounts, which share the same email address as their Carbon Black Cloud account, have been automatically integrated. These users will not receive activation emails or need to reset their passwords. To access Carbon Black Cloud, users will simply enter their email address in the Carbon Black Cloud console and be redirected to AuthHub, where existing AuthHub credentials are leveraged.

Users without existing AuthHub accounts will have received an "Account Activation" email from [email protected] to create a new account in the AuthHub system.

For more information on what this looks like, see the Broadcom Community Post.

Q: Now that Multi-Factor Authentication is mandatory and Duo Security is no longer supported, what are my options?

A:

  • Email OTP
  • Use biometrics
  • Use code from mobile app

When choosing a mobile app as an authenticator, you will be prompted to set up Broadcom’s VIP Access app. Using the VIP Access app will now allow you to use push notifications instead of entering the code manually.

However, if you currently use Google Authenticator (or another similar OTP application) and wish to continue using this method, select “Use another app” and scan the QR code with Google Authenticator (or your preferred OTP application).

Q: I haven't been Federated before but I want to set it up, what are my options?

A: See Enabling SAML Integration (Federation) and then contact Support to help get this set up.

Q: I'm currently using X Carbon Black API, will I need to create new API Keys?

A: No, this migration will not affect API authentication. Impacts to APIs and API Keys can always be found on the Developer Network API Migration Guides page: https://developer.carbonblack.com/reference/carbon-black-cloud/api-migration/

Federated (Previously using SAML integration):

Q: When does my migration begin and what migration steps are necessary?

A: Federated customers will have an in-product banner to begin the migration. This is a phased rollout and we expect all customers to have the banner no later than February 21st. Super Admins will have until June 16th (2025) to complete this process.

For migration steps, see the Broadcom Community Post.

Q: Can other users be in the console while I am performing the migration?

A: Other users can be logged into the console at the same time the migration is happening. When the other users’ sessions end or they log out, they will have to authenticate with the IdP (same as they did before).

Q: What happens if I start the AuthHub migration but then have to resume later?

A: If you stop before validating trust configuration by signing back into CBC, you will have to start the migration steps from the beginning. 

A: If you stop the migration steps after you have validated trust configuration by signing back into CBC, you can either authenticate and press “Complete Migration” or start the revert process. If, when you log in again, you see "Start Migration" instead of "Complete Migration", you are likely using your previous SAML config, not the new SAML config. If you try to migrate again in this state, you may get the error "Your request was unsuccessful" during the migration attempt.

Q: In order to verify ownership of a domain, how do I add a new verification record to my domain’s DNS settings at the organization’s domain host?

A:

  1. Find your specific domain’s TXT name and TXT value in the wizard.
  2. Log in to your domain registrar and look for sections labeled “DNS,” “Name Servers,” or something similar.
  3. Add a new TXT record.
  4. Paste the TXT name and value from the Carbon Black wizard in a name=value format.
  5. Save the changes. Changes may take up to 24 hours.
  6. Return to Carbon Black’s UI wizard to check that your domain now displays as verified. 
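
Because DNS changes may take up to 24 hours, it helps to confirm the record is visible from a public resolver before returning to the wizard. The script below is an added example, not part of the original article or any Carbon Black tooling; it assumes `dig` is installed, and the record name, value and resolver shown in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: confirm the verification TXT record is visible in DNS.
# Record name and value are placeholders; copy the real ones from the wizard.

# normalize_txt: read `dig +short TXT` output on stdin, one record per line.
# dig prints each record as one or more quoted strings ("part1" "part2");
# long values are split into chunks, so join the chunks and strip the outer
# quotes to recover the value as it was entered at the DNS host.
normalize_txt() {
    sed -e 's/" "//g' -e 's/^"//' -e 's/"$//'
}

# txt_has_value EXPECTED: succeed only if a record on stdin equals EXPECTED
# exactly (a partial or prefix match is treated as not verified).
txt_has_value() {
    normalize_txt | grep -Fxq -- "$1"
}

# check_txt NAME EXPECTED [RESOLVER]: query the given resolver (default: the
# system resolver) and report whether the record is visible there.
check_txt() {
    name=$1; expected=$2; resolver=${3:-}
    if dig +short TXT "$name" ${resolver:+@"$resolver"} | txt_has_value "$expected"; then
        echo "verified: $name"
    else
        echo "not visible yet: $name" >&2
        return 1
    fi
}

# Usage (placeholder name and value; 1.1.1.1 is one public resolver):
#   check_txt TXT-NAME-FROM-WIZARD.example.com 'TXT-VALUE-FROM-WIZARD' 1.1.1.1
```

Running the check against more than one resolver shows whether a failure in the wizard is a propagation delay or a mistyped record.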


Q: Why do I need to create a “recovery local user?”

A: You are strongly urged to create a temporary local user as a recovery mechanism in case an error occurs when you configure your IdP trust to AuthHub. This local user will be deleted after your migration is complete.

Q: I'm currently using X Carbon Black API, will I need to create new API Keys?

A: No, this migration will not affect API authentication. Impacts to APIs and API Keys can always be found on the Developer Network API Migration Guides page: https://developer.carbonblack.com/reference/carbon-black-cloud/api-migration/

SAML Configuration Error Occurs:

Q: After I create a new application entry in my IdP, how will I know if an error has occurred?

A: After you configure your trust within the IdP, sign out of CBC and log back in using your typical super admin credentials. If you are unable to log in, an error has occurred. Log in using your recovery credentials to revert the migration and begin again.


Q: If I am unable to login to CBC using my super admin credentials, what happens next?

A: Log in to CBC using your local recovery user instead. Go to Settings > Users > Revert Migration. If a revert is necessary, please check the following before retrying the migration:

  • Is the domain correct?
  • Does the super admin have the correct domain?
  • Copy and paste the trust credentials into the IdP again

If the issue still persists, open a support ticket. 


Q: How do I know if “Revert Migration” was successful?

A: If you are able to log in using your super admin credentials, the revert was successful.

Managed Service Provider (MSSP): 

Q: Will MSSP users be able to login to access their current SSO configuration, or will they need to reconfigure authentication via AuthHub?

A: MSSP orgs are no different than other orgs in this respect.

  • If the org is federated, its Super Admin needs to go through the migration wizard.
  • If the org is not federated (i.e. local users), each user needs to reset their password.

Post-Migration 

Q: How do I make MFA changes?

A: See Enabling Multi-Factor Authentication in Tech Docs.

Q: How do I make Federation / IDP changes?

A: See Enabling SAML Integration (Federation) and then contact Support.

Q: Will my IDP tile continue to work?

A: No, at the current time IDP initiated logins are not supported. We are working to add support for this (SECP-15536). For the time being, end users will need to initiate the login from the Carbon Black Cloud console URL.

 

Additional Information

IDPs should NOT be configured with Certificate Verification. This will break the AuthHub/IDP integration and create an "Invalid Request" error during the redirection.