URL for Broadcom authentication change for Identity Providers (IdP) - Okta SSO

Article ID: 208340

Products

Symantec WebFilter (formerly Blue Coat WebFilter - BCWF) Endpoint Security Complete Endpoint Security Email Security.cloud Support Portal CA Agile Central SaaS (Rally) Rally Perpetual Hosted Rally Saas Cloud Workload Assurance Cloud Workload Protection Cloud Workload Protection for Storage Cloud Workload Protection for Storage DLP

Issue/Introduction

**For Clarity SaaS please click here for specific guidance**

Broadcom is standardizing the authentication URL for all Broadcom platforms as part of operational and business opportunities that enable us to sharpen our focus on delivering industry-leading security software for our customers.

If you do not make the changes in your Identity Provider (IdP) configuration as per these instructions, you may experience authentication issues when trying to access Broadcom resources such as the Support Portal and product applications (e.g. Clarity PPM, Rally, SEP Mobile, etc.).

This knowledge article provides generic guidelines on changing the Assertion Consumer Service (ACS) URL. Please consult your Identity Provider (IdP) vendor documentation or your Single Sign-On (SSO)/IT team for the detailed steps needed to modify the ACS URL.

Cause

Broadcom’s authentication service provider URL is changing from March 14, 2021, as follows:

Current URL: avagoext.okta.com
New URL: login.broadcom.com

The maintenance schedule is:

Start Date: March 13, 2021, at 09:00 UTC
End Date: March 14, 2021, at 09:00 UTC

Click here to keep up-to-date during the maintenance, including when maintenance has successfully completed.

Resolution

Below you will find instructions on how to update your configuration with the new URL, login.broadcom.com. You must make your changes AFTER 09:00 UTC on 14th March 2021.

NOTE: Depending on your version of the platform, the instructions below may not match up exactly with what you see. It is critical that all instances of avagoext.okta.com in your configuration are updated to login.broadcom.com to avoid authentication issues.

Platforms:

SiteMinder

  1. Log on to the SiteMinder Administrative UI and expand the Federation menu.
  2. Expand the Partnership Federation menu and select Entities.
  3. Locate the Remote SAML2 SP Entity for the Broadcom integration and select Modify from the Action menu.
  4. On the Configure Entity page, find the Remote Assertion Consumer Service URLs section and update the existing ACS URL with the new one: login.broadcom.com
  5. Click Next, and then Finish to save this change.
  6. Next, click on Partnerships from the Partnership Federation menu.
  7. Locate the Local SAML2 IDP->Remote SAML2 SP Partnership for the Broadcom integration and select Deactivate from the Action menu.
  8. Next, select Modify from the Action menu.
  9. On the Configure Partnership page, locate the Remote SP entity and click the Get Updates button next to it. This will update the Partnership with the new ACS URL.
  10. Skip to the SSO and SLO page of the Partnership and verify the ACS URL has been updated.
  11. Skip to the Confirm page of the Partnership and click Finish.
  12. Select Activate from the Action menu next to the Partnership.

Okta

  1. Log in to the Okta admin console.
  2. Locate the application or Identity Provider that is integrated with Broadcom.
    If possible, search for avagoext.okta.com.
  3. Update the Identity Provider Single Sign-On URL / Single Sign On URL / Assertion Consumer Service (ACS) URL by replacing https://avagoext.okta.com/… with https://login.broadcom.com/…
    NOTE: Only the portions of the URL that have avagoext.okta.com need to be updated. This may include the ?RelayState= or ?FromURI= values in the URL.
  4. Depending on your configuration, the Default Relay State may need to be updated also.
  5. Ensure all instances of avagoext.okta.com in the configuration are updated to login.broadcom.com.
  6. Save the configuration.

Active Directory Federation Services (ADFS)

  1. Log in to the AD FS management console.
  2. Modify the Relying Party Trust (RPT) that was set up for Rally.
  3. Open the EndPoints tab.
  4. Copy the existing SAML ACS URL that starts with https://avagoext.okta.com/sso…
  5. Click Add SAML to add a new SAML ACS endpoint.
  6. Paste the saved ACS URL from step 4 into Trusted URL.
  7. Set the index to 1.
  8. Set the binding to POST.
  9. Modify the newly added ACS URL by replacing the hostname part of the ACS URL https://avagoext.okta.com with https://login.broadcom.com.
  10. Click OK to see the list of ACS URLs.
    NOTE: There should be two ACS URLs listed, one for avagoext.okta.com and one for login.broadcom.com.
  11. Save the configuration.
    NOTE: If there is a problem accessing Rally, Clarity, etc. after the change, revert the change and contact Broadcom support.

Azure/Active Directory (AD)

  1. Log in to the Azure/AD admin console.
  2. Open App Services.
  3. Locate the application that is integrated with Broadcom.
  4. Update the Sign-on URL by replacing https://avagoext.okta.com/… with https://login.broadcom.com/…
    NOTE: Only the portions of the URL that have avagoext.okta.com need to be updated. This may include ?RelayState= or ?FromURI= values in the URL.
  5. Depending on your configuration, Relay State may need to be updated also.
  6. Ensure all instances of avagoext.okta.com in the configuration are updated to login.broadcom.com.
  7. Save the configuration.

Azure IdP

  1. Log in to the Azure/AD admin console.
  2. Open App Services.
  3. Locate the application that is integrated with Broadcom.
  4. Add a new Redirect URI.
    The new Redirect URI is identical to the current Redirect URI, except the base URL is https://login.broadcom.com/... instead of https://avagoext.okta.com/...
    NOTE: This update can and should be done ahead of the March 13 go-live date.
  5. Depending on your configuration, a new Relay State pointing to https://login.broadcom.com/ may need to be added.
  6. Save the configuration.

NOTE: Not updating your configuration will result in authentication failures.

PingFederate

  1. Log in to the PingFederate admin console.
  2. Click on Manage All IdPs under IDP Connections.
  3. Locate and select the connection that is integrated with Broadcom.
  4. Click on General Info under IdP Connection.
  5. Update the Base URL by replacing https://avagoext.okta.com/… with https://login.broadcom.com/…
    NOTE: Only the portions of the URL that have avagoext.okta.com need to be updated. This may include the ?RelayState= or ?FromURI= values in the URL.
  6. Ensure all instances of avagoext.okta.com in the configuration are updated to login.broadcom.com.
  7. Click Save.
  8. At the Manage All IdP screen, scroll to the bottom of the page and click Save.

Keycloak

  1. Log in to your Keycloak admin console.
  2. Click Clients from the left menu.
  3. Locate the Client ID that is integrated with Broadcom and to the right, click Edit under Actions.
  4. Update the Client SAML Endpoint URL by replacing https://avagoext.okta.com/… with https://login.broadcom.com/…
    NOTE: Only the portions of the URL that have avagoext.okta.com need to be updated. This may include the ?RelayState= or ?FromURI= values in the URL.
  5. Ensure all instances of avagoext.okta.com in the configuration are updated to login.broadcom.com (this may include the Root URL, Base URL or Master SAML Processing URL).
  6. Save the configuration.

OneLogin

  1. Log in to the OneLogin dashboard.
  2. Click Apps.
  3. Locate and open the application that is integrated with Broadcom.
  4. Go to the SSO tab.
  5. Update the ACS (Consumer) URL by replacing https://avagoext.okta.com/… with https://login.broadcom.com/…
    NOTE: Only the portions of the URL that have avagoext.okta.com need to be updated. This may include the ?RelayState= or ?FromURI= values in the URL.
  6. Ensure all instances of avagoext.okta.com in the configuration are updated to login.broadcom.com (this may include the Login URL).
  7. Save the configuration.

Auth0

  1. Log in to your Auth0 management console.
  2. Click on Applications from the left menu.
  3. Locate the application that is integrated with Broadcom and click the gear icon to the right.
  4. Update the Application Callback URL by replacing https://avagoext.okta.com/… with https://login.broadcom.com/…
    NOTE: Only the portions of the URL that have avagoext.okta.com need to be updated. This may include the ?RelayState= or ?FromURI= values in the URL.
  5. Ensure all instances of avagoext.okta.com in the configuration are updated to login.broadcom.com.
  6. Click Save.
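
Whichever platform you use, the requirement is the same: only the avagoext.okta.com portions of each URL change, including any URL carried inside a RelayState or fromURI value, and no instance may be left behind. The following Python sketch is an added example, not Broadcom tooling. It rewrites URLs in an exported configuration and then lists any lines that still reference the old hostname. The function names and the sample export (paths, IDs, idp.example.com) are constructed for illustration.

```python
# Added example, not Broadcom tooling. Sample paths and IDs are constructed.
import re
from urllib.parse import parse_qsl, unquote, urlencode, urlsplit, urlunsplit

OLD_HOST = "avagoext.okta.com"   # hostname being retired (from the article)
NEW_HOST = "login.broadcom.com"  # replacement hostname (from the article)

def migrate_url(url):
    """Swap OLD_HOST for NEW_HOST in the URL's host and in any query value
    that is itself a URL (RelayState, fromURI); leave the rest untouched."""
    parts = urlsplit(url)
    netloc = parts.netloc
    # Exact host comparison, so a look-alike such as
    # avagoext.okta.com.example.net is never rewritten.
    if (parts.hostname or "").lower() == OLD_HOST:
        netloc = NEW_HOST + (f":{parts.port}" if parts.port else "")
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    moved = [(k, migrate_url(v) if urlsplit(v).hostname else v) for k, v in pairs]
    # Re-encode the query only when a value changed, to preserve the original encoding.
    query = urlencode(moved) if moved != pairs else parts.query
    return urlunsplit((parts.scheme, netloc, parts.path, query, parts.fragment))

def migrate_config(text):
    """Apply migrate_url to every http(s) URL found in an exported config."""
    return re.sub(r"https?://[^\s\"'<>]+", lambda m: migrate_url(m.group(0)), text)

def leftover_lines(text):
    """Return 1-based numbers of lines still naming OLD_HOST, raw or percent-encoded."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        decoded = line
        for _ in range(3):  # unwrap nested percent-encoding
            decoded = unquote(decoded)
        if OLD_HOST in decoded.lower():
            hits.append(number)
    return hits

# Constructed sample of an exported IdP configuration.
SAMPLE_EXPORT = """\
acs_url = https://avagoext.okta.com/sso/saml2/EXAMPLE_ID
default_relay_state = https://login.broadcom.com/app/EXAMPLE_APP
login_url = https://idp.example.com/start?RelayState=https%3A%2F%2Favagoext.okta.com%2Fapp%2FEXAMPLE_APP
"""

if __name__ == "__main__":
    print("before:", leftover_lines(SAMPLE_EXPORT))
    migrated = migrate_config(SAMPLE_EXPORT)
    print(migrated)
    print("after:", leftover_lines(migrated))
```

For AD FS, where the procedure above keeps the old endpoint listed next to the new one, a leftover hit on that endpoint is expected.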