Configure CASB with Azure SSO for Broadcom OIDC SSO Federation
Article ID: 270310


Products

  • CASB Advanced Threat Protection
  • CASB Audit
  • CASB Gateway
  • CASB Gateway Advanced
  • CASB Security Advanced
  • CASB Security Advanced IAAS
  • CASB Security Premium
  • CASB Security Premium IAAS
  • CASB Security Standard
  • CASB Securlet IAAS
  • CASB Securlet SAAS

Issue/Introduction

CASB (CloudSOC) customers can now choose to connect their corporate Azure SSO IdP with Broadcom OIDC SSO Federation for CASB SysAdmin and Admin logins.

Broadcom OIDC SSO Federation logins will eventually become mandatory for CASB and all Symantec Enterprise Division (SED) Cloud products.

Resolution

The customer performs the following steps so that all CASB (CloudSOC) SysAdmins and Admins can log in with minimal downtime.

Configuring federation with your Corporate Azure IdP SSO

1. Create an SSO object for "Broadcom Login" in your corporate Azure Enterprise Apps

  • https://portal.azure.com
  • Go to Azure AD
  • Navigate to "Enterprise Applications" on the left pane | New Application | Create your own application | give it an applicable name such as "Broadcom Login App" (free text) and select "Integrate any other application" | then click "Create"

  • Select "Set up single sign-on" (on the left pane)
  • In the Basic SAML Configuration section, enter temporary values (as shown below) for:
    • Identifier (Entity ID), also referred to as the EID
    • Reply URL (Assertion Consumer Service URL)
  • Click "Save"
  • Download the "Federation Metadata XML"

Note: The Identifier (Entity ID) and Reply URL you entered above are temporary entries. They will be replaced later with two valid URLs you will receive from Broadcom Support.

2. Add your CASB SysAdmin and Admin users to your "Broadcom Login App" in Azure



Note: It is strongly recommended to have a backup CASB (CloudSOC) SysAdmin with an email address in another (secondary) domain in case the IdP server is down. Should SSO be unavailable, the SysAdmin with a non-federated secondary-domain email address should still be able to perform a local login to CASB (CloudSOC).

 

Your Azure SSO IdP Broadcom Login App attribute mappings MUST match the standard attributes within Broadcom's IdP (as shown below):

  • FirstName
  • LastName
  • Email
  • UserId
  • Groups (optional)



3. The customer uploads the Federation Metadata XML file (downloaded in step 1) to a new CASB Support Case

  • Name your CASB Support Case "Request to Configure CASB with Azure SSO for Broadcom OIDC SSO Federation"
  • Include your CASB tenant ID and Azure SSO IdP email domain in this Support Case (<user_id>@<email-domain>)
  • Enable the CASB Support Account for 2-3 days


Broadcom Support will process the XML file and the Azure IdP code, and will provide the following values for the customer to copy and paste back into the Azure SSO Broadcom Login App.

4. After Broadcom Support responds in your CASB Support Case with custom values for your Broadcom Login App ("REPLY URL/ACS" and "AUDIENCE URL/EID")

Edit your Broadcom Login App in Azure AD Enterprise Apps and insert the Identifier (Entity ID) and Reply URL that you received from Broadcom Support in your Support Case.

(CAUTION: Screenshots below are only examples of what you will receive from Broadcom CASB Support - DO NOT USE the values below in your Azure SSO IdP environment!)

5. Test the SSO login.

  • From the SSO configuration page in Azure, click the Test button.
  • Test the Broadcom login from app.elastica.net.

Troubleshooting

  • If you see an HTTP 400 error, re-import the metadata from Azure back into Forza using the Edit IDP box.
  • Chrome has an extension for capturing a SAML trace; use it to inspect the SAML request and response exchanged with Azure.

A CASB (CloudSOC) SysAdmin or Admin using the new Azure Broadcom Login App should be redirected to the Azure IdP SSO server to log in, and then be connected to CASB.
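As a check for the attribute-mapping requirement in step 2 and for the SAML trace mentioned under Troubleshooting, the following Python script is an added example and is not part of this article or of the CASB product. It decodes a base64 SAMLResponse of the kind a browser SAML trace extension shows, compares the response's Destination and the assertion's Audience against the Reply URL and Entity ID configured in the Broadcom Login App, and reports which of the FirstName, LastName, Email and UserId attributes (plus the optional Groups attribute) the assertion actually carries. The SAML response, the placeholder URLs and the tenant ID in it are constructed sample values, not values Broadcom Support sends.

```python
# Added example (not from the Broadcom article): check a captured SAMLResponse
# against the Entity ID / Reply URL you configured and the attribute names the
# article requires. Only the Python standard library is used.
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Attribute names listed in the article as required / optional.
REQUIRED_ATTRIBUTES = {"FirstName", "LastName", "Email", "UserId"}
OPTIONAL_ATTRIBUTES = {"Groups"}

# Constructed sample SAML response (not a real capture). The Destination and
# Audience URLs are placeholders standing in for the values Broadcom Support
# provides; the tenant ID in the Issuer is all zeros; Groups is left out on purpose.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://REPLY-URL-FROM-BROADCOM.example/acs">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://ENTITY-ID-FROM-BROADCOM.example/sp</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="FirstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="LastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="UserId"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# A SAML trace shows the SAMLResponse form field base64-encoded; emulate that here.
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def parse_saml_response(b64_response):
    """Decode a base64 SAMLResponse and pull out the fields worth checking."""
    root = ET.fromstring(base64.b64decode(b64_response))
    assertion = root.find("saml:Assertion", NS)
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    audience = assertion.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "status": status.get("Value") if status is not None else None,
        "destination": root.get("Destination"),
        "audience": audience.text if audience is not None else None,
        "attributes": attrs,
    }


def check_federation(parsed, expected_reply_url, expected_entity_id):
    """Return (errors, warnings): errors break the login, warnings are informational."""
    errors, warnings = [], []
    if parsed["status"] != SUCCESS:
        errors.append(f"IdP returned non-success status: {parsed['status']}")
    # A Destination that does not match the Reply URL usually means the temporary
    # step-1 values were never replaced with the ones from Broadcom Support.
    if parsed["destination"] != expected_reply_url:
        errors.append(f"Destination {parsed['destination']!r} != configured Reply URL {expected_reply_url!r}")
    if parsed["audience"] != expected_entity_id:
        errors.append(f"Audience {parsed['audience']!r} != configured Entity ID {expected_entity_id!r}")
    present = set(parsed["attributes"])
    for name in sorted(REQUIRED_ATTRIBUTES - present):
        errors.append(f"required attribute {name} is missing from the assertion")
    for name in sorted(OPTIONAL_ATTRIBUTES - present):
        warnings.append(f"optional attribute {name} is not present")
    return errors, warnings


if __name__ == "__main__":
    parsed = parse_saml_response(SAMPLE_RESPONSE_B64)
    errors, warnings = check_federation(
        parsed,
        expected_reply_url="https://REPLY-URL-FROM-BROADCOM.example/acs",
        expected_entity_id="https://ENTITY-ID-FROM-BROADCOM.example/sp",
    )
    for line in errors:
        print("ERROR:", line)
    for line in warnings:
        print("WARN: ", line)
    if not errors:
        print("Assertion matches the configured Entity ID / Reply URL and carries all required attributes")
```

To use it on a real trace, paste the SAMLResponse value from the extension in place of SAMPLE_RESPONSE_B64 and pass the Reply URL and Entity ID from your Support Case as the expected values; the script does not validate the XML signature, so it is a configuration check, not a substitute for the service provider's own verification.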