Microsoft Entra ID (Azure) SAML Setup for Carbon Black Cloud / Authhub
Article ID: 389598
Updated On:
Products
Carbon Black Cloud Audit and Remediation (formerly Cb Live Ops)
Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Carbon Black Cloud Managed Detection and Response
Carbon Black Cloud Managed Detection (formerly Cb Threatsight)
Carbon Black Cloud Managed Threat Hunting
Carbon Black Cloud Prevention
Carbon Black Cloud Workload
Issue/Introduction
- This document provides the steps needed to setup Microsoft Entra ID (Azure) SAML with Carbon Black Cloud.
- For the time being this process requires the help of Support. In the future this will be available via self service.
- This article previously provided steps for customers to migrate to Authhub. Now that all customers have been migrated, this article is for initial SAML setup.
Environment
- Carbon Black Cloud
- Microsoft Entra (Formerly Azure)
Resolution
Step 1 - Create a new Enterprise Application in Azure.
- Within Microsoft Azure navigate to > Entra ID / Enterprise Applications and click "New Application"
- Click "Create your own application" > Integrate any other application you don't find in the gallery (non-gallery)
- Select the newly created enterprise application and select "Users and Groups".
- Configure the desired users and groups for access.
- Click "Single sign-on" > SAML
- Under "Basic SAML Configuration" set both the "Identifier (Entity ID)" and "Reply URL" to https://access.broadcom.com/default/saml/v1/sp/acs and then click Save. Note that you will need to come back to modify the "Identifier" once the real Identifier (Entity ID) has been provided by Support (Step 3).
Step 2: Provide the Attributes and Metadata XML to Support
- Click "Edit" under the Attributes & Claims section.
- Copy the user.mail, user.givenname, and user.surname attribute claim names
- By default these are:
- http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
- http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
- http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
- By default these are:
- Verify the certificate is valid and then copy the XML Metadata under "SAML Certificates". This can be accomplished by either:
- Copying the App Federation Metadata URL
OR - Clicking "Download" next to Federation Metadata XML
- Copying the App Federation Metadata URL
- Open a Technical Support Case and provide the attribute claim names and Metadata URL (or .XML file).
Step 3: Enter the "Identifier (Entity ID)"
- Support will provide you with an Identifier (Entity ID)
- Back in Microsoft Entra under Basic SAML Configuration set the Identifier (Entity ID) to the provided URL. The URL will start with "https://access.broadcom.com/default/idp/"
Step 4: Confirm With Support When you're Ready
- Once you're ready to utilize SAML, confirm with Support.
- Support will activate the SAML, at which point you can confirm the login is working as expected.
Additional Information
- Do not enable the "Verification certificates (optional) setting.This will break the SAML login and is not required.
- IDP initiated login is not supported. Login must be initiated via the Carbon Black Cloud console URL.
- Carbon Black Cloud AuthHub Migration FAQ
- Login fails using SAML Tile
- Redirected Back to Console
- Account has been suspended message after login
Feedback
Yes
No
Powered by
