VIP (Validation ID Protection)


  • 1.  Does ShareID works in VIP ?

    Posted Dec 09, 2025 10:13 PM

    Hi All,

    Firstly, the customer wants to integrate their BeyondTrust (SP) with Symantec VIP (IdP) using the SAML protocol. VIP will use Enterprise Gateway to talk to their AD servers. For the 2nd factor, VIP Push Authentication or VIP OTP will be used.

    In their BeyondTrust system, they have a shared ID (username & password are shared) that is used by 3 users (2 users on Android mobile, 1 on Apple mobile).

    1. Firstly, does VIP support registration of multiple devices under 1 ID?
    2. Will Push authentication work on both Android and Apple mobile phones?

    regards,

    William



    -------------------------------------------


  • 2.  RE: Does ShareID works in VIP ?

    Broadcom Employee
    Posted Dec 10, 2025 09:22 AM
    Edited by Andreas Horlacher Dec 10, 2025 09:32 AM

    See Maren's response below.



  • 3.  RE: Does ShareID works in VIP ?

    Posted Dec 11, 2025 08:27 PM
    Edited by William Cheang Dec 11, 2025 08:29 PM
    Hi Andreas & Maren,
    Thanks for the reply on shareID; I have no further questions on shareID.

    Since you mentioned that VIP would provide MFA as the 2nd factor for BeyondTrust (via SAML):

    I would like to clarify: can we also configure VIP to be the IdP (to handle 1st and 2nd factor auth)? For the 1st factor (AD username + AD password), then the 2nd factor VIP Push/OTP. We will have VIP EGW integrate with the customer's AD servers.
     
    regards,
    William




  • 4.  RE: Does ShareID works in VIP ?

    Broadcom Employee
    Posted Dec 12, 2025 09:12 AM

    Hi William,

    There are two technologies at play, here.  For VIP Login, that is a SAML flow and VIP Enterprise Gateway isn't involved.  With VIP Login, it is possible to configure VIP to verify VIP PIN (1st factor) and VIP would also handle the second factor.  With this option, there is no verification that the user is an AD user - it just has to be in this VIP tenant already.  For the integration, BeyondTrust or perhaps an SSO would need to prompt the user (paint the UI and ask for username and password), validate the username and password and handle this task, and then either the SSO passes session to BeyondTrust and BeyondTrust performs step-up authentication with SAML (less common) or the SSO is configured for SAML for step-up authentication with Symantec VIP (more common).

    With VIP Enterprise Gateway, it can be tied to an LDAP server (AD) to verify that the user is in AD, or in a particular group, or even other LDAP-queryable configurations as well.  VIP Enterprise Gateway will dutifully check the AD password before sending the (now verified AD username) and the VIP factor up to Symantec VIP for validation (Push, OTP, OOB, etc.)  For this to work with BeyondTrust, BeyondTrust would need to support RADIUS.  If they support RADIUS in PAP-mode (one of the most common integration methods), then it should work.

    Does that help?

    - Maren

    -------------------------------------------
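The RADIUS PAP-mode path Maren describes (BeyondTrust as RADIUS client, VIP Enterprise Gateway checking the AD password before anything goes upstream) is shown below as an added example. This is constructed illustration code, not Broadcom, VIP or BeyondTrust code: the client packs the username and password into an RFC 2865 Access-Request, and the gateway side unpacks it and checks the first factor against a made-up directory. The shared secret, user, password and the in-memory directory are all assumptions; forwarding the verified username plus the VIP factor to Symantec VIP is out of scope.

```python
"""Constructed example of a RADIUS PAP-mode Access-Request (RFC 2865).

Not Broadcom, VIP or BeyondTrust code. The client side stands in for
BeyondTrust; the gateway side stands in for VIP Enterprise Gateway, which
checks the AD credentials before it would forward the verified username and
the VIP factor upstream. Secret, users and passwords are made up.
"""
import hashlib
import os
import struct

ACCESS_REQUEST = 1       # RADIUS Code for Access-Request (RFC 2865 s.4.1)
ATTR_USER_NAME = 1       # User-Name attribute type
ATTR_USER_PASSWORD = 2   # User-Password attribute type


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s.5.2: pad to 16-octet blocks, then XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("RFC 2865 limits User-Password to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:
        padded = b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def decode_user_password(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encode_user_password; trailing NUL padding is stripped
    (passwords cannot contain NUL, so this is lossless)."""
    if not encoded or len(encoded) % 16:
        raise ValueError("encoded User-Password must be 1..8 blocks of 16 octets")
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        block = encoded[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type | Length (incl. header) | Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, username: str, password: str,
                         secret: bytes, authenticator: bytes = b"") -> bytes:
    """Client side: Code | Identifier | Length | Request Authenticator | attributes."""
    authenticator = authenticator or os.urandom(16)   # must be unpredictable per request
    attrs = _attr(ATTR_USER_NAME, username.encode()) + _attr(
        ATTR_USER_PASSWORD, encode_user_password(password.encode(), secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_access_request(packet: bytes, secret: bytes) -> tuple:
    """Gateway side: validate framing, walk the TLV attributes, recover the PAP password."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    authenticator, attrs, pos = packet[4:20], {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    username = attrs[ATTR_USER_NAME].decode()
    password = decode_user_password(attrs[ATTR_USER_PASSWORD], secret, authenticator).decode()
    return username, password


# Constructed stand-in for the gateway's LDAP bind against AD.
_DIRECTORY = {"alice": "Passw0rd!"}


def gateway_first_factor_ok(packet: bytes, secret: bytes) -> bool:
    """True only if the AD credentials inside the request are valid; the VIP
    factor would be forwarded upstream only after this succeeds."""
    try:
        username, password = parse_access_request(packet, secret)
    except (ValueError, KeyError, UnicodeDecodeError, struct.error):
        return False
    return _DIRECTORY.get(username) == password


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    pkt = build_access_request(7, "alice", "Passw0rd!", secret)
    print(gateway_first_factor_ok(pkt, secret))           # True
    print(gateway_first_factor_ok(pkt, b"wrong-secret"))  # False
```

The point worth noticing is in the last two calls: with the wrong shared secret the gateway cannot recover the password, so a PAP integration stands or falls on that secret and on the Request Authenticator being fresh per request.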



  • 5.  RE: Does ShareID works in VIP ?

    Posted Dec 14, 2025 08:17 PM
    Edited by William Cheang Dec 14, 2025 11:03 PM

    Hi Maren,

    The customer wants SAML integration with BeyondTrust. Since SAML is used, the IdP will be VIP (the SP will be BeyondTrust). When accessing the BeyondTrust portal and clicking the Login button, it will redirect to the VIP page to prompt for AD Username + AD Password (1st factor), and the 2nd factor is to be handled by VIP (Push or OTP). Based on what you have explained, this is NOT possible?
    For VIP, only RADIUS auth/integration can handle such a flow?

    In the techdoc on VIP Login, it mentions authenticating username & password, so this VIP username & password does NOT refer to the AD username & password?

    regards,

    William




  • 6.  RE: Does ShareID works in VIP ?

    Broadcom Employee
    Posted Dec 15, 2025 08:21 AM
    Hi William,

    If BeyondTrust (BT) can establish the user via LDAP: BT has a login screen
    that asks the user for their username and password and then checks this
    against LDAP, then SAML integration with Symantec VIP might work. That
    would mean that the user is established and then BT can form a SAML
    AuthNRequest with the username inside it. We would receive that and handle
    the MFA part and redirect back to BT for the user's access. That looks
    like this: User visits BT page, gets login page, user provides LDAP user +
    LDAP pass, BT checks these via LDAP, (on success) BT redirects to VIP where
    user completes MFA, VIP redirects user back to BT.

    If BT doesn't have a login screen, but redirects the *initial* user
    experience to VIP (before a user has been established), then it likely
    won't work - the SAML AuthNRequest won't have an established username
    (anyone could ... and probably would claim to be that user if there was a
    way to inject that into a form at BT). The difference depends on the UI
    and who handles the password. While this won't work, that would look like:

    User browses to BT, gets redirected to VIP, user types LDAP user + LDAP
    pass in -> VIP can't do anything with these.

    It sounds like BT has a SAML configuration...but does it have one that
    handles just the MFA part (and it handles LDAP for the user + password
    part)?
    I hope this helps!

    Maren Peasley
    Solutions Engineer
    IMS Division | Broadcom
    Maren.Peasley@broadcom.com
    LinkedIn: https://www.linkedin.com/in/marenpeasley
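The SP-side logic behind the "might work" flow in the post above (and the same flow sketched in Maren's first reply: BT establishes the user, then forms the AuthnRequest with the username in it) is shown below as an added example. It is constructed illustration code, not Broadcom, BeyondTrust or VIP code. The directory contents, entity ID and IdP URL are assumptions, and XML signature validation of the IdP response, which a real SP must perform, is left out so the binding checks stand on their own: no AuthnRequest is built until the first factor passes, and the MFA result is accepted only if it answers the outstanding request and names the same user the SP already verified.

```python
"""Constructed example (not Broadcom, BeyondTrust or VIP code) of the SP side
of the SAML step-up flow: SP verifies user + password via LDAP, then sends an
AuthnRequest naming that user, then binds the IdP's MFA answer back to it.
Directory, entity IDs and URLs are made up; response signature validation
(mandatory in a real SP) is omitted.
"""
import secrets
import xml.etree.ElementTree as ET

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed stand-in for the SP's LDAP bind; real deployments bind to AD.
_DIRECTORY = {"alice": "correct horse battery staple"}


def first_factor_ok(username: str, password: str) -> bool:
    return _DIRECTORY.get(username) == password


def build_authn_request(username: str, sp_entity_id: str, idp_sso_url: str):
    """AuthnRequest whose Subject carries the already-verified username."""
    request_id = "_" + secrets.token_hex(16)
    root = ET.Element(f"{{{NS_SAMLP}}}AuthnRequest",
                      {"ID": request_id, "Version": "2.0", "Destination": idp_sso_url})
    ET.SubElement(root, f"{{{NS_SAML}}}Issuer").text = sp_entity_id
    subject = ET.SubElement(root, f"{{{NS_SAML}}}Subject")
    ET.SubElement(subject, f"{{{NS_SAML}}}NameID").text = username
    return request_id, ET.tostring(root, encoding="unicode")


def start_login(username: str, password: str, sp_entity_id: str, idp_sso_url: str):
    """Step 1: no AuthnRequest is ever formed for an unverified user.
    Returns None on first-factor failure, else (session, authn_request_xml)."""
    if not first_factor_ok(username, password):
        return None
    request_id, xml = build_authn_request(username, sp_entity_id, idp_sso_url)
    session = {"user": username, "pending_request": request_id, "mfa_done": False}
    return session, xml


def verify_mfa_response(session: dict, response_xml: str) -> bool:
    """Step 2: accept the IdP's answer only for this session's user and request."""
    try:
        root = ET.fromstring(response_xml)
    except ET.ParseError:
        return False
    if root.tag != f"{{{NS_SAMLP}}}Response":
        return False
    pending = session.get("pending_request")
    if pending is None or root.get("InResponseTo") != pending:
        return False
    name_id = root.find(f"{{{NS_SAML}}}Assertion/{{{NS_SAML}}}Subject/{{{NS_SAML}}}NameID")
    if name_id is None or name_id.text != session["user"]:
        return False
    session["pending_request"] = None   # one-time use: the same response cannot be replayed
    session["mfa_done"] = True
    return True


def constructed_idp_response(request_id: str, username: str) -> str:
    """Stand-in for what the IdP sends back after MFA (unsigned; test data only)."""
    root = ET.Element(f"{{{NS_SAMLP}}}Response", {"InResponseTo": request_id, "Version": "2.0"})
    assertion = ET.SubElement(root, f"{{{NS_SAML}}}Assertion")
    subject = ET.SubElement(assertion, f"{{{NS_SAML}}}Subject")
    ET.SubElement(subject, f"{{{NS_SAML}}}NameID").text = username
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    started = start_login("alice", "correct horse battery staple",
                          "https://sp.example/metadata", "https://idp.example/sso")
    session, request_xml = started
    print(request_xml)
    print(verify_mfa_response(session, constructed_idp_response(session["pending_request"], "alice")))
```

The second flow in the post (user redirected to VIP before anyone has checked a password) has no place in this code path at all: `start_login` returns `None` and no request leaves the SP, which is exactly why the IdP-only variant cannot be made to work by configuration on the VIP side.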




  • 7.  RE: Does ShareID works in VIP ?

    Posted Dec 17, 2025 06:08 PM

    Hi Maren,

    Thanks for your advice that the VIP (SaaS) Login SAML IdP only works with VIP username & VIP PIN.

    I would like to provide my feedback on this:

    • Where "VIP (SaaS) Login SAML IdP only works with VIP username & VIP PIN and does not support LDAP auth", it should be listed in the VIP Techdoc as a limitation (if the product team does not have a plan to enhance it).
    • It is common for other IAM products that the SAML IdP is able to support LDAP auth as the 1st factor. The VIP (SaaS) Login IdP should be enhanced to support LDAP authentication, since the MyVIP IdP (on EG) & Self Service IdP (on EG) are able to support LDAP authentication.
    • With the above enhancement (VIP Login SAML IdP supporting LDAP auth), if the customer is looking for a simple IAM solution with a SAML IdP, then VIP (SaaS) is a good fit; else, if the customer wants a more complex IAM, then we can suggest VIP AuthHub.

    just my 2 cents...

    regards,

    William

     

    -------------------------------------------



  • 8.  RE: Does ShareID works in VIP ?

    Broadcom Employee
    Posted Dec 18, 2025 04:00 PM
    Hi William,

    Thank you for the feedback! About the second point - while VIP doesn't do
    this, two of our other products (SiteMinder and Identity Security Platform)
    do. I don't think VIP will get an enhancement to cover this.

    Maren Peasley
    Solutions Engineer
    IMS Division | Broadcom
    Maren.Peasley@broadcom.com
    LinkedIn: https://www.linkedin.com/in/marenpeasley







  • 9.  RE: Does ShareID works in VIP ?

    Broadcom Employee
    Posted Dec 10, 2025 09:31 AM

    Hi William,

    VIP supports SAML, so it might be usable with BeyondTrust: BeyondTrust will need to handle the user context (usually username and password validation) so that BeyondTrust generates the SAML AuthNRequest to send to VIP.  In this setup, VIP Enterprise Gateway is not inline for authentication, and authentication looks like this:

    user's computer -> BeyondTrust

    user's computer -> Symantec VIP

    As for the questions: Symantec VIP supports up to 5 credentials per user id.  VIP Push authentication works on both Android and Apple platforms.  In fact, there are some additional options with Push that might be worth investigating: Number Challenge and Location context.  Both of these are configured in VIP Manager under Policies -> Account -> Mobile Push Authentication Policy:

    Additionally (and new) is the possibility of changing the text that displays in the VIP Push (as customized above).  On the credential, it looks like this:

    While we don't have a specific integration guide for BeyondTrust, our general documentation around VIP Login (our SAML authentication feature) may be helpful in this process:

    https://techdocs.broadcom.com/content/dam/broadcom/techdocs/us/en/dita/symantec-security-software/identity-security-authentication/vip/generated-pdfs/VIP_Login.pdf

    I hope this helps!

    - Maren

    -------------------------------------------