I am facing an issue while integrating Netskope application with an Identity Provider.
If I understand correctly, Netskope looks for “admin-role” as a return attribute, which must carry a role value that is already defined in the Netskope Tenant UI.
Scenario 1:
There are 2 groups at the IDP end:
Basic Test: Present in the IDP, but a role with the same name is not defined in Netskope
Tenant Admin: Present in the IDP, and a role with the same name is defined in Netskope
The user is part of both of these groups. Now, when the user accesses the application, he/she will get an error stating:
Error Code: Authorization Error
Error: Invalid role 'Basic Test'
This is because Netskope checks whatever role is passed first by the IDP. It saw that Basic Test was the first role and immediately rejected it without looking further at the roles, even though Tenant Admin was also being passed.
Scenario 2:
There are 2 groups at the IDP end:
Yahoo: Present in the IDP, but a role with the same name is not defined in Netskope
Tenant Admin: Present in the IDP, and a role with the same name is defined in Netskope
The user is part of both of these groups. Now, when the user accesses the application, he/she will not get an error and will be able to get in.
This is because Netskope checks whatever role is passed first by the IDP. It saw that Tenant Admin was the first role and immediately granted access.
The key point here is that Netskope only checks the first role that is passed and ignores the rest, which is causing issues. In an ideal situation, we cannot control the flow so that only Netskope’s roles are passed first in order. Roles are only passed in alphabetical order.
Is this already a known issue with Netskope? What can be done to remediate this?
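As an added illustration (this is not Netskope's own code; the role-evaluation function is only a model of the behaviour described in the question above), the following Python builds a constructed SAML assertion carrying the admin-role attribute in alphabetical order and compares the first-value-only evaluation with an IdP-side filter that forwards only roles defined in the tenant. The defined-role set and the element layout are assumptions.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed set of roles defined in the Netskope Tenant UI (constructed for the example).
DEFINED_ROLES = {"Tenant Admin"}


def build_assertion(groups):
    """Construct a minimal SAML assertion whose admin-role attribute lists the groups."""
    vals = "".join(f"<saml:AttributeValue>{g}</saml:AttributeValue>" for g in groups)
    return (f'<saml:Assertion xmlns:saml="{SAML_NS["saml"]}">'
            f'<saml:AttributeStatement><saml:Attribute Name="admin-role">{vals}'
            f'</saml:Attribute></saml:AttributeStatement></saml:Assertion>')


def admin_role_values(assertion_xml):
    """Return the admin-role attribute values in the order the IdP sent them."""
    root = ET.fromstring(assertion_xml)
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if attr.get("Name") == "admin-role":
            return [v.text.strip() for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
    return []


def first_value_only(values, defined=DEFINED_ROLES):
    """Model of the behaviour described in the question: only the first value is examined.
    Returns the accepted role, or None when the first value is not a defined role."""
    if not values:
        return None
    return values[0] if values[0] in defined else None


def filter_to_defined(values, defined=DEFINED_ROLES):
    """IdP-side mitigation: strip values that are not Netskope roles before sending them."""
    return [v for v in values if v in defined]


def evaluate(groups):
    """Run both paths for a user's groups, passed in alphabetical order as the IdP would."""
    values = admin_role_values(build_assertion(sorted(groups)))
    return {"first_only": first_value_only(values),
            "filtered": first_value_only(filter_to_defined(values))}
```

Scenario 1 (Basic Test, Tenant Admin) is rejected on the unfiltered path and accepted once the IdP filters the attribute; Scenario 2 (Yahoo, Tenant Admin) is accepted on both paths only because Tenant Admin happens to sort first.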