
This article covers how to configure SCIM provisioning of users and groups from PingOne (Ping Identity) into Netskope.

 

SCIM Provisioning

 

 

Netskope supports provisioning of users and user groups from Ping Identity over SCIM. The Netskope SCIM app supports the following:

Push New Users: users created in Ping Identity are also created in Netskope.

Push Groups: groups created in Ping Identity are also created in Netskope.

Push Profile Updates: changes to a user's profile in Ping Identity are pushed to Netskope.

Push User Deletion: deleting a user in Ping Identity also deletes the user in Netskope.

Note that by default a user who is merely disabled in Ping Identity is deleted in Netskope, not deactivated, so a temporary suspension on the Ping side removes the user object on the Netskope side.

 

Configuration Steps

 

Configuration in Netskope

 

  1. Log in to your Netskope Admin Console.
  2. Select Settings in the lower left.
  3. Select Tools > REST API v2.
  4. Ensure REST API Status is enabled.


  5. Select New Token and enter an appropriate name.
  6. Select a token expiry duration. Choose the shortest expiration your team can reliably rotate against and record the date: once the token expires, every push from Ping Identity to Netskope fails until a new token is issued and pasted into the PingOne connection.
  7. Click the ADD ENDPOINT option and search for SCIM.

Select the /api/v2/scim/Users and /api/v2/scim/Groups endpoints.

Follow the principle of least privilege (PoLP): scope this token to the two SCIM endpoints only and do not add other REST API v2 endpoints to the same token. A token that leaks from the PingOne connection should then grant nothing beyond user and group provisioning.

Change the permissions of the two endpoints you just selected to Read+Write.

  8. When the Success window opens, copy the token to a safe place such as a secrets manager, not a ticket or chat message. The token cannot be retrieved later; if you lose it, you must issue a new one.


 

Configure Netskope SCIM Provisioning in Ping Identity


 

  1. Log in to the PingOne admin console.
  2. Navigate to Integrations > Provisioning
  3. Create a New Connection
  4. Select Identity Store
  5. Select SCIM Outbound and Next
  6. Provide an appropriate name and description and optionally upload a logo image


  7. Click Next.
  8. The SCIM Base URL should be https://<netskopetenantname>/api/v2/scim. For example, if your Netskope tenant is acme.goskope.com, the SCIM Base URL is https://acme.goskope.com/api/v2/scim.
  9. Set Authentication Method to OAuth 2 Bearer Token and paste the token copied from the Netskope tenant.
  10. Select Test Authentication; the result should be Connection Successful. If it fails, confirm that the token has not expired and that it is scoped with Read+Write to both SCIM endpoints.
  11. Select Next.
  12. Set User Identifier and User Filter Expression to the attribute you intend to identify users by. PingOne uses this filter to look up an existing user in Netskope before creating or updating it, so it must agree with the userName mapping you choose later in the provisioning rule.
  13. Select the appropriate option for Group Membership Handling (see the PingOne documentation for the available options).
  14. Enable the actions the SCIM connection should perform. By default a user disabled in Ping Identity is deleted in Netskope; if you expect disabled users to remain in Netskope, review the deprovisioning actions here before enabling the connection.
  15. Enable the SCIM Connection.

Configuring Outbound Group Provisioning Rule

  1. Go to Integrations → Provisioning.
  2. On the Rules tab, Add a New Rule.
  3. Add an appropriate name and description and create the rule.
  4. Select the Plus sign next to the Netskope SCIM Provisioning Connection.
  5. Click Save.
  6. On the Configuration tab, click Group Provisioning.
  7. To add groups, click Add Groups.


  8. To search groups, enter a group name in the Search Group Name field.
  9. To view provisioned groups, click Selected groups.
  10. Click Save.
  11. If a group with the same name already exists on the target, PingOne asks whether to merge or overwrite its memberships. Tick I understand and want to continue in the Merge Group Memberships or Overwrite Group Memberships modal to accept; check which groups already exist in Netskope before choosing Overwrite, since it replaces their current membership.
  12. Click User Filter.
  13. Create an appropriate User Filter (see the PingOne documentation on user filtering rules).
  14. Click Attribute Mapping, then the pencil icon to edit.
  15. If deploying the Netskope Client in IDP mode, ensure the primary email address is mapped to the Netskope workEmail attribute.
  16. If deploying the Netskope Client in UPN mode (Active Directory joined machines), ensure the User Principal Name is mapped to the Netskope userName attribute.
  17. Enable the rule.
  18. Ensure users and groups are provisioned with no errors.
  19. Log in to the Netskope Admin Console.
  20. Validate that users and groups were provisioned under Settings > Security Cloud Platform > Users and Settings > Security Cloud Platform > Groups.
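As an added worked check (this is not Netskope or Ping Identity code), the following Python script exercises the parts of the procedure above that are easiest to get wrong: it derives the SCIM Base URL from the tenant name, verifies the scoped token against both SCIM endpoints before the connection is enabled, shapes a SCIM User the way the IDP-mode (workEmail) and UPN-mode (userName) mappings require, and looks the user up with a quoted and escaped SCIM filter of the kind the User Filter Expression issues. The environment variable names, the helper names and the sample identity are assumptions; the endpoints, the Bearer authentication method and the mapping rules are the ones the article describes.

```python
"""Smoke-test a Netskope SCIM token and the PingOne -> Netskope attribute mapping.

Added example, not Netskope or Ping Identity code. Assumed environment:
  NETSKOPE_TENANT      tenant host, e.g. acme.goskope.com
  NETSKOPE_SCIM_TOKEN  REST API v2 token scoped to /api/v2/scim/Users and /Groups
The helper names and the sample identity below are constructed for illustration.
"""
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"


def scim_base_url(tenant: str) -> str:
    """Normalise a tenant name or URL into https://<tenant>/api/v2/scim."""
    host = tenant.strip().lower()
    for prefix in ("https://", "http://"):
        if host.startswith(prefix):
            host = host[len(prefix):]
    host = host.split("/", 1)[0]
    if not host:
        raise ValueError("tenant host is empty")
    return f"https://{host}/api/v2/scim"


def scim_filter_eq(attribute: str, value: str) -> str:
    """Build a SCIM 'eq' filter; escape backslashes and quotes so a value
    cannot break out of the string literal and change the filter."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'{attribute} eq "{escaped}"'


def build_user(identity: dict, mode: str) -> dict:
    """Shape a SCIM User the way the provisioning rule mapping should:
    'idp' -> primary email is the identifier and lands in emails[type=work]
             (the Netskope workEmail attribute);
    'upn' -> the User Principal Name becomes userName (AD-joined machines)."""
    if mode == "idp":
        user_name = identity["email"]
    elif mode == "upn":
        user_name = identity["upn"]
    else:
        raise ValueError(f"unknown Netskope Client mode: {mode!r}")
    return {
        "schemas": [SCIM_USER_SCHEMA],
        "userName": user_name,
        "name": {"givenName": identity["given"], "familyName": identity["family"]},
        "emails": [{"value": identity["email"], "type": "work", "primary": True}],
        "active": identity.get("active", True),
    }


def mapping_problems(user: dict, mode: str) -> list:
    """Return the mapping defects that break Netskope Client enrollment."""
    problems = []
    work = [e for e in user.get("emails", []) if e.get("type") == "work" and e.get("value")]
    if mode == "idp" and not work:
        problems.append("IDP mode: no emails[type=work] value (Netskope workEmail)")
    if mode == "upn" and "@" not in user.get("userName", ""):
        problems.append("UPN mode: userName is not a user@domain UPN")
    return problems


def scim_call(base, token, method, path, body=None, query=None):
    """One Bearer-authenticated SCIM request; returns (status, parsed JSON or None)."""
    url = base + path + ("?" + urllib.parse.urlencode(query) if query else "")
    data = json.dumps(body).encode() if body is not None else None
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    if data:
        headers["Content-Type"] = "application/json"
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=20) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as err:
        return err.code, None


def main():
    base = scim_base_url(os.environ["NETSKOPE_TENANT"])
    token = os.environ["NETSKOPE_SCIM_TOKEN"]
    # 1. Token check against both scoped endpoints before wiring it into PingOne.
    for path in ("/Users", "/Groups"):
        status, _ = scim_call(base, token, "GET", path, query={"count": 1})
        if status != 200:
            sys.exit(f"{base}{path} returned HTTP {status}: check token scope/expiry")
    # 2. Mapping check on a constructed identity, then look it up the way the
    #    User Filter Expression does once the rule has provisioned it.
    sample = {"email": "jane.doe@example.com", "upn": "jdoe@corp.example",
              "given": "Jane", "family": "Doe"}  # constructed sample identity
    mode = sys.argv[1] if len(sys.argv) > 1 else "idp"
    user = build_user(sample, mode)
    for problem in mapping_problems(user, mode):
        print("mapping problem:", problem)
    status, result = scim_call(base, token, "GET", "/Users",
                               query={"filter": scim_filter_eq("userName", user["userName"])})
    found = result.get("totalResults", 0) if status == 200 and result else 0
    print(f"{user['userName']}: HTTP {status}, {found} matching user(s) in Netskope")


if __name__ == "__main__":
    main()
```

Run it as `NETSKOPE_TENANT=acme.goskope.com NETSKOPE_SCIM_TOKEN=... python3 scim_check.py upn` (or `idp`) after the rule is enabled. A non-200 on either endpoint points at token scope or expiry; zero matches for a user that PingOne reports as provisioned points at the identifier or attribute mapping rather than at the connection.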

 

Deploying the Netskope Client in IDP Mode with PingOne

 

How to Configure SAML 2.0 for the Netskope Client Enrollment with PingOne
