This article covers how to set up SCIM provisioning from PingOne to Netskope.
SCIM Provisioning
Netskope supports provisioning of users and user groups authenticated via Ping Identity. The Netskope SCIM app supports the following:
- Push New Users: New users created through Ping Identity will also be created in Netskope.
- Push Groups: Groups created through Ping Identity will also be created in Netskope.
- Push Profile Updates: Updates made to a user's profile through Ping Identity will also be pushed to Netskope.
- Push User Deletion: Deleting a user in Ping Identity will also delete the user in Netskope.
By default, a user disabled in Ping Identity will be deleted in Netskope.
Configuration Steps
Configuration in Netskope
- Login into your Netskope Admin Console.
- Select Settings in the lower left.
- Select Tools > REST API v2.
- Ensure REST API Status is enabled.
- Select New Token and enter an appropriate name.
- Select a token expiry duration. To keep the SCIM integration between Ping Identity and Netskope both secure and reliable, choose an expiration period that is short enough to limit exposure if the token leaks but long enough that provisioning does not silently stop when it expires.
- Click the ADD ENDPOINT option and search for SCIM.
  - Select the /api/v2/scim/Users and /api/v2/scim/Groups URLs.
  - Follow the principle of least privilege (PoLP): scope this token only to the two SCIM endpoints above and do not combine it with other endpoints.
  - Modify the permissions of the two selected endpoints to Read+Write.
- When the Success window opens, copy the token to a safe place. The token cannot be retrieved later; if you lose it, you must issue a new token.
Configure Netskope SCIM Provisioning in Ping Identity
- Login to the Ping Identity Console.
- Navigate to Integrations > Provisioning
- Create a New Connection
- Select Identity Store
- Select SCIM Outbound and Next
- Provide an appropriate name and description and optionally upload a logo image
- Click Next
- The SCIM Base URL should be https://<netskopetenantname>/api/v2/scim. For example, if your Netskope tenant is acme.goskope.com, the SCIM Base URL should be: https://acme.goskope.com/api/v2/scim
- Authentication Method should be OAuth 2 Bearer Token; paste the token copied from the Netskope tenant.
- Select Test Authentication and the result should be Connection Successful
- Select Next
- Change User Identifier and User Filter Expression to match your desired identifier.
- Select the appropriate option for Group Membership Handling, information on Group Membership Handling can be found here.
- Enable the appropriate actions the SCIM Connection should perform. By default, a user disabled in Ping Identity will be deleted in Netskope.
- Enable the SCIM Connection
Configuring Outbound Group Provisioning Rule
- Go to Integrations → Provisioning.
- On the Rules tab, Add a New Rule.
- Add an appropriate name and description and create the rule.
- Select the Plus sign next to the Netskope SCIM Provisioning Connection.
- Click Save.
- On the Configuration tab, click Group Provisioning.
- To add groups, click Add Groups.
- To search groups, enter a group name in the Search Group Name field.
- To view provisioned groups, click Selected groups.
- Click Save
- To accept a merge or overwrite memberships when a group with the same name exists on the target, click the checkbox next to I understand and want to continue, in the Merge Group Memberships or Overwrite Group Memberships modal.
- Click User Filter
- Create an appropriate User Filter. More on User Filtering rules can be found here.
- Click Attribute Mapping and the pencil icon to edit
- If deploying the Netskope Client in IDP Mode, ensure the primary email address is mapped to the workEmail Netskope Attribute. See an example below:
- If deploying the Netskope client in UPN mode (Active Directory Joined Machines) ensure the User Principal Name is mapped to the userName Netskope Attribute.
- Enable the Rule
- Ensure Users and Groups are provisioned with no errors
- Login to the Netskope Admin console
- Validate users/groups are provisioned from Settings > Security Cloud Platform > Users and Settings > Security Cloud Platform > Groups
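Two of the steps above are worth verifying with something other than the console: that the REST API v2 token is really scoped to just the two SCIM endpoints (the least-privilege point in the Netskope token steps), and that users and groups arrived with the attribute the Netskope Client mode needs (work email for IDP mode, UPN in userName for UPN mode). The following checker is an added example, not code from the original article or from Netskope or Ping. It assumes standard SCIM 2.0 responses (a `Resources` list, `userName`, and an `emails` list with a `work` entry), treats the article's "workEmail" attribute as that work-type email entry (an assumption, not documented on the page), and uses a hypothetical non-SCIM path for the negative scope check. A constructed fake transport stands in for a tenant so it runs offline; swap in `urllib_transport` to run it against a live tenant.

```python
"""Added example: post-setup checks for PingOne -> Netskope SCIM provisioning."""
import json
import re
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable
from urllib.parse import urlsplit

# Transport signature: (method, url, headers) -> (http_status, body_text)
Transport = Callable[[str, str, dict], tuple[int, str]]


def scim_base_url(tenant_host: str) -> str:
    """Build the SCIM Base URL the way the article specifies: https://<tenant>/api/v2/scim."""
    host = tenant_host.strip().lower().removeprefix("https://").rstrip("/")
    if not re.fullmatch(r"[a-z0-9.-]+", host):
        raise ValueError(f"tenant hostname does not look valid: {tenant_host!r}")
    return f"https://{host}/api/v2/scim"


def urllib_transport(method: str, url: str, headers: dict) -> tuple[int, str]:
    """Real HTTP transport for use against a live tenant (not used by the offline demo)."""
    req = urllib.request.Request(url, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


@dataclass
class ScimChecker:
    base_url: str
    token: str  # the REST API v2 token copied from the Netskope Success window
    transport: Transport = urllib_transport

    def _get(self, url: str) -> tuple[int, str]:
        # OAuth 2 bearer token, the authentication method selected in PingOne
        headers = {"Authorization": f"Bearer {self.token}", "Accept": "application/scim+json"}
        return self.transport("GET", url, headers)

    def check_token_scope(self, unrelated_endpoint: str) -> dict:
        """Least-privilege check: accepted on /Users and /Groups, rejected elsewhere."""
        users_status, _ = self._get(f"{self.base_url}/Users?count=1")
        groups_status, _ = self._get(f"{self.base_url}/Groups?count=1")
        other_status, _ = self._get(unrelated_endpoint)
        return {
            "users_ok": users_status == 200,
            "groups_ok": groups_status == 200,
            "over_scoped": other_status == 200,  # True means the token does more than SCIM
        }

    def fetch_resources(self, kind: str) -> list:
        """Return the SCIM Resources list for 'Users' or 'Groups'."""
        status, body = self._get(f"{self.base_url}/{kind}")
        if status != 200:
            raise RuntimeError(f"{kind}: HTTP {status}")
        return json.loads(body).get("Resources", [])


def user_ready_for_client(user: dict, mode: str) -> bool:
    """Does this provisioned user carry the attribute the chosen Netskope Client mode needs?"""
    if mode == "idp":
        # Assumption: the article's "workEmail" maps to the work-type entry in SCIM 'emails'.
        return any(e.get("type") == "work" and e.get("value") for e in user.get("emails", []))
    if mode == "upn":
        # Heuristic: a UPN has the shape user@domain, unlike a bare sAMAccountName.
        return bool(re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", user.get("userName", "")))
    raise ValueError("mode must be 'idp' or 'upn'")


# Constructed sample data standing in for a tenant so the example runs offline.
SAMPLE = {
    "/api/v2/scim/Users": {"Resources": [
        {"userName": "alice@example.com",
         "emails": [{"type": "work", "value": "alice@example.com", "primary": True}]},
        {"userName": "bob", "emails": []},  # missing work email and not a UPN
    ]},
    "/api/v2/scim/Groups": {"Resources": [{"displayName": "Finance"}]},
}


def fake_transport(method: str, url: str, headers: dict) -> tuple[int, str]:
    """Constructed stand-in: the only valid token is scoped to the two SCIM endpoints."""
    if headers.get("Authorization") != "Bearer scim-only-token":
        return 401, '{"detail": "unauthorized"}'
    path = urlsplit(url).path
    if path in SAMPLE:
        return 200, json.dumps(SAMPLE[path])
    return 403, '{"detail": "token not scoped to this endpoint"}'


def run_offline_demo() -> dict:
    checker = ScimChecker(scim_base_url("acme.goskope.com"), "scim-only-token", fake_transport)
    scope = checker.check_token_scope("https://acme.goskope.com/api/v2/hypothetical/other")
    users = checker.fetch_resources("Users")
    return {
        "scope": scope,
        "idp_ready": [u["userName"] for u in users if user_ready_for_client(u, "idp")],
        "upn_ready": [u["userName"] for u in users if user_ready_for_client(u, "upn")],
        "groups": len(checker.fetch_resources("Groups")),
    }


if __name__ == "__main__":
    print(json.dumps(run_offline_demo(), indent=2))
```

Against a live tenant, `over_scoped` should come back False; if it is True, the token was consolidated with other endpoints and should be reissued with only the two SCIM URLs selected. A user that is not `idp_ready` or `upn_ready` points at the attribute mapping step in the rule rather than at the connection itself.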