
Passing the Tenant Admin Role from Okta to Netskope

  • November 27, 2025

pmiglani
Netskope Employee

Goal: Create a guide on how to pass the Tenant Admin role from Okta to Netskope.

Example: When logging in to Netskope Admin Console through Okta, different roles should be passed as per the requirement of the flow.

Information coming from Partner: The administrator should be able to configure different roles for different members as per the requirement definition.

Limitations: For a single Okta application, only 1 SSO can be configured in Netskope. To pass different roles, we therefore need either multiple groups or a single application with a defined role.

Key Concepts:

Netskope Tenant - The admin should have local tenant admin account access to the Netskope tenant so that they can create custom roles / see the predefined roles during first-time configuration.

Workflow:

This can be solved using 2 methods.

Method 1 - Using Group Attributes

In this method you can create multiple groups. Just remember that the group name should be the same as the Predefined role / Custom role configured in the Netskope Tenant.

Steps:

1 - Sign into the admin console of the Okta application.

2 - Go to Directory => Group

3 - Click on Add Group

4 - Enter the Group name as “Tenant Admin” and add the description. Description is optional.

5 - Once the Group is created, click on the newly created group. Click on application and then click on Assign Application. Assign the required applications and assign the users to that group.

6 - After that, assign the users to the group by clicking on people and then assign people.

7 - Once you click on Assign people, a new screen will appear and then search for the respective user.

8 - Once you have searched for the user, click on the + icon to add the user to the group and then click on Done.

9 - Once they log in, they will be able to access the Admin console with the Tenant Admin role and they will be able to create service accounts / invite / create roles.

You can verify it by following the steps below:

  1. Sign in to the User Netskope Application. You will see the list of the applications assigned to that particular user.
  2. Click on the application and it will be opened in a new tab. After that click on settings.
  3. After that click on Administration.
  4. After that click on Administrator and Roles.
  5. After that click on Role. (It will be blank if you are not a tenant administrator.)
  6. You will be able to see the role in which you are logged in.

Method 2 - Using SCIM Attributes

In this method you can define the admin role in the SCIM attribute of the application. Just remember that the group name should be the same as the Predefined role / Custom role configured in the Netskope Tenant. Also, in this method you will be passing the role defined in the SCIM attribute so you cannot pass multiple roles.

In the previous method, you can pass multiple roles by creating multiple groups.

Steps:

1 - Sign into the admin console of the Okta application.

2 - Go to Directory => Applications => Applications

3 - From the list of the applications, select the desired application and click on it. 

4 - Click on Sign on

5 - After that click on the edit button to edit the SAML Attributes.

6 - After that add the custom / predefined role in the Configured SAML attributes section. Select the dropdown as equals.

Conclusion:

Once it is configured, you will be able to access the tenant according to the role that is passed.
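
Both methods depend on the value passed from Okta being the same as a role name configured in the Netskope tenant. The following is an added example, not part of the original post and not Netskope or Okta code: it checks the role values in a decoded SAML AttributeStatement from a test login against the tenant's role list. The attribute name `admin-role`, the role `SOC Read Only` and the sample assertion are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTRIBUTE = "admin-role"  # assumption: the page does not name the attribute
# Role names as configured in the tenant. "Tenant Admin" is from the page,
# "SOC Read Only" is a constructed custom role.
TENANT_ROLES = {"Tenant Admin", "SOC Read Only"}

# Constructed sample: AttributeStatement of a decoded assertion from a test login.
SAMPLE = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="admin-role">
    <saml:AttributeValue>tenant admin </saml:AttributeValue>
    <saml:AttributeValue>SOC Read Only</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""


def roles_in_assertion(xml_text, attribute=ROLE_ATTRIBUTE):
    """Return every value of the role attribute, untrimmed, in document order."""
    root = ET.fromstring(xml_text)
    values = []
    for attr in root.iter("{%s}Attribute" % NS["saml"]):
        if attr.get("Name") == attribute:
            values += [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return values


def check_roles(values, tenant_roles=TENANT_ROLES):
    """Classify each value as an exact match, a near miss, or an unknown role."""
    normalized = {r.strip().casefold(): r for r in tenant_roles}
    findings = []
    for value in values:
        key = value.strip().casefold()
        if value in tenant_roles:
            findings.append((value, "ok", value))
        elif key in normalized:
            # Differs only by case or surrounding whitespace: likely a mistyped
            # group name or attribute value in Okta.
            findings.append((value, "near-miss", normalized[key]))
        else:
            findings.append((value, "unknown", None))
    return findings


if __name__ == "__main__":
    for value, status, match in check_roles(roles_in_assertion(SAMPLE)):
        hint = " (tenant role is %r)" % match if status == "near-miss" else ""
        print("%r: %s%s" % (value, status, hint))
```
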