Hello Everyone,
Hope All are doing well.
I have a query regarding SAML Forward Proxy Secure Enrollment.
We’ve successfully completed the integration of Netskope Forward Proxy with Microsoft Entra ID (SAML), and everything is functioning as expected.
Configuration Summary
- Microsoft Entra ID
  - Created Enterprise Application
  - Completed SCIM Provisioning
  - Verified user synchronization on Netskope
  - Configured Single Sign-On (SAML) for Netskope Forward Proxy
- Netskope
  - Configured SAML Forward Proxy and exchanged certificates successfully
  - Tested the configuration using the SAML Forward Proxy test button — validation completed successfully ✅

Client Enrollment Behavior
After deploying the Netskope Client agent, users are prompted to authenticate using Microsoft Entra ID credentials via SAML. During the enrollment process, however, the configuration download fails, displaying an Enrollment Error message.

To isolate the issue, we temporarily disabled Secure Enrollment under MDM Distribution. Upon retry, the client successfully enrolled, confirming that Secure Enrollment enforcement directly impacts the SAML-based client registration workflow.


Question for Discussion
We deploy the Netskope Client to all corporate devices through Intune, with Secure Enrollment Tokens enabled as required for managed endpoints. That part works exactly as expected.
For contractors on BYOD, we need them to authenticate through SAML Forward Proxy, so we fully integrated Netskope SAML‑FP with Microsoft Entra ID (SCIM, SSO, cert exchange, validation tests — all successful).
The challenge is that SAML‑based enrollment fails as long as Secure Enrollment is enabled. If we temporarily disable Secure Enrollment, contractors authenticate via SAML and enroll without any issues.
So the question is:
Do we really need to disable Secure Enrollment for contractors to enroll via SAML‑FP, then re‑enable it afterward, or is there a way to allow SAML enrollment for unmanaged/BYOD devices while keeping Secure Enrollment enforced for Intune‑managed devices?
Thanks.