Netskope Tools Directory Importer to SCIM Migration Process

  • 27 June 2023
  • 0 replies

Userlevel 4
Badge +16

Users are provisioned in three different methods within the tenant-manually adding them, Netskope Tools Directory Importer, or via System for Cross-domain Identity Management (SCIM).  SCIM is an open standard designed to manage user identity information.  It is possible to use all three methods to provision users to the tenant.  However, it is recommended that only one method be used to avoid confusion.


As more and more resources migrate to the cloud, it makes sense to use an Identity Provider (IDP) which resides in the cloud as well.  SCIM provides a defined schema for representing users and groups, and a RESTful API to run CRUD operations on those user and group resources.


This guide provides administrators the ability to migrate from the Netskope Tools Director Importer to SCIM, regardless of the service provider such as Okta or Ping.


Netskope Tools Directory Importer

  • Netskope Tools Directory Importer is installed, running, and on the latest version of code.

  • Users and groups confirmed to be synced to the tenant.

  • Backup of the folders and files located at C:UsersPublic etskope

  • Confirm user attributes used, found at C:Program
    FilesNetskopeNSAdaptersADImporter sADImporterConfig.json if installed using the default settings.


SCIM Resource

  • SCIM application initially setup and connected to the tenant, do not provision users or push groups yet.

  • Confirm user attributes to be used.


Tenant Settings

Review each setting area below to note the users and organization units used.  These will need to be reconfigured after migrating from OU’s to groups.


  • Users
    https://<tenant name>

  • Client Configurations
    https://<tenant name>

  • Groups
    https://<tenant name>

  • Steering Configurations
    https://<tenant name>

  • Policies
    • SSL Decryption
      https://<tenant name>

    • Real-time Protection
      https://<tenant name>.com/ns#/inline-policy-page

    • API-enabled Protection
      https://<tenant name>

    • Endpoint Protection
      https://<tenant name>

    • Behavior Analytics
      https://<tenant name>


NOTE: Steering and client configurations will be the default tenant config until everything is mapped when using SCIM after the migration to SCIM.


  1. Open a ticket with Netskope support to coordinate the migration with backend engineering.

  2. Verify users and groups being provisioned using Netskope Tools Directory Importer and those in the SCIM resource, ie Okta, are the same.

  3. Delete the users and groups from the Directory Importer with a LDAP filter query using a dummy query like

    When the dummy query is sent to Netskope, using ADImporter, we will send delete requests for all users and groups, this will mark the users as deleted; however, we will not delete user records from the backend.  By not deleting the user records, we retain the user certificates and corresponding userkeys.

    The userkey is found in the file nsconfig.json on the user’s machine, for reference. 

  4. Provision users and push groups within the SCIM resource.

    When pushing groups, they may be created as “new” if the naming format of a group is different in SCIM than Netskope Tools Directory Importer.

  5. Confirm user and group associations in the tenant UI and databases.

  6. Reassociate client configurations, steering configurations, and policies in the tenant UI.

  7. Confirm client functionality for CASB, SWG, DLP, and CFW policies. 


Using SCIM at a cloud provider will provide an easier method to administer users or groups since it is not dependent on a tool which connects to directory services, wherever they may reside.


Netskope Support


Please reach out if there are issues the migration as additional actions might need to be done if all of the users and/or groups are not removed from the UI.

0 replies

Be the first to reply!