Netskope Global Technical Success (GTS)
Netskope Client Enforcement Using OneLogin
Netskope Cloud Version - 122
Objective
This document outlines the steps required to configure Netskope client enforcement using OneLogin as the identity provider.
Context
Netskope client enforcement requires that end users have the Netskope client installed and actively connected to a Netskope tenant before they can reach SaaS applications through the identity provider (IdP).
With client enforcement enabled, end users can access the configured SaaS applications only while the Netskope client is enabled on their device. If the client is absent, disabled or disconnected, access to those SaaS applications is denied.
This document also walks through configuring a Netskope Client Enforcement application in OneLogin as a self-service option for end users to download and deploy the Netskope client.
Note: Refer to this link to learn more about Netskope client enforcement.
This document demonstrates the use of Netskope client enforcement with the pre-configured 'AARP' application within OneLogin. The outlined steps are applicable to any similar SaaS application.
The AARP application should be accessible to the end user only when the Netskope client is active. If the Netskope client is disabled or uninstalled, access to this application is denied.
Lab Recreation
Before beginning the configuration, ensure that the end user's email address has already been imported into the Netskope tenant under Settings >>> Security Cloud Platform >>> Users.
The following sections give a brief walkthrough of the steps to deploy client enforcement. Prerequisites:
- Users are assigned to their respective applications in OneLogin.
- Access and admin rights in the OneLogin tenant.
- Access and admin rights in the Netskope tenant.
Step 1: OneLogin configuration to create a SAML custom connector that allows the Netskope client download
Create a SAML connector within OneLogin that lets end users download the Netskope client.
Go to Applications >>> Add App.
Search for "SAML Custom Connector (Advanced)".
Enter the application name and import the Netskope logo as seen in the screenshot below. Save this application.
Next, open the Netskope tenant UI. Path: Netskope Tenant UI >>> Settings >>> Security Cloud Platform >>> Netskope Client >>> Enforcement >>> OneLogin.
Copy the values of Redirect URL and Organization ID.
Go back to the SAML custom connector you created in OneLogin (Applications >>> Netskope client enablement). Open the Configuration tab and enter the values captured from the Netskope tenant UI as shown below:
Adjust the other configurations as seen in the snapshot below
Go to the SSO tab and click "View Details" under X.509 Certificate. You will be taken to a new page that shows the certificate. Download the certificate, then save the application.
Go back to your Netskope Tenant UI and upload the certificate as seen in the screenshot below.
Path: Netskope Tenant UI >>> Settings >>> Security Cloud Platform >>> Netskope Client >>> Enforcement >>> OneLogin.
Once the application has been created, assign it to users or user groups within OneLogin. When a user clicks the "Netskope client enablement" application created above, this application lets them download and install the Netskope client.
Step 2: Configuring an IP allowlist so that SaaS applications in OneLogin are reachable from Netskope IPs only
This step restricts the SaaS applications so that they can be accessed only from the Netskope IP ranges assigned to your tenant. When the Netskope client is connected, the user's traffic to OneLogin egresses from those Netskope IPs and matches the policy; if a user tries to access the application without the Netskope client, the request arrives from the user's own public IP and access is denied.
Go to OneLogin >>> Security >>> Policies and create a new App Policy.
Give the policy a name.
To obtain the Netskope IP addresses for your tenant:
Path: Netskope Tenant UI >>> Settings >>> Security Cloud Platform >>> Netskope Client >>> Enforcement. Copy the IP addresses from the Netskope IP Ranges section as seen below.
Paste these IP addresses into the IP allowlist of the policy created in OneLogin and click Save.
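The OneLogin policy is only as strict as the list pasted into it: a mistyped prefix or a stray host address silently changes what the IdP accepts. The following Python script is an added example, not part of the original article and not Netskope or OneLogin tooling. It parses a pasted range list the way an IP allowlist evaluates it, reports malformed or redundant entries, and tells you whether a given egress address would be accepted by the policy. The ranges embedded in it are constructed RFC 5737 documentation prefixes standing in for your tenant's real Netskope IP Ranges.

```python
import ipaddress

# Constructed stand-in for the "Netskope IP Ranges" list shown in the tenant UI
# (Settings >>> Security Cloud Platform >>> Netskope Client >>> Enforcement).
# RFC 5737 documentation prefixes only; they are NOT real Netskope addresses.
EXAMPLE_NETSKOPE_RANGES = """
198.51.100.0/24
203.0.113.0/26
203.0.113.64/26
192.0.2.17
"""


def parse_allowlist(text):
    """Parse one allowlist entry per line into ip_network objects.

    A bare address becomes a /32 (or /128) host network, which is how an IP
    allowlist treats it. strict=True rejects prefixes with host bits set, the
    most common copy/paste typo (for example 203.0.113.65/26). Returns
    (networks, errors) so that a bad paste is reported, not silently dropped.
    """
    networks, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        try:
            networks.append(ipaddress.ip_network(entry, strict=True))
        except ValueError as exc:
            errors.append(f"line {lineno}: {entry!r}: {exc}")
    return networks, errors


def egress_is_allowed(ip, networks):
    """True if the client's public egress address lies inside any allowlisted range."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == net.version and addr in net for net in networks)


def redundant_entries(networks):
    """Entries fully covered by another entry; harmless, but usually a paste mistake."""
    return [
        str(n)
        for n in networks
        if any(n != o and n.version == o.version and n.subnet_of(o) for o in networks)
    ]


def simulate_policy(allowlist_text, egress_ips):
    """Evaluate a set of candidate egress addresses against a pasted allowlist.

    Returns {ip: True/False}. Raises ValueError if the allowlist itself is
    malformed, because a policy built from a bad list should not be trusted.
    """
    networks, errors = parse_allowlist(allowlist_text)
    if errors:
        raise ValueError("allowlist contains invalid entries: " + "; ".join(errors))
    return {ip: egress_is_allowed(ip, networks) for ip in egress_ips}


if __name__ == "__main__":
    # Constructed scenario: the same user once with the client connected
    # (egress inside a Netskope range) and once without it (home ISP address).
    verdicts = simulate_policy(
        EXAMPLE_NETSKOPE_RANGES,
        ["198.51.100.77", "192.0.2.18"],
    )
    for ip, allowed in verdicts.items():
        print(f"{ip:>15}  ->  {'ALLOW' if allowed else 'DENY'}")
    nets, _ = parse_allowlist(EXAMPLE_NETSKOPE_RANGES)
    print("redundant entries:", redundant_entries(nets) or "none")
```

Run it against the list you are about to paste into OneLogin, then against the public IP of a test device with the client connected and with it disconnected; the first should be allowed and the second denied before you attach the policy to a production application.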
Step 3: Assign this security policy to a SaaS application in OneLogin
In OneLogin, go to Applications. For the purposes of this document, the policy is assigned to the AARP application.
Under the selected application, go to Access and choose the policy created in Step 2. Click Save. Do not assign this policy to the "Netskope client enablement" application from Step 1: users need to reach that application before the client is installed, so it must remain accessible from any IP.
Verification
Log in to OneLogin with a user that has the Netskope client enablement application assigned.
Try to access the AARP application without the Netskope client running; you will receive the "access denied" notification shown below.
Click the Netskope client enablement application and you will be redirected to download the Netskope client. This ensures that users can only reach the SaaS applications with the Netskope client enabled.
Please note that the access denied notification shown above uses a template that was modified in the Netskope tenant web UI.
Path: Netskope Tenant UI >>> Settings >>> Tools >>> Templates
The default template looks like the screenshot below.
Terms and Conditions
- All documented information undergoes testing and verification to ensure accuracy.
- If any platform changes are brought to our attention in the future, we will promptly update the documentation to reflect them.
Notes
- This article is authored by Netskope Global Technical Success (GTS).
- For any further inquiries related to this article, please contact Netskope GTS by submitting a support case with 'Case Type – How To Questions'.