[HOW-TO] - Configure Tenant SSO with PingOne

  • 24 June 2023
  • 0 replies

Userlevel 2
Badge +15
  • Netskope Employee
  • 15 replies

Ping Identity’s PingOne platform provides the ability to define a SAML-compatible application that can be used for granting access to the Netskope Admin Console. This guide will walk you through the steps for creating a custom application to meet this use case.


Ping does not provide a pre-built application for SAML SSO - a custom application is required Ping One does not support SCIM for User and Group provisioning - you will need Ping Federate with the SCIM SaaS Provisioner integration.



Follow the below steps to create the custom SAML integration. The high-level process is to a) define a custom attribute that will contain the Netskope Admin Role; b) create the custom SAML application; and c) configure the Netskope tenant for SSO with Ping One.

  1. Login to the Ping console
  2. Click on your target Environment



  1. Expand Identities and click on Attributes
  2. Click the Plus sign to add a new attribute
  3. Choose Declared as the Attribute Type and click Next




  1. Define the new Attribute
    1. Name = Netskope Admin Role
    2. Display Name = Netskope Admin Role
    3. Description = Contains the name of the role the user will have in the Netskope Admin Console (Optional)



  1. Click Save
  2. Add the new Attribute to your user(s)
    1. Navigate to Users
    2. Click on the target user
    3. Click the Pencil next to personal Info to edit the user profile



  1. Scroll to Custom Attributes
  2. Click the Add button and choose the Netskope Admin Role attribute



  1. Set the value to match the role defined in the Netskope UI - predefined roles with spaces are supported. (Ex: Delegated Admin)



  1. Click Save
  1. Expand Connections and click on Applications
  2. Click the + sign




  1. Fill out the following information
    1. Application Name = Netskope Admin Console
    2. Description = Grant access to the Netskope Admin Console
    3. Icon = Optional
    4. Application Type = SAML Application



  1. Click Configure
  2. On the SAML Configuration dialog, select Manually Enter and provide the following details from Settings > Administration > SSO
    1. ACS URL = https://<TENANT>.goskope.com/saml/acs
    2. Entity ID = Service Provider Entity ID




  1. Click Save
  2. Click on the Configuration tab of the application details and make note of the information - you’ll need this information to complete the setup in the Netskope UI




  1. Click on Attribute Mappings in the application details
  2. Click the Pencil icon on the right to edit the SAML attributes




  1. Add / Edit the following SAML attributes and click Save
    1. saml_subject = Email Address
    2. admin-role = Netskope Admin Role (custom attribute you built earlier) Required
    3. emailaddress = Email Address
    4. givenname = Given Name
    5. surname = Family Name



  1. Toggle the application to be enabled






  1. In the Netskope tenant, navigate to Settings > Administration > SSO
  2. Click on Edit Settings under SSO/SLO Settings
  3. Enter the following information
    1. IDP URL = Initiate Single Sign-On URL
    2. Issuer ID = IDP Entity ID
    3. IDP Certificate = Download Signing Certificate in CRT format
      1. Open with text editor
      2. Copy and paste into Netskope dialog
    4. IDP SLO URL = Single Logout Service (Optional)
  4. Click Submit to save your settings


  1. Test the sign-on process
    1. Logout of the Netskope Console or launch an incognito window and go to https://<TENANT>goskope.com. You should be redirected to Ping to login




0 replies

Be the first to reply!