Solved

Synchronize users from Google Apps/Workspace and Okta for user/group provisioning and Admin Console SSO

  • 31 May 2023
  • 8 replies
  • 19 views


Hello good afternoon, thank you for your support, for your collaboration and for your valuable time.

Is it possible to synchronize users/groups from Google Apps/Workspace accounts, in order to provision users/groups for policy management?

Can I synchronize users from Okta and users from Google Apps/Workspace at the same time?

Is it possible to use SSO for the use of Google Apps/Workspace user credentials for the Tenant Admin Console?


Thanks for your time, good vibes and your collaboration.


I remain attentive


Best regards


Best answer by sshiflett 15 June 2023, 16:50


@MetgatzNK - If I remember correctly, Netskope does not support multiple provisioning methods.

Not sure on SSO.


https://docs.netskope.com/en/provisioning-users-for-netskope-client.html

https://docs.netskope.com/en/configure-single-sign-on-for-the-netskope-ui.html#UUID-3bb31014-d6d7-e4c3-ad97-61b4322630c6


Hello @ark007 , thanks for your reply.


But I have not seen, or have not found, in the documentation how to synchronize users, i.e. user provisioning and group provisioning, from Google Workspace/Google Apps. Do you have any information? I imagine that for something as big as Google Workspace, like Office 365, Netskope must have a way, via SCIM or something similar, to synchronize users and groups?

Could you help me with this topic?

As always, thank you very much for your time

@rclavero @mzhang

@sshiflett @amurugesan @mkoyfman 


Thanks in advance for your support and collaboration


Best regards


Yeah, not supported is my recollection as well.  
Would be great if they could be, and match-merged across a common key, as that would allow for a smooth transition from IDP to IDP, without deprovisioning all the users.
Additionally, it would allow organizations to rely on the IDP for authentication, but still pull OUs from AD for reporting/analytics.


Yes, I also did not see any documentation specific to Google Workspace. I found an article that talks about syncing users and groups from Google Cloud through the Directory Importer. You can review it to see if it is helpful.


https://support.netskope.com/s/article/Netskope-User-Provisioning-with-Secure-LDAP-to-Google-Cloud-Identity

Also, you might try importing users from Google Workspace into Okta and then syncing users to the Netskope tenant through SCIM.


https://docs.netskope.com/en/provisioning-and-authentication.html 


So a few items here @MetgatzNK. Netskope does support provisioning from multiple sources provided the usernames and groups do not overlap for those sources.  So you can have multiple SCIM or Directory Importer sources or combination thereof provided they don't overlap.   For Okta and Google Workspace in the same tenant I would recommend using the LDAP based provisioning method for Google and SCIM for Okta.  

For the SAML questions, yes it should be possible to use Google Workspace for SAML based SSO to the Netskope WebUI.  For user auth such as periodic reauth or client enrollment, Netskope also supports multiple Identity Providers and you can differentiate on which IDP users are forwarded to based on domain names, location, access method and other criteria.  This may need to be enabled on your tenant via a feature flag. 


Hello @sshiflett @ark007 @qyost  good afternoon, thank you very much for your valuable information that you share with me.


One doubt: you comment that it cannot be obtained from different sources, but for example:

If in Okta I have the following users:

User01, User02, User03, User04.


And in Azure AD I have: User05, User06, User07, User08.


In Google Workspace: User010, User011, User012, User013.


1.- I mean there is no overlap of users or groups; is this feasible? This type of user provisioning from different sources that have different users/groups? Or does the restriction on not being able to have different sources still apply in this case?

2.- For Google Workspace, is the only method of user provisioning LDAP? Is there no other method? Only the LDAP importer with the agent? Is there any other method, like SCIM or anything else?

3.- When using the Netskope Directory Importer, I imagine that the machine or server must be a reliable device, that is to say active and always up, since it will be doing the synchronization of users. My question is: how often does the Importer update accounts/users/groups in the Netskope tenant? I mean, when I add or create users and groups, how often will the Netskope Directory Importer Agent update the users?

Thank you very much for your time, for your collaboration and good vibes.


I remain attentive


Best regards


Hello @sshiflett @ark007 @qyost

@rclavero 

@amurugesan @mkoyfman 

Thank you very much, as always, for your good will, for your good vibes and for your excellent and great collaboration.

Is it possible that you could help me with the 3 points mentioned in the last post?

Thank you very much


Greetings and attentive to your comments.


Hello @MetgatzNK,

1.  So long as the usernames and group names don't overlap then yes this is feasible and supported. 

2.  I believe LDAP is still the supported method for Google as there is a SCIM limitation on the Google Workspace side.

3.  That's correct, the Directory Importer periodically updates Netskope with user, group and OU updates.  The default time is every three hours but this can be lowered to one hour or increased as needed. 
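The constraint sshiflett states in both of his replies (several SCIM or Directory Importer sources in one tenant are fine only while the usernames and group names they push do not overlap) is easy to break quietly: a shared group name such as "Engineering" in two directories, or the same person present in Okta and in Google Workspace with different letter casing, is enough. The script below is an added example written for this thread; it is not Netskope tooling and does not call any Netskope API. It takes one export per intended source (the three exports here are constructed sample data mirroring the Okta / Azure AD / Google Workspace split from the question; in practice you would fill them from your SCIM-side user lists and a Secure LDAP query) and reports every username or group name that more than one source would provision. Case-insensitive matching is my assumption, since the email-style identifiers that become Netskope usernames are not case-sensitive in practice; the function names are mine.

```python
"""Pre-flight overlap check before enabling a second provisioning source.

Added example for this thread, not Netskope's own code.  Usage: fill
SOURCES with one entry per provisioning source (SCIM or Directory
Importer), run the script, and fix every reported clash before turning
the additional source on.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Mapping

# Constructed sample exports, keyed by the source you plan to enable.
# "users" holds the identifier that will become the Netskope username
# (email/UPN); "groups" holds the group names that source would push.
SOURCES: Dict[str, Dict[str, List[str]]] = {
    "okta-scim": {
        "users": ["user01@example.com", "user02@example.com",
                  "user03@example.com", "user04@example.com"],
        "groups": ["Finance", "Engineering"],
    },
    "azuread-scim": {
        "users": ["user05@example.com", "user06@example.com",
                  "user07@example.com", "user08@example.com"],
        "groups": ["Sales", "Engineering"],  # same group name as Okta: clash
    },
    "google-ldap": {
        "users": ["user010@example.com", "user011@example.com",
                  "User01@example.com"],   # case variant of an Okta user: clash
        "groups": ["Marketing"],
    },
}


def _normalize(name: str) -> str:
    # Assumption: usernames and group names are compared case-insensitively.
    return name.strip().lower()


def find_overlaps(sources: Mapping[str, Mapping[str, Iterable[str]]],
                  kind: str) -> Dict[str, List[str]]:
    """Return {normalized name: sorted list of sources} for every name of
    the given kind ("users" or "groups") present in more than one source."""
    seen: Dict[str, List[str]] = defaultdict(list)
    for source, data in sources.items():
        # A name repeated inside one source is not a cross-source overlap.
        for name in {_normalize(n) for n in data.get(kind, [])}:
            seen[name].append(source)
    return {name: sorted(srcs) for name, srcs in seen.items() if len(srcs) > 1}


def provisioning_report(sources: Mapping[str, Mapping[str, Iterable[str]]]
                        ) -> Dict[str, Dict[str, List[str]]]:
    """Overlap report for both users and groups."""
    return {
        "users": find_overlaps(sources, "users"),
        "groups": find_overlaps(sources, "groups"),
    }


def is_safe_to_enable(sources: Mapping[str, Mapping[str, Iterable[str]]]) -> bool:
    """True only when no username and no group name is shared across sources."""
    report = provisioning_report(sources)
    return not report["users"] and not report["groups"]


if __name__ == "__main__":
    report = provisioning_report(SOURCES)
    for kind in ("users", "groups"):
        for name, srcs in sorted(report[kind].items()):
            print(f"{kind[:-1]} {name!r} would be provisioned by: {', '.join(srcs)}")
    print("OK to enable multiple sources" if is_safe_to_enable(SOURCES)
          else "Fix the overlaps above before enabling a second source")
```

Run against the sample data it flags `user01@example.com` (Okta and Google, differing only in case) and the `Engineering` group (Okta and Azure AD); with disjoint exports it reports nothing and `is_safe_to_enable` returns True. The same check is worth repeating before each new source is added, since the no-overlap condition has to hold for every pair of sources in the tenant, not just the first two.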
