Skip to main content
Question

Browser Access clientless users

  • March 2, 2026
  • 5 replies
  • 70 views
E

Hi

is it mandatory to provision on the tenant the users that will only have access to Browser Access apps?

 

I mean, for third-party or contractors, that won’t install the Netskope Client and that only need access to browser access private apps, is needed to provision them via SCIM or manually?

I have checked that having the user associated on the IdP, the user authenticates when trying to access the public URL of the BA private app, but if the user is not provisioned on the Netskope tenant, get a 401 error after authenticating even if the RTP policy allows “all users”

The user only access the private app via BA after provisioning on the tenant. Is this correct? I wouldn’t like to provision all my contractors on the tenant

 

Regards

5 replies

ejang
Netskope Employee
Forum|alt.badge.img+5
  • ejang
  • Netskope Employee
  • March 3, 2026

Yes, the user must be provisioned in the Netskope tenant.

"Security and Networking ReAImagined."
    E
    • ElTetu
    • Author
    • New Member III
    • March 3, 2026

    Yes, the user must be provisioned in the Netskope tenant.

     

    Hi ​@ejang, thanks for your response!

    I’d suggest that this wasn’t mandatory to work, as it forces the company to provision any single contractor (besides authenticating them) on Netskope, and I really don’t see the purpose for that.

     

    If that’s not possible, I would strongly recomend that this mandatory action were included in official documentation for the feature (Configure Browser Access for Private Apps - Netskope Knowledge Portal)

    Thanks. Regards

    CedricD
    Netskope Partner
    • CedricD
    • Netskope Partner
    • March 3, 2026

    Yes, the user must be provisioned in the Netskope tenant.

     

    Hi ​@ejang, thanks for your response!

    I’d suggest that this wasn’t mandatory to work, as it forces the company to provision any single contractor (besides authenticating them) on Netskope, and I really don’t see the purpose for that.

     

    If that’s not possible, I would strongly recomend that this mandatory action were included in official documentation for the feature (Configure Browser Access for Private Apps - Netskope Knowledge Portal)

    Thanks. Regards

    I understand your point of view.

    However, if you do not onboard the users into your Netskope tenant, you will not be able to define access restrictions for your private applications based on user or group constraints. This would not align with a true Zero Trust approach and would prevent you from leveraging Context-Aware, Real-Time Protection policies.

    Additionally, since the users are already onboarded in your IdP, what is preventing you from synchronizing them with your Netskope tenant? SCIM is an effortless integration that allows you to automatically sync and deprovision users directly from your IdP.

      E
      • ElTetu
      • Author
      • New Member III
      • March 5, 2026

      Hi ​@CedricD 

      I get what you mean. I mentioned it because there are situations where I might need to create emergency access for an external user, or simply run some functionality tests, where it doesn’t really make sense to go through the whole user provisioning process. In those cases, it would be useful to have a temporary or very specific policy that could apply to all users without necessarily reducing the overall security.

      In any case, my main point is that if this is absolutely required for the feature to work properly, then it should be clearly reflected in the documentation.

      It would have saved me almost two days of testing during the integration until I realized that this might be the issue, since my user was authenticating correctly but, for some reason, I wasn’t being authorized to access it even though I had a policy that should have allowed it.

      Regards

      notskope
      • notskope
      • New Member III
      • March 5, 2026

      For a policy to apply to “all users” there still needs to be a user account association.

       

      Netskope does not generally support the concept of “anonymous” with the exception of steered traffic via IPSEC/GRE.

      Former Netskope PS Consultant, Current Netskope customer

      Badges Winner

      Show all badges

      Not finding what you're looking for?

      Don't be shy and let us know about your challenge.

      Ask your question here!
      Terms & ConditionsCookie settingsAccessibility statement