Optimizing Identity Provider Settings for NPA Periodic Reauth

  • 29 June 2023
  • 6 replies
  • 73 views

Userlevel 6
Badge +16

Netskope Private Access (NPA) is a Zero Trust Network Access solution that provides seamless access for users accessing private applications. One of the Zero Trust capabilities within NPA, Periodic Reauthentication, is based on an integration with your enterprise Identity Provider (IDP) such as Azure AD or Okta. This capability allows the Netskope client to challenge the user via your Identity Provider for credentials and MFA in order to maintain or activate access to internal applications. Administrators configure the interval per group or OU based on the security posture required. For example, the client configuration shown below (a 12-hour interval with a 1-hour grace period) would require a user to authenticate to the IDP every 12 hours; if they do not, access is revoked once the 1-hour grace period expires:


Depending on your enterprise's security requirements, you may wish to always enforce MFA or other specific access requirements at every reauthentication. This becomes a challenge when your Identity Provider caches sessions for a period of time, which is increasingly common. The mini browser used by the Netskope client varies by operating system (Edge for Windows, Safari for Mac, etc.). If the user has a cached IDP session within that browser, the IDP may satisfy the reauthentication transparently from the cached session, without prompting for credentials or MFA, so the periodic reauth provides no real check. If you want to change this behavior, many IDPs support app-specific configurations that enforce MFA or other controls on every sign-in regardless of cached sessions. Below are instructions for two of the most common Identity Providers, Azure AD and Okta. Note that these settings may also impact your SAML forward proxy authentication if you are using IPsec or GRE steering to Netskope, since the same IDP application is involved.

AzureAD

Azure AD typically caches user sessions by default, so periodic reauth will be satisfied from that cached session unless you intervene. Administrators can configure a Conditional Access policy scoped to the Netskope User Enrollment and Authentication app. Using the policy's sign-in frequency control, Azure AD requires a fresh authentication to the Netskope app once the configured frequency has elapsed, which is the case whenever Periodic Reauth is triggered as long as the frequency is shorter than the Netskope interval. Example configuration steps for this policy are below. Consult with your Azure AD or Microsoft 365 admin to ensure the policy will not conflict with other Conditional Access policies.

  1. Navigate to portal.azure.com.

  2. Open Conditional Access Policies by entering Conditional in the search bar.

  3. Click Create new policy.

  4. Enter a descriptive name in the Name field.

  5. Click No target resources selected.

  6. Check the Select apps option.

  7. Click None under the Select option.

  8. Search for and check the box next to your Netskope authentication app.

  9. Click Select.

  10. Click 0 controls selected under the Session section.

  11. Check the box next to Sign-in frequency.

  12. Configure the sign-in frequency. The example below uses 1 hour for a shorter demo interval. You can select a longer interval, but it must be shorter than the reauthentication interval configured in Netskope, so that the Azure AD session has already expired when the Netskope client triggers reauthentication; otherwise the cached session would satisfy the prompt silently. For example, if Netskope is configured to reauth every 12 hours, set this value to 11 hours or lower.

  13. Click Select.

  14. Enable the policy and click Create.


With this enabled, your users should be prompted to authenticate and pass any other configured checks (device compliance, MFA, location-based policies, etc.) every time Netskope reauth is triggered.
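The following is an added example, not code from the original post or from Netskope or Microsoft. It makes two things from the Azure AD steps checkable: a validator for a Conditional Access policy body in the Microsoft Graph conditionalAccessPolicy shape (state, conditions.applications, sessionControls.signInFrequency) that flags anything letting a cached session satisfy NPA reauth, and a simplified timing model of NPA reauth triggers against an IDP sign-in frequency that shows why step 12 requires the frequency to be shorter than the Netskope interval. The app ID and policy names are constructed placeholders, the timing model is an assumption (the IDP treats the session as valid while the time since the last interactive sign-in is no more than the sign-in frequency, and a silent SSO does not reset that clock), and the "every time" case also models Okta's "Prompt for factor: Every sign on" rule described later on this page.

```python
"""Added example (not Netskope, Microsoft or Okta code): validate an Azure AD Conditional
Access policy body for NPA periodic reauth, and model whether each reauth really prompts.
Identifiers below are constructed placeholders, not real Netskope app IDs.
"""
from datetime import timedelta
from typing import Dict, List, Optional


def hours(h: float) -> timedelta:
    """Small helper so intervals read naturally below."""
    return timedelta(hours=h)


NETSKOPE_APP_ID = "11111111-2222-3333-4444-555555555555"  # placeholder, not the real app ID
NETSKOPE_REAUTH = hours(12)                                # NPA periodic reauth interval

# Weak: report-only, and a sign-in frequency equal to the NPA interval (a boundary race).
WEAK_POLICY: Dict = {
    "displayName": "NPA reauth (weak)",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeApplications": [NETSKOPE_APP_ID]},
    },
    "sessionControls": {
        "signInFrequency": {"isEnabled": True, "type": "hours", "value": 12},
    },
}

# Fixed: enforced, scoped to the Netskope app, frequency shorter than the NPA interval.
FIXED_POLICY: Dict = {
    "displayName": "NPA reauth (fixed)",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeApplications": [NETSKOPE_APP_ID]},
    },
    "sessionControls": {
        "signInFrequency": {"isEnabled": True, "type": "hours", "value": 1},
    },
}

_UNITS = {"hours": hours(1), "days": timedelta(days=1)}


def sign_in_frequency(policy: Dict) -> Optional[timedelta]:
    """Return the policy's sign-in frequency, or None if the control is absent or disabled."""
    sif = policy.get("sessionControls", {}).get("signInFrequency")
    if not sif or not sif.get("isEnabled"):
        return None
    return _UNITS[sif["type"]] * int(sif["value"])


def check_policy(policy: Dict, app_id: str, reauth: timedelta) -> List[str]:
    """Return findings that would let a cached session satisfy NPA reauth (empty list = OK)."""
    findings: List[str] = []
    if policy.get("state") != "enabled":
        findings.append("policy is not enforced (state != enabled)")
    apps = policy.get("conditions", {}).get("applications", {}).get("includeApplications", [])
    if app_id not in apps and "All" not in apps:
        findings.append("policy does not target the Netskope authentication app")
    sif = sign_in_frequency(policy)
    if sif is None:
        findings.append("sign-in frequency control is missing or disabled")
    elif sif >= reauth:  # equality is a race in practice, hence "11 hours or lower" in step 12
        findings.append(f"sign-in frequency {sif} is not shorter than the NPA reauth interval {reauth}")
    return findings


def simulate(reauth: timedelta, sif: Optional[timedelta], cycles: int) -> List[str]:
    """Record each NPA reauth trigger as 'prompt' (user sees IDP/MFA) or 'silent' (cached SSO).

    Assumed model: the user signed in interactively at t=0; the IDP session is valid while the
    time since the last interactive sign-in is <= sif, and a silent SSO does not reset that clock.
    sif=None means no sign-in frequency control; timedelta(0) means 'every time'.
    """
    now = timedelta(0)
    last_interactive = timedelta(0)
    out: List[str] = []
    for _ in range(cycles):
        now += reauth
        if sif is not None and now - last_interactive > sif:
            out.append("prompt")
            last_interactive = now
        else:
            out.append("silent")
    return out


if __name__ == "__main__":
    for pol in (WEAK_POLICY, FIXED_POLICY):
        print(pol["displayName"], check_policy(pol, NETSKOPE_APP_ID, NETSKOPE_REAUTH) or ["OK"])
    print("no control:", simulate(NETSKOPE_REAUTH, None, 4))
    print("SIF 24h   :", simulate(NETSKOPE_REAUTH, hours(24), 6))
    print("SIF 1h    :", simulate(NETSKOPE_REAUTH, hours(1), 4))
```

Running it shows the failure mode from the text directly: with no sign-in frequency control every reauth is silent, with a 24-hour frequency only every third reauth prompts, and with a 1-hour frequency (shorter than the 12-hour NPA interval) every reauth prompts.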


Okta
Okta supports per-application authentication requirements via app sign-on policies, including prompting for a factor on every sign-on regardless of any cached session. Follow the steps below to configure a more frequent reauthentication policy. The steps below are a sample configuration; consult with your Okta administrator to ensure it does not conflict with existing sign-on policies.

  1. Navigate to your Okta admin console.

  2. Click Applications to expand the menu.

  3. Click Applications.

  4. Select your Netskope application. The name may vary.

  5. Click Sign On.

  6. Scroll down to Sign On Policy and click Add Rule.

  7. Enter a name for your rule under Rule Name.

  8. Scroll down to Actions and check the box next to Prompt for factor. Leave Every sign on selected.

  9. Click Save.


Users should now be prompted for MFA every time they reauthenticate, regardless of cached sessions. You can optionally alter this rule to prompt for MFA on an interval instead of every sign-on, or to prompt for both credentials and MFA.


6 replies

Badge +13

Great article! Wondering if I could get your input on our periodic reauth implementation. 

  • Periodic Reauthentication of 12 hours for our client config
  • the typical behavior of the bulk of our users is to lock their device at the end of the day (rather than logging off or shutting down)
  • overnight, of course, this reauthentication expires
  • users reauthenticate after unlocking the device at the start of the day
  • private apps and sites connect fine
  • where we’ve run into problems, though, is the access of our internal network drives (drive mappings)
    • connectivity post-reauthentication looks to be limited to mapped drives and shares 
    • mapped drives disappear or show disconnected
    • troubleshooting to regain access after reauthentication has ranged from “manually running logon scripts and/or forcing gpupdate” to “rebooting the device”


Some VPN solutions address similar issues by having backend settings that kick off a script on the computer after connections are established.

Is there anything similar that can be leveraged/implemented for Netskope after reauthentication or successful connection to allow mapped drives to reconnect seamlessly? If not (and if that's not something in the works), how have other Private Access customers addressed this? Is there a recommended process/best practice after reauthentication has expired on a device that was locked (short of an extensive Grace Period in the config) to allow connectivity and work to resume post-reauthentication expiration?

Badge +9

@AlfaBane Take a look at the NPA Pre-Logon Feature.

https://docs.netskope.com/en/configure-client-prelogon-connectivity.html


Userlevel 6
Badge +16

@AlfaBane the solution below should improve this behavior, as prelogon allows the NPA tunnel to establish when the user tunnel goes down. This allows for items like drive mapping, password resets, and first-time logon. As to your other item on the ability to call a script, there is an enhancement request for this functionality, so if it's something you're interested in, please reach out to your local account team to discuss.

Badge +13

Thanks, Sam. 

Badge +12

Hi Sam, this NPA Periodic Reauth setting is tied to client config, which in turn is tied to user/user group. Any chance to implement this on a device(s) level rather than user?

Badge +12

Glad to hear someone is working on an enhancement to call a script. 
