
Hi, I have the customer's Azure AD configured to allow admin access to the Netskope console via group membership, but all users who log in have the tenant admin role by default. I know I can go in and change their individual roles manually, but is there a way to create a new enterprise application that assigns the Security Admin role (or any other) by default instead? If so, can you please advise on the required config?

 

Thanks.

Yes, have you seen this?


Netskope SSO with Azure AD: Step 12 (under the first section - Configuring SSO in Azure Active Directory and Netskope)


Addendum to Step 6 (under the second section - Configure SSO Parameters between Netskope and Azure AD)


After selecting App registration, select App roles (you can also go directly to App Registration on the left, select All Applications --> Netskope Administrator Console --> App Roles)


SKIP STEP 7 - IT IS OUT OF ORDER AND SHOULD BE AFTER STEP 8 


When you create a new app role in Step 8, the Value field is the SAML attribute admin-role (only seen with a browser SAML Tracer) which you created in Step 6 above in the Netskope Admin console.


In Step 9, you assign the role to the group that you created in Step 7. I like to keep the names the same. Please see snapshots from my configuration.


Netskope Admin console - custom roles



Entra admin center - App roles for Netskope Administrator Console Enterprise Application



Does this help?


 


Additional tidbit: Why do you have to create custom Admin roles in the Netskope Admin console? The Predefined Netskope roles have spaces in the names. Microsoft Entra ID does not support spaces in the app role value ~ https://learn.microsoft.com/en-us/entra/external-id/customers/how-to-use-app-roles-customers


 


Thanks @jonbartlett. I did find that after I added my post but thanks for the additional information.


One additional bit to beware of with custom roles. They are not treated the same as predefined roles, even if copied directly from them, when the RBAC schema updates. New pages can (and often do) get added with a Deny permission.


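A diagnostic sketch for the role mapping discussed in this thread, added here as an example and not part of any post or of Netskope's or Microsoft's documentation: it reads a decoded assertion copied from a SAML tracer, extracts the `admin-role` attribute, and flags values that contain spaces or match no custom role. The sample assertion, the role name `Security_Admin`, and the exact-match comparison are assumptions.

```python
import xml.etree.ElementTree as ET

SAML_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: the attribute part of an assertion as a SAML tracer shows it.
# "Security_Admin" is a made-up custom role name without spaces.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_ASSERTION_NS}">
  <saml:AttributeStatement>
    <saml:Attribute Name="admin-role">
      <saml:AttributeValue>Security_Admin</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def admin_roles(assertion_xml, attr_name="admin-role"):
    """Return every value of the admin-role attribute in a decoded assertion.

    Diagnostic only: this does not verify the assertion signature.
    """
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iter(f"{{{SAML_ASSERTION_NS}}}Attribute"):
        if attr.get("Name") != attr_name:
            continue
        for value in attr.findall(f"{{{SAML_ASSERTION_NS}}}AttributeValue"):
            values.append((value.text or "").strip())
    return values


def check_role_mapping(assertion_xml, netskope_roles):
    """List problems with the role claim; an empty list means it looks consistent."""
    problems = []
    values = admin_roles(assertion_xml)
    if not values:
        problems.append("no admin-role attribute in assertion")
    for value in values:
        if any(ch.isspace() for ch in value):
            # App role values cannot contain spaces, so this never matches.
            problems.append(f"role value {value!r} contains whitespace")
        elif value not in netskope_roles:
            # Assumption: the custom role name must equal the app role Value exactly.
            problems.append(f"role value {value!r} has no matching custom role")
    return problems


if __name__ == "__main__":
    print(check_role_mapping(SAMPLE_ASSERTION, {"Security_Admin"}) or "role claim OK")
```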