Netskope SAML Integration issues

  • 24 November 2021


I am facing an issue while integrating the Netskope application with an Identity Provider.

If I understand correctly, Netskope looks for "admin-role" as a returned attribute, which must carry a role value that is already defined in the Netskope Tenant UI.

Scenario 1:

There are 2 groups at the IDP end:

Basic Test: present in the IDP, but a role with the same name is not defined in Netskope

Tenant Admin: present in the IDP, and a role with the same name is defined in Netskope

The user is part of both of these groups. Now, when the user accesses the application, he/she will get an error stating:
Error Code: Authorization Error
Error: Invalid role 'Basic Test'
This is because Netskope checks whatever the first role is that is passed by the IDP. It saw that Basic Test was the first role and immediately rejected it without looking further at the roles. But Tenant Admin was being passed as well.


Scenario 2:

There are 2 groups at the IDP end:

Yahoo: present in the IDP, but a role with the same name is not defined in Netskope

Tenant Admin: present in the IDP, and a role with the same name is defined in Netskope

The user is part of both of these groups. Now, when the user accesses the application, he/she will not get an error and will be able to get in.
This is because Netskope checks whatever the first role is that is passed by the IDP. It saw that Tenant Admin was the first role and immediately granted access.

The key point here is that Netskope only checks the first role that is passed and ignores the rest, which is causing issues. In an ideal situation, we cannot control the flow so that only Netskope's roles are passed first in order. Roles are only passed in alphabetical order.

Is this already an issue with Netskope? What can be done to remediate this?


4 replies


Hello Community Members / Netskope Support,

Is there an update on my query?


Hi @YC, thank you for your patience, we are currently reaching out to our support team to help assist with your question. We'll get back to you as soon as possible!


Hello @YC , this is an enhancement request that needs to be reviewed by product management. The easiest is to have a short talk about it. I will send you my contact details to start the process.

Matthieu


@YC, what IDP are you using? Perhaps there is something that can be done on the IDP to avoid sending invalid group memberships. Let us know the IDP and we may be able to come up with some alternative solutions on how to tackle this.
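To make the two scenarios in the original post and the IDP-side approach suggested in the last reply concrete, here is an added example (not code from the thread, from Netskope or from any IdP vendor). It builds a constructed SAML AttributeStatement carrying one admin-role value per group, in alphabetical order as the post says the IdP emits them, then models three things: the "first value only" selection the post describes, the "any matching value" selection the post is asking for, and a filter that keeps an IdP from emitting group names that do not correspond to a defined tenant role. The tenant role set, the group names and the error strings are taken from the post; everything else (function names, the minimal assertion shape without Subject, Conditions or signature) is an assumption made for this example and is not a description of how Netskope or any IdP is actually implemented.

```python
"""Model of the SAML admin-role handling discussed in the thread (constructed example)."""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Roles defined in the tenant UI in the post's scenarios (hypothetical tenant).
TENANT_ROLES = {"Tenant Admin"}


def build_assertion(groups):
    """Build a minimal AttributeStatement with one admin-role value per group.

    The post says values arrive in alphabetical order, so the groups are sorted.
    Constructed for this example: a real assertion also carries Subject,
    Conditions and an XML signature, which do not affect the role selection
    modelled here.
    """
    ET.register_namespace("saml", SAML_NS)
    assertion = ET.Element(f"{{{SAML_NS}}}Assertion")
    stmt = ET.SubElement(assertion, f"{{{SAML_NS}}}AttributeStatement")
    attr = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute", Name="admin-role")
    for group in sorted(groups):
        ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = group
    return ET.tostring(assertion, encoding="unicode")


def admin_roles(assertion_xml):
    """Return the admin-role AttributeValues in the order they appear."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.findall(".//saml:Attribute", NS):
        if attr.get("Name") == "admin-role":
            values.extend((v.text or "").strip()
                          for v in attr.findall("saml:AttributeValue", NS))
    return values


def authorize_first_only(roles, defined_roles=TENANT_ROLES):
    """Selection as the post describes it: only the first value is inspected.

    Returns (granted, role_or_error). An assertion with no admin-role value
    is treated as an authorization failure rather than an exception.
    """
    if not roles:
        return (False, "Authorization Error: no admin-role attribute")
    first = roles[0]
    if first in defined_roles:
        return (True, first)
    return (False, f"Authorization Error: Invalid role '{first}'")


def authorize_any_match(roles, defined_roles=TENANT_ROLES):
    """Selection the post asks for: grant the first value that maps to a
    defined role, and fail only when none of the values does."""
    for role in roles:
        if role in defined_roles:
            return (True, role)
    return (False, "Authorization Error: no admin-role value matches a defined role")


def filter_outgoing_roles(groups, defined_roles=TENANT_ROLES):
    """IdP-side mitigation in the spirit of the last reply: emit only the
    group names that correspond to roles the tenant defines, so an unknown
    group can never be the first value the service provider sees."""
    return [g for g in groups if g in defined_roles]


if __name__ == "__main__":
    for groups in (["Basic Test", "Tenant Admin"], ["Yahoo", "Tenant Admin"]):
        roles = admin_roles(build_assertion(groups))
        print(groups, "->", roles)
        print("  first-only :", authorize_first_only(roles))
        print("  any-match  :", authorize_any_match(roles))
        print("  filtered   :", admin_roles(build_assertion(filter_outgoing_roles(groups))))
```

Running the block reproduces the post: with groups Basic Test and Tenant Admin the first-only check fails on 'Basic Test', while with Yahoo and Tenant Admin the same check succeeds only because the alphabetical order happens to put the defined role first. The any-match variant grants Tenant Admin in both cases, and the outgoing filter makes the first-only check succeed in both cases by never emitting an undefined group, which is the kind of IdP-side change the last reply is pointing at.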
