This article will cover how to configure Single-Sign-On (SSO) for the Netskope Cloud Exchange (CE) platform using Azure Active Directory (AAD). This will allow you to manage administrator access to CE from purely within AAD, rather than configuring administrators on the platform manually.
Cloud Exchange is different from the standard Netskope tenant you would have access to as a customer, and facilitates the exchange of information between your various security and operations platforms. For information on what Cloud Exchange is (including how to deploy it), please see here.
Create a new Enterprise Application
Log into the Azure AD portal, and go to “Enterprise Applications”. You may need to search for this at the top of the portal.
Click New application.
Click Create your own application and name the application Netskope Cloud Exchange.
Select the 3rd option to create a non-gallery app: Integrate any other application you don’t find in the gallery.
Click Create when you are done.
Note, that Azure can sometimes have a quirk where it returns a 404 error when you click the Create button. Your application has should have been created, even if you get this error. If you encounter this issue, return to the Enterprise Applications view and click the refresh button. You should see your Netskope Cloud Exchange app appear in the list, despite getting a 404.
Copy the Cloud Exchange SSO information
Log in to Cloud Exchange using the admin (super administrator) user, and navigate to Settings > Users (this settings area will only be visible to the admin user).
Select the SSO Configuration tab, and toggle the SSO toggle ON (make sure you save this configuration).
Note down the 3x “Service Provider” fields at the bottom of the screen. The image below maps which URL should be used for which SAML config field in Azure AD.
Create Roles in Azure AD
Users can be assigned Read/Write or just Read access to the CE UI based on one of two roles assigned to them: Admin (read/write access) and Read Only. We need to create these roles in Azure AD so that they can be assigned to users who use the CE application.
Note: If you don’t create and map these roles then SSO will fail!
Return to the main Azure Active Directory menu (ensure you are NOT within the Enterprise Applications sub-menu). Select App registrations from the left-side menu, click the All applications tab, then select the Netskope Cloud Exchange app from the list.
Next, click App Roles from the left-side menu, followed by Create app role. You will be creating two roles: One for the Admin user role and one for the Read-Only user role.
Create the Admin role as follows:
- For Display name, enter
CE-Admin(this can be whatever you like) - For Allowed member types, select the first option:
Users/Groups - For Value, enter
netskope-ce-write;netskope-ce-read<- Ensure you copy/paste this exactly! - For Description, enter
Provide the user with read/write access to Cloud Exchange. - Ensure the Do you want to enable this app role? option is checked.
Create the Read-Only role as follows:
- For Display name, enter
CE-ReadOnly(this can be whatever you like) - For Allowed member types, select the first option:
Users/Groups - For Value, enter
netskope-ce-read<- Ensure you copy/paste this exactly! - For Description, enter
Provide the user with read-only access to Cloud Exchange. - Ensure the Do you want to enable this app role? option is checked.
You’re now finished configuring the App Roles. Return to the main Azure AD menu to proceed.
Configure the Cloud Exchange Enterprise App in Azure AD
From the Azure AD main menu, return to the Enterprise Applications list and select Netskope Cloud Exchange to configure it.
From the left-side menu, click Single sign-on, and select SAML when prompted.
Provide the SAML Configuration
Under Basic SAML Configuration, click the Edit button.
Copy the “Service Provider” URLs from the Cloud Exchange SSO Configuration page to the appropriate Azure AD SAML config field. See the table below for mapping.
| Azure AD SAML Field | Cloud Exchange Field |
|---|---|
| Identifier (Entity ID) | Service Provider Entity ID |
| Reply URL (Assertion Consumer Service URL) | Service Provider ACS URL |
| Sign on URL | Service Provider ACS URL |
| Relay State | N/A - Leave Blank |
| Logout URL | Service Provider SLS URL |
The Reply URL and Sign-on URL in Azure AD both use the Service Provider ACS URL from the Cloud Exchange portal. The Relay State field in Azure AD should be left blank.
Save your configuration when done.
Add Claims for Username & Roles
Click Edit next the Attributes & Claims section (section #2)
Click the button to Add new claim. Add a new claim as follows:
- For the Name field, enter
roles<– Enter this exactly! - Leave Namespace blank.
- For Source, ensure
Attributeis selected (default). - For Source attribute, select
user.assignedrolesfrom the dropdown.
Click Save to add the claim.
Repeat the process to add a recond role:
- For the Name field, enter
username<– Enter this exactly! - Leave Namespace blank.
- For Source, ensure
Attributeis selected (default). - For Source attribute, select
user.mailfrom the dropdown.
Click Save to add the claim.
Once you’ve added the two new claims, your Attributes & Roles should look as follows:
Download the SAML Signing Certificate
Back on the SAML configuration page, scroll down to Section 3 - SAML Signing Certificate, and click to download the Base64 certificate (see the image below).
Copy the Azure AD Application URLs
Next, under Section 4 - Set up Netskope Cloud Exchange, copy the Login URL, Logout URL, and Azure AD Identifier URL. You will need to paste these into the Cloud Exchange UI in the next section.
Add Users & Groups to the Enterprise Application
The last step we need to perform in Azure AD is to assign users and/or groups to the Cloud Exchange app to provide them with access. We will also assign either the Read-Only or Admin roles we created earlier to these users/groups to grant them the appropriate permissions within CE.
From the left-side menu within the Cloud Exchange Enterprise Application, select Users and groups, then click Add user/group.
Select the users and/or groups that are permitted to use the Cloud Exchange application. You MUST also assign a role to the selected users/groups; ie: CE-Admin (read/write), or CE-ReadOnly (read-only).
WARNING: If you do not assign a role, SSO will fail when the user attempts to sign in. Also, DO NOT assign the default User role you see in the list: this will also cause SSO to fail. You must only use the roles that you explicitly created in Azure AD yourself.
After assigning users/groups and applicable roles, your user/group list should look similar to the below:
Finish the SSO Configuration in Cloud Exchange
Return to the SSO Configuration section of the Cloud Exchange UI (Settings > Users > SSO Configuration).
Copy the Azure app URLs
For the 3 Identity Provider URL fields in the Cloud Exchange SSO configuration, paste the corresponding Azure AD Application URLs you copied when configuring SAML on the Azure AD side. See the table below for mapping:
| Cloud Exchange Field | Azure AD SAML Config Field |
|---|---|
| Identity Provider Issuer URL | Azure AD Identifier URL |
| Identity provider SSO URL | Login URL |
| Identity provider SLO URL | Logout URL |
Copy the SAML Signing Certificate
Open the Base64 SAML Signing Certificate you downloaded from Azure AD earlier in a text editor such as Notepad or TextEdit. Don’t use MS Word. The certificate will have a .cer extension.
Copy the contents of the certificate file into the Public x509 Certificate field in the Cloud Exchange SSO config (see the image above).
Save your SSO Configuration when done.
Testing the SSO Configuration
Open a new Incognito window (to avoid any potential issues with caching) and point your browser to the URL of your Cloud Exchange deployment.
If you enabled the “SSO” checkbox as instructed at the beginning of this guide, you will two options when reaching Cloud Exchange:
- Login with SSO
- Login with Username/Password
Option #2 is used for local login (ie: the default admin user, or any user manually added to the user list in CE).
Select Login with SSO. You should be redirected to Azure AD to sign in.
Upon entering your user credentials, you should be authenticated and redirected to the Cloud Exchange interface.
In the example below, the Adele user was assigned the CE-ReadOnly role, so almost all of the Settings menu is hidden.
Troubleshooting
If you are having issues signing in, first, look at which platform is giving you an error: Azure AD, or Cloud Exchange?
If the error you are presented with is from Azure AD, then there is likely an issue with your config on the Azure AD side. Double-check your URLs and/or whether the user you are attempting to sign in as is assigned to the application (or present in the group assigned to the app).
In the image below, my nathan@lightwave.cloud user was unable to sign in, as they were not assigned to the application in Azure AD.
If you are getting an error from Cloud Exchange, then you have likely stuffed up the URLs entered into either CE or Azure AD, not added the custom username and roles claims in Azure AD, or not assigned any roles to the user you are signing in as.
If you get the error {"detail":"Method Not Allowed"}, check that the URLs copied into both Azure AD and Cloud Exchange are correct and in the right place.
If you get the error {"detail":"Could not authenticate. username/roles attribute not set."}, then check that you added the username and roles claims in the SAML config, AND assigned roles correctly to users when you added them to the Enterprise Application in Azure AD.
If you pass SSO fine but receive a red Error while fetching data message in CE, then there is a problem with the role you have assigned to the user. Ensure you entered netskope-ce-write;netskope-ce-read as the attribute for the Admin role (CE-Admin) and netskope-ce-read as the attribute for the Read-Only role (CE-ReadOnly). Additionally, check that you have assigned one of these roles to your impacted user: You may also get this error if the default User role is assigned.
