We're ingesting users into our tenant through an intermediary IDP via SCIM, which is in turn being fed users from our AD.
On the workstations, we're installing the client with IDP and multi-user modes enabled.
@qyost touched on it, but yes, this is supported with IDP-based client enrollment with the client in multiuser mode. This will require multiple IDP support to be enabled on your tenant so that we can forward users to Google or Okta depending on the domain or other criteria.
Yeah, I caught after responding here that they might have been attempting to auth to different IDPs, rather than just having IDP and multiuser enabled.
But the notes about non-overlapping IDPs within the same tenant are certainly interesting.
Hello @qyost @sshiflett, thank you for your comments, for your collaboration and good vibes.
Ah ok, so for multi-user environments on workstations, without being inside an AD, only with Okta and Google Workspace users, thinking of endpoints without a Windows domain, with different local accounts (for example 3 or 4 different accounts on those desktops, which in turn will be mapped to 3 or 4 different accounts in Netskope), according to what you tell me the best option is:
Install the client in user mode, in Multi-User, with IDP Mode? Do you think that is the best option?
For the Multi-User IDP Mode, is there any key requirement or prerequisite? I imagine the users/groups have to be provisioned, but is there any point that needs great or important consideration? Points I should pay attention to?
Thanks as always for your time, for your kind collaboration and for your good vibes.
I remain attentive.
Regards, and attentive to your comments.
@MetgatzNK so long as peruserconfig (multiuser) mode is enabled on the client and you have the users/groups that will be authenticated via the IDP provisioned, there shouldn't be any other items.
Hello @sshiflett thanks for your reply.
So the best option for this case is to install using peruserconfig (multiuser) and indicate the IDP mode.
That is, for example:
msiexec /I NSClient.msi tenant=<tenant> domain=region.goskope.com installmode=IDP mode=peruserconfig
I understand that only one IDP can be used for the Netskope installation, because I don't see how it can be distinguished, that is, whether I use IDP with Okta, Google Workspace or Azure AD. I can only define one method, right? Because I don't see how it would distinguish at the login level if there are different IDPs... or is it capable of doing so? That is to say, have some users in Okta, others in Google Workspace and others in Azure AD, and in IDP mode be able to distinguish the IDP for each SP?
@qyost
Thank you very much for your time, for your comments and collaboration.
Kind regards
My understanding (if I'm tracking the comments correctly) is that you could use multiple IDPs if they have a unique domain portion of the userID, i.e. foo@bar.com, foo@bar.net, and foo@barbarbar.com could be pointed at three distinct IDPs all configured for the same tenant.
Hello @qyost , thank you for your reply.
As always thank you for your time and cooperation.
But what happens, for example, in a case where I have
In Okta, users:
user01@dominio1.com
user02@dominio1.com
user03@dominio1.com
user04@dominio1.com
And in Google Workspace:
user05@dominio1.com
user06@dominio1.com
user07@dominio1.com
user08@dominio1.com
In both cases the same domain, only some users are in Google Workspace and others in Okta.
At the IDP level with the multiuser install, how can I indicate that user X goes to one IDP and other users to another? They are the same domain; how would it be done in such a case? @sshiflett
Thank you, I remain attentive
Best regards
@MetgatzNK we need something to differentiate the users on, such as domain or IP address. Since these are shared devices, I assume they come from static IP addresses? We could potentially specify the IP or egress IP that these devices will be coming from. If all these users are on the same domain, is there a delineation of which users belong to each domain?
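Editor's added illustration of the routing rule the replies describe (a userID is forwarded to an IDP by the domain part of the userID, and, where two IDPs share a domain, by some other criterion such as the egress IP of the shared device). This is constructed example code, not from the thread, the Netskope client or its documentation; the IDP labels, domains and IP ranges are made-up sample data, and the assumed behaviour of refusing to route an ambiguous user is the example's own, not a statement of how the product behaves.

```python
"""Toy model of 'one tenant, several IDPs': route a userID to an IDP by
its domain, optionally narrowed by the egress IP of the shared device.
All rule names, domains and IP ranges are constructed sample data."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class IdpRule:
    name: str                 # constructed label, e.g. "Okta"
    domains: frozenset        # userID domains this IDP is responsible for
    egress_nets: tuple = ()   # optional: egress networks the devices come from


def find_domain_overlaps(rules):
    """Return {domain: [idp names]} for every domain claimed by more than one
    rule where at least one of the claimants has no egress-IP criterion, i.e.
    the users could not be told apart at login time."""
    owners = {}
    for rule in rules:
        for domain in rule.domains:
            owners.setdefault(domain.lower(), []).append(rule)
    overlaps = {}
    for domain, claimants in owners.items():
        if len(claimants) > 1 and any(not r.egress_nets for r in claimants):
            overlaps[domain] = sorted(r.name for r in claimants)
    return overlaps


def route_user(user_id, src_ip, rules):
    """Choose the IDP for a userID. Returns the rule name, None when nothing
    matches, and raises ValueError when more than one rule matches (the
    same-domain case asked about in the thread)."""
    domain = user_id.rsplit("@", 1)[-1].lower()
    candidates = []
    for rule in rules:
        if domain not in rule.domains:
            continue
        if rule.egress_nets:
            # A rule with an IP criterion cannot match without a source IP.
            if src_ip is None:
                continue
            if not any(ip_address(src_ip) in net for net in rule.egress_nets):
                continue
        candidates.append(rule)
    if len(candidates) > 1:
        raise ValueError(f"{user_id} matches several IDPs: "
                         + ", ".join(r.name for r in candidates))
    return candidates[0].name if candidates else None


# Constructed configurations.
# 1) Non-overlapping domains, as in the foo@bar.com / foo@bar.net reply.
UNIQUE_DOMAIN_RULES = (
    IdpRule("Okta", frozenset({"bar.com"})),
    IdpRule("Google Workspace", frozenset({"bar.net"})),
    IdpRule("Azure AD", frozenset({"barbarbar.com"})),
)
# 2) The problematic case: both IDPs hold users in dominio1.com.
OVERLAPPING_RULES = (
    IdpRule("Okta", frozenset({"dominio1.com"})),
    IdpRule("Google Workspace", frozenset({"dominio1.com"})),
)
# 3) Same domain, disambiguated by the static egress IP of the shared devices
#    (documentation IP ranges, constructed for the example).
EGRESS_RULES = (
    IdpRule("Okta", frozenset({"dominio1.com"}),
            (ip_network("203.0.113.0/24"),)),
    IdpRule("Google Workspace", frozenset({"dominio1.com"}),
            (ip_network("198.51.100.0/24"),)),
)

if __name__ == "__main__":
    print(find_domain_overlaps(OVERLAPPING_RULES))   # dominio1.com is ambiguous
    print(route_user("user05@dominio1.com", "198.51.100.7", EGRESS_RULES))
```

Running `find_domain_overlaps` over a planned configuration before rollout is the check to make: an empty result means every userID domain resolves to exactly one IDP (or the colliding rules all carry an egress-IP criterion), which is the condition the replies above describe as required for multiple IDPs in one tenant.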