Netskope Community
06-29-2023 01:03 PM - edited 06-29-2023 01:06 PM
Netskope Private Access (NPA) is a Zero-Trust Network Access solution that provides seamless access for users accessing applications. One of the Zero-trust capabilities within NPA, Periodic Reauthentication, is based on an integration with your enterprise Identity Provider (IDP) such as Azure AD or Okta. This capability allows the Netskope client to challenge the user via your Identity Provider for credentials and MFA to maintain or activate access to internal applications. Administrators configure intervals for groups or OUs based on the security posture required. For example, the below configuration would require a user to authenticate to my IDP every 12 hours with a 1 hour grace period before access would be revoked:
Depending on your enterprise’s security requirements, you may wish to always enforce MFA or specific access requirements. This becomes a challenge if your Identity Provider caches sessions for a period of time, which is increasingly common. The mini browser used by the Netskope client varies by operating system (Edge for Windows, Safari for Mac, etc.). If your user has a cached session for the IDP within one of these browsers, it may transparently reauthenticate the user. If you’d like to change this behavior, many IDPs support app-specific configurations that enforce MFA or other controls every time regardless of cached sessions. Below are instructions for two of the most common Identity Providers, AzureAD and Okta. These settings may also impact your SAML forward proxy authentication if you are using IPsec or GRE steering to Netskope.
AzureAD
AzureAD will typically cache user sessions by default so periodic reauth will use this cached session by default as well. Administrators can configure a Conditional Access policy scoped to the Netskope User Enrollment and Authentication app. This Conditional Access Policy will require authentication to the Netskope app every time the user accesses this application which occurs when Periodic Reauth is triggered. Example configuration steps for this policy are below. Consult with your AzureAD or Microsoft 365 admin to ensure these policies will not conflict with other Conditional Access Policies.
With this enabled, your users should be prompted to authenticate and perform any other checks (Device Compliance, MFA, location based policies, etc) every time Netskope reauth is triggered.
Okta
Okta supports more frequent authentication policies for specific apps via app sign-on policies. Follow the steps below to configure a more frequent reauthentication policy. The steps below are a sample configuration. Consult with your Okta administrator to ensure this does not conflict with existing sign-on policies.
Users should now be prompted for MFA every time they attempt to reauth, regardless of cached sessions. You can optionally alter this policy to require MFA on an interval or to prompt for credentials and to prompt for MFA.
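As an added example (not part of the original post, and not Netskope's or Microsoft's own documentation), the AzureAD Conditional Access policy described above can be expressed through the Microsoft Graph PowerShell SDK instead of the portal. The Netskope enterprise application object ID and the target group ID are placeholders you must look up in your tenant; the policy is created in report-only mode first so it can be checked against existing policies before enforcement.

```powershell
# Added example: create a Conditional Access policy that forces a fresh
# sign-in (credentials + MFA) every time the Netskope enrollment/auth app
# is accessed, which is what NPA Periodic Reauthentication triggers.
# Requires the Microsoft.Graph PowerShell SDK and a Conditional Access admin.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# PLACEHOLDERS (assumptions): replace with the object ID of the
# "Netskope User Enrollment and Authentication" app in your tenant and the
# object ID of the group/OU you want the stricter reauth to apply to.
$netskopeAppId = "<NETSKOPE-ENROLLMENT-APP-OBJECT-ID>"
$targetGroupId = "<TARGET-GROUP-OBJECT-ID>"

$policy = @{
    displayName = "NPA Periodic Reauth - fresh MFA every time"
    # Report-only first: evaluates but does not block, so you can confirm
    # it does not collide with other Conditional Access policies.
    state       = "enabledForReportingButNotEnforced"   # later: "enabled"
    conditions  = @{
        clientAppTypes = @("all")
        users          = @{ includeGroups = @($targetGroupId) }
        # Scope strictly to the Netskope app so no other SSO sessions are
        # affected by the every-time requirement.
        applications   = @{ includeApplications = @($netskopeAppId) }
    }
    grantControls   = @{
        operator         = "OR"
        builtInControls  = @("mfa")
    }
    sessionControls = @{
        signInFrequency = @{
            isEnabled          = $true
            # "everyTime" ignores the cached browser session that the
            # Netskope client's mini browser would otherwise reuse.
            frequencyInterval  = "everyTime"
            # Re-run both primary credentials and MFA, not MFA alone.
            authenticationType = "primaryAndSecondaryAuthentication"
        }
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Review the sign-in logs for report-only results against the Netskope app before switching the policy state to "enabled".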
06-30-2023 10:55 AM
Great article! Wondering if I could get your input on our periodic reauth implementation.
Some VPN solutions address similar issues by having backend settings that kick off a script on the computer after connections are established.
Is there anything similar that can be leveraged/implemented for Netskope after reauthentication or successful connection to allow mapped drives to reconnect seamlessly? If not (and if that's not something in the works), how have other Private Access customers addressed this? Is there a recommended process/best practice after reauthentication has expired on a that was locked (short of an extensive Grace Period in the config) to allow connectivity and work to resume post-reauthentication expiration?
07-06-2023 05:54 AM - edited 07-07-2023 08:26 AM
@AlfaBane the solution below should improve this behavior as prelogon allows the NPA tunnel to establish when the user tunnel goes down. This allows for items like drive mapping, password resets, and first time logon. As to your other item on the ability to call a script, there is an enhancement request for this functionality so if it's something you're interested in, please reach out to your local account team to discuss.
07-07-2023 09:50 AM
Thanks, Sam.
07-01-2023 09:22 PM
@AlfaBane Take a look at the NPA Pre-Logon Feature.
https://docs.netskope.com/en/configure-client-prelogon-connectivity.html