Doubts with NPA Web browser Private Access - SAML Azure AD

  • 17 May 2023
  • 3 replies
  • 69 views

Badge +11

Doubts with NPA Web browser Private Access - SAML Azure AD

 

Hello community, as always, many thanks for your comments, advice, recommendations and your time.

I have currently configured in our Tenant for user synchronization with SCIM, from Azure AD and I have SSO for Admin console access, using Azure AD, everything work OK.

 

Now I have a huge and big doubt, I understand that for user Private Access via Web i.e. Clientless, a SAML - Reverse Proxy account must be configured.

 

That's my big doubt: I am looking for documentation that supports this configuration, ie Private Access Web browser access with SAML - Reverse Proxy with Azure AD, but I have not found, I have only found for Okta, among others, but with Azure AD nothing.

 

Configure Browser Access for Private Apps:

https://docs.netskope.com/en/configure-browser-access-for-private-apps-378561.html#:~:text=for%20Private%20Apps-,Configure%20Browser%20Access%20for%20Private%20Apps,-Browser%20Access%20is

 

Reverse Proxy: https://docs.netskope.com/en/saml-reverse-proxy.html

 

So I understand that at this point it is not necessary that I federate with SSO my application, that is if I wanted to add a Private Access Web-Browser access to a URL of a simple example, the Web Interface of a Printer or Web access to the Web-Gui of a Firewall, Switch, router, etc, I should be able to do it without problems, using Web Browser Private Access Clientless. The Private web browser Clientless, Netskope is the gateway, where it redirects to the Azure-AD/Microsoft login, for access without third-party client without cleintes, so that this connection is authenticated with Netskope and in turn with Azure-Ad and then already allows me to enter the Web application ( https/http ) that the Publisher previously already has access and is reached by the publisher.

 

Now someone can support me clarifying these doubts:

 

1.- Should I create in Azure Ad a separate Enterprise Application for this SAML Proxy connection ? Can I use the SSO one ?

 

2 .- I must generate an Azure AD Enterprise application for each Private App that requires or only once and I can use this for all web private apps to generate (ie example the webgui router, firewall, printer, switch, etc ...?

 

3.- If I generate an Azure enterprise application, for the SSO of the Web-gui of the console, if I know that goes in the field of Identifier, but in the case of Reverse Proxy where do I get that information?

 

4.- If you can support me with a tutorial, guides, etc, I will be very grateful, because reading the official documentation I still do not reach the goal.


Thank you for your time, your advice and all the comments 

@rclavero @mzhang

@sshiflett @amurugesan @mkoyfman 

 

I remain attentive

 

Best regards

 


3 replies

Userlevel 6
Badge +16

Good morning @MetgatzNK,

 

Responses are below to your questions:

Should I create in Azure Ad a separate Enterprise Application for this SAML Proxy connection ? Can I use the SSO one ?

Yes.  This is a separate SAML integration from your existing integrations so a dedicated SAML app is required as the consumer service, entity ID and other parameters are different.  This also allows you to only assign authorized users to the Browser Access app in Azure AD as well. 

 

2 .- I must generate an Azure AD Enterprise application for each Private App that requires or only once and I can use this for all web private apps to generate (ie example the webgui router, firewall, printer, switch, etc ...?

 

Only one is required.  You will configure a single SAML integration that serves as authentication to the NPA authentication proxy.  Once authenticated, the Real-time Protection policies in Netskope determine which apps a user is entitled to and can access. 

 

3.- If I generate an Azure enterprise application, for the SSO of the Web-gui of the console, if I know that goes in the field of Identifier, but in the case of Reverse Proxy where do I get that information?


You will need to create a Reverse Proxy account under Settings > Security Cloud Platform > Reverse Proxy > SAML.  Select the Private Apps application for the account:

 

 

In Netskope:
IDP SSO URL is the Login URL from Azure AD
Certificate is the Base64 certificate downloaded from AzureAD

In Azure AD:

Identifier is the Audience URL from Netskope Settings

ACS URL is the Browser Access ACS URL from Netskope Settings

 

4.- If you can support me with a tutorial, guides, etc, I will be very grateful, because reading the official documentation I still do not reach the goal.

 

I will need to check if we have something public, if we don't I will take it as an action item on my part to get one published to the public facing docs. 

I hope this helps but please let me know if additional information is needed. 

Badge +11

Hello @sshiflett, thanks for your replay.

 

This was my big doubt, because the Identifier when you generate the SSO for the web Admin of the Tenant, the identicator, the ID, you get it from the SSO part of the Settings, but in the doc that I have searched and found of Web Browser private App does not make it clear, but now with what you say .... this is the important thing to clarify, then when you generate the App with Azure for the web browser private access is the Audience URL, according to what you tell me:

 

"In Azure AD:

Identifier is the Audience URL from Netskope Settings"


Thank you very much, I will check it this week and let you know how I am doing with this after

I have this key information.

 

Let me try it and let you know

 

Best regards

Userlevel 4
Badge +17

Greetings! @MetgatzNK  I wanted to check in with you to see if the solution provided by @sshiflett  was suitable for your needs. If it worked, please mark the reply as "Accept as Solution" so it will bubble up to the top for other users.

Reply