Netskope Global Technical Success (GTS)
Netskope Admin SSO - Microsoft Azure
Objective
This document provides step-by-step instructions to help our customers configure SSO with Azure for Netskope Admin accounts.
Details
The prerequisites for configuring Single Sign-On for admins to access the Netskope tenant are:
- Local Login admin access to Netskope tenant
- Admin access to Azure “Microsoft Entra ID”
Step-by-Step configuration
Step 1: Log in to the Netskope tenant using the “Local Login” credentials shared with the admin when the tenant was created.
Link: https://<NetskopeTenant>.goskope.com/locallogin
Step 2: Navigate to the SSO page.
Path: Netskope Tenant UI >>> Settings >>> Administration >>> SSO
Step 3: Click “New Account” on the SSO page to configure the Single Sign-On setup for Azure.
Once clicked, a three-page prompt appears:
- Account Info
- Netskope Settings
- Create Account
Account Info
We can start the configuration by assigning a name to the account (e.g. Azure Admin SSO).
User Authentication Domain is an important field: when multiple IdPs are in use, the domain of the user logging in decides which IdP is selected. (Multiple-IdP access is not available by default.)
Add or manage existing or new domains here:
Path: Netskope Tenant UI >>> Settings >>> Administration >>> Internal-domains
Alternate User ID Attribute: this optional field can be used to specify an alternative attribute for the user ID. By default, the Netskope User ID is an email address.
Netskope Settings
When setting up SAML (Security Assertion Markup Language) authentication, the ACS URL, Entity ID, and SAML certificate are required from the Service Provider (SP) to establish a secure and successful connection between the SP and the Identity Provider (IdP).
- The ACS URL is where the IdP sends the SAML assertion (authentication response) after a user successfully authenticates.
- The Entity ID is a unique identifier for the SP. It distinguishes the SP from other providers, ensuring that the correct service is interacting with the IdP.
- The SAML certificate is used to sign and encrypt the SAML assertions and responses, ensuring data integrity and confidentiality.
We can also download the SP Metadata (an XML file that contains all the information mentioned above).
The SP Metadata file can later be uploaded to Azure to supply all the required information.
Admin roles: we can decide whether all admin roles should be directed to log in via SSO, or whether only specific admin roles should use SSO for authentication.
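The following Python is an added example, not Netskope's code: it parses a constructed SP metadata file of the kind described above and pulls out the values the Azure side needs (Entity ID, ACS URL, signing certificate), plus the AuthnRequestsSigned flag that corresponds to the “Sign SSO Authentication request” option described later. The tenant name, paths and certificate body in the sample are placeholders.

```python
# Added example (not Netskope's code): extract the SP settings from a
# constructed SP metadata XML, the way an IdP admin would check them
# before (or instead of) uploading the file to Azure.
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample; real values come from the file downloaded from the tenant.
SAMPLE_SP_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://example-tenant.goskope.com/saml/admin">
  <md:SPSSODescriptor AuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...constructed-placeholder...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-tenant.goskope.com/saml/admin/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

def parse_sp_metadata(xml_text):
    """Return the SP settings an IdP admin needs; raise if any is missing."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")
    sp = root.find("md:SPSSODescriptor", NS)
    if entity_id is None or sp is None:
        raise ValueError("not an SP metadata document")
    # Only the HTTP-POST ACS endpoint is of interest for this setup.
    acs = sp.find("md:AssertionConsumerService"
                  "[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']", NS)
    cert = sp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data"
                   "/ds:X509Certificate", NS)
    if acs is None or cert is None:
        raise ValueError("metadata lacks a POST ACS URL or a signing certificate")
    return {
        "entity_id": entity_id,
        "acs_url": acs.get("Location"),
        "signing_cert": "".join(cert.text.split()),  # strip PEM line breaks
        "authn_requests_signed": sp.get("AuthnRequestsSigned", "false").lower() == "true",
    }

if __name__ == "__main__":
    for key, value in parse_sp_metadata(SAMPLE_SP_METADATA).items():
        print(f"{key}: {value}")
```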
Create Account
Account Status needs to be Enabled in order for the SSO to work.
We can add an extra layer of security by enabling Sign SSO Authentication Request, which adds a digital signature to the Single Sign-On (SSO) authentication request, ensuring its integrity. When the request is signed, it confirms to the Identity Provider (IdP) that the request truly comes from the Service Provider (SP) and has not been altered in transit.
This helps prevent unauthorized or tampered login attempts by verifying the legitimacy of the authentication request before allowing access.
Disable Force Authentication: when this box is checked, Netskope will not send Force Authentication requests in the SAML request, so admins with an existing IdP session are not asked to authenticate again.
By default, users will be required to log in (authenticate) to the application.
To complete the configuration, the following (required) information must be fetched from the IdP:
- IDP SSO URL
- IDP Entity ID
- IDP Certificate
Step 4: Log in to the Azure account with admin privileges to configure the IdP side and fetch the required information.
Azure: https://portal.azure.com
Navigate: Home > Microsoft Entra ID > Enterprise Applications > Manage > All Applications
Step 5: Click “New Application” to add and configure “Netskope Administrator Console”.
Once added, select the application to start the configuration:
Netskope Administrator Console > Setup Single Sign on
Step 6: Upload the SP Metadata file (downloaded in Step 3, Netskope Settings) to Azure on the “Single Sign-on with SAML” page.
This automatically completes the following fields on Azure:
- SP Entity ID
- SP ACS URL
Click “Save” to activate the changes and complete the IdP configuration.
Step 7: Download the IdP certificate and copy the IdP SSO URL and IdP Entity ID from the Azure “Single Sign-on with SAML” page.
Step 8: Paste the IdP SSO URL and IdP Entity ID, along with the IdP certificate, into the Netskope SSO configuration (Step 3, Create Account).
Recommended (Optional)
Single Logout (SLO) ensures that when a user logs out from one service (Service Provider), they are also logged out from other services connected to the same Identity Provider (IdP). This provides a unified logout experience across multiple applications that use the same authentication system.
Click “Finish” to complete the Admin SSO Configuration on Netskope (SP).
Note: If the tenant session is logged out after Step 8, you can log back into the tenant using the local admin credentials by visiting https://<tenant-URL>/locallogin. Once logged in, proceed with the steps below to complete the integration.
Step 9: Assign admins to the “Netskope Administrator Console” under “Users and groups”, making sure the admins are mapped to the designated role (access permissions) first; Netskope will not allow an admin to log in to the tenant if no role is mapped.
In this step, the term “user” is used for admins.
- Create an “App Role”
- Assign a user & “App Role” to the Application (Netskope Administrator Console)
Netskope Administrator Console > Security > Permissions > Application Registration
Netskope Administrator Console > Security > Permissions > Application Registration > App roles
We can create a new app role on Azure using the roles available on the Netskope tenant or we can create new roles on the Netskope tenant and then map them to Azure under the “App roles” page.
=====================
Sample
Path: Netskope Tenant UI >>> Settings >>> Administration >>> Roles
We can create a new role or use one of the predefined roles; its (Name, Value) pair is what is mapped on Azure.
Name: Tenant Admin
Value: TenantAdmin
Using the same pair, we can create a role on Azure and map it to the user/admin during assignment.
=====================
A. Creating a new role on Azure
Add the Name and Value, select the checkbox and click “Apply”; the new role is created.
B. Assign a user/admin to the Netskope Administrator Console application together with an “App role”
Select “Add user/group”
Select the user and the role created under App roles, then click “Assign” to map the admin to the application along with the role (access permissions).
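As an added example (not Netskope's code), the following Python applies the rule from Step 9 and the role sample above to a constructed, unsigned SAML assertion: the NameID must be an email address, and at least one app role value sent by the IdP must map to a Netskope role Value such as TenantAdmin, otherwise the login is refused. The role claim name is assumed to be the one Azure uses for app roles, and the example.com identity is a placeholder.

```python
# Added example (not Netskope's code): decide whether an admin carried by a
# constructed SAML assertion maps to a Netskope role, mirroring the Step 9
# rule that an admin without a mapped role is not allowed to log in.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumption: Azure emits app roles under this claim name in the assertion.
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
# Netskope role Value -> Name, using the (Name, Value) pair shown in this article.
NETSKOPE_ROLES = {"TenantAdmin": "Tenant Admin"}

def build_assertion(name_id, roles):
    """Build a constructed, unsigned assertion for the demo (not a real Azure token)."""
    values = "".join(f"<saml:AttributeValue>{r}</saml:AttributeValue>" for r in roles)
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}">'
            f"<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>"
            f'<saml:AttributeStatement><saml:Attribute Name="{ROLE_CLAIM}">'
            f"{values}</saml:Attribute></saml:AttributeStatement></saml:Assertion>")

def resolve_admin(assertion_xml):
    """Return (email, Netskope role name); raise PermissionError if login must be refused."""
    root = ET.fromstring(assertion_xml)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id or "@" not in name_id:
        raise PermissionError("NameID is missing or not an email address")
    path = f"saml:AttributeStatement/saml:Attribute[@Name='{ROLE_CLAIM}']/saml:AttributeValue"
    sent = [v.text for v in root.findall(path, NS)]
    mapped = [NETSKOPE_ROLES[r] for r in sent if r in NETSKOPE_ROLES]
    if not mapped:
        raise PermissionError(f"{name_id}: no app role maps to a Netskope role (got {sent})")
    return name_id, mapped[0]

def admin_allowed(assertion_xml):
    """Accept/refuse form of resolve_admin."""
    try:
        resolve_admin(assertion_xml)
        return True
    except PermissionError:
        return False

if __name__ == "__main__":
    print(resolve_admin(build_assertion("admin@example.com", ["TenantAdmin"])))
    print(admin_allowed(build_assertion("admin@example.com", [])))  # no role mapped
```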
Step 10: Admins can now log in to the Netskope tenant using Azure SSO.
Netskope Tenant > Settings > Administration > Admins
Terms and Conditions
- All documented information undergoes testing and verification to ensure accuracy.
- In the future, if any such platform changes are brought to our attention, we will promptly update the documentation to reflect them.
Notes
- This article is authored by Netskope Global Technical Success (GTS).
- For any further inquiries related to this article, please contact Netskope GTS by submitting a support case with 'Case Type – How To Questions'.