Netskope Global Technical Success (GTS)
Replacing Expiring Entra ID SAML Certificates for Netskope Services
Netskope Cloud Version - 126
Objective
The purpose of this article is to explain how to replace the Entra ID certificate used for SAML authentication with Netskope for SSO Tenant Access, Forward Proxy, or Reverse Proxy.
Prerequisite
Netskope tenant access and Entra ID access are required.
Context
When creating an enterprise application in Entra ID for the Netskope Administration Console (SSO Tenant Access) or for Netskope User Authentication (Forward Proxy or Reverse Proxy), Entra ID generates a SAML signing certificate with an expiration date. Before the expiration date is reached, you must generate a new Entra ID SAML certificate, activate it, and upload the new certificate to Netskope.
ℹ️ Expired certificates will trigger a warning similar to the one shown below on both the "SAML - Forward Proxy" and "SAML - Reverse Proxy" pages.
Configuration
Step #1 - Generate a new Entra ID certificate (when the current one has expired or is about to expire).
Path: Entra ID UI >>> Enterprise Applications >>> Select the Netskope Application with expired SAML certificate >>> Single sign-on
- Click “Edit”, select “New Certificate”, then press “Save”.
ℹ️ When the new certificate is saved, it is in an inactive state.
Step #2 - Download the new certificate
- Click the new (inactive) certificate's settings, then press “Base64 certificate download”.
Step #3 - Make the new certificate active
- Click “Make Certificate active”.
Step #4 - Replace the Entra ID SAML certificate on Netskope Forward Proxy
Path: Netskope Tenant UI >>> Security Cloud Platform >>> Forward Proxy >>> SAML
- Click the application's name.
- Remove the old certificate, submit the new certificate, then press “Save”.
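As an added example (not part of this article and not Netskope or Microsoft code), the script below reads the Base64 certificate downloaded in Step #2 and reports its notAfter date and the days remaining, so you can confirm you are uploading the new certificate in Step #4 and schedule the next rotation before the expiry warning appears. It uses only the Python 3 standard library; the embedded certificate is a constructed, unsigned sample, not a real Entra ID certificate.

```python
import base64
import re
from datetime import datetime, timezone

def read_tlv(buf, off):
    """Decode one DER TLV at buf[off]; return (tag, value, offset after it)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                       # long-form length: next N bytes hold it
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length

def pem_to_der(pem):
    """Strip the PEM armour of the Base64 download and return the DER bytes."""
    return base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", pem))

def cert_not_after(pem):
    """Return notAfter (UTC) by walking Certificate -> TBSCertificate -> Validity."""
    _, cert, _ = read_tlv(pem_to_der(pem), 0)       # Certificate SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)                   # TBSCertificate SEQUENCE
    off = 0
    if tbs[0] == 0xA0:                              # optional [0] EXPLICIT version
        _, _, off = read_tlv(tbs, off)
    for _ in range(3):                              # serialNumber, signature, issuer
        _, _, off = read_tlv(tbs, off)
    _, validity, _ = read_tlv(tbs, off)             # Validity SEQUENCE { notBefore, notAfter }
    _, _, off = read_tlv(validity, 0)               # skip notBefore
    tag, raw, _ = read_tlv(validity, off)           # notAfter: UTCTime (0x17) or GeneralizedTime (0x18)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def days_until_expiry(pem, now=None):
    """Whole days left before the certificate expires (negative once expired)."""
    now = now or datetime.now(timezone.utc)
    return (cert_not_after(pem) - now).days

def _der(tag, payload):
    """Tiny DER encoder used only to build the constructed sample below."""
    n = len(payload)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x82, n >> 8, n & 0xFF])) + payload

# Constructed sample (not a real Entra ID certificate): structurally valid but unsigned,
# with a Validity period of 2024-01-01 to 2025-01-01.
SHA256_RSA_OID = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")))
_TBS = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + SHA256_RSA_OID
        + _der(0x30, b"") + _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"250101000000Z")))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(_der(0x30, _der(0x30, _TBS) + SHA256_RSA_OID + _der(0x03, b"\x00"))).decode()
              + "\n-----END CERTIFICATE-----\n")
```

To check a real download, read the .cer file's text into `pem` and call `days_until_expiry(pem)`; a result close to zero or negative means the certificate in Netskope is the one that still needs replacing.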
Validation
After the Entra ID SAML certificate is replaced, verify that everything works as expected by performing the test below.
*** This test will only work if you use a valid user assigned to the enterprise application ***
ℹ️ The above process also applies to any other page where a third-party SAML certificate must be submitted to Netskope, such as the SSO page and SAML Reverse Proxy.
Terms and Conditions
- All documented information undergoes testing and verification to ensure accuracy.
- The vendor may alter the application's functionality in the future. If any such changes are brought to our attention, we will promptly update the documentation to reflect them.
Notes
- This article is authored by Netskope Global Technical Success (GTS).
- For any further inquiries related to this article, please contact Netskope GTS by submitting a support case with 'Case Type – How To Questions'.