Netskope Global Technical Success (GTS)
Replacing SCIM Integration with Netskope REST APIv2 in Okta
Netskope Cloud Version - 122
Objective
This article aims to explain how to replace the soon to be deprecated “SCIM Integration” with Netskope APIv2 for users/groups provisioning on Okta.
For further information, please visit the following articles:
Netskope Product EOL Announcements
SCIM Settings for User Provisioning
Note: EoL is targeted for 21st of March, 2025.
Context
SCIM integration between Netskope and Okta for the users and groups provisioning uses an OAuth token to access provisioning service in the cloud via URL: “addon-*.goskope.com/SCIM/v2”, this will be deprecated in March next year, and customers must take actions prior to its deprecation.
SCIM integration
Path: Netskope Tenant UI >>> Settings >>> Tools >>> Directory Tools >>> SCIM Integration as shown below:
Procedure
| ℹ️ If your tenant has been already migrated to RBACv3 please define the Service Account with the needed API v2 endpoint as explained here: https://docs.netskope.com/en/scim-user-provisioning-with-rbacv3 |
Step 1 - Create a new token as follows:
Path: Netskope Tenant UI >>> Settings >>> Tools >>> REST API V2
After that you click “SAVE”, please ensure you get the API V2 token by clicking the “COPY TOKEN” as shown below. Please make sure to store it in a safe place:
| ⚠️#1. Ensure that the Rest Api v2 feature is turned on ⚠️#2. Every REST API V2 token has an expiration |
Step 2. On Okta Admin Console, in Applications, locate the “Netskope User Enrollment” App (*App name may change)
Step 3. In the Provisioning tab change the URL and the Token as shown below:
Replace with:
|
| Current value | New Value |
| URL | https://addon-<tenantname>[.region].goskope.com/SCIM/v2 | https://<tenantname>[.region].goskope.com/api/v2/scim |
| Token | Old token got from the “Settings >>> Tools >>> Directory Tools >>> SCIM Integration” | New token got at Step #1 |
Step 4. Test the connection to ensure it is successful, if so then save the configuration:
| ⚠️ As mentioned on the Netskope Product EOL Announcements, If your Netskope tenant is hardened using IP Allowlist (Settings >>> Administration >>> IP Allowlist - see screenshot below), then you must ensure you add the respective source IP addresses of your integrated REST API V2 services to the Custom IP list. Important: Okta provides its IP ranges in the article below. |
Step 5. After some days of monitoring, please proceed to remove the old token under Settings >>> Tools >>> Directory Tools >>> SCIM Integration page as shown below
Terms and Conditions
- All documented information undergoes testing and verification to ensure accuracy.
- In the future, it is possible that the application's functionality may be altered by the vendor. If any such changes are brought to our attention, we will promptly update the documentation to reflect them.
Notes
- This article is authored by Netskope Global Technical Success (GTS).
- For any further inquiries related to this article, please contact Netskope GTS by submitting a support case with 'Case Type – How To Questions'.
