Multi-user in non-AD environments - Users in Google and Okta

  • 31 May 2023
  • 9 replies
  • 155 views

Badge +11


Hello, good afternoon, I hope all is well.

I have the following question.

In an environment where some users are in Okta and others in Gmail, how would you handle user accounts for multi-user workstations when you do not have Active Directory?

I mean, for example:

We have approx. 30 workstations shared by 3 or 4 people, where different people log in to the workstation in different work shifts, with different local accounts on those workstations.

So these machines use local accounts, but I need to differentiate the access privileges of each of those 4 people/accounts into different access levels for Netskope policies.

How do I use multi-user or Multi-User Mode in this kind of environment? Is it possible to do it IDP-like with Okta accounts, as with Google Workspace accounts?

Thank you for your time and your collaboration.

Best regards


9 replies

Userlevel 5
Badge +16

We're ingesting users into our tenant through an intermediary IDP via SCIM, which is in turn being fed users from our AD.

On the workstations, we're installing the client with IDP and multi-user modes enabled.

Userlevel 6
Badge +16

@qyost touched on it, but yes, this is supported with IDP-based client enrollment with the client in multi-user mode. This will require multiple-IDP support to be enabled on your tenant so that we can forward users to Google or Okta depending on the domain or other criteria.

Userlevel 5
Badge +16

Yeah, I caught after responding here that they might have been attempting to auth to different IDPs, rather than just having IDP and multiuser enabled.

But the notes about non-overlapping IDPs within the same tenant are certainly interesting.

Badge +11

Hello @qyost @sshiflett, thank you for your comments, for your collaboration and good vibes.

Ah, OK. So for multi-user environments on workstations that are not inside an AD, with only Okta and Google Workspace users, thinking of endpoints without a Windows domain and with different local accounts (for example 3 or 4 different accounts on those desktops, which in turn will be mapped to 3 or 4 different accounts in Netskope), according to what you tell me the best option is:

Install the client in user mode, in Multi-User, with IDP Mode? Do you think that is then the best option?

For Multi-User IDP Mode, is there any key requirement or prerequisite? I imagine the users/groups need to be provisioned, but is there any point that needs particularly careful consideration? Points I should pay attention to?

Thanks as always for your time, for your kind collaboration and for your good vibes.

I remain attentive.

Regards, and I remain attentive to your comments.

Userlevel 6
Badge +16

@MetgatzNK so long as peruserconfig (multi-user) mode is enabled on the client and you have the users/groups that will be authenticated via the IDP provisioned, there shouldn't be any other items.

Badge +11

Hello @sshiflett, thanks for your reply.

So the best option for this case is to install using peruserconfig (multi-user) and indicate the IDP mode.

That is, for example:


msiexec /I NSClient.msi tenant=<tenant> domain=region.goskope.com installmode=IDP mode=peruserconfig

I understand that only one IDP can be used for the Netskope installation, because I don't see how it can be distinguished; that is, if I use IDP mode with Okta, Google Workspace or Azure AD, I can only define one method, right? Because I don't see how it would distinguish at the login level if there are different IDPs... or is it capable of doing so? That is to say, having users in Okta, others in Google Workspace and others in Azure AD, can IDP mode distinguish the IDP for each SP?

@qyost

Thank you very much for your time, for your comments and collaboration.

Kind regards

Userlevel 5
Badge +16

My understanding (if I'm tracking the comments correctly) is that you could use multiple IDPs if they have a unique domain portion of the user ID, i.e. foo@bar.com, foo@bar.net, and foo@barbarbar.com could be pointed at three distinct IDPs all configured for the same tenant.

Badge +11

Hello @qyost, thank you for your reply.

As always thank you for your time and cooperation.

But what happens, for example, in the case where I have:

In Okta, users:

user01@dominio1.com
user02@dominio1.com
user03@dominio1.com
user04@dominio1.com

And in Google Workspace:

user05@dominio1.com
user06@dominio1.com
user07@dominio1.com
user08@dominio1.com

In both cases it is the same domain; only some users are in Google Workspace and others in Okta.

At the IDP level and in the multi-user install, how can I indicate that user X goes with a certain IDP and other users against another? Since they are the same domain, how would it be done in such a case? @sshiflett

Thank you, I remain attentive.

Best regards

Userlevel 6
Badge +16

@MetgatzNK we need something to differentiate the users on, such as domain or IP address. Since these are shared devices, I assume they come from static IP addresses? We could potentially specify the IP or egress IP that these devices will be coming from. If all these users are on the same domain, is there a delineation of which users belong to each domain?
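The domain-based IDP routing qyost describes and the egress-IP fallback sshiflett raises, as an added illustrative model that is not Netskope's own implementation or API: the rule objects are hypothetical, the domains and IP ranges are constructed from the thread, and the point shown is that users of one domain split across two IDPs can only be separated by a second criterion.

```python
"""Illustrative model of the IDP-routing question raised in this thread.

Added example, not Netskope's implementation: a tenant with several IDPs,
each selected by the domain part of the user ID (as qyost describes) and,
as a fallback, by the egress IP of the shared device (as sshiflett suggests).
It shows why users of one domain split across Okta and Google Workspace
cannot be told apart by domain alone.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class IdpRule:
    name: str
    domains: set = field(default_factory=set)        # user-ID domains routed here
    egress_nets: list = field(default_factory=list)  # device egress ranges routed here


def select_idp(user_id: str, egress_ip: str, rules: list) -> Optional[str]:
    """Return the single IDP a login is forwarded to, or None when the
    configured criteria do not identify exactly one IDP (ambiguous)."""
    domain = user_id.rsplit("@", 1)[-1].lower()
    by_domain = [r.name for r in rules if domain in r.domains]
    if len(by_domain) == 1:
        return by_domain[0]
    # Domain shared by several IDPs (the asker's case) or unknown: fall back
    # to the device egress IP, which is static for the shared workstations.
    addr = ip_address(egress_ip)
    by_ip = [r.name for r in rules
             if any(addr in ip_network(net) for net in r.egress_nets)]
    return by_ip[0] if len(by_ip) == 1 else None


# Constructed sample configuration mirroring the thread (not real tenant data).
RULES = [
    IdpRule("okta", {"bar.com", "dominio1.com"}, ["203.0.113.0/28"]),
    IdpRule("google", {"bar.net", "dominio1.com"}, ["203.0.113.16/28"]),
    IdpRule("azure", {"barbarbar.com"}),
]

if __name__ == "__main__":
    # Unique domain: routed by domain alone (qyost's case).
    print(select_idp("foo@bar.com", "198.51.100.5", RULES))          # okta
    # Shared domain: only the egress IP of the workstation can decide.
    print(select_idp("user05@dominio1.com", "203.0.113.20", RULES))  # google
    # Shared domain, no IP rule matching: no single IDP can be selected.
    print(select_idp("user05@dominio1.com", "198.51.100.5", RULES))  # None
```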
