Browser Access Authentication Bypass for URIs

This document explains how to configure and test use cases for the NPA Browser Access URI Authentication Bypass feature.

Note

Before requesting the enablement of this feature, review this documentation thoroughly to fully understand the requirements and functionality. Note that the feature doesn’t support ‘/’ as a valid URI for authentication bypass, and custom HTTP request headers need to be included for authentication bypass.

Background

NPA Browser Access is designed to enforce authentication for all incoming requests. As a result, any unauthenticated requests are automatically redirected to an Identity Provider (IdP) for authentication. In scenarios where one or more URIs cannot carry an authentication cookie, the URI Auth Bypass feature for Browser Access provides a solution by bypassing authentication for the configured URI(s) and forwarding the request to the destination.

Example:

You have a browser access application defined with the hostname server.acme.com and would like to bypass authentication for URIs:

  • server.acme.com/rest/v1/system/subsystems/management_module
  • server.acme.com/rest/v1/system/subsystems/management_aav

In such scenarios, you can enable the URI Auth Bypass feature.

Prerequisites

  • Contact your Netskope Account Team to enable the feature flag for the NPA Bypass URI feature on your tenant.
  • NPA Browser Access Application(s) and respective policies need to be already configured.
    Go to https://docs.netskope.com/en/configure-browser-access-for-private-apps/ for configuration details.
  • An additional HTTP request header is expected to be included for URIs that require authentication bypass. The HTTP request header uses a fixed key, X-NSKP-URIBYPASS, and the expected value must be configured in the Netskope UI.

Configure Authentication Bypass URIs

  1. Go to Settings > Security Cloud Platform > App Definitions and select the Private Apps tab.
  2. Create a New Browser Access Private App, or edit an existing one. Enable the Allow Browser Access toggle.

    Note that this capability is supported for HTTP and HTTPS protocols only.

  3. Enable Bypass authentication for specific URIs, and enter the URIs to bypass.

    For example: /rest/v1/system/subsystems/management_module

    Notes

    • If there are multiple URIs to bypass, put them on separate lines.
    • Up to 20 URIs per App Definition are supported.
    • Regular Expressions are not supported. Also, a null URI (like “/”) is not supported.
  4. As a security measure, Netskope expects an additional HTTP request header to be included for URIs that require authentication bypass. The HTTP request header has a fixed key, X-NSKP-URIBYPASS, and the expected value needs to be configured as shown in the example below.
    In the Private App Definition, under URI Bypass, enter a header value.

    Notes

    • The header value can be 8 to 64 characters long.
    • The header value is a secret between the customer and Netskope. Only the URIs configured in the App Definition under URI Bypass, along with the HTTP request header and key, will bypass authentication.

    Click Save

Validate the URI Auth Bypass

After configuring the URIs to bypass authentication, requests for those URIs should no longer require authentication cookies. The examples below demonstrate one way to validate this using curl commands.

  1. Access the host server.acme.com. For example:
    curl -m 60 -v --tlsv1.2 --tls-max 1.2 'https://server.acme.com'
    This should redirect to the IdP authentication page (302).
  2. Access the URI that would bypass authentication, but without the header in the request. For example:
    curl -m 60 -v --tlsv1.2 --tls-max 1.2 'https://server.acme.com/rest/v1/system/subsystems/management_module'
    This should redirect to the IdP authentication page (302).
  3. Access the URI that would bypass authentication and has the correct header value in the request. For example:
    curl -m 60 -H 'X-NSKP-URIBYPASS: iZymg4H1lgMkaR2Sk2Gt875EZmiTbQ0X' -v --tlsv1.2 --tls-max 1.2 'https://server.acme.com/rest/v1/system/subsystems/management_module'
    This should be a 200 OK response with no redirect. This validates the desired behavior.
  4. Access the URI that would bypass authentication, but has an incorrect header value in the request. For example:
    curl -m 60 -H 'X-NSKP-URIBYPASS: 8CoWaPlWw8XKOnHgnE0Gr3s8cyiIz1gw' -v --tlsv1.2 --tls-max 1.2 'https://server.acme.com/rest/v1/system/subsystems/management_module'
    This should redirect to the IdP authentication page (302).

Troubleshooting Steps

  1. Validate that the correct header key/value pairs are present for the URIs that would bypass authentication. Collect a HAR capture to confirm this.
  2. If any issues are found, please collect a screen recording and a HAR capture of the traffic flows, and share them with the Netskope Support team for further troubleshooting.
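
Added example, not Netskope code: a Python audit of a HAR capture for the troubleshooting step above. For each request it reports whether X-NSKP-URIBYPASS was present and correct, and whether the response status matches the outcomes listed under validation (200 with the correct header, 302 otherwise). Exact path matching, the `audit_har` and `entry` names, and the sample capture and header value are assumptions constructed for illustration.

```python
import hmac
from urllib.parse import urlsplit

HEADER = "x-nskp-uribypass"  # fixed key from the page; header names are case-insensitive

def audit_har(har, host, bypass_paths, expected_value):
    """Return (path, status, verdict) rows for requests to `host` in a HAR dict."""
    rows = []
    for e in har["log"]["entries"]:
        req, status = e["request"], e["response"]["status"]
        url = urlsplit(req["url"])
        if url.hostname != host:
            continue
        sent = [h["value"] for h in req["headers"] if h["name"].lower() == HEADER]
        if url.path not in bypass_paths:  # assumption: exact path match
            if sent:  # the value is a shared secret; it should not travel elsewhere
                rows.append((url.path, status, "secret header sent to non-bypass URI"))
            continue
        if not sent:
            verdict = "header missing"
        elif hmac.compare_digest(sent[0].encode(), expected_value.encode()):
            verdict = "header ok"
        else:
            verdict = "header value mismatch"
        # Outcomes the page lists: 200 with the correct header, 302 to the IdP otherwise.
        want = 200 if verdict == "header ok" else 302
        if status != want:
            verdict += f", unexpected status (expected {want})"
        rows.append((url.path, status, verdict))
    return rows

def entry(path, status, headers=()):
    """Build one minimal HAR entry (constructed sample data, not a real capture)."""
    return {"request": {"url": f"https://server.acme.com{path}",
                        "headers": [{"name": n, "value": v} for n, v in headers]},
            "response": {"status": status}}

PATH = "/rest/v1/system/subsystems/management_module"
BYPASS = {PATH}
SECRET = "constructed-example-value"  # placeholder, not a real header value
SAMPLE_HAR = {"log": {"entries": [
    entry("/", 302),
    entry(PATH, 302),
    entry(PATH, 200, [("X-NSKP-URIBYPASS", SECRET)]),
    entry(PATH, 302, [("x-nskp-uribypass", "wrong-value-000")]),
    entry("/index.html", 302, [("X-NSKP-URIBYPASS", SECRET)]),
]}}

if __name__ == "__main__":
    for row in audit_har(SAMPLE_HAR, "server.acme.com", BYPASS, SECRET):
        print(row)
```

To audit a real capture, load the exported `.har` file with `json.load` and pass the resulting dict in place of `SAMPLE_HAR`.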