Browser Access Authentication Bypass for URIs
This document explains how to configure and test use cases for the NPA Browser Access URI Authentication Bypass feature.
Background
NPA Browser Access is designed to enforce authentication for all incoming requests. As a result, any unauthenticated requests are automatically redirected to an Identity Provider (IdP) for authentication. In scenarios where URIs cannot carry an authentication cookie, the URI Auth Bypass feature for Browser Access provides a solution by bypassing authentication for the configured URI(s) and forwarding the request to the destination.
Example:
You have a browser access application defined with the hostname server.acme.com and would like to bypass authentication for URIs:
server.acme.com/rest/v1/system/subsystems/management_module
server.acme.com/rest/v1/system/subsystems/management_aav
In such scenarios, you can enable the URI Auth Bypass feature.
- Contact your Netskope Account Team to enable the feature flag for the NPA Bypass URI feature on your tenant.
- NPA Browser Access Application(s) and respective policies need to be already configured.
See https://docs.netskope.com/en/configure-browser-access-for-private-apps/ for configuration details.
Configure Authentication Bypass URIs
- Go to Settings > Security Cloud Platform > App Definitions and select the Private Apps tab.
- Create a New Browser Access Private App, or edit an existing one.
Note that this capability is supported for HTTP and HTTPS protocols only.
- Enable Bypass authentication for specific URIs, and enter the URIs to bypass.
For example:
/rest/v1/system/subsystems/management_module
Note: If there are multiple URIs to bypass, enter each URI on its own line.
- Up to 20 URIs per app definition are supported.
- Regular Expressions are not supported. Also, a null URI (like “/”) is not supported.
- As a security measure, Netskope requires an HTTP request header on requests to a URI that bypasses authentication. The header has a fixed key, X-NSKP-URIBYPASS, and its expected value needs to be configured as shown in the example below. The header value can be 8 to 64 characters long. Enter a header value, and then click Save.
Validate the URI Auth Bypass
After configuring the URIs to bypass authentication, requests for those URIs should no longer require authentication cookies. The examples below demonstrate one way to validate this using curl commands.
- Access the host server.acme.com. For example:
curl -m 60 -v --tlsv1.2 --tls-max 1.2 'https://server.acme.com'
This should redirect to the IdP authentication page (302).
- Access the URI that would bypass authentication, but without the header in the request. For example:
curl -m 60 -v --tlsv1.2 --tls-max 1.2 'https://server.acme.com/rest/v1/system/subsystems/management_module'
This should redirect to the IdP authentication page (302).
- Access the URI that would bypass authentication, with the correct header value in the request. For example:
curl -m 60 -H 'X-NSKP-URIBYPASS: iZymg4H1lgMkaR2Sk2Gt875EZmiTbQ0X' -v --tlsv1.2 --tls-max 1.2 'https://server.acme.com/rest/v1/system/subsystems/management_module'
This should return a 200 OK response with no redirect, which validates the desired behavior.
- Access the URI that would bypass authentication, but with an incorrect header value in the request. For example:
curl -m 60 -H 'X-NSKP-URIBYPASS: 8CoWaPlWw8XKOnHgnE0Gr3s8cyiIz1gw' -v --tlsv1.2 --tls-max 1.2 'https://server.acme.com/rest/v1/system/subsystems/management_module'
This should redirect to the IdP authentication page (302).
Troubleshooting Steps
- Validate that the correct header key/value pairs are present for the URIs that would bypass authentication. Collect a HAR capture to confirm this.
- If any issues are found, please collect a screen recording and a HAR capture of the traffic flows, and share them with the Netskope Support team for further troubleshooting.
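As an added example (not Netskope's own tooling), the following Python reads a HAR capture and, for each request to a configured bypass URI, reports whether the X-NSKP-URIBYPASS header was present with a value of valid length (8 to 64 characters) and which status the response carried, so that a 302 on a request that should have bypassed authentication can be traced to a missing or malformed header. The bypass URI list and the HAR entries are constructed for the example.

```python
"""Check a HAR capture for NPA Browser Access URI Auth Bypass requests (example, not Netskope code)."""
import json
from urllib.parse import urlsplit

BYPASS_HEADER = "X-NSKP-URIBYPASS"

# Assumed for this example: the URIs configured for bypass on the app definition.
BYPASS_URIS = {
    "/rest/v1/system/subsystems/management_module",
    "/rest/v1/system/subsystems/management_aav",
}

# Constructed HAR excerpt standing in for a real browser capture.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"url": "https://server.acme.com/rest/v1/system/subsystems/management_module",
                 "headers": [{"name": "X-NSKP-URIBYPASS", "value": "constructed-example-value-123456"}]},
     "response": {"status": 200}},
    {"request": {"url": "https://server.acme.com/rest/v1/system/subsystems/management_aav",
                 "headers": []},
     "response": {"status": 302}},
    {"request": {"url": "https://server.acme.com/rest/v1/system/subsystems/management_aav",
                 "headers": [{"name": "x-nskp-uribypass", "value": "short"}]},
     "response": {"status": 302}},
    {"request": {"url": "https://server.acme.com/", "headers": []},
     "response": {"status": 302}},
]}})


def check_har(har_text, bypass_uris=BYPASS_URIS):
    """Return one (path, header state, response status) tuple per request to a bypass URI."""
    findings = []
    for entry in json.loads(har_text)["log"]["entries"]:
        path = urlsplit(entry["request"]["url"]).path
        if path not in bypass_uris:
            continue  # not a bypass URI; the normal IdP redirect is expected
        # HTTP header names are case-insensitive, so compare them case-folded.
        values = [h["value"] for h in entry["request"]["headers"]
                  if h["name"].lower() == BYPASS_HEADER.lower()]
        if not values:
            state = "header missing"
        elif not 8 <= len(values[0]) <= 64:
            state = "header value length out of range (8-64)"
        else:
            state = "header present"
        findings.append((path, state, entry["response"]["status"]))
    return findings


if __name__ == "__main__":
    for path, state, status in check_har(SAMPLE_HAR):
        print(f"{status} {path}: {state}")
```

A bypass URI that shows "header present" with a 302 points at a header value that does not match the one saved in the app definition.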