Browser Access with Multiple IdPs
This document explains how to configure and test a use case for the NPA Browser Access Multiple IdPs feature.
Enabling this feature allows you to configure multiple reverse proxy SAML accounts of type Private Apps. You can configure multiple reverse proxy SAML accounts (IdPs), and configure multiple email domains per SAML account configuration for criteria matching per IdP.
Use Case: ACME Corp has an existing enterprise IdP1. ACME Corp also has external users from Vendor A (using IdP a) and Vendor B (using IdP b) who require access to their applications. In such a scenario, you can enable the Browser Access Multiple IdP Support feature.
Prerequisites
- Enable the feature flag for NPA Browser Access Multiple IdP (contact Support or your sales rep).
- Your NPA Browser Access Application(s), respective policies, and SAML Reverse Proxy Account of type Private Apps are already configured.
Review https://docs.netskope.com/en/configure-browser-access-for-private-apps/ for configuration details.
- External users (users from additional IdPs) are imported via SCIM or Directory Importer to the Netskope tenant.
Review these articles for additional details.
https://docs.netskope.com/en/netskope-scim-settings/
https://docs.netskope.com/en/configure-directory-importer/
UI Changes
SAML Account Page
When the Browser Access Multiple IdP feature flag is enabled for a tenant, an additional setting labeled User Authentication Domain will appear in the UI.
Note
Netskope supports up to 10 SAML accounts for Private Applications.
Landing Page
When multiple SAML accounts for Private Apps are configured, a new landing page (shown below) is presented to the end-user when they access a browser-based application for the first time. On this page, the user enters their email address and clicks Continue. Based on the configured domain match criteria, the relevant IdP is then presented to the user.
Notes
- When the feature for multiple IdP is enabled and multiple IdPs are configured in the tenant, the landing page is presented for all configured Browser Access apps and for all the users accessing those apps.
- It appears when accessing an application for the first time, and for all users requiring access to these applications.
- The user will be required to re-enter their email on the landing page only after the Browser Access cookie expires (default is 24 hours), or if the browser cache is cleared.
- In the screenshot above, ACME Corporation represents the account name.
Configuration
Example Configuration
In this example, ACME Corp and its associated vendors use different IdPs for user authentication.
ACME Corp: Uses IdP 1 with email domains @acme.com and @eu.acme.com.
Vendor A: Uses IdP a with email domains @vendora.com and @vendora2.com.
Vendor B: Uses IdP b with the email domain @vendorb.com.
Vendors A and B, who use IdP a and IdP b respectively, are external users requiring access to ACME Corp’s Browser Access applications.
It is assumed that IdP 1 is already configured. After the Browser Access Multiple IdP feature flag is enabled, IdP 1 is designated as the default IdP for Private Apps.
The default IdP will authenticate all users, except for those with email domains explicitly defined under other SAML accounts for Private Apps. Note that no explicit email domains need to be configured for the default IdP.
Notes
- Default IdP (IdP 1) can also be modified to include “Specific Domains” if needed.
- It is not mandatory to have a default account.
Configure IdP a
If you do not already have a SAML account to use, create a new SAML account.
- Go to Settings > Security Cloud Platform and click SAML (under Reverse Proxy).
- Click Add Account.
- In the New Account window, enter a name for the account.
- Select Private Apps from the Application dropdown list.
- Enter these parameters:
- IdP SSO URL: Enter your IdP SSO URL.
- IdP Certificate: Enter your IdP certificate.
- Select Specific Domains for User Authentication Domain and enter the domain(s). For multiple domains, add each on a separate line.
- Click Save and View Netskope Settings to see the URLs for this account. Copy the Browser Access ACS URL and Audience URL to use in your IdP account. Update your IdP account with these URLs before proceeding.
Configure IdP b
Similar to IdP a, create a new SAML account by repeating the steps above. Additionally, define the User Authentication Domain as seen in the screenshot below.
Landing Page Scenarios
These scenarios determine whether a landing page is presented for all configured Browser Access apps and the users accessing those apps.
| Browser Access Multiple IdP Feature Flag | Default SAML Account | Specific Domain SAML Account | Landing Page |
|---|---|---|---|
| Disabled | Not applicable | Not applicable | No |
| Enabled | Yes | None | No |
| Enabled | Yes | No domain specified | No |
| Enabled | None | One account | Yes |
| Enabled | None | Many accounts | Yes |
| Enabled | Yes | One account | Yes |
| Enabled | Yes | Many accounts | Yes |
Validation
- Access a NPA Browser Access App and the end-user should be presented with a landing page.
- Based on the configuration example above:
| Email entered within the landing page | Expected IdP |
|---|---|
| testa@vendora.com | IdP a |
| testb@vendorb.com | IdP b |
| testc@acme.com | IdP 1 |
| testd@blah.com | IdP 1 |
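The routing rule from the configuration example (specific-domain accounts take their own users, the default account takes everyone else) and the Landing Page Scenarios table, modelled as an added Python example that is not Netskope's code: the SAMLAccount structure, exact case-insensitive matching of the email's domain against each account's User Authentication Domain list, and the behaviour when no default account exists are assumptions drawn from the description above.

```python
"""Model of the Browser Access Multiple IdP routing described on this page.

Added example (not Netskope code): the SAMLAccount layout, the matching
rules (exact, case-insensitive domain match; default account as fallback)
and all sample values are assumptions based on the page's example config.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SAMLAccount:
    name: str                          # SAML account name, e.g. "IdP a"
    domains: frozenset = frozenset()   # User Authentication Domain entries
    is_default: bool = False           # default Private Apps account


def normalize_domains(raw: str) -> frozenset:
    """One domain per line, as entered in the UI; strip '@' and whitespace."""
    return frozenset(
        line.strip().lstrip("@").lower() for line in raw.splitlines() if line.strip()
    )


def landing_page_shown(feature_enabled: bool, accounts) -> bool:
    """Landing Page Scenarios table: the page appears only when the flag is on
    and at least one Private Apps SAML account has specific domains configured."""
    return feature_enabled and any(a.domains for a in accounts)


def select_idp(email: str, accounts):
    """Return the account that should authenticate this user, or None.
    Specific-domain accounts win; the default account (if any) takes the rest."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {email!r}")
    domain = domain.lower()
    for acct in accounts:          # exact match on a configured domain (assumed)
        if domain in acct.domains:
            return acct
    for acct in accounts:          # otherwise fall back to the default account
        if acct.is_default:
            return acct
    return None  # no default account and no domain match: nowhere to send the user


# Constructed configuration mirroring the page's ACME Corp example.
IDP1 = SAMLAccount("IdP 1", is_default=True)
IDPA = SAMLAccount("IdP a", normalize_domains("vendora.com\nvendora2.com"))
IDPB = SAMLAccount("IdP b", normalize_domains("@vendorb.com\n"))
ACCOUNTS = (IDP1, IDPA, IDPB)
```

Because matching is exact in this model, a user at eu.vendora.com would fall through to the default IdP unless that subdomain is listed explicitly, which is why the page lists acme.com and eu.acme.com separately.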
Troubleshooting
If any issues are found, please collect a screen recording and a HAR capture of the traffic flows, and share them with the Netskope support team for further troubleshooting.