Browser Access with Multiple IdPs

This document explains how to configure and test a use case for the NPA Browser Access Multiple IdPs feature.

Enabling this feature lets you configure more than one reverse proxy SAML account (IdP) of type Private Apps, and one or more email domains per SAML account. The domain of the email address a user enters is matched against these domains to choose the IdP that authenticates that user.

Use Case: ACME Corp has an existing enterprise IdP1. ACME Corp also has external users from Vendor A (using IdP a) and Vendor B (using IdP b) who require access to their applications. In such a scenario, you can enable the Browser Access Multiple IdP Support feature.

Prerequisites

UI Changes

SAML Account Page

When the Browser Access Multiple IdP feature flag is enabled for a tenant, an additional setting labeled User Authentication Domain will appear in the UI.

Note

Netskope supports up to 10 SAML accounts for Private Applications.

Landing Page

When multiple SAML accounts for Private Apps are configured, a landing page is presented to the end user the first time they access a browser-based application. On this page, the user enters their email address and clicks Continue. Based on the configured domain match criteria, the user is then redirected to the matching IdP.

Notes

  • When the feature for multiple IdPs is enabled and at least one Private Apps SAML account has specific domains configured (see Landing Page Scenarios below), the landing page is presented for all configured Browser Access apps and for all users accessing those apps, the first time each user accesses an app.
  • The user is required to re-enter their email on the landing page only after the Browser Access cookie expires (default is 24 hours), or if the browser cache is cleared.
  • The landing page displays the account name; in this example it is ACME Corporation.

Configuration

Example Configuration

In this example, ACME Corp and its associated vendors use different IdPs for user authentication.

ACME Corp: Uses IdP 1 with email domains @acme.com and @eu.acme.com.

Vendor A: Uses IdP a with email domains @vendora.com and @vendora2.com.

Vendor B: Uses IdP b with the email domain @vendorb.com.

Vendors A and B, who use IdP a and IdP b respectively, are external users requiring access to ACME Corp’s Browser Access applications.

It is assumed that IdP 1 is already configured. After the Browser Access Multiple IdP feature flag is enabled, IdP 1 is designated as the default IdP for Private Apps.

The default IdP will authenticate all users, except for those with email domains explicitly defined under other SAML accounts for Private Apps. Note that no explicit email domains need to be configured for the default IdP.

Notes

  • Default IdP (IdP 1) can also be modified to include “Specific Domains” if needed.
  • It is not mandatory to have a default account.

Configure IdP a

If you do not already have a SAML account to use, create a new SAML account.

  1. Go to Settings > Security Cloud Platform and click SAML (under Reverse Proxy).
  2. Click Add Account.
  3. In the New Account window, enter a name for the account.
  4. Select Private Apps from the Application dropdown list.
  5. Enter these parameters:
    • IdP SSO URL: Enter your IdP SSO URL.
    • IdP Certificate: Enter your IdP's signing certificate (Netskope uses it to verify the signature on the SAML assertions this IdP issues).
  6. Select Specific Domains for User Authentication Domain and enter the domain(s), for example @vendora.com and @vendora2.com. For multiple domains, add each on a separate line.
  7. Click Save and View Netskope Settings to see the URLs for this account. Copy the Browser Access ACS URL and Audience URL to use in your IdP account. Update your IdP account with these URLs before proceeding.

Configure IdP b

Similar to IdP a, create a new SAML account by repeating the steps above. For the User Authentication Domain, select Specific Domains and enter @vendorb.com.

Landing Page Scenarios

The following table shows, for each combination of feature flag and SAML account configuration, whether the landing page is presented for all configured Browser Access apps and the users accessing those apps. In short, the landing page appears only when the feature flag is enabled and at least one Private Apps SAML account lists specific domains; a default account on its own does not trigger it.

Browser Access Multiple IdP Feature Flag | Default SAML Account | Specific Domain SAML Account | Landing Page
Disabled | Not applicable | Not applicable | No
Enabled | Yes | None | No
Enabled | Yes | No domain specified | No
Enabled | None | One account | Yes
Enabled | None | Many accounts | Yes
Enabled | Yes | One account | Yes
Enabled | Yes | Many accounts | Yes

Validation

  1. Access an NPA Browser Access app; the end user should be presented with the landing page.

  2. Based on the configuration example above, entering each of these email addresses on the landing page should redirect the user to the expected IdP. Note that testd@blah.com matches no configured domain and therefore falls through to the default IdP.
    Email entered on the landing page | Expected IdP
    testa@vendora.com | IdP a
    testb@vendorb.com | IdP b
    testc@acme.com | IdP 1
    testd@blah.com | IdP 1
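The routing rule behind both the Landing Page Scenarios table and the Validation table is small enough to model directly. The following is an added example, not Netskope code: it models the documured behaviour (exact match of the email domain against each account's Specific Domains, otherwise fall back to the default account, landing page only when the feature flag is on and some account lists specific domains) using the configuration from this page. The account labels (IdP 1, IdP a, IdP b), the case-insensitive exact-match rule, the rejection of a domain claimed by two accounts, and returning None for an unmatched domain when no default account exists are assumptions; the page does not specify those cases.

```python
"""Model of NPA Browser Access IdP selection (added example, not Netskope code)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SamlAccount:
    """One reverse proxy SAML account of type Private Apps."""
    name: str                      # assumed label, e.g. "IdP 1"
    is_default: bool = False       # "Default" under User Authentication Domain
    domains: frozenset = field(default_factory=frozenset)  # "Specific Domains"


def normalize_domain(value: str) -> str:
    """Lower-case and strip a leading '@' so '@Acme.com' and 'acme.com' compare equal."""
    return value.strip().lstrip("@").lower()


def build_accounts(raw):
    """Normalize domains and reject ambiguous configurations.

    Assumed constraints: at most one default account, and no domain listed
    under two accounts (otherwise the routing decision would be ambiguous).
    """
    if sum(1 for a in raw if a.is_default) > 1:
        raise ValueError("more than one default SAML account")
    owner = {}
    accounts = []
    for acct in raw:
        norm = frozenset(normalize_domain(d) for d in acct.domains)
        for d in norm:
            if d in owner:
                raise ValueError(f"domain {d} claimed by {owner[d]} and {acct.name}")
            owner[d] = acct.name
        accounts.append(SamlAccount(acct.name, acct.is_default, norm))
    return accounts


def landing_page_shown(feature_enabled: bool, accounts) -> bool:
    """Landing page appears only when the flag is on and at least one account
    lists Specific Domains; a default account alone never triggers it."""
    return feature_enabled and any(a.domains for a in accounts)


def select_idp(email: str, accounts) -> Optional[str]:
    """Return the name of the account that should authenticate `email`.

    Exact, case-insensitive match on the part after the last '@'. No suffix
    matching: 'user@vendora.com.evil.example' does not route to IdP a.
    Unmatched domains go to the default account, or None if there is none
    (assumed; the page does not state that case).
    """
    if "@" not in email:
        raise ValueError("not an email address")
    domain = normalize_domain(email.rsplit("@", 1)[1])
    if not domain:
        raise ValueError("empty domain")
    for acct in accounts:
        if domain in acct.domains:
            return acct.name
    for acct in accounts:
        if acct.is_default:
            return acct.name
    return None


# Constructed configuration mirroring the example on this page: IdP 1 is the
# default with no explicit domains, so acme.com and eu.acme.com fall through to it.
ACME_ACCOUNTS = build_accounts([
    SamlAccount("IdP 1", is_default=True),
    SamlAccount("IdP a", domains=frozenset({"@vendora.com", "@vendora2.com"})),
    SamlAccount("IdP b", domains=frozenset({"@vendorb.com"})),
])


def validation_table():
    """Routing result for each address in the Validation section."""
    emails = ["testa@vendora.com", "testb@vendorb.com", "testc@acme.com", "testd@blah.com"]
    return {e: select_idp(e, ACME_ACCOUNTS) for e in emails}


if __name__ == "__main__":
    print("landing page shown:", landing_page_shown(True, ACME_ACCOUNTS))
    for email, idp in validation_table().items():
        print(f"{email:22} -> {idp}")
```

The suffix-match case is the one worth checking when validating a real tenant: a domain such as vendora.com.evil.example must not be treated as a match for vendora.com, and an address whose domain matches nothing must land on the default IdP rather than on whichever account was configured last.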

Troubleshooting

If any issues are found, collect a screen recording and a HAR capture of the traffic flows, and share them with the Netskope support team for further troubleshooting. A HAR capture records full request and response bodies, including cookies, the Browser Access session cookie, and any SAML response returned by the IdP; review and redact it before sharing.
