Cloud Exchange SSO with Azure AD
Cloud Exchange SSO with Azure AD
This article explains how to configure Single-Sign-On (SSO) for the Netskope Cloud Exchange (CE) platform, specifically for Azure AD. This will allow you to manage administrator access to CE from within your existing Identity Provider (IdP) rather than configuring administrators within the platform manually.
Cloud Exchange is different from the standard Netskope tenant you would have access to as a customer and facilitates the exchange of information between your various security and operations platforms.
Click play to watch a video.
- Go to the Azure portal and sign in using your Azure AD account with sufficient permissions, like an Application Developer role.
- Browse to Azure Active Directory and select Enterprise applications. The All applications pane opens and displays a list of the applications in your Azure AD tenant.
- In the Enterprise Applications pane, select New application.
- The Browse Azure AD Gallery pane opens and displays tiles for cloud platforms, on-premises applications, and featured applications. Applications listed in the Featured Applications section have icons indicating whether they support federated single sign-on (SSO) and provisioning. Search for Netskope Cloud Exchange Administration Console and select the application.
- Enter a name that you want to use to recognize the instance of the application. For example, Netskope Cloud Exchange Administration Console – SSO.
- Click Create. Note that Azure can sometimes have a quirk where it returns an error when you click the Create button. Your application should have been created, even if you get this error. If you encounter this issue, return to the Enterprise Applications view and click the refresh button. You should see your Netskope Cloud Exchange app appears in the list.
- Log in to Cloud Exchange using the admin (super administrator) account, go to Settings > Users (this settings area will only be visible to the admin user).
- Select the SSO Configuration tab and toggle the SSO toggle ON (make sure you save this configuration).
- Note the Service Provider fields at the bottom of the screen. The image below shows which URL should be used for which SAML configuration field in Azure AD.
Users can be assigned Read/Write or just Read access to the Cloud Exchange UI based on the roles assigned to them: Admin (read/write access), Read-Only, or the custom admin with module-specific rights. You need to create these roles in Azure AD so that they can be assigned to users who use Cloud Exchange.
Note
If you don’t create and map these roles, SSO will fail.
- Return to the main Azure Active Directory menu (ensure you are NOT within the Enterprise Applications sub-menu). Select App registrations from the left-side menu, click All applications, and then select the Netskope Cloud Exchange app from the list.
- Click App Roles in the left panel, and then click Create app role. You need to create two roles: One for the Admin user role and one for the Read-Only user role.
Create the Admin role as follows:
- For Display name, enter CE-Admin (this can be whatever you like).For Allowed member types, select the first option: Users/Groups. For Value, enter
netskope-ce-write;netskope-ce-read. Ensure you copy/paste this exactly.For Description, enter Provide the user with read/write access to Cloud Exchange.Ensure that the Do you want to enable this app role? option is checked.
- For Display name, enter CE-Admin (this can be whatever you like).For Allowed member types, select the first option: Users/Groups. For Value, enter
- Create the Read-Only role as follows:
- For Display name, enter CE-ReadOnly (this can be whatever you like).For Allowed member types, select the first option: Users/Groups.For Value, enter
netskope-ce-read. Ensure you copy/paste this exactly.For Description, enter Provide the user with read-only access to Cloud Exchange.Ensure that the Do you want to enable this app role? option is checked.
- For Display name, enter CE-ReadOnly (this can be whatever you like).For Allowed member types, select the first option: Users/Groups.For Value, enter
- Click Save. You’re finished configuring the App Roles. Return to the main Azure AD menu to proceed.
- From the Azure AD main menu, return to the Enterprise Applications list and select Netskope Cloud Exchange.
- In the left panel, click Single sign-on, and then select SAML when prompted.
Provide the SAML Configuration
- Under Basic SAML Configuration, click Edit. Enter the Service Provider URLs from the Cloud Exchange SSO Configuration page to the appropriate Azure AD SAML configuration fields. See the tables below for mappings.
Azure AD SAML Field Cloud Exchange Field Identifier (Entity ID) Service Provider Entity ID Reply URL (Assertion Consumer Service URL) Service Provider ACS URL Sign on URL Service Provider ACS URL Relay State N/A – Leave Blank Logout URL Service Provider SLS URL The Reply URL and Sign-on URL in Azure AD both use the Service Provider ACS URL from the Cloud Exchange portal. The Relay State field in Azure AD should be left blank.
- Click Save.
Add Claims for Username & Roles
Click Edit, and in the Attributes & Claims, click Add new claim.
 |
Add a new claim as follows:
For Name, enter roles. Enter this exactly. Leave Namespace blank.
For Source, ensure Attribute is selected (default).
For Source attribute, select user.assignedroles from the dropdown list.
Click Save to add the claim.
 |
Repeat the process to add a second role:
For Name, enter username. Enter this exactly, Leave Namespace blank.
For Source, ensure Attribute is selected (default).
For Source attribute, select user.mail from the dropdown list. Click Save to add the claim.
 |
Once you’ve added the two new claims, your Attributes & Roles should look as follows:
 |
Download the SAML Signing Certificate
Back on the SAML configuration page, scroll down to SAML Signing Certificate, and click to download the Base certificate.
Copy the Azure AD Application URLs
Under Set up Netskope Cloud Exchange, copy the Login URL, Logout URL, and Azure AD Identifier URL. You will need to paste these into the Cloud Exchange UI in the next section.
 |
The last step to perform in Azure AD is to assign users and/or groups to the Cloud Exchange app to provide them with access. We will also assign either the Read-Only or Admin roles we created earlier to these users/groups to grant them the appropriate permissions within Cloud Exchange.
- From the left panel in the Cloud Exchange Enterprise Application, select Users and groups, and then click Add user/group.
- Select the users and/or groups that are permitted to use the Cloud Exchange application. You must also assign a role to the selected users/groups, like CE-Admin (read/write), or CE-ReadOnly (read-only).
Caution
If you do not assign a role, SSO will fail when the user attempts to sign in. Also, DO NOT assign the default role you see in the list; this will also cause SSO to fail. You must only use the roles that you explicitly created in Azure AD yourself.
After assigning users/groups and applicable roles, your user/group list should look similar to this:
 |
- Return to Cloud Exchange and go to Settings > Users > SSO Configuration.
- Enter the Azure app URLs For the Identity Provider URL fields in the Cloud Exchange SSO configuration. Paste the corresponding Azure AD Application URLs you copied when configuring SAML on the Azure AD side. See the table below for mapping:s
Cloud Exchange Field Azure AD SAML Config Field Identity Provider Issuer URL Azure AD Identifier URL Identity provider SSO URL Login URL Identity provider SLO URL Logout URL 
- Enter the SAML Signing Certificate. Open the Base SAML Signing Certificate you downloaded from Azure AD earlier in a text editor, such as Notepad or TextEdit. Don’t use MS Word. The certificate will have a .cer extension.
- Copy the contents of the certificate file into the Public x509 Certificate field in the Cloud Exchange SSO config (see the image above).
- Click Save.
Open a new Incognito window (to avoid any potential issues with caching) and point your browser to the URL of your Cloud Exchange deployment.
If you enabled the SSO checkbox as instructed earlier this guide, you will two options when connecting to Cloud Exchange:
- Log in with SSO.
- Log in with Username/Password.
The SSO option is used for local login (like a default admin user, or any user manually added to the user list in CE).
 |
Select Login with SSO. You should be redirected to Azure AD to sign in.
 |
Upon entering your user credentials, you should be authenticated and redirected to the Cloud Exchange interface. In the example below, the Adele user was assigned the CE-ReadOnly role, so almost all of the Settings menu is hidden.
 |
If you are having issues signing in, first look at which platform is giving you an error: Azure AD, or Cloud Exchange? If the error you see is from Azure AD, then there is likely an issue with your configuration on the Azure AD side. Double-check your URLs and/or whether the user you are attempting to sign in as is assigned to the application (or present in the group assigned to the app).
In the image below, my nathan@lightwave.cloud user was unable to sign in, as they were not assigned to the application in Azure AD.
 |
If you are getting an error from Cloud Exchange, then you likely have incorrect URLs entered into either CE or Azure AD, not added the custom username and roles claims in Azure AD, or not assigned any roles to the user you are signing in as.
If you get the error {“detail”:”Method Not Allowed”}, check that the URLs copied into both Azure AD and Cloud Exchange are correct and in the right place.
If you get the error {“detail”:”Could not authenticate. username/roles attribute not set.”}, then check that you added the username and roles claims in the SAML config, AND assigned roles correctly to users when you added them to the Enterprise Application in Azure AD.
 |
If you pass SSO fine but receive a red Error while fetching data message in CE, then there is a problem with the role you have assigned to the user. Ensure you entered netskope-ce-write;netskope-ce-read as the attribute for the Admin role (CE-Admin) and netskope-ce-read as the attribute for the Read-Only role (CE-ReadOnly). Additionally, check that you have assigned one of these roles to your impacted user. You may also get this error if the default User role is assigned.
 |
