Cloud Exchange SSO with Entra ID
This article explains how to configure Single-Sign-On (SSO) for the Netskope Cloud Exchange (CE) platform, specifically for Entra ID. This will allow you to manage administrator access to CE from within your existing Identity Provider (IdP) rather than configuring administrators within the platform manually.
Cloud Exchange is different from the standard Netskope tenant you would have access to as a customer and facilitates the exchange of information between your various security and operations platforms.
- Go to the Entra ID portal and sign in with an account that has sufficient permissions. Adding a gallery application and editing its SAML settings requires a role such as Cloud Application Administrator or Application Administrator; the Application Developer role alone is not guaranteed to be enough for the enterprise-application steps below.
- Go to Enterprise applications.
- Go to Manage > All applications and click New application.
- The Browse Microsoft Entra Gallery pane opens and displays tiles for cloud platforms, on-premises applications, and featured applications. Applications listed in the Featured Applications section have icons indicating whether they support federated single sign-on (SSO) and provisioning. Search for Netskope Cloud Exchange Administration Console and select the application.
- Enter a name that you want to use to recognize the instance of the application. For example, Netskope Cloud Exchange Administration Console – SSO.
- Click Create. Note that the gallery can sometimes have a quirk where it returns an error when you click the Create button. Your application should have been created, even if you get this error. If you encounter this issue, return to the Enterprise Applications view and click the Refresh button. You should see your Netskope Cloud Exchange app appear in the list.
- Log in to Cloud Exchange using the admin (super administrator) account, go to Settings > Users (this settings area will only be visible to the admin user).
- Select the SSO Configuration tab and toggle the SSO toggle ON (make sure you save this configuration).
- Note the Service Provider fields at the bottom of the screen (Service Provider Entity ID, Service Provider ACS URL, and Service Provider SLS URL). The mapping table in the SAML configuration section below shows which of these URLs goes into which SAML field in Entra ID.
Users can be assigned Read/Write or just Read access to the Cloud Exchange UI based on the roles assigned to them: Admin (read/write access), Read-Only, or the custom admin with module-specific rights. You need to create these roles in Entra ID so that they can be assigned to users who use Cloud Exchange.
Note
If you don’t create and map these roles, SSO will fail.
- Return to the main Entra ID page (ensure you are NOT within the Enterprise Applications page). Select App registrations from the left-side menu, click All applications, and then select the Netskope Cloud Exchange app from the list.
- Click App Roles in the left panel, and then click Create app role. You need to create two roles: One for the Admin user role and one for the Read-Only user role.
- Create the Admin role as follows:
  - For Display name, enter CE-Admin (this can be whatever you like).
  - For Allowed member types, select the first option: Users/Groups.
  - For Value, enter netskope-ce-write;netskope-ce-read (copy/paste this exactly, with no surrounding whitespace).
  - For Description, enter "Provide the user with read/write access to Cloud Exchange".
  - Ensure that the Do you want to enable this app role? option is checked.
- Create the Read-Only role as follows:
  - For Display name, enter CE-ReadOnly (this can be whatever you like).
  - For Allowed member types, select the first option: Users/Groups.
  - For Value, enter netskope-ce-read (copy/paste this exactly, with no surrounding whitespace).
  - For Description, enter "Provide the user with read-only access to Cloud Exchange".
  - Ensure that the Do you want to enable this app role? option is checked.
- Click Save. You’re finished configuring the App Roles.
- From the Entra ID main menu, return to the Enterprise Applications list and select Netskope Cloud Exchange.
- In the left panel, click Single sign-on, and then select SAML when prompted.
Provide the SAML Configuration
- Under Basic SAML Configuration, click Edit. Enter the Service Provider URLs from the Cloud Exchange SSO Configuration page into the corresponding Entra ID SAML configuration fields, using the mapping below.
  - Identifier (Entity ID): Service Provider Entity ID
  - Reply URL (Assertion Consumer Service URL): Service Provider ACS URL
  - Sign on URL: Service Provider ACS URL
  - Relay State: N/A, leave blank
  - Logout URL: Service Provider SLS URL
The Reply URL and Sign on URL in Entra ID both use the Service Provider ACS URL from the Cloud Exchange portal. The Relay State field in Entra ID should be left blank.
- Click Save.
Add Claims for Roles and Username
Under Attributes & Claims, click Edit, and then click Add new claim.
Add the first claim as follows:
- For Name, enter roles (enter this exactly). Leave Namespace blank.
- For Source, ensure Attribute is selected (default).
- For Source attribute, select user.assignedroles from the dropdown list.
- Click Save to add the claim.
Repeat the process to add a second claim:
- For Name, enter username (enter this exactly). Leave Namespace blank.
- For Source, ensure Attribute is selected (default).
- For Source attribute, select user.mail from the dropdown list.
- Click Save to add the claim.
Once you've added the two new claims, the Attributes & Claims list shows a roles claim sourced from user.assignedroles and a username claim sourced from user.mail, alongside the default claims.
Download the SAML Signing Certificate
Back on the SAML configuration page, scroll down to SAML Signing Certificate, and click the Download link next to Certificate (Base64).
Copy the Entra ID Application URLs
Under Set up Netskope Cloud Exchange, copy the Login URL, Logout URL, and Entra ID Identifier URL. You will need to paste these into the Cloud Exchange UI in the next section.
The last step to perform in Entra ID is to assign users and/or groups to the Cloud Exchange app to provide them with access. We will also assign either the Read-Only or Admin roles we created earlier to these users/groups to grant them the appropriate permissions within Cloud Exchange.
- From the left panel in the Cloud Exchange Enterprise Application, select Users and groups, and then click Add user/group.
- Select the users and/or groups that are permitted to use the Cloud Exchange application. You must also assign a role to the selected users/groups, like CE-Admin (read/write), or CE-ReadOnly (read-only).
Caution
If you do not assign a role, SSO will fail when the user attempts to sign in. Also, DO NOT assign the default role you see in the list; this will also cause SSO to fail. You must only use the roles that you explicitly created in Entra ID.
After assigning users/groups and applicable roles, each entry in the Users and groups list shows the user or group together with its assigned role (CE-Admin or CE-ReadOnly).
Finish the SSO Configuration in Cloud Exchange
- Return to Cloud Exchange and go to Settings > Users > SSO Configuration.
- Enter the app URLs for the Identity Provider URL fields in the Cloud Exchange SSO configuration. Paste the corresponding Entra ID Application URLs you copied when configuring SAML on the Entra ID side. See the table below for mappings:
  - Identity Provider Issuer URL: Entra ID Identifier URL
  - Identity provider SSO URL: Login URL
  - Identity provider SLO URL: Logout URL
- Enter the SAML Signing Certificate. Open the Base64 SAML Signing Certificate you downloaded from Entra ID earlier in a plain text editor, such as Notepad or TextEdit. Don't use MS Word. The certificate file has a .cer extension.
- Copy the contents of the certificate file (including the BEGIN CERTIFICATE and END CERTIFICATE lines) into the Public x509 Certificate field in the Cloud Exchange SSO config.
- Click Save.
Test the SSO Configuration
Open a new Incognito window (to avoid any potential issues with caching) and point your browser to the URL of your Cloud Exchange deployment.
If you turned the SSO toggle on as instructed earlier in this guide, you will see two options when connecting to Cloud Exchange:
- Log in with SSO.
- Log in with Username/Password.
The Username/Password option is used for local login (for example, the default admin user or any user manually added to the user list in CE). The SSO option redirects to Entra ID.
Select Login with SSO. You should be redirected to Entra ID to sign in.
Upon entering your user credentials, you should be authenticated and redirected to the Cloud Exchange interface. In the example below, the Adele user was assigned the CE-ReadOnly role, so almost all of the Settings menu is hidden.
Troubleshooting SSO for Cloud Exchange with Entra ID
If you are having issues signing in, first look at which platform is giving you an error: Entra ID, or Cloud Exchange? If the error you see is from Entra ID, then there is likely an issue with your configuration on the Entra ID side. Double-check your URLs and/or whether the user you are attempting to sign in as is assigned to the application (or present in the group assigned to the app).
In the image below, my nathan@lightwave.cloud user was unable to sign in, as they were not assigned to the application in Entra ID.
If you are getting an error from Cloud Exchange, then you likely have incorrect URLs entered into either CE or Entra ID, not added the custom username and roles claims in Entra ID, or not assigned any roles to the user you are signing in as.
If you get the error {“detail”:”Method Not Allowed”}, check that the URLs copied into both Entra ID and Cloud Exchange are correct and in the right place.
If you get the error {“detail”:”Could not authenticate. username/roles attribute not set.”}, then check that you added the username and roles claims in the SAML config, AND assigned roles correctly to users when you added them to the Enterprise Application in Entra ID.
If you pass SSO fine but receive a red Error while fetching data message in CE, then there is a problem with the role you have assigned to the user. Ensure you entered netskope-ce-write;netskope-ce-read as the Value for the Admin role (CE-Admin) and netskope-ce-read as the Value for the Read-Only role (CE-ReadOnly). Additionally, check that you have assigned one of these roles to the impacted user. You may also get this error if the default User role is assigned.
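The claim contract spelled out in the App Roles and Attributes & Claims sections, and the failure modes listed in this troubleshooting section, can be exercised offline. The following is an added illustration, not Netskope Cloud Exchange code: it builds a constructed (unsigned) SAML assertion carrying the username and roles attributes, then applies the same rules the article describes, i.e. both attributes must be present, and each role value must be exactly one of the two strings entered in Entra ID. The user name adele@example.com, the function names, and the exact error strings for the role-value case are assumptions for the example; only the "username/roles attribute not set" message is quoted from the article.

```python
"""Illustrative check of the SAML claims Cloud Exchange expects from Entra ID.

Added example, not Netskope code. It models the contract described in the
article: a `username` attribute (mapped from user.mail) and a `roles`
attribute (mapped from user.assignedroles) whose values are exactly the
app role Values created in Entra ID.
"""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Role values exactly as the article says to enter them in the Entra ID app roles.
ADMIN_ROLE_VALUE = "netskope-ce-write;netskope-ce-read"
READ_ONLY_ROLE_VALUE = "netskope-ce-read"
ACCESS_BY_ROLE_VALUE = {
    ADMIN_ROLE_VALUE: "read/write",
    READ_ONLY_ROLE_VALUE: "read-only",
}


class SsoError(Exception):
    """Raised when an assertion does not satisfy the claim contract."""


def build_assertion(username, role_values):
    """Construct a minimal, UNSIGNED assertion with the two custom claims.

    Test fixture only (constructed data): a real assertion from Entra ID is
    signed and base64-wrapped in a SAMLResponse, and carries Subject,
    Conditions and AuthnStatement elements that are omitted here.
    """
    ET.register_namespace("saml", SAML_NS)
    assertion = ET.Element(f"{{{SAML_NS}}}Assertion")
    stmt = ET.SubElement(assertion, f"{{{SAML_NS}}}AttributeStatement")
    claims = []
    if username is not None:
        claims.append(("username", [username]))
    if role_values:
        claims.append(("roles", role_values))
    for name, values in claims:
        attr = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute", Name=name)
        for value in values:
            ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = value
    return ET.tostring(assertion, encoding="unicode")


def attribute_values(assertion_xml, name):
    """Return the non-empty AttributeValue texts for the named attribute.

    NOTE: attributes are only trustworthy AFTER the XML signature has been
    verified by a proper SAML library; this example skips that step and uses
    the stdlib parser purely to show the attribute handling.
    """
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == name:
            for v in attr.iterfind("saml:AttributeValue", NS):
                text = (v.text or "").strip()  # strip() catches pasted whitespace
                if text:
                    values.append(text)
    return values


def authorize(assertion_xml):
    """Return (username, access) where access is 'read/write' or 'read-only'."""
    usernames = attribute_values(assertion_xml, "username")
    roles = attribute_values(assertion_xml, "roles")
    if not usernames or not roles:
        # Same condition the article's second troubleshooting error describes.
        raise SsoError("Could not authenticate. username/roles attribute not set.")
    granted = []
    for role_value in roles:
        if role_value not in ACCESS_BY_ROLE_VALUE:
            # Default "User" role or a mistyped Value lands here (assumed wording).
            raise SsoError(f"unrecognised role value {role_value!r}; "
                           "assign only CE-Admin or CE-ReadOnly")
        granted.append(ACCESS_BY_ROLE_VALUE[role_value])
    access = "read/write" if "read/write" in granted else "read-only"
    return usernames[0], access


def diagnose(assertion_xml):
    """Return the SsoError message for a failing assertion, or None if it authorizes."""
    try:
        authorize(assertion_xml)
    except SsoError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed sample user; the article's example user was assigned CE-ReadOnly.
    for label, roles in [("admin", [ADMIN_ROLE_VALUE]),
                         ("read-only", [READ_ONLY_ROLE_VALUE]),
                         ("no role", []),
                         ("default role", ["User"])]:
        xml = build_assertion("adele@example.com", roles)
        print(label, "->", diagnose(xml) or authorize(xml))
```

Run it directly to see the four outcomes; the "no role" and "default role" cases reproduce the two role-related failures the troubleshooting list describes. In a real service provider the signature check and audience/recipient validation come before any of this attribute logic.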