Netskope Help

Configure ADFS IdP for Netskope SAML – Forward Proxy
  1. Launch the ADFS console, right-click Relying Party Trusts and select Add Relying Party Trust.

    image38.png
  2. Select Claims aware and click Start.

    image39.png
  3. Select Enter data about the relying party manually and click Next.

    image40.png
  4. Enter Display Name: Netskope FP SAML Auth

    Enter Notes: SSO configuration with Netskope to provide user identity over IPSec/GRE tunnel and NS Client in IdP mode.

    Click Next.

    image41.png
  5. Click Next.

    image42.png
  6. Select Enable support for the SAML 2.0 WebSSO protocol and enter the SAML ACS URL you copied from the Netskope tenant.

    Click Next.

    image43.png
  7. Add the SAML Entity ID you copied from the Netskope tenant.

    Click Next.

    image44.png
  8. Leave the default settings and click Next.

    image45.png
  9. Click Next.

    image46.png
  10. Un-check the configure claims issuance policy for this application

    Click Close.

    image47.png
  11. The Relying Party trust has been created. Right-click on it and select Properties.

    image48.png
  12. Select Signature (tab) and click Add to add the Netskope SAML certificate.

    image49.png
  13. Click View to check the certificate, click OK and then click Apply.

    The certificate warning message can be ignored

    image50.png
  14. Select Advanced tab and select SHA-1.

    Click OK and click Apply.

    image51.png
  15. Right-click and select Edit Claim Issuance Policy.

    image52.png
  16. Click Add Rule.

    image53.png
  17. Select Send LDAP Attribute as Claim and click Next.

    image54.png
  18. Enter: Claim rule name: Send Email Address claim value

    Attribute store: Active Directory

    LDAP Attribute: E-Mail-Addresses

    Outgoing Claim Type: Name ID

    Click Finish

    image55.png
  19. Click Apply and click OK.

    image56.png
  20. Launch a Windows PowerShell in Administrator mode. Enter this command to list all the ADFS Relying Party Trusts.

    Get-AdfsRelyingPartyTrust | Select-Object Name, SigningCertificateRevocationCheck,EncryptionCertificateRevocationCheck 
    image57.png

    From the output you can see CheckChainExcludeRoot is configured for Signing and Encryption Revocation checks

  21. The Signing and Encryption Revocation checks value should be set to None

    Enter these commands:

    Get-AdfsRelyingPartyTrust -Name "Netskope FP SAML Auth" | Set-AdfsRelyingPartyTrust -SigningCertificateRevocationCheck None
    Get-AdfsRelyingPartyTrust -Name "Netskope FP SAML Auth" | Set-AdfsRelyingPartyTrust -EncryptionCertificateRevocationCheck None
    image58.png
  22. Enter this command to validate the value has been set to None

    Get-AdfsRelyingPartyTrust | Select-Object Name, SigningCertificateRevocationCheck, EncryptionCertificateRevocationCheck
    image59.png

    Click Exit to close the PowerShell.

    Note: Below command displays all the configurations of the relying party trust.

    Get-AdfsRelyingPartyTrust -Name "Netskope FP SAML Auth"
  23. Get the below details from ADFS which will be used within Netskope to configure the ADFS settings for SAML authentication.

    • Entity ID (format: https://<adfs fqdn>/adfs/services/trust)

    • IDP URL (format: https://<adfs fqdn>/adfs/ls/)

    • Token-signing certificate (available in ADFS > Service > Certificates)

    You can also browse to ADFS URL to extract details: https://<adfs fqdn>/FederationMetadata/2007-06/FederationMetadata.xml

    image60.png

The ADFS configuration is complete.