Configure ADFS IdP for Netskope SAML – Forward Proxy

  1. Launch the ADFS console, right-click Relying Party Trusts and select Add Relying Party Trust.
  2. Select Claims aware and click Start.
  3. Select Enter data about the relying party manually and click Next.
  4. Enter Display Name: Netskope FP SAML Auth

    Enter Notes: SSO configuration with Netskope to provide user identity over IPSec/GRE tunnel and NS Client in IdP mode.

    Click Next.

  5. Click Next.
  6. Select Enable support for the SAML 2.0 WebSSO protocol and enter the SAML ACS URL you copied from the Netskope tenant.

    Click Next.

  7. Add the SAML Entity ID you copied from the Netskope tenant.

    Click Next.

  8. Leave the default settings and click Next.
  9. Click Next.
  10. Uncheck Configure claims issuance policy for this application.

    Click Close.

  11. The Relying Party trust has been created. Right-click on it and select Properties.
  12. Select Signature (tab) and click Add to add the Netskope SAML certificate.
  13. Click View to check the certificate, click OK and then click Apply.

    The certificate warning message can be ignored.

  14. Select Advanced tab and select SHA-1.

    Click OK and click Apply.

  15. Right-click and select Edit Claim Issuance Policy.
  16. Click Add Rule.
  17. Select Send LDAP Attribute as Claim and click Next.
  18. Enter the following values:

    Claim rule name: Send Email Address claim value

    Attribute store: Active Directory

    LDAP Attribute: E-Mail-Addresses

    Outgoing Claim Type: Name ID

    Click Finish.

  19. Click Apply and click OK.
  20. Launch a Windows PowerShell in Administrator mode. Enter this command to list all the ADFS Relying Party Trusts.
    Get-AdfsRelyingPartyTrust | Select-Object Name, SigningCertificateRevocationCheck, EncryptionCertificateRevocationCheck

    From the output you can see that CheckChainExcludeRoot is configured for both the Signing and Encryption revocation checks.

  21. The Signing and Encryption revocation check values should be set to None.

    Enter these commands:

    Get-AdfsRelyingPartyTrust -Name "Netskope FP SAML Auth" | Set-AdfsRelyingPartyTrust -SigningCertificateRevocationCheck None
    Get-AdfsRelyingPartyTrust -Name "Netskope FP SAML Auth" | Set-AdfsRelyingPartyTrust -EncryptionCertificateRevocationCheck None
  22. Enter this command to validate that the value has been set to None.
    Get-AdfsRelyingPartyTrust | Select-Object Name, SigningCertificateRevocationCheck, EncryptionCertificateRevocationCheck

    Enter Exit to close the PowerShell window.

    Note: The command below displays the full configuration of the relying party trust.

    Get-AdfsRelyingPartyTrust -Name "Netskope FP SAML Auth"
  23. Get the below details from ADFS which will be used within Netskope to configure the ADFS settings for SAML authentication.
    • Entity ID (format: https://<adfs fqdn>/adfs/services/trust)
    • IDP URL (format: https://<adfs fqdn>/adfs/ls/)
    • Token-signing certificate (available in ADFS > Service > Certificates)

    You can also browse to ADFS URL to extract details: https://<adfs fqdn>/FederationMetadata/2007-06/FederationMetadata.xml
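The same relying party trust can be created without the wizard. The script below is an added example and is not part of the Netskope documentation or the ADFS product; it reproduces steps 1 to 23 above with the ADFS PowerShell module on Windows Server 2016 or later (the Access Control Policy parameter assumes that version). The ACS URL, Entity ID, certificate file path and output directory are placeholders to be replaced with the values copied from your Netskope tenant; the claim rule is the claim rule language form of the Send LDAP Attribute as Claim rule from step 18.

```powershell
# Added example (not from the Netskope page): script the trust created in
# steps 1-23 with the ADFS module. Placeholder values are marked; replace
# them with the ACS URL, Entity ID and certificate copied from the tenant.
#Requires -RunAsAdministrator
Import-Module ADFS

$RpName     = 'Netskope FP SAML Auth'                   # display name, step 4
$AcsUrl     = 'https://ACS-URL-FROM-NETSKOPE-TENANT'    # placeholder, step 6
$EntityId   = 'https://ENTITY-ID-FROM-NETSKOPE-TENANT'  # placeholder, step 7
$NsCertPath = 'C:\temp\netskope-saml.cer'               # placeholder, step 12
$OutDir     = 'C:\temp\adfs-for-netskope'               # placeholder, step 23 output

# Step 12: the Netskope SAML certificate ADFS uses to verify signed requests.
$nsCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $NsCertPath

# Step 6: SAML 2.0 Assertion Consumer Service endpoint, HTTP-POST binding.
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
    -Uri $AcsUrl -Index 0 -IsDefault $true

# Steps 17-18 in claim rule language: the AD 'mail' attribute (shown as
# E-Mail-Addresses in the GUI) is issued as the Name ID claim.
$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send Email Address claim value"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";mail;{0}", param = c.Value);
'@

# Steps 1-10, 14 and 21 in one call. SHA-1 matches step 14; the SHA-256 value
# is 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' if both sides accept
# it. Revocation checks set to None mean ADFS will not consult CRL/OCSP for the
# Netskope certificate imported above, so trust rests on that imported file.
Add-AdfsRelyingPartyTrust -Name $RpName `
    -Notes 'SSO configuration with Netskope to provide user identity over IPSec/GRE tunnel and NS Client in IdP mode' `
    -Identifier $EntityId `
    -SamlEndpoint $acs `
    -RequestSigningCertificate $nsCert `
    -SignatureAlgorithm 'http://www.w3.org/2000/09/xmldsig#rsa-sha1' `
    -IssuanceTransformRules $rules `
    -AccessControlPolicyName 'Permit everyone' `
    -SigningCertificateRevocationCheck None `
    -EncryptionCertificateRevocationCheck None

# Step 22: confirm both revocation settings now read None.
$trust = Get-AdfsRelyingPartyTrust -Name $RpName
if ($trust.SigningCertificateRevocationCheck -ne 'None' -or
    $trust.EncryptionCertificateRevocationCheck -ne 'None') {
    throw "Revocation check settings on '$RpName' are not None"
}

# Step 23: collect the details the Netskope side needs and export the
# primary token-signing certificate as a DER .cer file.
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$props    = Get-AdfsProperties
$fqdn     = $props.HostName
$signing  = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary
$certFile = Join-Path $OutDir 'adfs-token-signing.cer'
[System.IO.File]::WriteAllBytes($certFile, $signing.Certificate.Export('Cert'))

[pscustomobject]@{
    EntityId             = "$($props.Identifier)"          # https://<adfs fqdn>/adfs/services/trust
    IdpUrl               = "https://$fqdn/adfs/ls/"
    TokenSigningCertFile = $certFile
    Thumbprint           = $signing.Thumbprint
    NotAfter             = $signing.Certificate.NotAfter   # after a certificate rollover the new cert must be uploaded to Netskope
    MetadataUrl          = "https://$fqdn/FederationMetadata/2007-06/FederationMetadata.xml"
}
```

Run the script once on the primary ADFS server; the object it prints at the end holds the three values from step 23, and the NotAfter date is worth tracking because ADFS automatic certificate rollover replaces the token-signing certificate, after which the exported file no longer matches what ADFS signs with.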


The ADFS configuration is complete.
