Netskope Client Enforcement Using OneLogin


This document guides you through the steps to configure the Netskope Client Enforcement application in OneLogin as a self-service option to deploy the Netskope Client.

This document demonstrates the use of Netskope Client enforcement with the pre-configured ‘AARP’ application within OneLogin. The outlined steps are applicable to any similar SaaS application.

The AARP application is accessible to the end user only when the Netskope Client is active. Access to this application is denied if the Netskope Client is disabled or uninstalled.

Prerequisites

  • Import user email address information into the Netskope tenant. You can add it under Settings > Security Cloud Platform > Users. To learn more, view User Provisioning.
  • Users are assigned to their respective applications in OneLogin.
  • Access and admin rights in the OneLogin tenant.
  • Access and admin rights in the Netskope webUI.

Before You Begin

Obtain Netskope Redirect URL and Organization ID

  1. Log into your Netskope Tenant.

  2. Go to Settings > Security Cloud Platform > Netskope Client > Enforcement.

  3. Select OneLogin.

  4. Copy the following values:

    • Netskope Redirect URL

    • Organization ID

Obtain Netskope IP Addresses

To obtain the Netskope IP addresses:

  1. Log into your Netskope Tenant.

  2. Go to Settings > Security Cloud Platform > Netskope Client > Enforcement.

  3. Select OneLogin.

  4. Click Netskope IP Ranges to copy IP addresses.

OneLogin App Configurations

Perform the following OneLogin configurations to create a SAML custom connector that allows Netskope Client download:

  1. Log into OneLogin.

  2. Go to Applications.

  3. Click Add App.

  4. In the Search box, type and select SAML Custom Connector (Advanced).

  5. In the Add SAML Custom Connector (Advanced) window, perform the following:

    1. Add the display name. For example, Netskope Client Enablement.

    2. Upload the Netskope logo according to the aspect ratio mentioned on the webUI.

    3. Add the description regarding the purpose of this application.

    4. Click Save.

    After you save, the webUI opens for more configurations such as Info, Configuration, Rules, and so on.

  6. Click the Configuration tab.

  7. Enter the following details according to the values captured from your Netskope tenant (see Obtain Netskope Redirect URL and Organization ID):

    1. RelayState: Enter your OneLogin tenant domain URL.

    2. Audience (Entity ID): Enter the Organization ID from the Netskope tenant.

    3. Recipient: Enter the Netskope Redirect URL.

    4. ACS (Consumer) URL: Enter the Netskope Redirect URL.

  8. Add other configurations as displayed in the following image:

  9. Click the SSO tab.

  10. Click View Details under X.509 certificate.

  11. This opens a new webUI with the certificate. You can download the certificate.

  12. Click Save.

    To learn more, view: Add apps to OneLogin.
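The field mapping from step 7 can be checked against a SAML response captured from a test login. The following is an added example, not Netskope or OneLogin code: `ORG_ID`, `REDIRECT_URL` and the sample response are constructed placeholders, and it assumes the connector's ACS (Consumer) URL appears as the response's `Destination` attribute. It checks field values only, not the signature.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed placeholders, not real tenant values.
ORG_ID = "EXAMPLE-ORG-ID"
REDIRECT_URL = "https://netskope-redirect.example/acs"

# Constructed, unsigned SAML response used only as sample input.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    Destination="{REDIRECT_URL}">
  <saml:Assertion>
    <saml:Subject>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{REDIRECT_URL}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>{ORG_ID}</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def check_mapping(response_xml, org_id, redirect_url):
    """Return the connector fields whose value in the response is wrong."""
    # The stdlib parser is fine for a response you captured yourself; use a
    # hardened parser (for example defusedxml) for untrusted XML.
    root = ET.fromstring(response_xml)
    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text]
    recipients = [d.get("Recipient")
                  for d in root.iterfind(".//saml:SubjectConfirmationData", NS)]
    problems = []
    if audiences != [org_id]:
        problems.append("Audience (Entity ID)")
    if not recipients or any(r != redirect_url for r in recipients):
        problems.append("Recipient")
    if root.get("Destination") != redirect_url:
        problems.append("ACS (Consumer) URL")
    return problems


if __name__ == "__main__":
    print(check_mapping(SAMPLE_RESPONSE, ORG_ID, REDIRECT_URL) or "mapping OK")
    # Simulate the OneLogin tenant URL entered as Audience by mistake.
    swapped = SAMPLE_RESPONSE.replace(ORG_ID, "https://onelogin-tenant.example")
    print(check_mapping(swapped, ORG_ID, REDIRECT_URL))
```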

Upload Certificates in Netskope

Here, you can use the certificate downloaded from your OneLogin application.

To upload your certificate in the Netskope tenant:

  1. Go to Settings > Security Cloud Platform > Netskope Client > Enforcement.

  2. Click Upload available in the OneLogin Public Key field.

After you complete the process of creating your application, you can now assign this application to Users or User Groups within OneLogin. 

This enables users to download and install Netskope Client whenever a user clicks the Netskope Client Enablement application that you created.

To learn more about adding users or user groups in OneLogin, view Add Users.

Configure IP Allowlist

You can configure an IP allowlist so that SaaS applications within OneLogin are accessible only from Netskope IPs.

This step restricts the SaaS applications to the selected Netskope IPs. If a user tries to access the application without the Netskope Client, access is denied.

To configure allowlist:

  1. Log into OneLogin.

  2. Go to Security > Policies.

  3. Click New App Policy.

  4. Add a name to the policy.

  5. In the IP Address Allowlist, copy and paste the Netskope IP addresses captured from your Netskope tenant (see Obtain Netskope IP Addresses).

  6. Click Save.
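Before pasting the ranges into the policy, it helps to check the list for entries that would weaken or break enforcement. The following is an added example, not Netskope or OneLogin code: the pasted-list format (IPs and CIDR ranges separated by spaces or commas), the `min_prefix` threshold and all addresses (documentation ranges) are assumptions made for illustration.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample using documentation ranges, not real Netskope IP ranges.
PASTED = "192.0.2.0/24, 198.51.100.16/28 203.0.113.7 0.0.0.0/0 10.1.0.0/16 198.51.100.300"


def parse_allowlist(text, min_prefix=16):
    """Split a pasted list into usable networks and (entry, reason) rejects."""
    networks, rejected = [], []
    for entry in text.replace(",", " ").split():
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejected.append((entry, "not an IP address or CIDR range"))
            continue
        if net.version == 4 and net.prefixlen < min_prefix:
            # A very wide range admits traffic that never passed the client.
            rejected.append((entry, "range too broad"))
        elif any(net.overlaps(p) for p in RFC1918):
            # A cloud IdP sees public source IPs; a private range is a paste error.
            rejected.append((entry, "private range"))
        else:
            networks.append(net)
    return networks, rejected


def is_allowed(source_ip, networks):
    """True when the request's source IP falls inside an allowlisted range."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in networks)


if __name__ == "__main__":
    nets, bad = parse_allowlist(PASTED)
    for entry, reason in bad:
        print(f"rejected {entry}: {reason}")
    # Constructed source IPs: the first egresses through an allowlisted range,
    # the second is a direct connection with the client disabled.
    for ip in ("198.51.100.20", "203.0.113.99"):
        print(ip, "allowed" if is_allowed(ip, nets) else "Access Denied")
```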

Assign Security Policy to OneLogin Application

  1. In OneLogin, go to Applications. For the context of this document, this policy is assigned to the AARP application.

  2. Under the selected application, go to the Access tab.

  3. Choose the policy that you created in Configure IP Allowlist.

  4. Click Save.

Validate Client Enforcement

Log into OneLogin using an ID that has the Netskope Client Enablement application assigned.

Try accessing the AARP application in the absence of the Netskope Client. The webUI displays an “Access Denied” notification.

If you click the Netskope Client Enablement application, it redirects you to download the Netskope Client. This ensures that users can access the SaaS applications only with the Netskope Client enabled.
