Configure Browser Access for Private Apps

Browser Access is an additional method through which users can access enterprise internal web applications over HTTP/HTTPS. Users can also access non-HTTP/HTTPS internal applications using the Netskope Client.


You must have an active Identity Provider (IdP) account and have privileges to modify settings in your IdP account that will direct traffic to Netskope.

Browser Access requires that the hostname in the originating HTTP request matches the hostname expected by the application server. Browser Access only supports HTTP/1.1, HTTP/2, and TLS 1.2. TLS 1.3 and HTTP/3 are not supported.


Browser Access is not offered for applications accessed through China PoPs.


  1. Create a SAML Reverse Proxy account in the Netskope UI, and then update your IdP account with the Netskope ACS URL and Audience URL.
  2. Enable Browser Access for a Private App.
  3. Create a Real-time Protection policy to grant users browser access to Private Apps.

Create a SAML Account for Browser Access

You will need your IdP SSO URL and certificate to complete these steps.

  1. Log in to the Netskope UI.
  2. Go to Settings > Security Cloud Platform and click SAML (under Reverse Proxy).
  3. Click Add Account.
  4. In the New Account window, enter a name for the account.
  5. Select Private Apps from the Application dropdown list.
  6. Enter these parameters:
    • IdP SSO URL: Enter your IdP SSO URL.
    • IdP Certificate: Enter your IdP certificate.
  7. Click Save and View Netskope Settings to see the URLs for this account. Copy the Browser Access ACS URL and Audience URL to use in your IdP account. Update your IdP account with these URLs before proceeding.


    Multiple IdPs for Browser Access are currently not supported. Only the first account in the list (the top one) is used; the other accounts are ignored.

Enable Browser Access for a Private App

These instructions are for new and existing Private Apps.

  1. Go to Settings > Security Cloud Platform > App Definition and click Private Apps.
  2. Click New Private App to create a new private app, or select an existing app (and jump to step 4).
  3. Enter a meaningful app name in the Application Name field.
  4. Enable Allow Browser Access.
  5. Enter the Host domain in the Host field (like The Host field supports the following syntax: Host ( Only one host can be added. Browser Access does not support wildcards in host names. Next add a TCP port number.

    After adding the hostname and port, the Public Host URL is displayed. This is the URL by which properly authenticated users can access the private app. You can copy the public host name by clicking the copy icon.

  6. Select HTTP or HTTPS. For HTTPS, the private app must either use a certificate that is signed by a trusted certificate authority, or you must select the Trusted self-signed certificate option.


    Netskope supports self-signed trusted root certificates. Cross-signed root certificates are not supported in the certificate chain file. To learn more, go here.

    A Private App can be accessed via a browser in two ways: 

    • Using the generated hostname from the Public Host field.


      You can use the public host name for your custom host name in your DNS system. Create a DNS record, select the CNAME type, and then add your public host name.

    • Creating a custom hostname and uploading a certificate and key pair for the private host. Click the Custom Hostname toggle, and then click Upload the Certificate to open a page to enter your certificate and key.


      You will need to upload the certificate and key for the custom host name.

      The server cert should be on top, followed by the rest of the chain, with the root cert at the bottom.

      For more information about certificates, refer to Configuring Certificates for Private Apps Browser Access.

  7. Click in the Publisher text field and select one or more Publishers from the dropdown list.


    For high availability, add multiple publishers for each private app. Up to 16 Publishers can be used per app.

  8. Click Save.

Connecting the private app to the publisher may take several minutes. Make sure that you see the green icon for this private app before proceeding. If the badge is red, use the Troubleshooter feature or check your firewall rules before proceeding.


When a user has access to a private app on different tenants using Netskope-encoded Private App URLs from the same browser, the user must clear the browser cookies after accessing the Private App on one tenant before being able to access the Private App on a different tenant.
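
The ordering rule for the uploaded certificate file (server cert on top, then the rest of the chain, root cert at the bottom) can be checked before upload. This is an added example, not Netskope code: it compares each certificate's issuer name with the next certificate's subject name and does not verify signatures. The fake_cert helper and the example names are constructed stand-ins, not valid certificates.

```python
import base64, re

PEM = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def tlv(buf, pos):
    """Parse one DER element at pos; return (tag, value_start, element_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def issuer_subject(der):
    """Return the raw DER issuer and subject Names of one certificate."""
    pos = tlv(der, 0)[1]        # step into Certificate
    pos = tlv(der, pos)[1]      # step into TBSCertificate
    if der[pos] == 0xA0:        # optional [0] version field
        pos = tlv(der, pos)[2]
    pos = tlv(der, pos)[2]      # skip serialNumber
    pos = tlv(der, pos)[2]      # skip signature algorithm
    issuer_end = tlv(der, pos)[2]
    subject_start = tlv(der, issuer_end)[2]  # skip validity
    return der[pos:issuer_end], der[subject_start:tlv(der, subject_start)[2]]

def check_chain_order(pem_text):
    """Return ordering problems; an empty list means leaf, chain, root."""
    certs = [issuer_subject(base64.b64decode(b)) for b in PEM.findall(pem_text)]
    if not certs:
        return ["no certificates found"]
    problems = []
    for i in range(len(certs) - 1):
        if certs[i][0] != certs[i + 1][1]:   # issuer must equal next subject
            problems.append(f"cert {i + 1} is not issued by cert {i + 2}")
    if certs[-1][0] != certs[-1][1]:         # root: issuer equals subject
        problems.append("last cert is not a self-issued root")
    return problems

def fake_cert(subject, issuer):
    """Constructed stand-in with only the fields walked above, not a valid cert."""
    der = lambda tag, body: bytes([tag, len(body)]) + body  # short lengths only
    name = lambda cn: der(0x30, der(0x0C, cn.encode()))
    tbs = der(0x02, b"\x01") + der(0x30, b"") + name(issuer) + der(0x30, b"") + name(subject)
    body = base64.b64encode(der(0x30, der(0x30, tbs))).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

LEAF = fake_cert("app.example.internal", "Example Issuing CA")
INTER = fake_cert("Example Issuing CA", "Example Root CA")
ROOT = fake_cert("Example Root CA", "Example Root CA")
```

To check a real file, pass its contents to check_chain_order, for example check_chain_order(open(path).read()), where path is your chain file.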

Create a Real-time Protection Policy for Browser Access to Private Apps

You need to create a Real-time Protection policy in order to allow Browser Access to Private Apps.

  1. Go to Policies > Real-time Protection.
  2. Click New policy and select Private App Access.
  3. For Source, select the Users, OU, or Groups for which you want to grant access to the private app(s).
  4. For Access Method, select Browser Access. At least one Access Method must be defined, either Browser Access or Client.

    If Browser Access is used, Client users will not be able to access Browser Access Private Apps. If Client is used, Client users and Browser Access users will have access to Private Apps.

    If Access Method is not showing, click Add Criteria to search for and select Access Method, and then select Browser Access.

  5. For Destination, leave Private App and select your private app from the dropdown list.
  6. For Action, select Allow to grant access. To deny access, select Block, and then select a policy notification template from the dropdown list or create one.
  7. Give the policy a name (like Browser Access for JIRA), and then click Email Notification to choose the notification template for the policy. When finished, click Save.
  8. Click Apply Changes.

Clear Browser Access

Browser Access provides the ability to terminate a user’s active session. Go to Skope IT > Users, click the menu icon for a user, and then click Clear Private App Auth to clear the user’s browser access authentication information. As a result, the user will need to re-authenticate to access the private app.

Configure Google Workspace as the IdP for Browser Access Authentication

This document explains how to configure Google Workspace as your IdP to work with Browser Access to perform authentication in a browser.


To complete this procedure you need:

  • A basic understanding of SAML, like knowing the relation between the service provider (SP) and the identity provider (IdP).
  • A Google Workspace account. If you don’t have one, use these instructions to create one.
  • A Private App configured for Browser Access.

For more information about creating a SAML application in Google, go here.


  1. Get your Google Workspace SSO information.
  2. Configure Google Workspace with a customized SAML application.

First configure Google Workspace with a customized SAML application, and then finish by connecting to the private app in the clientless way.

Get your Google Workspace SSO Information

  1. Log in to Google Workspace and go to the Security Settings SSO page.
  2. Copy the SSO URL and Certificate.

Create a Netskope SAML Reverse Proxy Account

  1. In the Netskope UI, go to Settings > Security Cloud Platform > Reverse Proxy > SAML and click Add Account.
  2. Enter a name and select Private Apps from the Application dropdown list.
  3. Enter your Google Workspace SSO URL and certificate.
  4. Click Save.
  5. Click Network Settings beside the account name.
  6. Copy the ACS URL and Audience URL.

Create a SAML Application

  1. Go back to Google Workspace, click Add App, and then click Add Custom SAML App.
  2. Enter an App Name and click Continue.
  3. On the next page just click Continue.
  4. For ACS URL, enter the ACS URL from the Netskope UI. For Entity ID, enter the Audience URL from the Netskope UI.
  5. Click Finish.

Test Browser Access

  1. In a browser, go to the Public Host address for the Private App configured for Browser Access. To get the Public Host address, go to Settings > Security Cloud Platform > App Definition > Private Apps and click on your private app.
  2. Use the Google Workspace account to authenticate and log in.