Log in to the Microsoft Entra admin center with your admin credentials.
Go to Applications > Enterprise Applications and click New Application.
Select Create your own application. On the Create your own application page, enter a name for the application (like Netskope Private Apps), and select Integrate any other application you don’t find in the gallery (Non-gallery), and then click Create.
Select Users and Groups.
Click Add user/group and select Users and Groups (under Add Assignment).
Enter or select the name of the user(s) or group(s) that should have the option to use the Browser Access functionality (like Contractors, or 3rd party partners). Click Select and then click Assign.
Select Single Sign-on.
Click SAML on the Set up Single Sign-On with SAML page.
On Section 1 (Basic SAML Configuration), click Edit (Entra ID requires these values to generate a SAML signing certificate).
Add identifier: input a temporary value, like https://dummyurl.com
Add reply URL: input a temporary value, like https://dummyurl.com
Click Save.
On Section 3 (SAML Certificates), Download the SAML Certificate (Base64)
On Section 4 (Set up ApplicationName), copy the Login URL and Microsoft Entra ID Identifier.
Log in to your Netskope admin console, go to Settings > Security Cloud Platform > Reverse Proxy > SAML, and then click Add Account. Select Private Apps in the APPLICATION dropdown menu and enter the following:
Name: Enter a name for the app.
IdP SSO URL: Paste the Login URL copied from the Entra admin center.
IdP Certificate: Paste the contents of the SAML Signing Certificate downloaded from the Entra admin center.
Click Save.
Click for the Private Apps application you just created and copy the Audience URL and Browser Access ACS URL from the Netskope Settings window.
Go back to the Entra admin center. Ensure that you are in the Single Sign-on configuration page for the application you created previously and enter the following:
On Section 1, click Edit.
Identifier (Entity ID): Paste the Audience URL copied in the previous step.
Reply URL: Paste the Browser Access ACS URL copied in the previous step. (See below).
