Integration with Okta for SAML Authentication and User Provisioning

This topic illustrates integration with Okta for authentication and provisioning users via SCIM. The integration workflow includes setting up authentication and configuring provisioning parameters in the Okta tenant.
System for Cross-domain Identity Management (SCIM) defines a standard for exchanging identity information across different cloud app vendors. The objects that are exchanged using SCIM are called resources (like user resources, group resources, etc). The purpose of SCIM is to automate the exchange of user identity information across apps for user provisioning.

The previous method of using the SCIM Integration Module within Directory Tools and an OAuth token to authenticate SCIM has been deprecated. Refer to Netskope Product EOL Announcements for more information. Use the REST API v2 token to integrate SCIM.

The integration workflow includes the following steps:

  • Generating Netskope REST API v2 Token and SCIM URL

  • Configuring Netskope SCIM Provisioning in Okta

  • Validating SCIM Provisioning Configuration

  • Configuring Netskope SAML Authentication

  • Validating Netskope User Enrollment App in Okta

  • Enabling New IdP Account in Netskope

Generating Netskope REST API v2 Token and SCIM URL

The first step of the integration is to set up authentication between Okta and Netskope via a REST API token. Follow these steps to create a REST API v2 token from your Netskope tenant. In your Netskope tenant admin WebUI, go to Settings > Tools > REST API v2 and click New Token.

In the Create REST API Token pop-up, provide the following details to create a token.

  • Enter a token name.

  • Select the token expiry duration.

    To ensure the security and reliability of your SCIM integration between Okta and Netskope, select an appropriate expiration period for your API token. A shorter expiry limits the exposure if the token leaks, but provisioning stops when the token expires until a new token is issued and entered in Okta.
  • Click the ADD ENDPOINT option and search for SCIM.

    • Select the /api/v2/scim/Users and /api/v2/scim/Groups URLs.

      Use the principle of least privilege (PoLP) and ensure this token is scoped only to the two SCIM endpoints above and not consolidated with other endpoints.

      The principle of least privilege (PoLP) grants users and applications only the minimal resources and permissions needed for their tasks. A token scoped to the SCIM endpoints cannot be used against other REST API v2 endpoints, which limits the damage from a leaked token, an insider, or an account takeover.
  • Modify the permissions of the two endpoints that were just selected to support the Read+Write privilege.

  • When the Success window opens, copy the token to a safe place.

    This token cannot be retrieved later. If you lose the token, you must issue a new one.

Configuring Netskope SCIM Provisioning in Okta

This section illustrates the steps for configuring the Netskope User Enrollment app in the Okta tenant. The Netskope User Enrollment App in Okta combines both user authentication and enrollment functionality for inline access methods and is also responsible for provisioning the Okta sourced users and groups into the Netskope Platform.

  1. Log in to the Okta admin UI and access the admin section by clicking the Admin button in the page header.

  2. Go to Applications > Applications. In the Applications page, click Browse App Catalog, search for Netskope, and select the Netskope User Enrollment app.

  3. Click Add Integration in the Add Netskope User Enrollment page.

  4. Give a name (Application Label) for this app, for example Netskope SAML Auth. Select Do Not Display Application Icon to Users: because the Netskope User Enrollment app is used only for user provisioning and authentication, users do not need to interact with it from their Okta Dashboard. Click Done.

  5. Go to the Provisioning tab and click the Configure API Integration button.

  6. Select the Enable API Integration option.

    • In the API Token field, paste the v2 token generated in the Generating Netskope REST API v2 Token and SCIM URL section.

    • In the Base URL, enter the new REST API v2 URL: https://<tenant-name>

    • Select the Import Groups checkbox if group linking is required.

      Take note of the new URL format https://<tenant-name> as part of REST API v2.
    • Click Test API Credentials before saving. You should receive a "Netskope User Enrollment was verified successfully!" message.

    • Click Save.

  7. On the Provisioning tab > To App, select Create Users, Update User Attributes, and Deactivate Users so that the Netskope and Okta lifecycle management capabilities are complete.

  8. Navigate to the Assignments tab and assign test users and/or groups. If users will be managed by group in Netskope, also go to the Push Groups tab and push the appropriate groups to Netskope.

Validating SCIM Provisioning Configuration

At this stage, it's best to select a test group and test users to confirm that identities are provisioned within Netskope. To validate that the users and groups were created successfully, do the following:

  1. Log in to your Netskope tenant.

  2. Go to Settings > Security Cloud Platform > Netskope Client. Select both Users and Groups and validate both were created successfully.
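The UI check above confirms that the test users and groups arrived. The same validation can be scripted against the two SCIM endpoints the token was scoped to, which also catches users that exist but were deactivated. The following is an added example, not Netskope's or Okta's code: the SCIM responses are constructed SCIM 2.0 ListResponses (RFC 7644), not captured tenant data, and the live fetcher assumes the REST API v2 token is sent in a `Netskope-Api-Token` header (confirm the header name against your tenant's REST API v2 documentation).

```python
"""Check that the identities assigned in Okta exist in Netskope, using SCIM ListResponses.

Added example; not Netskope's or Okta's code. SAMPLE_USERS and SAMPLE_GROUPS
are constructed SCIM 2.0 ListResponses (RFC 7644), not captured tenant data.
fetch_all() is the live variant and assumes the REST API v2 token is sent in a
`Netskope-Api-Token` header; verify that against your tenant's documentation.
"""
import json
import urllib.request
from typing import Iterable

LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

# Constructed responses: two users (one deactivated by Okta) and one pushed group.
SAMPLE_USERS = {
    "schemas": [LIST_RESPONSE],
    "totalResults": 2,
    "Resources": [
        {"id": "u-1", "userName": "alice@example.com", "active": True},
        {"id": "u-2", "userName": "bob@example.com", "active": False},
    ],
}
SAMPLE_GROUPS = {
    "schemas": [LIST_RESPONSE],
    "totalResults": 1,
    "Resources": [{"id": "g-1", "displayName": "Netskope-Pilot"}],
}


def fetch_all(base_url: str, token: str, resource: str, page_size: int = 100) -> dict:
    """Page through /api/v2/scim/<resource> (startIndex/count per RFC 7644) and merge Resources.

    Live network call; the offline check below never invokes it.
    """
    merged = {"schemas": [LIST_RESPONSE], "Resources": []}
    start = 1
    while True:
        url = f"{base_url.rstrip('/')}/api/v2/scim/{resource}?startIndex={start}&count={page_size}"
        req = urllib.request.Request(
            url,
            # Assumed header name for the REST API v2 token; verify in your tenant docs.
            headers={"Netskope-Api-Token": token, "Accept": "application/scim+json"},
        )
        with urllib.request.urlopen(req, timeout=15) as resp:
            page = json.load(resp)
        resources = page.get("Resources", [])
        merged["Resources"].extend(resources)
        start += len(resources)
        if not resources or start > page.get("totalResults", 0):
            break
    merged["totalResults"] = len(merged["Resources"])
    return merged


def check_provisioning(users_resp: dict, groups_resp: dict,
                       expected_users: Iterable[str], expected_groups: Iterable[str]) -> dict:
    """Compare SCIM ListResponses with the users and groups assigned in Okta.

    Returns the expected users that are missing, the expected groups that are
    missing, and the expected users that exist but are inactive (the state
    Okta's 'Deactivate Users' action produces).
    """
    for resp in (users_resp, groups_resp):
        if LIST_RESPONSE not in resp.get("schemas", []):
            raise ValueError("response is not a SCIM 2.0 ListResponse")
    users = {r["userName"]: r for r in users_resp.get("Resources", []) if "userName" in r}
    user_names = set(users)
    groups = {r["displayName"] for r in groups_resp.get("Resources", []) if "displayName" in r}
    want_users, want_groups = set(expected_users), set(expected_groups)
    return {
        "missing_users": sorted(want_users - user_names),
        "missing_groups": sorted(want_groups - groups),
        "inactive_users": sorted(u for u in want_users & user_names
                                 if users[u].get("active") is False),
    }


if __name__ == "__main__":
    # Offline run on the constructed responses; swap in fetch_all(...) results for a live tenant.
    report = check_provisioning(
        SAMPLE_USERS, SAMPLE_GROUPS,
        ["alice@example.com", "bob@example.com", "carol@example.com"],
        ["Netskope-Pilot", "Finance"],
    )
    print(json.dumps(report, indent=2))
```

A non-empty `missing_users` or `missing_groups` list usually means the assignment or group push in Okta has not run yet, or the token was not granted Read+Write on both SCIM endpoints; `inactive_users` shows the Deactivate Users lifecycle action working as intended.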

Configuring Netskope SAML Authentication

  1. In the newly created Netskope User Enrollment App (Netskope SAML Auth), go to the Sign On tab and click Edit.

  2. Under the SAML 2.0 section, click to expand More Details to view and copy the following. They will be required when creating a new account in SAML Forward Proxy in your Netskope tenant:

    • Sign on URL

    • Issuer URL

    • Download the Signing Certificate

The next set of steps generates the Netskope SSO URLs and certificate needed to configure the Okta Sign On settings.

Generating Netskope SSO URLs and Certificate

  1. In the Netskope tenant WebUI, go to Settings > Security Cloud Platform > Forward Proxy > SAML, and click New Account. Enter the following details from Okta in the New Account pop-up window:

    • Provide a Name

    • Select the Appropriate Access Methods this Account will apply to.

    • Copy the Sign-on URL from Okta to IDP SSO URL

    • Copy the Issuer URL from Okta to IDP ENTITY ID

    • Upload Signing certificate from Okta to IDP Certificate

    • Leave SAML Binding Method as the default, “HTTP Post Binding”.

    • Click Save.

  2. Next to the newly created SAML Forward Proxy account, select Netskope Settings and copy the SAML Entity ID and the SAML Proxy ACS URL.
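The three values copied from the Sign On tab above (Sign on URL, Issuer URL, signing certificate) are the same ones carried in the IdP metadata XML that Okta exposes for the app, and reading them from the metadata avoids a mis-pasted URL or a line-wrapped certificate. The following is an added example, not Netskope's or Okta's code: it parses a constructed SAML 2.0 IdP metadata document with placeholder identifiers and a placeholder certificate body, returns the IdP Entity ID, the HTTP-POST SSO URL (the binding the Netskope account is left on) and the signing certificate in PEM form, and rejects metadata that lacks any of them.

```python
"""Extract the Okta values the Netskope SAML Forward Proxy account needs from IdP metadata.

Added example; not Netskope's or Okta's code. SAMPLE_METADATA is a constructed
SAML 2.0 IdP metadata document with placeholder identifiers; the certificate
body is base64 of a plain string, not a real X.509 certificate.
"""
import base64
# ElementTree is fine for metadata you downloaded from your own IdP console;
# use defusedxml for XML that arrives from an untrusted party.
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed placeholder certificate body (valid base64, not a certificate).
FAKE_CERT_B64 = base64.b64encode(b"placeholder, not a real X.509 certificate").decode()

# Constructed metadata in the shape an IdP publishes; identifiers are placeholders.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="http://www.okta.com/exk-constructed-id">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="{NS['ds']}">
        <ds:X509Data><ds:X509Certificate>
          {FAKE_CERT_B64}
        </ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="{HTTP_POST}"
        Location="https://example.okta.com/app/netskope/exk-constructed-id/sso/saml"/>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}"
        Location="https://example.okta.com/app/netskope/exk-constructed-id/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text: str) -> dict:
    """Return issuer (IDP ENTITY ID), sso_url (IDP SSO URL, HTTP-POST) and signing certs as PEM."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    issuer = root.get("entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if not issuer or idp is None:
        raise ValueError("metadata has no entityID or no IDPSSODescriptor")

    # The Netskope account keeps the default HTTP Post binding, so that is the URL to copy.
    post_locations = [
        s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
        if s.get("Binding") == HTTP_POST
    ]
    if len(post_locations) != 1:
        raise ValueError("expected exactly one HTTP-POST SingleSignOnService")

    # A KeyDescriptor with no 'use' attribute covers both signing and encryption.
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append("".join((c.text or "").split()))  # drop line wrapping
    if not certs:
        raise ValueError("no signing certificate in metadata")

    pem_certs = []
    for b64 in certs:
        base64.b64decode(b64, validate=True)  # reject a mangled copy of the certificate
        body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        pem_certs.append(f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n")

    return {"issuer": issuer, "sso_url": post_locations[0], "signing_certs_pem": pem_certs}


if __name__ == "__main__":
    values = parse_idp_metadata(SAMPLE_METADATA)
    print("IDP ENTITY ID :", values["issuer"])
    print("IDP SSO URL   :", values["sso_url"])
    print(values["signing_certs_pem"][0])
```

If the metadata carries more than one signing certificate, Okta is mid-rotation; upload the one currently used to sign, and plan to update the Netskope account before the old certificate is retired.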

Update Netskope User Enrollment App in Okta

  1. In the Okta admin UI, go to the newly created Netskope User Enrollment App.

  2. Go to the Sign On tab and click Edit.

  3. In the Advanced Sign-on Settings section, update the following with the values copied from the newly created Netskope SAML account:

    • Copy the SAML Proxy ACS URL from Netskope to SAML ACS URL

    • Copy the SAML Entity ID from Netskope to SAML Entity ID

    • Application username format: select either Okta username or Email, as long as the value sent matches the user's primary email address.

  4. Click Save.

Enable New Account in Netskope Admin WebUI

In the Netskope admin WebUI, enable the New Account status.

  1. Go to Settings > Security Cloud Platform > Forward Proxy > SAML, and open the new SAML account.

  2. Change the status to Enabled and click SAVE.
