Netskope Client Enforcement using Okta

The Netskope with Okta integration allows organizations to enforce steering cloud application traffic to Netskope’s cloud for very precise and granular analysis. If the Netskope client is not present on the device, the source IP coming to IDP is not going to be a Netskope proxy IP. The user is redirected to the Netskope page (Client checker) for client installation and activation.

Installing Netskope client on end user machines using an IdP is one of the automated mechanisms apart from using distribution mechanisms, like SCCM or JAMF.

Prerequisites

Users must be imported in the Netskope UI using one of these methods:

• Manually importing using CSV
• AD importer
• Okta(SCIM)
• Create SAML 2.0 APP on IDP

Click play to watch a video.

Configure an Okta App

1. Go to your Okta Admin Dashboard.
2. Go to the Applications and click Create App Integration.
3. Select SAML 2.0 from the list and click Next.
4. Enter an App Name.
5. Copy SAML Configuration details from your Netskope Tenant. Go to Security Cloud Platform > Enforcement and select Okta.
6. Paste the ACS URL in the Audience URI field in the SAML settings, and then click Next.
7. Download the public certificate from your SAML Okta Application and upload it in the Netskope tenant.

Create a Security Zone for Netskope IP Addresses

1. Go to Security > Networks in Okta and click Add zone.
2. Provide the Zone Name and copy all the Netskope IPs and paste into them Gateway IPs section. To get all the Netskope IPs, go to Security Cloud Platform > Enforcement > Netskope IP Ranges. After pasting all the IPs, click Save.



3. The Network Zone has been created.

Create an Authentication Policy

1. Go to Security > Authentication Policies and click Add a policy.
2. Click Add rule.
3. Create the Rule by selecting the specific group and zone (e.g. NetskopeZones) created in the last setup section and set the access to denied. With this configuration, any user logging into Okta from an endpoint that does not have a Netskope client installed and running will see only this application on the OKTA dashboard. This one available app will help to install the Netskope Client, making the user compliant and enabling them to see all of their permitted applications.
4. Click Save.
5. Also add the Client Enforcement Application in the Policy.

Validate Client Enforcement

1. 1. Enable the Client and you will see the lock on the Netskope Client Enforcement Application.
   2. Similarly when you don’t have the client, the application will be in the unlocked stage.
   3. When you click the unlocked application it will redirect you to the download page for the Netskope Client for your tenant.