Netskope SSO with Azure AD

This document explains how to configure Azure Active Directory (AD) for Single Sign On (SSO) to the Netskope tenant. Netskope now offers a gallery application in Azure AD for both admin SSO and user provisioning via SCIM. This document covers configuring the Azure AD gallery application for Admin SSO.

Prerequisites

You will need the following:

• An Azure AD subscription that supports Enterprise Applications.

• A Netskope tenant.

• An Azure Active directory user with which to test functionality.

Workflow

1. Create Enterprise Application and configure SSO in Azure AD.

2. Configure SSO parameters between Netskope and Azure AD.

3. Assign Users and/or Groups to the Netskope application in Azure AD.

Configuring SSO in Azure Active Directory and Netskope

1. Login to Microsoft Azure Portal

2. Select Enterprise Applications > New Application

   

   ---

   

3. Search for Netskope and select Netskope Administrator Console

   

4. In the Netskope Administrator Console page, select Set up single sign on

   

5. In the SAML Sign on page, click the pencil icon to add Basic SAML Configuration details.

   You can get these details from your tenant WebUI. In your tenant WebUI go to Settings > Administration > SSO page.

   

   • Identifier (Entity ID) – Service Provider Entity Id from your tenant WebUI

   • Reply URL (Assertion Consumer Service URL) – Reply URL from your tenant WebUI

   • Logout URL – Netskope Single Logout Service Request URL from your tenant WebUI

Configure SSO Parameters between Netskope and Azure AD

A custom role needs to be created in your Netskope tenant in order to complete this procedure.

To create a custom role, go to Settings > Administration > Roles and click New Role. Create a new Role with no blank spaces in the name, like DelegatedAdmin, and then add a description and select the desired settings (Privileges, Scopes, etc.). Save the Role, and then use this role name for the Users/Groups value.

For more details about Netskope Roles, go here. For Microsoft documentation and best practices, go here for Graph API and here for GUI information.

1. In the Netskope Administrator Console page in Azure AD, go to Permissions > App Registration.

   

2. Create app role. In the Netskope Administrator Console API permissions page, go to App Roles > Create app role.

   

   In the Create App Role pop-up, enter the Display Name, select Allowed member types, enter Value and provide a Description:

   When creating an app role, enter the role Value that was created in your tenant WebUI.

   

3. Go to Users and Groups and click Add user/group. Select users or group and then select a role. This role will be passed in the SAML assertion. When finished, click Assign.

   Refresh the assignment page, if the newly created Role is not visible.

   

4. Go to Single Sign-On > SAML-based Sign-on, download the SAML Signing Certificate in Base64 format, and copy the Login URL, Azure AD Identifier, and the Logout URL.

   

5. In your Netskope WebUI, go to Settings > Administration > SSO > SSO/SLO Settings and select Edit Settings.

   

6. Check the boxes to Enable SSO and Sign SSO Authentication Request and copy the following from the Azure Portal Netskope Administrator Console to your Netskope tenant

   From Azure	To Netskope
   Login URL	IDP URL
   Azure AD Identifier	IDP Entity ID
   Certificate from the SAML Sign On Popup window. Step 4 from the Configure SSO Parameters between Netskope and Azure ADsection.	IDP Certificate
   Logout URL	IDP SLO URL

   

Assign Users and/or Groups to the Netskope Application in Azure AD

1. Go back to the Netskope Administrator Console Overview and select Users and groups.

   

2. In the Add Assignment page, under Users and groups click None Selected to search and add a user and then under Select a role click None Selected to select a role. Once selected, click Assign.

This completes the setup. You can test by logging in to your Netskope tenant and verifying that SSO works. You can also try an Azure AD initated login as both should work.