Netskope Help

Reverse Proxy for Google Workspace with AWS Single Sign-On

  1. Log in to the AWS Admin Console.

  2. If you haven’t already, refer to the Getting Started guide for AWS Single Sign-On. At the time of this writing, the guide was found here: https://docs.aws.amazon.com/singlesignon/latest/userguide/getting-started.html

  3. Select Manage SSO Access to Your Cloud Applications.

  4. Select Add a New Application.

  5. Search for G Suite and click Add application.

  6. Follow the Configuration Instruction guide to get a working SSO configuration before proceeding to the next step. Ensure that the G Suite and AWS configuration is working properly before proceeding.

  7. Keep the Google SSO and AWS SSO configuration windows open.

  8. Log in to the Netskope tenant.

  9. Go to Settings > Security Cloud Platform > Reverse Proxy > SAML.

  10. Click Add Account and select G Suite from the dropdown list. Enter these parameters:

    1. Provide a descriptive name.

    2. Copy the ACS URL from your AWS SSO configuration for G Suite and paste it in the ACS URL field in the Netskope G Suite configuration.

    3. Copy the AWS SSO sign-in URL from the AWS SSO configuration for G Suite and paste it in the IDP URL field in the Netskope G Suite configuration.

    4. Download the AWS SSO certificate and open it in a text editor.

    5. Copy and paste the certificate in the IDP Certificate field in the Netskope G Suite configuration.

    When finished, click Save.

  11. Select the magnifying glass next to the Google configuration in Netskope.

  12. Copy the Netskope SAML Proxy IdP URL and paste it in the Sign-in page URL field in the Google SSO with third party IDPs configuration.

  13. Copy the Netskope SAML Proxy Issuer Certificate and save it as samlproxy.cer.

  14. In the Google SSO configuration, replace the certificate with samlproxy.cer and save the changes.

  15. Copy the Netskope SAML Proxy ACS URL and paste it in the Application Metadata section in the AWS Application ACS URL field.

  16. Save your changes.

  17. On the “SAML - Reverse Proxy” page in Netskope, select the gear icon.

  18. Ensure that Re-Sign SAML Assertions is enabled.

  19. Open an incognito window or ensure you are completely logged out of any Google or AWS accounts.

  20. Go to accounts.google.com and log on with your AWS credentials.

  21. You should see the URL rewritten to pass through the Netskope reverse proxy.

  22. In the Netskope console, go to SkopeIT > Application Events. You should see events logged here.
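
To confirm that the Re-Sign SAML Assertions setting from step 18 took effect, compare the certificate embedded in a SAMLResponse captured from your own test login with samlproxy.cer and with the AWS SSO certificate. The Python script below is an added example, not Netskope code; its function names, the placeholder ACS URL and the sample certificate bytes are constructed assumptions, and it only identifies the embedded certificate rather than verifying the signature.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

def pem_fingerprint(pem_text):
    """SHA-256 fingerprint of the DER bytes inside a PEM certificate."""
    body = "".join(l.strip() for l in pem_text.splitlines()
                   if l.strip() and not l.startswith("-----"))
    return hashlib.sha256(base64.b64decode(body)).hexdigest()

def check_response(saml_response_b64, proxy_pem, idp_pem, expected_destination):
    """Report which known certificate is embedded in a captured SAMLResponse.

    Compares KeyInfo certificates only; it does NOT verify the XML signature.
    Feed it only responses captured from your own test login (HTTP-POST binding).
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    known = {pem_fingerprint(proxy_pem): "netskope-proxy",
             pem_fingerprint(idp_pem): "aws-sso"}
    signers = set()
    for node in root.iter(DS + "X509Certificate"):
        der = base64.b64decode("".join((node.text or "").split()))
        signers.add(known.get(hashlib.sha256(der).hexdigest(), "unknown"))
    return {"destination_ok": root.get("Destination") == expected_destination,
            "signers": sorted(signers),
            "resigned_by_proxy": signers == {"netskope-proxy"}}

# --- Constructed sample data (stand-ins for samlproxy.cer and the AWS SSO cert) ---
def _pem(raw):
    b64 = base64.b64encode(raw).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % b64

PROXY_RAW = b"constructed proxy certificate bytes"
IDP_RAW = b"constructed AWS SSO certificate bytes"
ACS = "https://sp.example.test/acs"  # placeholder for the ACS URL of the captured hop

def sample_response(cert_raw, destination=ACS):
    xml = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'Destination="%s"><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
           '<ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate>'
           '</ds:X509Data></ds:KeyInfo></ds:Signature></samlp:Response>'
           ) % (destination, base64.b64encode(cert_raw).decode())
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    print(check_response(sample_response(PROXY_RAW), _pem(PROXY_RAW), _pem(IDP_RAW), ACS))
```

If `signers` reports `aws-sso` for the response delivered to Google, the assertion was not re-signed and the setting from step 18 should be rechecked.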