SAML Reverse Proxy with Google as SP and EntraID as IDP

Introduction and Prerequisites

This guide provides step-by-step instructions to configure Netskope Reverse Proxy for Single Sign-On (SSO) between Azure Active Directory (Entra ID) as the Identity Provider (IDP) and Google Workspace (GSuite) as the Service Provider (SP). This setup can also facilitate a secure migration from Entra ID SSO to Google Workspace with Netskope as an intermediary.

Reference Documentation

Prerequisites

To complete this setup, ensure you have the following:

Admin access to Azure AD with a P1 or P2 license.
Admin access to Google Workspace (GSuite).
Admin access to a Netskope tenant.
A registered domain name (e.g., example.uk).

Field Mapping Diagram

The following is the field mapping (in the config UI) between Entra ID, Netskope, and GSuite.

Setup Procedure

Azure AD Configuration

Log in to Azure Portal.
Navigate to Azure Active Directory.
If domain or user setup is required, refer to Section 4.5.
Select Enterprise Applications > New Application > Non-Gallery Application.
Assign a name (e.g., RP-GSuite) and click Add. Wait for Azure to complete the creation process.
Once created, open the application from the Enterprise Applications list.
Go to Assign users and groups, select Add user, and assign a test user.
- Ensure the test user’s email matches their Google Workspace email.
In the application settings, select Single sign-on.
Download the Base64 certificate and save it as a .cer file.
Copy the Login URL and Logout URL for later use.

Netskope Tenant Configuration

Log in to Netskope Tenant and navigate to, Settings > Security Cloud Platform > Reverse Proxy – SAML > Add Account.
Configure the following options using your domain name:
- IDP URL: Use the Azure AD Login URL.
- IDP Certificate: Upload the .cer file from the previous step.
Save the configuration. Once saved, expand the entry and retrieve the following values:
- SAML Proxy IdP URL
- SAML Proxy ACS URL
- SAML Proxy Issuer Certificate
Copy these values for later use.

Azure AD SSO Configuration

Go to SSO Configuration Section 1 in Azure AD and update the following:

Entity ID
Relay State (ensure it is configured to avoid errors)
Reply URL (ACS URL) (Use the SAML Proxy ACS URL from Netskope)

Google Workspace (GSuite) Configuration

Log in to Google Admin Console (admin.google.com).
If domain or user setup is needed, refer to the Google Workspace Domain/User Setup section of this topic .
Navigate to Security > Setup Single Sign-On (SSO) with a third-party IDP.
Configure the fields as follows:
- Sign-in page URL: Use the SAML Proxy IdP URL from Netskope.
- Sign-out page URL: Use the Logout URL from Azure AD.
- Certificate Upload: Upload the SAML Proxy Issuer Certificate from Netskope.
- Enable Use a domain-specific issuer.

Domain and User Setup (If Required)

Azure AD Domain/User Setup

Go to Azure Portal.
Navigate to Azure Active Directory.
Select Custom domain names > Add custom domain.
Enter your domain name, create a TXT record with your DNS registrar, and verify.
To create a test user: Go to Users > New User, enter the details, and assign the verified domain.

Google Workspace Domain/User Setup

In Google Admin Console, go to Domains > Manage Domains > Add a domain or domain alias.
Follow the instructions to verify domain ownership.
To create a test user: Go to Users > Add new user and ensure the email matches the Azure AD user.

Testing the SSO Setup

IDP-Initiated SSO (From Azure AD)

Open an Incognito browser window.
Go to myapps.microsoft.com.
Log in with the test user credentials.
Click the new application (e.g., RP-GSuite).
Google Drive should launch successfully, with a URL similar to:
- https://drive.google.com.rproxy.goskope.com/drive/my-drive
Log out and close the browser.

SAML Reverse Proxy with Google as SP and EntraID as IDP