SAML Settings for Authentication

The SAML Forward Proxy must be configured with the Assertion Consumer Service (ACS) URL, IdP URL, and IdP Certificate by following this procedure.

Get Netskope SAML Settings

  1. Log in to the Netskope WebUI.

  2. Go to Settings > Security Cloud Platform and click SAML under Forward Proxy.

    When configuring a Netskope app in the IdP, use the metadata and certificate from the Settings > Administration > SSO page in the Netskope WebUI.

  3. If the IdP account is already created, then in that IdP Account click Netskope Settings and copy the following:

    For more information on creating an IdP account in Netskope, see the Adding New FP IDP section.

    • SAML Entity ID

    • SAML Proxy ACS URL

    • Download CERTIFICATE

    Adding a New Forward Proxy IdP Service

    To add a new IdP as an authentication service, do the following:

    1. Go to Settings > Security Cloud Platform > Forward Proxy > SAML.

    2. Click the NEW ACCOUNT button. In the New Account pop-up window, enter the following:

      • Name: Provide a name to identify the IdP service.

      • Access Method: Select the access method that will use this IdP service.

        • All – To use the IdP service for all access methods.

        • IPSec – Select this option to use the IdP service for IPsec access methods. For granular control, you can enable the IdP service for all tunnels or specific tunnels. To enable this IdP for a specific tunnel, select a Specific tunnel from the list and then select the tunnel from the IPSec Tunnel list.

          If you have not configured an IPSec tunnel yet, click the gear icon to access the IPSec tunnel creation interface.

        • GRE – To use the IdP service for GRE access methods. For granular control, you can enable the IdP service for all tunnels or specific tunnels. To enable this IdP for a specific tunnel, select Specific tunnel and then select the tunnel from the GRE Tunnel list.

        • Client Enrollment – To use the IdP service for client enrollment workflow.

        • Cloud Explicit Proxy – To use the IdP service when the access method is via Netskope Proxy.

    3. IdP Configuration – In the Setup tab, enter the following details to configure the IdP service.

      • IDP SSO URL: This is the URL used to redirect the user to the IdP site for authentication. Contact your third-party Identity Provider and add the unique IdP login URL in this field.

      • IDP Entity ID: An entity ID is a globally unique name for a SAML entity, either an Identity Provider (IdP) or a Service Provider (SP).

      • IDP Certificate: Upload the certificate of the third-party IdP in this field. This is required by Netskope to validate the signature of the SAML assertion.

      • SAML Binding Method: Select between HTTP Post and HTTP Redirect as the method of communication between the IdP and the tenant.

      • Alternate User ID Field: Netskope looks at the NameID field in the SAML assertion to get the user identity. If you would like to use another field for user identification, type the name of the SAML attribute in this field. Select the Status toggle to enable or disable the IdP service.

        Click SAVE.

    4. Options tab. These are optional settings. In this tab, you can specify granular controls for an IdP service so that the IdP is used only when very specific criteria (such as network location and authentication domain) are matched.
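    The Setup tab asks for three values that normally come from the IdP's SAML 2.0 metadata document. The following added example (not Netskope's code) extracts the IDP Entity ID, the IDP SSO URL for the chosen SAML Binding Method, and the IDP Certificate as PEM, and refuses an encryption-only key, since only the IdP's signing certificate can validate assertion signatures. The metadata, hostnames and certificate text are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 metadata and XML-DSig.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# The two choices offered under "SAML Binding Method".
BINDINGS = {"HTTP Post": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
            "HTTP Redirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"}

def idp_setup_values(metadata_xml: str, binding: str) -> dict:
    """Return the IDP Entity ID, IDP SSO URL (for the chosen binding) and the
    IDP Certificate as PEM, or raise ValueError if the metadata lacks them."""
    root = ET.fromstring(metadata_xml)
    entity_id = root.get("entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None or not entity_id:
        raise ValueError("not a SAML IdP metadata document")
    want = BINDINGS[binding]
    sso_url = next((s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
                    if s.get("Binding") == want), None)
    if sso_url is None:
        raise ValueError(f"IdP does not publish {binding}; choose the other binding")
    # Only a signing key can validate assertion signatures. A KeyDescriptor with
    # no 'use' attribute serves both purposes; an encryption-only key is skipped.
    cert_b64 = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        node = kd.find(".//ds:X509Certificate", NS)
        if kd.get("use", "signing") == "signing" and node is not None and node.text:
            cert_b64 = "".join(node.text.split())   # drop embedded whitespace
            break
    if cert_b64 is None:
        raise ValueError("metadata has no signing certificate")
    body = "\n".join(cert_b64[i:i + 64] for i in range(0, len(cert_b64), 64))
    pem = f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
    return {"entity_id": entity_id, "sso_url": sso_url, "certificate_pem": pem}

# Constructed sample metadata: placeholder host and certificate text, not a real IdP.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="encryption"><ds:KeyInfo>
   <ds:X509Certificate>ENCRYPTIONONLYKEY</ds:X509Certificate></ds:KeyInfo></md:KeyDescriptor>
  <md:KeyDescriptor use="signing"><ds:KeyInfo>
   <ds:X509Certificate>PLACEHOLDER
   CERTDATA</ds:X509Certificate></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://idp.example.test/sso/post"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
```

Run `idp_setup_values(SAMPLE_METADATA, "HTTP Post")` to see the three values; asking for "HTTP Redirect" raises, because the sample IdP only publishes the POST endpoint.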

    Forward Proxy Global Settings

    Administrators can use this page to configure user authentication settings. You can enable cookie surrogate, modify the authentication refresh interval, and modify the user authentication domain refresh interval. In addition, you can bypass specific domains and web categories for which authentication is not required.

    Using IP Surrogate

    IP surrogate is enabled by default for SAML forward proxy authentication. The Netskope service maps users to private IP addresses for user-based or group-based policy evaluations. User to private IP address mapping expires based on the configured authentication refresh interval setting.

    Using Cookie Surrogate

    A cookie surrogate is useful in cases where users are behind a NAT device and the Netskope Security Cloud Platform sees the same IP for all the users that are behind NAT. When this feature is enabled, the cookie surrogate resolves this by using a cookie to fetch user identity. For this purpose, enter the private IP address of the NAT.

    To use a cookie surrogate, go to Settings > Security Cloud Platform > Forward Proxy > SAML and click Settings. In the Settings pop-up, enable the Enable Cookie Surrogate toggle, then enter the source IP address (such as 1.1.1.1) or subnet (such as 1.1.1.0/24) for the cookie surrogate in the Source IP Addresses text field and click the + button.

    Cookie Surrogate for Desktop Applications

    Native apps on a desktop that do not honor cookie redirects, or background traffic from a browser such as .js and .css requests that do not forward cookies or follow redirects, may not have user identity available. When user identity is unavailable:

    • Policies that are user specific for access to specific apps, instances, or SSL decryption, etc., will not be enforced.

    • Events (Application/Page) will not show user information, but will show the IP address of the user.

    • With cookie surrogate, IdP authentication will happen for each browser instance because it is cookie dependent.

    • Device information is not supported with cookie surrogate.

    • Remediation actions include bypassing authentication for problematic domains.

    Refresh Interval Settings

    In the Settings pop-up, in the Authentication tab, you can configure the Authentication Refresh Interval and User Authentication Domain Refresh Interval.

    Authentication Refresh Interval

    This option applies to both IP surrogate and the cookie surrogate token. To refresh the authentication token after a specified length of time, enter the days and hours for the Authentication Refresh Interval. The default value is 7 days, the minimum is 1 hour, and the maximum is 180 days.

    For IPSec, GRE, or EPoT deployments, you can run the following POST request from the end device to force expiration of a specific user-to-IP mapping for IP surrogate behind the tunnel:

    curl -X POST -H "X-NS-REMOVE-AUTH-ENTRY: 1" -H "Content-Type: application/json" -d '{"comment": "<enter your comment>"}' https://nsauth-<enter your tenant>.goskope.com/

    Note

    The API option to remove IP surrogate is in Beta. Contact your Netskope Sales team to enable this feature in your account.
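    To make the IP surrogate behaviour concrete, here is a simplified model (added example, not Netskope's implementation) of a user-to-IP table governed by the Authentication Refresh Interval. It shows why users behind a NAT need the cookie surrogate (the second login on the shared address silently takes over the first user's identity), how the interval expires a mapping, and the effect of forcing one mapping out as the X-NS-REMOVE-AUTH-ENTRY request does. The clock and the addresses are constructed values.

```python
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple

HOUR, DAY = timedelta(hours=1), timedelta(days=1)
# Authentication Refresh Interval bounds from the Settings pop-up.
DEFAULT_INTERVAL, MIN_INTERVAL, MAX_INTERVAL = 7 * DAY, HOUR, 180 * DAY

class IpSurrogateTable:
    """One entry per source IP: (user, expiry). Simplified model only."""

    def __init__(self, refresh_interval: timedelta = DEFAULT_INTERVAL):
        if not MIN_INTERVAL <= refresh_interval <= MAX_INTERVAL:
            raise ValueError("refresh interval must be between 1 hour and 180 days")
        self.interval = refresh_interval
        self.entries: Dict[str, Tuple[str, datetime]] = {}

    def authenticate(self, ip: str, user: str, now: datetime) -> None:
        # A successful IdP login (re)binds the IP; any previous owner is overwritten.
        self.entries[ip] = (user, now + self.interval)

    def lookup(self, ip: str, now: datetime) -> Optional[str]:
        """Identity applied to user/group policy, or None if unknown or expired."""
        entry = self.entries.get(ip)
        if entry is None:
            return None
        user, expiry = entry
        if now >= expiry:            # interval elapsed: user must re-authenticate
            del self.entries[ip]
            return None
        return user

    def remove(self, ip: str) -> bool:
        """Force expiry of one mapping, as the X-NS-REMOVE-AUTH-ENTRY POST does."""
        return self.entries.pop(ip, None) is not None

T0 = datetime(2024, 1, 1, 9, 0)   # constructed clock; addresses below are documentation ranges

def demo() -> dict:
    """Walk through NAT collision, interval expiry and forced removal."""
    t = IpSurrogateTable()                                  # default 7-day interval
    t.authenticate("203.0.113.10", "alice", T0)             # alice logs in behind the NAT
    before = t.lookup("203.0.113.10", T0 + HOUR)            # -> "alice"
    t.authenticate("203.0.113.10", "bob", T0 + 2 * HOUR)    # bob logs in, same NAT IP
    collided = t.lookup("203.0.113.10", T0 + 3 * HOUR)      # alice's traffic -> "bob"
    expired = t.lookup("203.0.113.10", T0 + 2 * HOUR + 7 * DAY)   # bob's entry lapsed
    t.authenticate("198.51.100.7", "carol", T0)
    forced = (t.remove("198.51.100.7"), t.lookup("198.51.100.7", T0 + HOUR))
    return {"before": before, "collided": collided, "expired": expired, "forced": forced}
```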

    User Authentication Domain Refresh Interval

    If you set up the user authentication domain for IdP selection, you can control how frequently users are prompted to enter their email. Enter the days and hours for the User Authentication Domain Refresh Interval. This feature is optional; the default is 7 days, the minimum is 1 hour, and the maximum is 180 days.

    Bypass Settings

    You can specify domains, web categories, and network IP addresses for which user authentication is not required. To specify authentication bypass settings, go to Settings > Security Cloud Platform > Forward Proxy > SAML and click Settings. In the Settings pop-up, click the Bypass tab.

    Domain Bypass

    Click to add comma-separated URLs to bypass. When finished, click Save.

    Adding your IdP domains here is recommended.

    Web Category Bypass

    Click to add comma-separated web categories to bypass. When finished, click Save.

    Source IP Address Bypass

    Click to edit and search for source networks. For each of the networks found, you can choose to bypass based on User IPs or Egress IPs (just one, not both). Enter the IP address, IP address range, or CIDR netmask in the text field. Click the icon next to the field to add multiple network locations. After adding the network locations, click Save.
