SAML Settings for Authentication
The SAML Forward Proxy must be configured with the Assertion Consumer Service (ACS) URL, IdP URL, and IdP Certificate by following this procedure.
* Creating IdPs through REST API calls is a controlled-GA feature. To enable this, please contact Netskope Support or your account executive.
* The instructions in this section apply only to non-admin users. For instructions on configuring SSO for admin users, see the Single Sign On for Administrators section.
Get Netskope SAML Settings
- Log in to the Netskope WebUI.
- Go to Settings > Security Cloud Platform and click SAML under Forward Proxy.
  When configuring a Netskope app in the IdP, use the metadata and certificate from the Settings > Administration > SSO page in the Netskope WebUI.
- If the IdP account is already created, then in that IdP account click Netskope Settings and copy the following. For more information on creating an IdP account in Netskope, see the Adding New FP IDP section.
  - SAML Entity ID
  - SAML Proxy ACS URL
  - Download CERTIFICATE
Adding a New Forward Proxy IdP Service
To add a new IdP as an authentication service, do the following:
- Go to Settings > Security Cloud Platform > Forward Proxy > SAML.
- Click the NEW ACCOUNT button. In the New Account pop-up window, enter the following:
  - Name: Provide a name to identify the IdP service.
  - Access Method: Select the access method that will use this IdP service.
    - All – To use the IdP service for all access methods.
    - IPSec – To use the IdP service for IPsec access methods. For granular control, you can enable the IdP service for all tunnels or for specific tunnels. To enable this IdP for a specific tunnel, select Specific tunnel from the list and then select the tunnel from the IPSec Tunnel list. If you have not configured an IPSec tunnel yet, click the gear icon to open the IPSec tunnel creation interface.
    - GRE – To use the IdP service for GRE access methods. For granular control, you can enable the IdP service for all tunnels or for specific tunnels. To enable this IdP for a specific tunnel, select Specific tunnel and then select the tunnel from the GRE Tunnel list.
    - Client Enrollment – To use the IdP service for the client enrollment workflow.
    - Cloud Explicit Proxy – To use the IdP service when the access method is the Netskope Cloud Explicit Proxy.
  - IdP Configuration – In the Setup tab, enter the following details to configure the IdP service.
    - IDP SSO URL: The URL to which users are redirected to authenticate at the IdP. Obtain the unique IdP login URL from your third-party Identity Provider and enter it in this field.
    - IDP Entity ID: A globally unique name for a SAML entity, either an Identity Provider (IdP) or a Service Provider (SP). Enter the entity ID published by your IdP (normally found in its SAML metadata).
    - IDP Certificate: Upload the signing certificate of the third-party IdP. Netskope uses it to validate the signature on the SAML assertion; an assertion signed with any other key is rejected.
    - SAML Binding Method: Select HTTP Post or HTTP Redirect as the method of communication between the IdP and the tenant.
    - Alternate User Id Field: By default, Netskope reads the NameID element of the SAML assertion to obtain the user identity. To use another field instead, enter the name of that SAML attribute here; the IdP must include the attribute in every assertion it issues for this service.
  - Status: Use the Status toggle to enable or disable the IdP service.
  - Click SAVE.
- Options tab. These settings are optional. In this tab, you can apply granular controls to an IdP service so that it is used only when specific criteria (such as network location and authentication domain) are matched.
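The Setup-tab fields above are all values an IdP publishes in its SAML metadata, and the user identity is taken from the assertion's NameID unless an Alternate User Id Field is set. The following Python program, added here as an example and not part of the Netskope documentation or product, extracts the IDP Entity ID, the IDP SSO URL for the selected binding and the IDP Certificate (as PEM) from a constructed metadata document for a hypothetical IdP at idp.example.com, and shows which assertion field would be read as the user identity with and without an alternate attribute. The metadata, assertion, user names and certificate text are constructed; the certificate is a placeholder, and the program does not verify XML signatures (that needs an xmlsec-based library).

```python
"""Extract the New Account > Setup values from IdP metadata and read the user
identity from an assertion. Added example; idp.example.com, the XML below,
the users and the certificate text are constructed placeholders."""
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# UI label in the SAML Binding Method field -> SAML 2.0 binding URI
BINDINGS = {
    "HTTP Post": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    "HTTP Redirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
}

# Constructed IdP metadata; the X509Certificate content is NOT a real certificate.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIBplaceholderNOTaREALcertificateJUSTbase64LOOKINGtextFORtheEXAMPLEonly</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/sso/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed, unsigned assertion carrying a NameID and one custom attribute.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c0ffee" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/saml/metadata</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="userPrincipalName"><saml:AttributeValue>jdoe@corp.example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def idp_settings(metadata_xml, binding="HTTP Post"):
    """Return the Setup-tab values for one binding; raise if the IdP does not offer it."""
    # ET is fine for metadata you fetched yourself over TLS; parse untrusted XML with defusedxml.
    root = ET.fromstring(metadata_xml)
    desc = root.find("md:IDPSSODescriptor", NS)
    if desc is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    sso = {s.get("Binding"): s.get("Location") for s in desc.findall("md:SingleSignOnService", NS)}
    sso_url = sso.get(BINDINGS[binding])
    if sso_url is None:
        raise ValueError(f"IdP publishes no SingleSignOnService for {binding}")
    # Only a signing key validates assertion signatures; a KeyDescriptor with no
    # use attribute is valid for both signing and encryption, so it is kept too.
    certs = ["".join(c.text.split())
             for kd in desc.findall("md:KeyDescriptor", NS)
             if kd.get("use", "signing") == "signing"
             for c in kd.findall(".//ds:X509Certificate", NS)]
    if not certs:
        raise ValueError("metadata has no signing certificate")
    pem = ("-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(certs[0], 64))
           + "\n-----END CERTIFICATE-----\n")
    return {"IDP Entity ID": root.get("entityID"), "IDP SSO URL": sso_url,
            "SAML Binding Method": binding, "IDP Certificate": pem}


def user_identity(assertion_xml, alternate_user_id_field=None):
    """Identity as the proxy reads it: NameID, or the named attribute when one is configured."""
    root = ET.fromstring(assertion_xml)
    if alternate_user_id_field is None:
        name_id = root.find("saml:Subject/saml:NameID", NS)
        if name_id is None:
            raise ValueError("assertion has no NameID")
        return name_id.text.strip()
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") == alternate_user_id_field:
            return attr.find("saml:AttributeValue", NS).text.strip()
    raise ValueError(f"assertion carries no attribute {alternate_user_id_field!r}")


def issuer_matches(assertion_xml, entity_id):
    """The assertion's Issuer should equal the configured IDP Entity ID."""
    issuer = ET.fromstring(assertion_xml).find("saml:Issuer", NS)
    return issuer is not None and issuer.text.strip() == entity_id


if __name__ == "__main__":
    settings = idp_settings(IDP_METADATA, "HTTP Post")
    for key, value in settings.items():
        print(f"{key}: {value}")
    print("NameID:", user_identity(ASSERTION))
    print("userPrincipalName:", user_identity(ASSERTION, "userPrincipalName"))
    print("issuer matches entity ID:", issuer_matches(ASSERTION, settings["IDP Entity ID"]))
```

Run it with no arguments to see the four Setup values for the HTTP Post binding. Two practical points the code makes explicit: the certificate uploaded as IDP Certificate must be the IdP's signing certificate (not an encryption-only key), and an Alternate User Id Field only works if the IdP actually emits that attribute; if the assertion lacks it, the lookup fails rather than silently falling back to NameID.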
Adding a New Forward Proxy IdP Service with the REST API
GET, POST (create), PATCH (update), and DELETE are supported for managing SAML IdP accounts.
For specifics, see REST API v2 and your tenant's Swagger API documentation at https://<your_tenant>.netskope.com/apidocs/?include_beta_routes=0
Forward Proxy Global Settings
Administrators can use this page to configure user authentication settings. You can enable cookie surrogate, modify the authentication refresh interval, and modify the user authentication domain refresh interval. In addition, you can bypass specific domains and web categories for which authentication is not required.
Using IP Surrogate
IP surrogate is enabled by default for SAML forward proxy authentication. The Netskope service maps users to private IP addresses for user-based or group-based policy evaluations. User to private IP address mapping expires based on the configured authentication refresh interval setting.
Using Cookie Surrogate
A cookie surrogate is useful when users are behind a NAT device and the Netskope Security Cloud Platform sees the same source IP for all of them, so an IP-to-user mapping cannot tell them apart. When this feature is enabled, the user identity is taken from a cookie set in the user's browser instead of from the source IP. For this purpose, enter the private IP address (or subnet) of the NAT as seen by Netskope.
To use a cookie surrogate, go to Settings > Security Cloud Platform > Forward Proxy > SAML and click Settings. In the Settings pop-up enable the Enable Cookie Surrogate toggle, and then enter the source IP address (like 1.1.1.1) or subnet (like 1.1.1.0/24) for the cookie surrogate in the Source IP Addresses text field and click the + button.
Cookie Surrogate for Desktop Applications
Native apps on a desktop that do not honor cookie redirects, or background traffic from a browser (such as .js and .css requests) that does not forward cookies or follow redirects, may not have user identity available. When user identity is unavailable:
- User-specific policies (for access to specific apps or instances, SSL decryption, and so on) are not enforced.
- Events (Application/Page) do not show user information, only the IP address of the user.
- With cookie surrogate, IdP authentication happens for each browser instance because it is cookie dependent.
- Device information is not supported with cookie surrogate.
- Remediation options include bypassing authentication for the problematic domains.
Limitations with the IPSec/GRE Cookie Surrogate
Depending on the website’s structure and its Cross-Origin Resource Sharing (CORS) policy, there may be scenarios where the nspatoken cookie is either omitted or cannot be transmitted as part of the request. During user authentication, Netskope establishes the user’s identity by setting and receiving the nspatoken cookie between the Netskope service and the user’s browser. If the nspatoken is absent in the browser’s subsequent requests, Netskope will block the connection as it relies on the token to validate the user session and authorize communication.
Refresh Interval Settings
In the Settings pop-up, in the Authentication tab, you can configure the Authentication Refresh Interval and User Authentication Domain Refresh Interval.
Authentication Refresh Interval
This option applies to both IP surrogate and the cookie surrogate token. To refresh the authentication token after a specified length of time, enter the days and hours for the Authentication Refresh Interval. The default value is 7 days, the minimum is 1 hour, and the maximum is 180 days.
For IPSec, GRE, or EPoT deployments, you can run the following POST request from the end device to force expiration of that device's user-to-IP mapping for IP surrogate behind the tunnel (the JSON body is single-quoted so the shell passes the inner double quotes through unchanged):
curl -X POST -H "X-NS-REMOVE-AUTH-ENTRY: 1" -H "Content-Type: application/json" -d '{"comment": "<enter your comment>"}' https://nsauth-<enter your tenant>.goskope.com/
When IP surrogate is removed for the inline user, an audit event is generated. This activity is listed as “Removed Auth Entry” followed by your comment in the curl command. Go to Settings > Administration > Audit Logs to view audit events.
Note
The API option to remove IP surrogate is in Controlled GA. Contact your Netskope Sales team to enable this feature in your account.
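The IP surrogate, cookie surrogate, Authentication Refresh Interval and X-NS-REMOVE-AUTH-ENTRY request described above all act on one table: a mapping from a surrogate (private source IP, or cookie token) to a user, with an expiry. The following Python model, added here as an example and not Netskope code, reproduces that behaviour on constructed data so the failure mode the text warns about is visible: behind a NAT, a second user's login overwrites the first user's IP mapping, while cookie surrogate keeps them apart but gives no identity to a request that does not carry the cookie. The interval bounds (1 hour to 180 days, default 7 days) and the audit line format are taken from the text; the users, addresses, timestamps and the remove_auth_entry comment are constructed.

```python
"""Model of IP surrogate vs cookie surrogate with a refresh interval and an
early-removal hook. Added example; not Netskope code. Users, addresses and
timestamps below are constructed."""
from datetime import datetime, timedelta, timezone
import secrets

MIN_REFRESH = timedelta(hours=1)
MAX_REFRESH = timedelta(days=180)
DEFAULT_REFRESH = timedelta(days=7)


def refresh_interval_ok(days, hours):
    """Authentication Refresh Interval bounds from the settings text: 1 hour to 180 days."""
    return MIN_REFRESH <= timedelta(days=days, hours=hours) <= MAX_REFRESH


class SurrogateTable:
    def __init__(self, refresh=DEFAULT_REFRESH):
        if not MIN_REFRESH <= refresh <= MAX_REFRESH:
            raise ValueError("refresh interval out of range")
        self.refresh = refresh
        self.by_ip = {}      # private source IP -> (user, expires_at)
        self.by_cookie = {}  # cookie token -> (user, expires_at)
        self.audit = []      # audit-log lines, as the admin would see them

    def authenticate(self, user, src_ip, now, cookie_surrogate=False):
        """Record a successful IdP login; returns the cookie token when cookie surrogate is on."""
        expires = now + self.refresh
        if cookie_surrogate:
            token = secrets.token_urlsafe(16)
            self.by_cookie[token] = (user, expires)
            return token
        self.by_ip[src_ip] = (user, expires)  # a second user on the same IP overwrites the first
        return None

    def identify(self, src_ip, now, cookie=None):
        """User for a request, or None (unknown or expired: the user is sent back to the IdP)."""
        entry = self.by_cookie.get(cookie) if cookie is not None else self.by_ip.get(src_ip)
        if entry is None or entry[1] <= now:
            return None
        return entry[0]

    def remove_auth_entry(self, src_ip, comment):
        """Analogue of the X-NS-REMOVE-AUTH-ENTRY request: expire one IP mapping and log it."""
        if self.by_ip.pop(src_ip, None) is None:
            return False
        self.audit.append(f"Removed Auth Entry {comment}")
        return True


T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
NAT_IP = "10.1.2.3"  # constructed private address shared by everyone behind the NAT


def nat_collision_demo():
    """Two users behind one NAT address, with and without cookie surrogate."""
    ip_only = SurrogateTable()
    ip_only.authenticate("alice@example.com", NAT_IP, T0)
    ip_only.authenticate("bob@example.com", NAT_IP, T0)
    later = T0 + timedelta(hours=1)
    alice_seen_as = ip_only.identify(NAT_IP, later)  # Bob's login replaced Alice's mapping

    with_cookie = SurrogateTable()
    a = with_cookie.authenticate("alice@example.com", NAT_IP, T0, cookie_surrogate=True)
    b = with_cookie.authenticate("bob@example.com", NAT_IP, T0, cookie_surrogate=True)
    return (
        alice_seen_as,
        with_cookie.identify(NAT_IP, later, cookie=a),
        with_cookie.identify(NAT_IP, later, cookie=b),
        with_cookie.identify(NAT_IP, later),  # request without the cookie (.js fetch, native app): no identity
    )


def expiry_and_removal_demo():
    """A mapping lives until the refresh interval lapses, and can be removed early."""
    table = SurrogateTable()
    table.authenticate("alice@example.com", "10.9.8.7", T0)
    before = table.identify("10.9.8.7", T0 + timedelta(days=6))
    after = table.identify("10.9.8.7", T0 + timedelta(days=7))
    table.authenticate("alice@example.com", "10.9.8.7", T0 + timedelta(days=7))
    removed = table.remove_auth_entry("10.9.8.7", "laptop reimaged")
    gone = table.identify("10.9.8.7", T0 + timedelta(days=7, hours=1))
    return before, after, removed, gone, table.audit


if __name__ == "__main__":
    print("NAT, IP surrogate / cookie surrogate:", nat_collision_demo())
    print("expiry and removal:", expiry_and_removal_demo())
```

The first tuple printed is ("bob@example.com", "alice@example.com", "bob@example.com", None): with IP surrogate alone, Alice's traffic is attributed to Bob after his login, and with cookie surrogate a request that omits the cookie gets no identity at all, which is the situation the desktop-application and CORS limitations above describe. The second shows the 7-day default expiry and the audit line written when a mapping is removed early.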
User Authentication Domain Refresh Interval
If you set up the user authentication domain for IdP selection, you can control how frequently users are prompted to enter their email. Enter the days and hours for the User Authentication Domain Refresh Interval. This feature is optional; the default is 7 days, the minimum is 1 hour, and the maximum is 180 days.
Bypass Settings
You can specify domains, web categories, and network IP addresses for which user authentication is not required. To specify authentication bypass settings, go to Settings > Security Cloud Platform > Forward Proxy > SAML and click Settings. In the Settings pop-up click the Bypass tab.
Domain Bypass
Click to add comma-separated domains to bypass. When finished, click Save.
Web Category Bypass
Click to add comma-separated web categories to bypass. When finished, click Save.
Source IP Address Bypass
Click to edit and search for source networks. For each network found, choose whether to bypass based on User IPs or Egress IPs (one or the other, not both). Enter the IP address, IP address range, or CIDR block in the text field. Click the icon to add multiple network locations. After adding the network locations, click Save.