Single Sign On with Microsoft Entra ID
This document explains how to configure Microsoft Entra ID for Single Sign On (SSO) to the Netskope tenant. Netskope now offers a gallery application in Microsoft Entra ID for both admin SSO and user provisioning via SCIM. This document covers configuring the Microsoft Entra ID gallery application for Admin SSO.
Prerequisites
You will need the following:
- A Microsoft Entra ID subscription that supports Enterprise Applications.
- A Netskope tenant.
- A Microsoft Entra ID user with which to test functionality.
Workflow
- Create an Enterprise Application and configure SSO in Azure AD.
- Configure SSO parameters between Netskope and Azure AD.
- Assign Users and/or Groups to the Netskope application in Azure AD.
Configuring SSO in Microsoft Entra ID admin center and Netskope
- Log in to the Microsoft Entra admin center.
- Select Enterprise Applications > New Application.
- Search for Netskope and select Netskope Administrator Console.
- In the Netskope Administrator Console page, select Set up single sign on.
- In the SAML Sign on page, click the pencil icon to add the Basic SAML Configuration details. You can get these details from your tenant WebUI: go to Settings > Administration > SSO.
  - Identifier (Entity ID): the Service Provider Entity ID from your tenant WebUI
  - Reply URL (Assertion Consumer Service URL): the Reply URL from your tenant WebUI
  - Logout URL: the Netskope Single Logout Service Request URL from your tenant WebUI
Configure SSO Parameters between Netskope and Azure AD
A custom role needs to be created in your Netskope tenant to complete this procedure.
To create a custom role, go to Settings > Administration > Roles and click New Role. Create a new Role with no blank spaces in the name, like DelegatedAdmin, and then add a description and select the desired settings (Privileges, Scopes, etc.). Save the Role, and then use this role name for the Users/Groups value.
For more details about Netskope Roles, go here. For Microsoft documentation and best practices, go here for Graph API and here for GUI information.
- In the Netskope Administrator Console page in Microsoft Entra ID, go to Permissions > App Registration.
- Create an app role. In the Netskope Administrator Console API permissions page, go to App Roles > Create app role. In the Create App Role pop-up, enter the Display Name, select the Allowed member types, enter the Value, and provide a Description. For the Value, enter the name of the role that was created in your tenant WebUI.
- Go to Users and Groups and click Add user/group. Select users or groups and then select a role. This role will be passed in the SAML assertion. When finished, click Assign. If the newly created role is not visible, refresh the assignment page.
- Go to Single Sign-On > SAML-based Sign-on, download the SAML Signing Certificate in Base64 format, and copy the Login URL, Azure AD Identifier, and the Logout URL.
- In your Netskope WebUI, go to Settings > Administration > SSO > SSO/SLO Settings and select Edit Settings.
- Check the boxes to Enable SSO and Sign SSO Authentication Request, and copy the following values from the Azure Portal Netskope Administrator Console into the corresponding fields of your Netskope tenant:
  - Azure Login URL -> Netskope IDP URL
  - Azure AD Identifier -> Netskope IDP Entity ID
  - Certificate from the SAML Sign On pop-up window (step 4 of the Configure SSO Parameters between Netskope and Azure AD section) -> Netskope IDP Certificate
  - Azure Logout URL -> Netskope IDP SLO URL
Assign Users and/or Groups to the Netskope Application in Azure AD
- Go back to the Netskope Administrator Console Overview and select Users and groups.
- In the Add Assignment page, under Users and groups click None Selected to search for and add a user, then under Select a role click None Selected to select a role. Once selected, click Assign.
This completes the setup. You can test by logging in to your Netskope tenant and verifying that SSO works. You can also try an Azure AD-initiated login, as both should work.
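As a troubleshooting aid for the value mapping above, the following added example (not Netskope's or Microsoft's code) checks a captured SAML Response against the values copied between the two consoles: Issuer against the IDP Entity ID, Destination against the Reply URL, Audience against the SP Entity ID, and the Entra app role claim against the Netskope role name. The tenant ID, hostnames and the sample response are constructed placeholders; XML signature verification against the IDP certificate is not covered here.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Claim under which Entra ID emits a user's assigned app roles in the SAML token.
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

# Values as copied between the two consoles; tenant id and hostnames are placeholders.
EXPECTED = {
    "idp_entity_id": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    "sp_entity_id": "https://tenant.example.goskope.com/saml/metadata",
    "reply_url": "https://tenant.example.goskope.com/saml/acs",
    "role": "DelegatedAdmin",  # Netskope custom role name, no spaces
}
# Constructed, unsigned sample response; {role} is filled in per case.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  Destination="https://tenant.example.goskope.com/saml/acs">
  <saml:Assertion>
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://tenant.example.goskope.com/saml/metadata</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
        <saml:AttributeValue>{role}</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def check_response(xml_text, expected):
    """Return the fields that do not line up with the configured values; [] means all matched."""
    root = ET.fromstring(xml_text)
    problems = []
    issuer = root.findtext("saml:Assertion/saml:Issuer", "", NS).strip()
    if issuer != expected["idp_entity_id"]:
        problems.append("Issuer != IDP Entity ID")
    if root.get("Destination") != expected["reply_url"]:
        problems.append("Destination != Reply URL")
    aud = root.findtext("saml:Assertion/saml:Conditions/saml:AudienceRestriction/"
                        "saml:Audience", "", NS).strip()
    if aud != expected["sp_entity_id"]:
        problems.append("Audience != SP Entity ID")
    roles = [v.text.strip() for a in root.iterfind(
                 "saml:Assertion/saml:AttributeStatement/saml:Attribute", NS)
             if a.get("Name") == ROLE_CLAIM for v in a.iterfind("saml:AttributeValue", NS)]
    if expected["role"] not in roles:
        problems.append("role claim %r does not contain %r" % (roles, expected["role"]))
    return problems
```

A role value with a space (for example "Delegated Admin") is reported as a mismatch, which is the symptom of the role name not matching the Netskope role exactly.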