Use Client Re-authentication

The Netskope Client can require a user to re-authenticate for access to private apps. IdP federation must be configured to use this feature. The Client and IdP prerequisites are:

  • All users must be authenticated via the IdP and imported into your Netskope tenant. The email address of the user must be available for all IdP authenticated users.
  • Configure your IdP under Settings > Security Cloud Platform > SAML (in the Forward Proxy section) in your Netskope Tenant UI. See SAML Forward Proxy for details.
  • Ensure that the URL nsauth-<tenant-URL> is publicly accessible. If not, please reach out to Netskope Support.
  • Re-authentication is configured and enabled on the Netskope Client.

Note

Starting with R123, an important change has been implemented to enhance the security posture. Users will now receive a prompt to re-authenticate when the NPA tunnel initially enrolls after an update to the Steering Configuration. Before R123, this behavior did not exist, and users would establish the NPA tunnel without re-authentication during the initial enrollment of NPA.

This update also changes IdP-based enrollment when client configuration profiles have NPA re-authentication enabled. Because of the change introduced in R123, users are now required to authenticate twice during the initial IdP enrollment process: once at the time of NSClient IdP enrollment, and again for NPA re-authentication.

To configure Client re-authentication:

  1. Go to Settings > Security Cloud Platform > Netskope Client and click Client Configuration. Click New Client Configuration.
  2. Enter a configuration name and select a user group (or OU) from the dropdown.
  3. On the Private Apps tab, enable the Periodic re-authentication for Private Apps checkbox.
  4. Select a time period from the Interval dropdown for how often you want re-authentication to occur.
  5. To allow a user time to re-authenticate after the specified interval has expired, enable the Grace Period checkbox and enter the number of minutes. The grace period must be less than the interval.
  6. Click Save.

The Netskope Client menu shows when re-authentication is enabled, and allows you to re-authenticate by clicking that option on the menu.

If the interval expires, the Netskope Client opens the IdP sign-in window and prompts the user to re-authenticate. If the grace period expires, the Netskope Client disconnects from Netskope Private Access.

Tip

To customize the authentication frequency, which requires a customization on the IdP, refer to Optimizing Identity Provider Settings for NPA Periodic Re-authentication.

Re-authenticate on Logon

Netskope Private Access supports the ability to force a user to re-authenticate into the Netskope Client if the user’s device has restarted, or if the user logs out of the PC and logs back into the device. Contact Support to enable this functionality in your tenant.
