User Provisioning and Authentication

User Provisioning with SCIM

The System for Cross-domain Identity Management (SCIM) simplifies user provisioning by standardizing identity information exchange across different cloud applications. Netskope supports SCIM integration with Microsoft Entra (formerly Azure AD) and Okta, using REST API v2 token authentication. This setup facilitates seamless user management, automating identity synchronization and reducing manual tasks.

* The previous method of using the Directory Tool and OAuth token to authenticate SCIM has been deprecated. Refer to Netskope Product EOL Announcements for more information. Use the REST API v2 token to integrate SCIM.

* The instructions in this section apply only to non-admin users. For instructions on configuring SSO for admin users, see the Single Sign On for Administrators section.

Support Apps for User Provisioning

Forward Proxy Authentication

Forward Proxy Authentication (FPA) secures access to cloud applications by requiring SAML-based authentication through an intermediary server, which lets organizations enforce granular authentication policies. Netskope's FPA supports integrating multiple Identity Providers (IdPs), selected by criteria such as access method (IPsec, GRE, Cloud Explicit Proxy, NS Client Enrollment) and network location, for flexible and secure management of user authentication. Organizations can keep their existing SAML setups while using Netskope's enhanced authentication features, running multiple concurrent IdPs that are matched to specific conditions.

Netskope FPA is supported only for Microsoft Entra and Okta.

Multiple and Concurrent IdP

You can configure and concurrently enable multiple IdP services (up to 150 SAML accounts) to authenticate users based on various criteria. The primary criterion, however, is the access method. The supported access methods are:

  • IPsec
  • GRE
  • Cloud Explicit Proxy
  • NS Client Enrollment

When enabled, the multiple IdP offers the following features:

  • Admins can enable multiple IdP services for different access methods.
  • An existing IdP can be migrated from the older configuration setup to the new setup while preserving its existing configuration.
  • When there is more than one IdP for a particular access method, the first matched access method is used.
  • If an IdP service is configured for ALL access methods with the additional option of a particular Network Location, then only the requests from those network locations, irrespective of the access method, use this IdP service.
  • Auth service domains need not be explicitly mentioned in the domain bypass.
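The IdP selection rules described above, modelled as an added Python example (this is not Netskope code). The IdP names, network locations and the decision to evaluate location-scoped ALL entries before access-method entries are assumptions made for the illustration.

```python
from dataclasses import dataclass

# Constructed model of the multiple-IdP selection rules; not Netskope's implementation.
ACCESS_METHODS = {"IPsec", "GRE", "Cloud Explicit Proxy", "NS Client Enrollment"}
MAX_SAML_ACCOUNTS = 150  # limit stated on the page


@dataclass(frozen=True)
class IdpService:
    name: str
    access_method: str                          # one of ACCESS_METHODS, or "ALL"
    network_locations: frozenset = frozenset()  # optional scoping, used with "ALL"


@dataclass(frozen=True)
class AuthRequest:
    access_method: str
    network_location: str


def validate(services):
    """Reject configurations the page's rules cannot express."""
    if len(services) > MAX_SAML_ACCOUNTS:
        raise ValueError(f"more than {MAX_SAML_ACCOUNTS} SAML accounts configured")
    for svc in services:
        if svc.access_method != "ALL" and svc.access_method not in ACCESS_METHODS:
            raise ValueError(f"{svc.name}: unknown access method {svc.access_method!r}")
        if svc.network_locations and svc.access_method != "ALL":
            raise ValueError(f"{svc.name}: network-location scoping requires ALL")  # assumption


def select_idp(services, request):
    """Return the name of the IdP service that authenticates the request, or None."""
    validate(services)
    # Pass 1 (assumption): an ALL entry scoped to network locations applies to requests
    # from those locations irrespective of access method, so it is checked first.
    for svc in services:
        if svc.access_method == "ALL" and request.network_location in svc.network_locations:
            return svc.name
    # Pass 2: in configured order, the first entry matching the access method wins;
    # an unscoped ALL entry matches any access method.
    for svc in services:
        if svc.network_locations:
            continue
        if svc.access_method in ("ALL", request.access_method):
            return svc.name
    return None  # no IdP configured for this access method


# Constructed sample configuration: two IPsec entries (only the first is ever used),
# one GRE entry, and a branch-office entry that overrides both.
CONFIG = [
    IdpService("okta-ipsec", "IPsec"),
    IdpService("entra-gre", "GRE"),
    IdpService("okta-ipsec-backup", "IPsec"),
    IdpService("entra-branch", "ALL", frozenset({"branch-office"})),
]
```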