User Provisioning and Authentication
User Provisioning with SCIM
The System for Cross-domain Identity Management (SCIM) simplifies user provisioning by standardizing identity information exchange across different cloud applications. Netskope supports SCIM integration with Microsoft Entra (formerly Azure AD) and Okta, using REST API v2 token authentication. This setup facilitates seamless user management, automating identity synchronization and reducing manual tasks.
* The instructions in this section apply only to non-admin users. For instructions on configuring SSO for admin users, see the Single Sign On for Administrators section.
Support Apps for User Provisioning
- Community Support Apps
Forward Proxy Authentication
Forward Proxy Authentication (FPA) ensures secure access to cloud applications by requiring SAML-based authentication via an intermediary server that allows organizations to enforce granular authentication policies. Netskope’s FPA allows integration of multiple Identity Providers (IdPs) based on criteria like access methods (IPsec, GRE, Cloud Explicit Proxy, NS Client Enrollment) and network location, enabling flexible and secure user authentication management. Organizations can maintain existing SAML setups while utilizing Netskope’s enhanced authentication features, supporting multiple concurrent IdPs to match specific conditions for robust security and control.
Multiple and Concurrent IdP
You can configure and concurrently enable multiple IdP services (up to 150 SAML accounts) to authenticate users based on various criteria. The primary criterion, however, is the access method. The supported access methods are:
- IPsec
- GRE
- Cloud Explicit Proxy
- NS Client Enrollment
When enabled, the multiple IdP offers the following features:
- Admin can enable multiple IdP services for different access methods.
- Migrate an existing IdP from the older configuration setup to the new setup and preserve existing configurations.
- When more than one IdP is configured for a particular access method, the first IdP that matches that access method is used.
- If an IdP service is configured for ALL access methods and additionally restricted to a particular Network Location, then only requests from those network locations, irrespective of their access method, use this IdP service.
- Auth service domains need not be explicitly mentioned in the domain bypass.
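To make the matching rules in the list above concrete, the following Python model is an added example (not Netskope's code or configuration schema). It treats each IdP entry as an access-method set plus an optional list of network-location CIDRs, evaluates the "ALL access methods + Network Location" rule before the per-access-method rule (that ordering is an assumption drawn from the fourth bullet), and returns the first match in configured order. The IdP names, CIDRs and request addresses are constructed sample data.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

# The four access methods named on the page; "ALL" is the wildcard entry.
ACCESS_METHODS = {"IPsec", "GRE", "Cloud Explicit Proxy", "NS Client Enrollment"}


@dataclass
class IdpService:
    """One SAML IdP entry (hypothetical model, not Netskope's own schema)."""
    name: str
    access_methods: frozenset                                    # subset of ACCESS_METHODS, or {"ALL"}
    network_locations: List[str] = field(default_factory=list)   # CIDRs; empty = any location

    def __post_init__(self):
        # Reject typos in access-method names at configuration time.
        unknown = self.access_methods - ACCESS_METHODS - {"ALL"}
        if unknown:
            raise ValueError(f"{self.name}: unknown access method(s) {sorted(unknown)}")

    def covers_location(self, source_ip: str) -> bool:
        if not self.network_locations:
            return True
        ip = ip_address(source_ip)
        return any(ip in ip_network(cidr) for cidr in self.network_locations)

    def covers_method(self, method: str) -> bool:
        return "ALL" in self.access_methods or method in self.access_methods


@dataclass
class AuthRequest:
    access_method: str
    source_ip: str


def select_idp(idps: List[IdpService], req: AuthRequest) -> Optional[str]:
    """Return the name of the IdP that should authenticate `req`, or None if nothing matches."""
    if req.access_method not in ACCESS_METHODS:
        raise ValueError(f"unknown access method {req.access_method!r}")
    # Rule 1 (fourth bullet): an IdP configured for ALL access methods and
    # restricted to network locations takes every request from those locations,
    # whatever its access method. Assumed here to be evaluated first.
    for idp in idps:
        if (idp.access_methods == frozenset({"ALL"}) and idp.network_locations
                and idp.covers_location(req.source_ip)):
            return idp.name
    # Rule 2 (third bullet): among IdPs matching this access method, the first
    # one in configured order wins.
    for idp in idps:
        if idp.covers_method(req.access_method) and idp.covers_location(req.source_ip):
            return idp.name
    return None


# Constructed sample configuration (names and CIDRs are made up).
SAMPLE_IDPS = [
    IdpService("okta-ipsec", frozenset({"IPsec"})),
    IdpService("okta-ipsec-backup", frozenset({"IPsec"})),   # never selected: second IPsec match
    IdpService("entra-gre", frozenset({"GRE"})),
    IdpService("entra-branch", frozenset({"ALL"}), ["10.20.0.0/16"]),
]


if __name__ == "__main__":
    for req in (AuthRequest("IPsec", "192.0.2.10"),
                AuthRequest("GRE", "10.20.5.5"),
                AuthRequest("IPsec", "10.20.1.1"),
                AuthRequest("Cloud Explicit Proxy", "198.51.100.7")):
        print(f"{req.access_method:22} from {req.source_ip:15} -> {select_idp(SAMPLE_IDPS, req)}")
```

Running the sample shows the two precedence effects the list describes: an IPsec request from the branch range 10.20.0.0/16 goes to entra-branch even though okta-ipsec is listed first, while the second IPsec entry is never selected because the first match wins. A request whose access method has no IdP and whose source is outside every configured location returns None, which is the case to watch for when reviewing a configuration.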