Configuring SAML for Netskope
Article: KB0011109 Published: 03/07/2024 Last modified: 03/07/2024

This article is an add-on to our SAML configuration guide, supplementing the process described there with specific details and additional information unique to configuring SAML for the Netskope and Netskope Proxy Base App SAML 2.0 app connectors in OneLogin's app catalog.

Prerequisites

  • Administrative access to configure single sign-on (SSO) in Netskope. Follow Netskope's own SAML setup process in conjunction with your OneLogin setup, because you will be exchanging details between the two accounts during configuration.
  • If you intend to configure both SAML and provisioning for Netskope, you must enable provisioning before completing your SAML configuration.

Adding the Netskope Proxy Base App Connector

A copy of this app connector is required for each application protected by Netskope. For example, if you are using Netskope with Office 365, G Suite, and Salesforce, you must configure three proxy base app connectors. If a given Netskope-protected app does not have the Netskope Proxy Base App connector configured, Netskope will be unable to redirect app traffic for security analysis, and SAML authentication for that app will fail.

Configuration

SAML Proxy ACS URL

Enter the SAML Proxy ACS URL provided by Netskope. This value should be the same for each app connector you're configuring.

SAML Audience

Enter the ACS Consumer URL unique to the app you are currently configuring. This value will be different for each app connector.

Proxy Base App Configuration

No other app configuration is required for these connectors. Save the connector and complete your configuration using the Netskope SAML 2.0 app connector.

Adding the Netskope App Connector

After creating as many proxy base app connectors as needed for your Netskope-protected applications, use the Netskope app connector for the rest of your configuration. If you are also using Netskope for user provisioning, be sure to enable provisioning in this app connector before completing these steps.

Configuration

SAML Consumer URL

Enter the Assertion Consumer Service URL provided by Netskope.

SAML Audience

Enter the Service Provider Entity Id provided by Netskope.

SAML Recipient

If your Netskope configuration expects and validates a recipient URL for an endpoint that receives the SAML assertion and matches it to the ACS URL, enter it here. Otherwise, reenter the SAML Proxy ACS URL.

SAML Single Logout URL

Enter the Netskope Single Logout Service Request URL provided by Netskope.

ACS URL whitelist

Enter regular expressions that match any ACS URLs to be allowed, as necessary.
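
The following is an added example, not part of the original article and not OneLogin or Netskope code: a small audit that checks a candidate ACS URL pattern against URLs it must accept and lookalike URLs it must reject. The hostnames, paths and both patterns are constructed placeholders, and the unanchored matching used here is an assumption chosen as the worst case, since the article does not state how the pattern is applied.

```python
import re

# Constructed sample URLs: the hosts are placeholders, not real Netskope endpoints.
EXPECTED = [
    "https://acs.tenant.example.com/saml/acs",
    "https://acs.tenant.example.com/saml/acs?app=crm",
]
# URLs that must never be accepted as an ACS destination.
LOOKALIKES = [
    "http://acs.tenant.example.com/saml/acs",                # plain HTTP
    "https://acs.tenant.example.com.other.example/saml/acs", # extra host suffix
    "https://acsXtenant.example.com/saml/acs",               # '.' matched as wildcard
    "https://other.example/?next=https://acs.tenant.example.com/saml/acs",  # embedded
]

# Prefix-only pattern with unescaped dots and no anchors.
LOOSE = r"https://acs.tenant.example.com"
# Anchored, dots escaped, fixed path, narrowly bounded optional query string.
STRICT = r"^https://acs\.tenant\.example\.com/saml/acs(\?[A-Za-z0-9=&_-]*)?$"


def audit(pattern):
    """Return (missed, leaked) for an allow-list pattern.

    missed: expected ACS URLs the pattern rejects.
    leaked: lookalike URLs the pattern accepts.
    Assumption: the pattern is applied as an unanchored search, the worst
    case for a pattern that carries no anchors of its own.
    """
    rx = re.compile(pattern)
    missed = [u for u in EXPECTED if not rx.search(u)]
    leaked = [u for u in LOOKALIKES if rx.search(u)]
    return missed, leaked


if __name__ == "__main__":
    for name, pattern in (("LOOSE", LOOSE), ("STRICT", STRICT)):
        missed, leaked = audit(pattern)
        print(f"{name}: missed={len(missed)} leaked={len(leaked)}")
        for url in leaked:
            print(f"  accepts unintended URL: {url}")
```

Replace the sample lists with the ACS URLs Netskope gives you before relying on the result, and confirm how anchors behave in the regex engine that evaluates the pattern.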

Netskope App Configuration

Parameters

Create a new parameter named admin-role with Include in SAML assertion enabled. This is used by Netskope to validate administrator mapping.


SSO

Copy your OneLogin SSO values to their corresponding fields in Netskope:

OneLogin | Netskope
Issuer URL | IDP ENTITY ID
SAML 2.0 Endpoint (HTTP) | IDP URL
SLO Endpoint (HTTP) | IDP SLO URL
X.509 Certificate | IDP CERTIFICATE

Complete your remaining SAML and app configuration as desired.