This article is an add-on to our SAML configuration guide, supplementing the process described there with specific details and additional information unique to configuring SAML for the Netskope and Netskope Proxy Base App SAML 2.0 app connectors in OneLogin's app catalog.
Prerequisites
- Administrative access to configure single sign-on (SSO) in Netskope. Follow the Netskope SAML process in conjunction with your OneLogin setup, as you will be exchanging some details between the two accounts during configuration.
- If you intend to configure both SAML and provisioning for Netskope, you must enable provisioning before completing your SAML configuration.
Adding the Netskope Proxy Base App Connector
A copy of this app connector is required for each application protected by Netskope. For example, if you are using Netskope with Office 365, G Suite, and Salesforce, you must configure three proxy base app connectors. If a given Netskope-protected app does not have the Netskope Proxy Base App connector configured, Netskope will be unable to redirect app traffic for security analysis, and SAML authentication for that app will fail.
Configuration
| Field | Value |
|---|---|
| SAML Proxy ACS URL | Enter the SAML Proxy ACS URL provided by Netskope. This value should be the same for each app connector you're configuring. |
| SAML Audience | Enter the ACS Consumer URL unique to the app you are currently configuring. This value will be different for each app connector. |
No other app configuration is required for these connectors. Save the connector and complete your configuration using the Netskope SAML 2.0 app connector.
Adding the Netskope App Connector
After creating as many proxy base app connectors as needed for your Netskope-protected applications, use the Netskope app connector for the rest of your configuration. If you are also using Netskope for user provisioning, be sure to enable provisioning in this app connector before completing these steps.
Configuration
| Field | Value |
|---|---|
| SAML Consumer URL | Enter the Assertion Consumer Service URL provided by Netskope. |
| SAML Audience | Enter the Service Provider Entity Id provided by Netskope. |
| SAML Recipient | If your Netskope configuration expects and validates a recipient URL for an endpoint that receives the SAML assertion and matches it to the ACS URL, enter it here. Otherwise, reenter the SAML Proxy ACS URL. |
| SAML Single Logout URL | Enter the Netskope Single Logout Service Request URL provided by Netskope. |
| ACS URL whitelist | As necessary, enter regular expressions that match the ACS URLs to be allowed. |
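Because the ACS URL whitelist takes regular expressions, it is worth checking a pattern offline before saving it. The following is an added example, not OneLogin or Netskope code: the host names and paths are constructed placeholders, and since this page does not say whether the pattern is matched anchored or unanchored, the hypothetical `audit` helper tests both.

```python
import re

# Constructed placeholder ACS URLs; substitute the values Netskope gives you.
EXPECTED = [
    "https://tenant.proxy.example/saml/acs",
    "https://tenant.proxy.example/saml/acs/app2",
]
# Constructed look-alike URLs that an allow-list entry must never admit.
LOOKALIKES = [
    "https://tenant.proxy.example.other.test/saml/acs",  # suffix added to host
    "https://tenantXproxy.example/saml/acs",             # unescaped "." as wildcard
    "http://tenant.proxy.example/saml/acs",              # scheme downgrade
    "https://other.test/?next=https://tenant.proxy.example/saml/acs",  # embedded
]

# Weak pattern: dots unescaped, no anchors, open-ended tail.
LOOSE = r"https://tenant.proxy.example.*"
# Corrected pattern: anchored, dots escaped, path constrained.
STRICT = r"^https://tenant\.proxy\.example/saml/acs(/[A-Za-z0-9_-]+)?$"


def audit(pattern, expected=EXPECTED, lookalikes=LOOKALIKES):
    """Return {mode: (missed, leaked)} for unanchored and anchored matching.

    missed: expected URLs the pattern rejects.
    leaked: look-alike URLs the pattern accepts.
    """
    rx = re.compile(pattern)
    results = {}
    for mode, match in (("search", rx.search), ("fullmatch", rx.fullmatch)):
        missed = [u for u in expected if not match(u)]
        leaked = [u for u in lookalikes if match(u)]
        results[mode] = (missed, leaked)
    return results


def is_safe(pattern):
    """True only if nothing is missed or leaked under either matching mode."""
    return all(not m and not l for m, l in audit(pattern).values())


if __name__ == "__main__":
    for name, pat in (("LOOSE", LOOSE), ("STRICT", STRICT)):
        print(name, "safe" if is_safe(pat) else "unsafe", audit(pat))
```

A pattern that passes under both modes behaves the same however the whitelist field evaluates it.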
Parameters
Create a new parameter named admin-role with Include in SAML assertion enabled. This is used by Netskope to validate administrator mapping.
SSO
Copy your OneLogin SSO values to their corresponding fields in Netskope:
| OneLogin | Netskope |
|---|---|
| Issuer URL | IDP ENTITY ID |
| SAML 2.0 Endpoint (HTTP) | IDP URL |
| SLO Endpoint (HTTP) | IDP SLO URL |
| X.509 Certificate | IDP CERTIFICATE |

Complete your remaining SAML and app configuration as desired.