Configuring SAML for Netskope
Article: KB0011109 Published: 11/10/2022 Last modified: 11/09/2022

This topic describes how to configure Netskope as a proxy and OneLogin to provide SSO for Netskope using SAML. In order to configure Netskope to monitor app traffic, the Netskope SAML proxy must be configured using the Netskope Proxy Base App in OneLogin's app catalog. Once this is configured, app traffic is redirected to the Netskope reverse proxy.

When users open an app, their identity is authenticated by OneLogin using SAML. After authentication, the user is directed to Netskope's reverse proxy for threat assessments. If you fail to configure the Netskope Proxy Base App, your app traffic won't redirect to the Netskope reverse proxy for security analysis.

The Netskope Proxy Base App provides the reverse proxy capacity, while the Netskope SAML 2.0 app uses SAML assertions to access the Netskope admin console.

Note: please contact Netskope for a complete list of applications and configurations. Most apps use the same SAML configuration detailed below. 


  1. Target App

    You must configure each target app in the Netskope UI to redirect traffic to the reverse proxy for security analysis. Below is a guideline to configure Netskope for Google Drive. 

    Add information from your Google Drive instance into the Netskope Admin UI.

    Note: the Google ACS isn't in the Google Admin console. Use a plug-in for Firefox called SSO tracer to discover the consumer URL when an end-user uses SSO to log in to Google. Once you have that URL, copy it into the appropriate Netskope field – ACS URL.

  2. Active Directory

    In your Active Directory instance, create a Netskope Tenant Admin Group and any additional groups specific to Netskope.

  3. Custom User Fields

    Custom User Fields add additional fields to user records that capture attributes specific to your user directory. Create a Custom User Field (for example, Go Through Proxy) that Netskope reads to determine who is directed to the reverse proxy.

    • In the OneLogin Admin Console, select Users > Custom User Fields. Create a new user field named admin-role; this provides authorization information for Netskope.

    • Create a new role by navigating to Users > Roles > New Role. Create a unique name for this role and save.

    • Go to Users > New Mapping and select the newly created Role.

    • Create a New Mapping to the Active Directory Netskope Group you created earlier. Set Conditions to include MemberOf and Contains and select the group that was created in step 1. In Actions, select the Custom User Field you created and set the value to Tenant Admin or the role granted to the user in the Netskope RBAC list (Netskope UI).

      Select the Plus sign to add another action and set the admin-role to Tenant Admin.

      Create a new mapping for additional Netskope roles.

    • Select Save and Reapply All Mappings.

Configure Netskope Proxy Base App

The Netskope Proxy Base App directs OneLogin to send the SAML message to the ACS URL instead of directly to the app. Admins must configure a separate instance of the Netskope Proxy Base app for every app subject to the reverse proxy. For instance, if you want Office 365, Salesforce, & Google Drive protected by Netskope, you must configure 3 separate instances of the Netskope Proxy Base, one for each app. 

  1. Copy the SAML Proxy ACS URL value from the Netskope Admin UI and paste in this field.

  2. Copy the target app ACS Consumer URL and paste into the SAML Audience URL field. This value is unique to each app you want directed to the Netskope reverse proxy.


Configure Netskope for SAML

Configure the Netskope SAML 2.0 app to allow users to access the Netskope admin console.

  1. In the admin portal, go to Apps > Add Apps, then search for and select NetSkope. On the Configuration page, click Save to add the app to Company Apps.

  2. Select the Configuration tab. 

  3. Copy the SAML Proxy ACS URL value from the Netskope Admin UI and paste in this field. For example, 

  4. Copy the target app ACS Consumer URL and paste into the Audience URL field.

    ACS (Consumer) URL Validator is required. This is the SAML Proxy ACS URL with forward slashes and periods escaped out using a backslash, for example https:\/\/saml\.goskope\.com\/saml2\/http-post\/acs\/13lJv2lAQ9878UCO4slz\/22.

  5. Copy the SAML Proxy ACS URL value from the Netskope Admin UI and paste in this field. 

  6. For SAML Single Logout URL, enter the address to which OneLogin sends the logout request once a user logs out.

  7. In the ACS URL Whitelist field, list ACS URLs to whitelist using regular expressions.

  8. Select the Parameters tab. Click the Add Parameter button and create an admin-role parameter. Check the Include in SAML assertion box in the Flags field.

  9. On the SSO tab, copy the URL for the SAML 2.0 Endpoint (HTTP). Paste the URL into the IdP URL field in Netskope.

  10. On the Access tab, select the appropriate role.
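
The escaping rule for the ACS (Consumer) URL Validator and the regular expressions entered in the ACS URL Whitelist can be checked offline before they are pasted into OneLogin. The Python sketch below is an added example, not OneLogin or Netskope code: the function names are hypothetical, the near-miss URLs are constructed, and full-string anchoring is an assumption because the article does not say how these fields anchor their patterns.

```python
import re

# Unescaped form of the example URL shown in the validator step above.
ACS_URL = "https://saml.goskope.com/saml2/http-post/acs/13lJv2lAQ9878UCO4slz/22"


def build_validator(acs_url):
    """Escape periods and forward slashes with a backslash, as the step describes."""
    return acs_url.replace(".", r"\.").replace("/", r"\/")


def accepts(pattern, candidate, anchored=True):
    """Return True if the pattern admits the candidate URL.

    anchored=True requires the whole string to match (assumption of this
    example); anchored=False only requires a matching prefix.
    """
    matcher = re.fullmatch if anchored else re.match
    return matcher(pattern, candidate) is not None


def audit(pattern, candidates, anchored=True):
    """Map each candidate URL to the decision the pattern makes for it."""
    return {c: accepts(pattern, c, anchored) for c in candidates}


# Constructed inputs: the real ACS URL plus near-misses a loose pattern admits.
CANDIDATES = [
    ACS_URL,
    # Differs only where the pattern has an unescaped period.
    "https://samlXgoskope.com/saml2/http-post/acs/13lJv2lAQ9878UCO4slz/22",
    # Same prefix with extra path appended.
    ACS_URL + "/extra",
]

if __name__ == "__main__":
    strict = build_validator(ACS_URL)
    print("validator:", strict)
    for label, pattern, anchored in (
        ("escaped, anchored", strict, True),
        ("unescaped, anchored", ACS_URL, True),
        ("escaped, prefix only", strict, False),
    ):
        for url, ok in audit(pattern, CANDIDATES, anchored).items():
            print(f"{label:22} {'ALLOW' if ok else 'DENY':5} {url}")
```

Run the same audit against every expression placed in the ACS URL Whitelist field: a pattern that admits anything other than the intended ACS URLs should be tightened before saving.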
