Provision Users to Netskope
Article: KB0011116 Published: 09/29/2020 Last modified: 09/29/2020

This article describes how to configure OneLogin to provision users to Netskope.


To configure SAML for Netskope, see Configure SAML for Netskope.

Enable Provisioning

  1. Log into OneLogin as a Super User or Account Owner and go to Apps > Company Apps > Netskope.

  2. On the Configuration tab, connect to the Netskope API.

    1. Enter into the SCIM base URL field.

    2. Enter the SCIM Bearer token you received from Netskope.

    3. Click Enable. If the connection is successful, the API Status icon switches to

  3. On the Provisioning tab, enable provisioning and set your admin approval policy.

    1. Select Enable provisioning.

    2. Select the provisioning actions that require admin approval.

      If you select any of the available actions, an admin must go to Users > Provisioning and manually approve the action every time it occurs.

    3. Select how users that are deleted in OneLogin are handled in Netskope.

      Choose between Delete, Suspend, or Do Nothing.

    4. Under Entitlements, click Refresh.

      Refreshing entitlements populates Netskope Role values on the Parameters tab and updates the values available when you configure Rules.

  4. On the Parameters tab, map Netskope user attributes to OneLogin user attributes. These mappings instruct OneLogin how to populate user attribute values to Netskope when provisioning users from OneLogin. Define any OneLogin attribute values to populate Netskope fields in this task.

    To update the OneLogin Value field, click the parameter row to launch the Edit Field Fieldname dialog.

    The email parameter should default to email.

Note: When a new user is created, an error appears. We recommend that you provision all users and, after the users fail, go to More Actions and select Reapply entitlement mappings. Once you complete this step, the error disappears and the users are provisioned.

Use Rules to Provision Users to Netskope User Groups

You can define rules to provision subsets of your OneLogin users into Netskope user groups. For example, define a subset of users by filtering on a specific OneLogin user attribute value and then define an action that provisions the subset of users to a specific Netskope user group.

  1. Go to Apps > Company Apps and search for Netskope.

  2. Go to the Rules tab.

  3. Click New rule to open the New Mapping dialog and set the conditions and actions that determine which users are provisioned from OneLogin to specific Netskope user groups.

  4. Give your rule a name.

  5. In the Conditions area, click + to add a condition. Use the fields to define a condition that specifies a subset of users to be acted upon by the rule. Conditions are based on OneLogin user attribute values.

    • In the Actions area, click + to add an action. Use the fields to define the action performed on users by the rule.

      • Create a new Netskope user group and provision users to it.

      • Provision users to an existing Netskope user group.

    • To view a list of users affected by the provisioning rule, click Show Affected Users. Review the list and refine your rule until only intended users are listed.

    • Once you are satisfied with your rule, click Save.

      To add another provisioning rule, click New rule.

  6. The order in which rules are applied matters and can impact provisioning results. Drag and drop the rule rows to put them in the order that produces correct results. Click Save.

  7. Go to the More Actions menu and click Reapply Provisioning Mappings to apply the new rule.

    Important: you must reapply mappings any time you create or update rules.

Test Provisioning

Test the provisioning setup to confirm successful provisioning from OneLogin to Netskope.

  1. Go to Apps > Company Apps. Search for and select the Netskope app.

  2. Go to the Provisioning tab. Ensure that the following options are selected.

    • Enable provisioning for Netskope

    • Create user

    • Delete user

    • Update user

  3. Click Save.

  4. Go to Users > Roles.

  5. Create a test role and add Netskope to it. Click Save.

  6. Access the test role you created and go to the Users tab.

  7. Under Add Users to Role Manually, add your test user(s).

  8. Click Save. This will trigger provisioning of the test user to Netskope.

  9. Per the settings in step 2, you must approve the provisioning action before it can proceed. To do this, go to Users > Provisioning. Use search and filters to locate your provisioning task. The task is in Pending status.

  10. Click the row. Click Ignore or Approve, depending on your test case.

  11. If the provisioning row displays Failed on the Provisioning page, click the row to view the reason for the failure. Click Retry to try again.

  12. When the user has been successfully provisioned according to OneLogin, go to Netskope and confirm the user is added.

  13. Continue to test for user updates and user deletions.
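
The following is an added example, not part of the original article and not OneLogin or Netskope code: a Python check for the deletion tests that compares a SCIM user listing from the target with the OneLogin user list and flags accounts that contradict the selected deleted-user handling (Delete, Suspend, or Do Nothing). It assumes the listing is a standard SCIM 2.0 ListResponse; the function names and all sample data are constructed for illustration.

```python
import json

LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

# Constructed sample: SCIM 2.0 ListResponse as a /Users listing would return it.
SAMPLE_SCIM = json.dumps({
    "schemas": [LIST_SCHEMA], "totalResults": 4,
    "Resources": [
        {"id": "1", "userName": "alice@example.com", "active": True},
        {"id": "2", "userName": "Bob@Example.com", "active": True},
        {"id": "3", "userName": "carol@example.com", "active": False},
        {"id": "4", "userName": "dave@example.com", "active": True},
    ]})
# Constructed sample: users who currently have the app in OneLogin.
SAMPLE_IDP_USERS = ["alice@example.com", "bob@example.com", "erin@example.com"]


def reconcile(scim_json, idp_users):
    """Split accounts into missing, orphaned (still active) and suspended."""
    body = json.loads(scim_json)
    if LIST_SCHEMA not in body.get("schemas", []):
        raise ValueError("not a SCIM ListResponse")
    resources = body.get("Resources", [])
    # A partial page would make provisioned users look missing; refuse it.
    if body.get("totalResults", len(resources)) > len(resources):
        raise ValueError("paged response: fetch all pages before reconciling")
    # Assumption: user names are compared case-insensitively.
    target = {r["userName"].strip().lower(): bool(r.get("active", True))
              for r in resources if r.get("userName")}
    idp = {u.strip().lower() for u in idp_users}
    leftover = set(target) - idp
    return {
        "missing": sorted(idp - set(target)),
        "orphaned": sorted(u for u in leftover if target[u]),
        "suspended": sorted(u for u in leftover if not target[u]),
    }


def violations(report, deleted_user_policy):
    """Accounts that contradict the selected deleted-user handling."""
    if deleted_user_policy == "Delete":      # nothing may remain
        return sorted(report["orphaned"] + report["suspended"])
    if deleted_user_policy == "Suspend":     # may remain, but not active
        return report["orphaned"]
    if deleted_user_policy == "Do Nothing":  # accounts are left as they are
        return []
    raise ValueError("unknown policy: " + deleted_user_policy)


if __name__ == "__main__":
    report = reconcile(SAMPLE_SCIM, SAMPLE_IDP_USERS)
    print(report, violations(report, "Suspend"))
```

Entries under "missing" correspond to provisioning tasks that are still pending approval or have failed; entries under "orphaned" are the ones to review when Do Nothing is selected.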
