Introduction
This guide provides information on how to configure Beyond Identity integration with Netskope.
Contents
- Configure the Netskope admin SSO
- Configure the Netskope client SSO
- Enable Netskope client re-authentication
- Install the Netskope client in IdP mode and enroll Windows users
Configure the Netskope Admin SSO
- Log in to Netskope and go to Settings > Administration > SSO.
- Click Download Netskope Metadata. This will download the Netskope_saml_metadata.xml.
- In the Beyond Identity Admin console, go to Integrations > SAML > Add SAML Connection.
- Click Upload File and select Netskope_saml_metadata.xml.
- Enter Netskope Admin SSO for the Name.
- Click Save Changes.
- Note the IdP SSO URL and IdP Issuer, and download the certificate.
- In Netskope, click Edit Settings on the SSO/SLO Settings page.
- Click Enable SSO.
- Enter the IDP URL (IdP SSO URL).
- Enter the IDP Entity ID (IdP Issuer).
- Paste the IDP Certificate.
- Click Submit.
Configure the Netskope client SSO
- In Netskope, click Settings > Security Cloud Platform > Forward Proxy > SSO.
- Note the SAML Entity ID and SAML ACS URL.
- Click Download SAML Certificate. This will download saml_cert.pem.
- In the Beyond Identity Admin console, click Integrations > SAML > Add SAML Connection.
- Enter Netskope Client SSO for the name.
- Enter the SP Single Sign on URL (SAML ACS URL).
- Enter the SP Audience URI (SAML Entity ID).
- Select unspecified for the Name ID Format.
- Select UserName for the Subject User Attribute.
- Select http redirect for the Request Binding.
- Select X509 for the Authentication Context Class.
- Click Signed for the Signed Response.
- Click Upload File for the X509 Signing Certificate and choose saml_cert.pem.
- Click Save Changes.
- Note the IdP SSO URL and IdP Issuer, and download the certificate.
- Back in Netskope, on the Forward Proxy > SSO page, click New Account.
- Enter Netskope Client SSO Using Beyond Identity for the name.
- Enter the IdP SSO URL and IdP Entity ID (IdP Issuer).
- Paste the certificate.
- Click Save.
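Both procedures above have you move a SAML metadata file and an X.509 certificate between the two consoles by hand, and a stale or mismatched certificate is the usual reason the first login fails. The following PowerShell script is an added example, not Beyond Identity's or Netskope's own code: it parses SP metadata in the shape Netskope_saml_metadata.xml has, reports the certificate's thumbprint and expiry, and confirms that the PEM you are about to upload is the same certificate the metadata advertises. The metadata document and the certificate are constructed inside the script (the example.goskope.com hostnames are placeholders) so it runs offline; it relies on the .NET CertificateRequest class, so it needs PowerShell 7 or Windows PowerShell 5.1 on .NET Framework 4.7.2 or later.

```powershell
# Added example, not Beyond Identity's or Netskope's code. Pre-flight checks on the SAML
# metadata and signing certificate exchanged above. Fixtures are constructed below; for a
# real exchange pass (Get-Content -Raw Netskope_saml_metadata.xml) and (Get-Content -Raw saml_cert.pem).
$ErrorActionPreference = 'Stop'
$SamlNs = @{ md = 'urn:oasis:names:tc:SAML:2.0:metadata'; ds = 'http://www.w3.org/2000/09/xmldsig#' }

function ConvertFrom-PemCertificate {
    # Strip the PEM armour and hand the DER bytes to .NET.
    param([Parameter(Mandatory)][string]$Pem)
    $lines = $Pem -split "`r?`n" | Where-Object { $_ -and $_ -notmatch '^-----' }
    [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
        [byte[]][Convert]::FromBase64String(($lines -join '')))
}

function Get-SpMetadataSummary {
    # Extract what the guide has you copy from the file, plus the flags that decide
    # whether the IdP must sign assertions and/or the whole response.
    param([Parameter(Mandatory)][string]$MetadataXml)
    $doc = [xml]$MetadataXml.Trim()
    $sp  = (Select-Xml -Xml $doc -XPath '/md:EntityDescriptor/md:SPSSODescriptor' -Namespace $SamlNs).Node
    $acs = @(Select-Xml -Xml $doc -XPath '//md:SPSSODescriptor/md:AssertionConsumerService' -Namespace $SamlNs |
        ForEach-Object { [pscustomobject]@{ Binding = $_.Node.GetAttribute('Binding'); Location = $_.Node.GetAttribute('Location') } })
    $certNodes = @(Select-Xml -Xml $doc -XPath "//md:KeyDescriptor[@use='signing']//ds:X509Certificate" -Namespace $SamlNs)
    $thumb = $null
    if ($certNodes.Count -gt 0) {
        $der   = [Convert]::FromBase64String(($certNodes[0].Node.InnerText -replace '\s', ''))
        $thumb = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$der).Thumbprint
    }
    [pscustomobject]@{
        EntityId              = $doc.DocumentElement.GetAttribute('entityID')
        AssertionConsumerUrls = $acs
        WantAssertionsSigned  = ($sp.GetAttribute('WantAssertionsSigned') -eq 'true')
        AuthnRequestsSigned   = ($sp.GetAttribute('AuthnRequestsSigned') -eq 'true')
        SigningCertThumbprint = $thumb
    }
}

function Test-SamlCertificate {
    # Expiry and identity of a certificate you are about to paste or upload.
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
          [int]$WarnDays = 30)
    $daysLeft = [int][math]::Floor(($Certificate.NotAfter - (Get-Date)).TotalDays)
    $status   = 'OK'
    if ($daysLeft -lt 0) { $status = 'EXPIRED' } elseif ($daysLeft -le $WarnDays) { $status = 'EXPIRING' }
    [pscustomobject]@{
        Subject    = $Certificate.Subject
        Thumbprint = $Certificate.Thumbprint
        NotAfter   = $Certificate.NotAfter
        DaysLeft   = $daysLeft
        SelfSigned = ($Certificate.Subject -eq $Certificate.Issuer)
        Status     = $status
    }
}

function Test-CertificateMatchesMetadata {
    # The pasted cert is what the other side verifies signatures against; it must be the
    # same key the metadata advertises.
    param([Parameter(Mandatory)][string]$Pem, [Parameter(Mandatory)][string]$MetadataXml)
    (ConvertFrom-PemCertificate $Pem).Thumbprint -eq (Get-SpMetadataSummary $MetadataXml).SigningCertThumbprint
}

# --- constructed fixtures standing in for the downloaded files ---
function New-SampleCertificatePem {
    # Throwaway self-signed cert; nothing is written to a certificate store.
    param([int]$ValidDays = 365)
    $rsa = [System.Security.Cryptography.RSA]::Create(2048)
    $req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
        'CN=sample-saml-signing', $rsa,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    $cert = $req.CreateSelfSigned([DateTimeOffset]::Now.AddDays(-1), [DateTimeOffset]::Now.AddDays($ValidDays))
    $b64  = [Convert]::ToBase64String($cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert), 'InsertLineBreaks')
    "-----BEGIN CERTIFICATE-----`n$b64`n-----END CERTIFICATE-----"
}

$samplePem = New-SampleCertificatePem
$sampleB64 = ($samplePem -split "`r?`n" | Where-Object { $_ -notmatch '^-----' }) -join ''
# Placeholder tenant hostnames, not a real Netskope tenant.
$sampleMetadata = @"
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://example.goskope.com/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>$sampleB64</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.goskope.com/saml/acs" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"@

Get-SpMetadataSummary $sampleMetadata | Format-List
Test-SamlCertificate (ConvertFrom-PemCertificate $samplePem) | Format-List
Test-SamlCertificate (ConvertFrom-PemCertificate (New-SampleCertificatePem -ValidDays 10)) | Format-List
Test-CertificateMatchesMetadata -Pem $samplePem -MetadataXml $sampleMetadata
```

Run the summary against the real metadata before uploading it to Beyond Identity, and run Test-SamlCertificate against the certificate you paste into Netskope and the saml_cert.pem you upload to Beyond Identity. A Status of EXPIRING is the cue to schedule a certificate rotation on both sides before the existing one lapses, and a False from Test-CertificateMatchesMetadata means the certificate on the page you are pasting into is not the one the metadata was generated with.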
Enable Netskope client re-authentication
The Netskope client can be configured to require re-authentication to access private apps.
Prerequisites
- IdP federation must be configured.
- Users must be authenticated using the IdP and they must be imported into Netskope. Make sure that the user’s email address is available for IdP authenticated users.
- Your IdP must be configured in Netskope under Settings > Security Cloud Platform > SAML (under the Forward Proxy section). The URL nsauth-<tenantname>.goskope.com must be publicly available.
To enable client re-authentication:
- In the Netskope admin console, go to Settings > Security Cloud Platform > Netskope Client > Devices and click Client Configuration.
- Select the Periodic re-authentication for Private Apps checkbox.
- Select a time period from the Re-authentication Interval dropdown list to determine how frequently re-authentication will occur.
- Select the Grace Period checkbox and enter the number of minutes a user has to re-authenticate after the interval time expires.
Note: The grace period must be less than the interval.
When re-authentication is enabled, an indicator displays on the Netskope client menu and you can re-authenticate by clicking the option in the menu.
If the interval expires, the Netskope client displays the IdP sign-in window for re-authentication.
If the grace period expires, the Netskope client disconnects from Netskope Private Access.
Re-authenticate on Logon
Netskope Private Access supports forced re-authentication into the Netskope Client when a device is restarted, or when a user logs out and then logs back into a device.
To re-authenticate on logon:
- Click Settings > Security Cloud Platform > Steering Configuration > Default tenant config.
- Click Steer Private Apps.
- Click Save.
- Create a new publisher.
- Click Settings > Security Cloud Platform > Publishers.
- Click New Publisher.
- Enter a name and select an update profile.
- Click Save and Continue.
- Click Generate Token.
- Copy the token.
- Click Done.
Install the Netskope client in IdP mode and enroll Windows users
There are two options for installing the Netskope Client (v71 and later) for IdP mode.
- Install the NSClient.msi without any parameters, which prompts users for the Netskope tenant name followed by the Beyond Identity login.
- (Recommended) Install the NSClient.msi with IdP parameters in multi-user mode, which prompts users for their Beyond Identity login only. This option can be packaged and deployed using software deployment tools.
Note: You will need to be an admin to deploy the Netskope client onto the endpoints.
To install the client in IdP mode:
The following steps use the recommended option above.
- Install the .msi file using the following parameters:
msiexec /I NSClient.msi installmode=IDP tenant=<tenant name> domain=<goskope.com / eu.goskope.com / de.goskope.com> mode=peruserconfig
- After installation completes, click Finish. Users will be prompted for their Beyond Identity credentials.
- After logging in successfully, the Netskope client will validate the email address of the user in the tenant, and download the configuration files from the tenant.
- After downloading configuration files, the client will enroll itself and display a message of "Enrolled successfully".
- To verify registration, right-click the Netskope client and select Configuration. The user's email address will display on the details page.
Note: You may want to disable the Allow users to unenroll option in the Netskope tenant under Settings > Active Platform > Devices > Client Configurations.
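When the recommended option is pushed through a deployment tool, the msiexec command above runs unattended, so the script has to supply the quiet and logging switches, check that it is elevated, and interpret the installer's exit code itself. The following PowerShell wrapper is an added example, not Netskope's or Beyond Identity's deployment tooling: it builds the same property list as the command above, runs the MSI silently with a verbose log, and waits for the client service to come up. The `/qn` and `/l*v` switches are standard msiexec options; the service name stAgentSvc used in the post-install check is an assumption about the Netskope client that the guide does not state, so confirm it against an installed endpoint first.

```powershell
# Added example, not Netskope's or Beyond Identity's own deployment script. Wraps the
# IdP-mode msiexec command line from the guide for unattended deployment.
$ErrorActionPreference = 'Stop'

function Test-IsAdministrator {
    # The guide requires an admin to deploy the client; fail early if this session is not elevated.
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    ([Security.Principal.WindowsPrincipal]$identity).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Install-NetskopeClientIdpMode {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$TenantName,
        [Parameter(Mandatory)][ValidateSet('goskope.com', 'eu.goskope.com', 'de.goskope.com')][string]$Domain,
        [string]$MsiPath = (Join-Path (Get-Location) 'NSClient.msi'),
        [string]$LogPath = (Join-Path $env:ProgramData 'NSClient-install.log')
    )
    if (-not (Test-IsAdministrator)) { throw 'The Netskope client must be installed from an elevated session.' }
    if (-not (Test-Path -LiteralPath $MsiPath)) { throw "MSI not found: $MsiPath" }

    # Properties exactly as in the guide's command line; /qn suppresses the installer UI
    # and /l*v writes a verbose log for troubleshooting a failed enrollment.
    $arguments = @(
        '/I', ('"{0}"' -f $MsiPath),
        'installmode=IDP',
        ('tenant={0}' -f $TenantName),
        ('domain={0}' -f $Domain),
        'mode=peruserconfig',
        '/qn',
        ('/l*v "{0}"' -f $LogPath)
    )
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $arguments -Wait -PassThru -NoNewWindow
    switch ($proc.ExitCode) {
        0       { 'Installed' }
        3010    { 'Installed; reboot required' }    # ERROR_SUCCESS_REBOOT_REQUIRED
        1641    { 'Installed; reboot initiated' }   # ERROR_SUCCESS_REBOOT_INITIATED
        default { throw ('msiexec exited with {0}; see {1}' -f $proc.ExitCode, $LogPath) }
    }
}

function Wait-NetskopeClientService {
    # Assumption: the Netskope client's Windows service is named stAgentSvc.
    param([string]$ServiceName = 'stAgentSvc', [int]$TimeoutSeconds = 120)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
        if ($svc -and $svc.Status -eq 'Running') { return $true }
        Start-Sleep -Seconds 5
    } while ((Get-Date) -lt $deadline)
    return $false
}

# Usage from an elevated session with NSClient.msi in the current directory
# ('acme' is a placeholder tenant name):
# Install-NetskopeClientIdpMode -TenantName 'acme' -Domain 'goskope.com'
# Wait-NetskopeClientService
```

With `/qn` there is no Finish button to click; the Beyond Identity prompt in step 2 is raised by the client for the signed-in user, and the enrollment check in step 5 (the user's email on the Configuration page) is still done on the endpoint. A non-zero exit code other than 3010 or 1641 means the MSI itself failed, and the verbose log at the LogPath is where to look before suspecting the IdP configuration.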