Integration Guide for Netskope


This guide provides information on how to configure Beyond Identity integration with Netskope.


Configure the Netskope Admin SSO

  1. Log in to Netskope and go to Settings > Administration > SSO.

    1. Click Download Netskope Metadata. This downloads Netskope_saml_metadata.xml.


      [Screenshot: Netskope settings.png]

  2. In the Beyond Identity Admin console, go to Integrations > SAML > Add SAML Connection.

    1. Click Upload File and select Netskope_saml_metadata.xml.

    2. Enter Netskope Admin SSO for the Name.


      [Screenshot: Add saml.png]

    3. Click Save Changes.

    4. Note the IdP SSO URL and IdP Issuer, and download the certificate.

  3. In Netskope, click Edit Settings on the SSO/SLO Settings page.

    1. Click Enable SSO.

    2. Enter the IDP URL (IdP SSO URL).

    3. Enter the IDP Entity ID (IdP Issuer).

    4. Paste the IDP Certificate.

    5. Click Submit.


      [Screenshot: Netskope enable sso.png]

Configure the Netskope client SSO

  1. In Netskope, click Settings > Security Cloud Platform > Forward Proxy > SSO.

    1. Note the SAML Entity ID and SAML ACS URL.

    2. Click Download SAML Certificate. This will download saml_cert.pem.


      [Screenshot: Download saml cert.png]

  2. In the Beyond Identity Admin console, click Integrations > SAML > Add SAML Connection.

    1. Enter Netskope Client SSO for the name.

    2. Enter the SP Single Sign on URL (SAML ACS URL).

    3. Enter the SP Audience URI (SAML Entity ID).

    4. Select unspecified for the Name ID Format.

    5. Select UserName for the Subject User Attribute.

    6. Select http redirect for the Request Binding.

    7. Select X509 for the Authentication Context Class.

    8. Click Signed for the Signed Response.

    9. Click Upload File for the X509 Signing Certificate and choose saml_cert.pem.


      [Screenshot: Add saml connection.png]

    10. Click Save Changes.

    11. Note the IdP SSO URL and IdP Issuer, and download the certificate.

  3. Click New Account.

    1. Enter Netskope Client SSO Using Beyond Identity for the name.

    2. Enter the IdP SSO URL and IdP Entity ID (IdP Issuer).

    3. Paste the certificate.


      [Screenshot: New account.png]

    4. Click Save.
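Both SAML connections above are built from values in the Netskope SP metadata: the Admin SSO connection uploads Netskope_saml_metadata.xml directly, while the Client SSO connection has the SAML Entity ID, SAML ACS URL and signing certificate entered by hand. The Python script below is an added example, not code from the Netskope or Beyond Identity documentation; it reads an SP metadata file the way the console does, records the signing certificate's SHA-256 fingerprint, and flags a mistyped SP Audience URI or SP Single Sign-on URL before the connection is saved. The metadata, tenant host, URLs and certificate body are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
CERT_PATH = "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"

# Constructed stand-in for Netskope_saml_metadata.xml: host, URLs and cert body are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://example-tenant.goskope.com/saml/sp">
  <md:SPSSODescriptor WantAssertionsSigned="true">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>Y29uc3RydWN0ZWQtY2VydA==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-tenant.goskope.com/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def cert_fingerprint(der: bytes) -> str:
    # SHA-256 over the DER bytes, colon-separated the way admin consoles usually show it
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def parse_sp_metadata(xml_text: str) -> dict:
    """Extract the values a SAML connection form asks for from SP metadata."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if root.tag != "{%s}EntityDescriptor" % NS["md"] or sp is None:
        raise ValueError("not SP metadata: no SPSSODescriptor (IdP metadata by mistake?)")
    acs, cert = sp.find("md:AssertionConsumerService", NS), sp.find(CERT_PATH, NS)
    if acs is None or cert is None or not cert.text:
        raise ValueError("metadata lacks an ACS endpoint or a signing certificate")
    fmt = sp.find("md:NameIDFormat", NS)
    der = base64.b64decode("".join(cert.text.split()))  # drop line wraps before decoding
    return {
        "entity_id": root.get("entityID"),
        "acs_url": acs.get("Location"),
        "name_id_format": fmt.text.rsplit(":", 1)[-1] if fmt is not None else None,
        "wants_signed_assertions": sp.get("WantAssertionsSigned") == "true",
        "cert_sha256": cert_fingerprint(der),
    }

def check_connection(meta: dict, sp_audience_uri: str, sp_sso_url: str) -> list:
    # Each tuple: (condition that must hold, message reported when it does not)
    checks = [(sp_audience_uri == meta["entity_id"], "SP Audience URI does not match the metadata entityID"),
              (sp_sso_url == meta["acs_url"], "SP Single Sign-on URL does not match the ACS Location"),
              (meta["wants_signed_assertions"], "SP does not require signed assertions")]
    return [msg for ok, msg in checks if not ok]
```

Run parse_sp_metadata on the real downloaded file and compare cert_sha256 with the fingerprint of saml_cert.pem to confirm the same signing certificate was uploaded for the Client SSO connection.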

Enable Netskope client re-authentication

The Netskope client can be configured to require re-authentication to access private apps.

Prerequisites

  • IdP federation must be configured.

  • Users must be authenticated using the IdP and they must be imported into Netskope. Make sure that the user’s email address is available for IdP authenticated users.

  • Your IdP must be configured in Netskope under Settings > Security Cloud Platform > SAML (under the Forward Proxy section). The URL nsauth-<tenantname>.goskope.com must be publicly reachable.

To enable client re-authentication:

  1. On the Netskope client, go to Settings > Security Cloud Platform > Netskope Client > Devices and click Client Configuration.


    [Screenshot: Client config.png]

  2. Select the Periodic re-authentication for Private Apps checkbox.

  3. Select a time period from the Re-authentication Interval dropdown list to determine how frequently re-authentication will occur.

  4. Select the Grace Period checkbox and enter the number of minutes a user has to re-authenticate after the interval time expires.

    Note: The grace period must be less than the interval.

When re-authentication is enabled, an indicator displays on the Netskope client menu and you can re-authenticate by clicking the option in the menu.

If the interval expires, the Netskope client displays the IdP sign-in window for re-authentication.

If the grace period expires, the Netskope client disconnects from Netskope Private Access.

Re-authenticate on Logon

Netskope Private Access supports forced re-authentication into the Netskope Client when a device is restarted, or when a user logs out and then logs back into a device.

To re-authenticate on logon:

  1. Click Settings > Security Cloud Platform > Steering Configuration > Default tenant config.

  2. Click Steer Private Apps.


    [Screenshot: Steer private apps.png]

  3. Click Save.

  4. Create a new publisher.

    1. Click Settings > Security Cloud Platform > Publishers.

    2. Click New Publisher.

    3. Enter a name and select an update profile.

    4. Click Save and Continue.

    5. Click Generate Token.

    6. Copy the token.


      [Screenshot: Edit publisher.png]

    7. Click Done.

Install the Netskope client in IdP mode and enroll Windows users

There are two options for installing the Netskope Client (v71 and later) for IdP mode.

  • Install the NSClient.msi without any parameters, which prompts users for the Netskope tenant name followed by the Beyond Identity login.

  • (Recommended) Install the NSClient.msi with IdP parameters in multi-user mode, which prompts users for their Beyond Identity login only. This option can be packaged and deployed using software deployment tools.

Note: You will need to be an admin to deploy the Netskope client onto the endpoints.

To install the client in IdP mode:

The following steps use the recommended option above.

  1. Install the .msi file using the following parameters:

    msiexec /I NSClient.msi installmode=IDP tenant=<tenant name> domain=<goskope.com / eu.goskope.com / de.goskope.com> mode=peruserconfig

    [Screenshot: install msi file.png]

  2. After installation completes, click Finish. Users will be prompted for their Beyond Identity credentials.

  3. After logging in successfully, the Netskope client will validate the email address of the user in the tenant, and download the configuration files from the tenant.


    [Screenshot: Download config files.png]

  4. After downloading the configuration files, the client enrolls itself and displays the message "Enrolled successfully".


    [Screenshot: Config files installed.png]

  5. To verify registration, right-click the Netskope client and select Configuration. The user's email address is shown on the details page.


    [Screenshot: Verify client registration.png]

    Note: You may want to disable the Allow users to unenroll option in the Netskope tenant under Settings > Active Platform > Devices > Client Configurations.