Configure ADFS IdP for Netskope SAML – Forward Proxy
Launch the ADFS console, right-click Relying Party Trusts and select Add Relying Party Trust.
Select Claims aware and click Start.
Select Enter data about the relying party manually and click Next.
Enter Display Name: Netskope FP SAML Auth
Enter Notes: SSO configuration with Netskope to provide user identity over IPSec/GRE tunnel and NS Client in IdP mode.
Click Next.
Click Next.
Select Enable support for the SAML 2.0 WebSSO protocol and enter the SAML ACS URL you copied from the Netskope tenant.
Click Next.
Add the SAML Entity ID you copied from the Netskope tenant.
Click Next.
Leave the default settings and click Next.
Click Next.
Un-check Configure claims issuance policy for this application.
Click Close.
The Relying Party trust has been created. Right-click on it and select Properties.
Select Signature (tab) and click Add to add the Netskope SAML certificate.
Click View to check the certificate, click OK and then click Apply.
The certificate warning message can be ignored.
Select Advanced tab and select SHA-1.
Click OK and click Apply.
Right-click and select Edit Claim Issuance Policy.
Click Add Rule.
Select Send LDAP Attribute as Claim and click Next.
Enter the following values:
Claim rule name: Send Email Address claim value
Attribute store: Active Directory
LDAP Attribute: E-Mail-Addresses
Outgoing Claim Type: Name ID
Click Finish.
Click Apply and click OK.
Launch Windows PowerShell as Administrator. Enter this command to list all the ADFS Relying Party Trusts together with their certificate revocation check settings.
Get-AdfsRelyingPartyTrust | Select-Object Name, SigningCertificateRevocationCheck, EncryptionCertificateRevocationCheck
From the output you can see that CheckChainExcludeRoot is configured for the Signing and Encryption certificate revocation checks.
For the Netskope trust, both the Signing and Encryption revocation check values must be set to None.
Enter these commands:
Get-AdfsRelyingPartyTrust -Name "Netskope FP SAML Auth" | Set-AdfsRelyingPartyTrust -SigningCertificateRevocationCheck None
Get-AdfsRelyingPartyTrust -Name "Netskope FP SAML Auth" | Set-AdfsRelyingPartyTrust -EncryptionCertificateRevocationCheck None
Enter this command to validate that both values have been set to None.
Get-AdfsRelyingPartyTrust | Select-Object Name, SigningCertificateRevocationCheck, EncryptionCertificateRevocationCheck
Enter exit to close the PowerShell window.
Note: The following command displays the full configuration of the relying party trust.
Get-AdfsRelyingPartyTrust -Name "Netskope FP SAML Auth"
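The following script is an added example, not part of the Netskope documentation or a Netskope-provided tool. It audits the relying party trust created in the steps above (signing certificate, signature algorithm, ACS endpoint, entity ID and the two revocation check settings) and applies the None value only where it is not already set, then re-reads the trust so the final state is visible. It assumes the ADFS PowerShell module is available (run elevated on the ADFS server) and that $ExpectedThumbprint is replaced with the thumbprint of the Netskope SAML certificate you uploaded on the Signature tab (the value shown is a placeholder).

```powershell
# Added example (not Netskope's own script): audit the "Netskope FP SAML Auth"
# relying party trust and set the revocation checks to None if needed.
# Assumptions: ADFS module present, run as Administrator on the ADFS server,
# $ExpectedThumbprint replaced with the Netskope SAML certificate thumbprint.

Import-Module ADFS

$TrustName          = 'Netskope FP SAML Auth'
$ExpectedThumbprint = 'REPLACE_WITH_NETSKOPE_CERT_THUMBPRINT'   # placeholder

$rpt = Get-AdfsRelyingPartyTrust -Name $TrustName
if (-not $rpt) { throw "Relying party trust '$TrustName' not found." }

# 1. Signing certificate: confirm the certificate added on the Signature tab
#    is the one you expect before ADFS accepts requests signed with it.
$thumbprints = @($rpt.RequestSigningCertificate | ForEach-Object { $_.Thumbprint })
if ($thumbprints -notcontains $ExpectedThumbprint) {
    Write-Warning ("Signing certificate thumbprint(s) on the trust: {0}" -f ($thumbprints -join ', '))
    Write-Warning "Expected thumbprint not present; check the Signature tab."
}

# 2. Signature algorithm: the GUI step selects SHA-1 on the Advanced tab.
Write-Host ("SignatureAlgorithm : {0}" -f $rpt.SignatureAlgorithm)

# 3. SAML ACS endpoint and entity ID copied from the Netskope tenant.
$rpt.SamlEndpoints | Where-Object { $_.Protocol -eq 'SAMLAssertionConsumer' } |
    ForEach-Object { Write-Host ("ACS endpoint       : {0} ({1})" -f $_.Location, $_.Binding) }
Write-Host ("Entity ID(s)       : {0}" -f ($rpt.Identifier -join ', '))

# 4. Revocation checks: the procedure requires None for both; change only what differs.
$params = @{}
if ($rpt.SigningCertificateRevocationCheck    -ne 'None') { $params['SigningCertificateRevocationCheck']    = 'None' }
if ($rpt.EncryptionCertificateRevocationCheck -ne 'None') { $params['EncryptionCertificateRevocationCheck'] = 'None' }
if ($params.Count -gt 0) {
    Set-AdfsRelyingPartyTrust -TargetName $TrustName @params
} else {
    Write-Host 'Revocation checks already set to None; nothing changed.'
}

# 5. Re-read the trust and report the final state.
Get-AdfsRelyingPartyTrust -Name $TrustName |
    Select-Object Name, SigningCertificateRevocationCheck, EncryptionCertificateRevocationCheck |
    Format-List
```

Running the script twice is safe: the second run reports that nothing changed. The thumbprint comparison is the check worth keeping, because once the revocation checks are None the certificate on the Signature tab is trusted solely on the basis of having been uploaded there.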
Get the following details from ADFS; they are used within Netskope to configure the ADFS settings for SAML authentication.
Entity ID (format: https://<adfs fqdn>/adfs/services/trust)
IDP URL (format: https://<adfs fqdn>/adfs/ls/)
Token-signing certificate (available in ADFS > Service > Certificates)
You can also browse to the ADFS federation metadata URL to extract these details: https://<adfs fqdn>/FederationMetadata/2007-06/FederationMetadata.xml
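The script below is an added example and not part of the Netskope documentation. It gathers the three values listed above from the ADFS farm itself (Entity ID, IDP URL and the primary token-signing certificate), exports the certificate as a PEM file for upload to the Netskope tenant, and cross-checks the Entity ID and certificate against what the farm publishes in FederationMetadata.xml. It assumes it runs elevated on an ADFS server with the ADFS module available, and $OutDir is a placeholder output folder.

```powershell
# Added example (not from the Netskope documentation): collect the Entity ID,
# IDP URL and primary token-signing certificate, export the certificate as
# PEM, and verify the values against the published federation metadata.
# Assumptions: ADFS module present, run as Administrator on the ADFS server,
# $OutDir is a placeholder path.

Import-Module ADFS

$OutDir = 'C:\Temp\netskope-adfs'   # placeholder output folder
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

$props    = Get-AdfsProperties
$entityId = $props.Identifier.AbsoluteUri          # https://<adfs fqdn>/adfs/services/trust
$idpUrl   = "https://$($props.HostName)/adfs/ls/"  # https://<adfs fqdn>/adfs/ls/

# Primary token-signing certificate (the one under ADFS > Service > Certificates).
$signing  = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$derBytes = $signing.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$b64      = [Convert]::ToBase64String($derBytes)
$pem      = "-----BEGIN CERTIFICATE-----`r`n" +
            ($b64 -replace '(.{64})', "`$1`r`n").TrimEnd() +
            "`r`n-----END CERTIFICATE-----"
$pemPath  = Join-Path $OutDir 'adfs-token-signing.cer'
Set-Content -Path $pemPath -Value $pem -Encoding Ascii

# Cross-check against the metadata document the farm publishes.
$metadataUrl = "https://$($props.HostName)/FederationMetadata/2007-06/FederationMetadata.xml"
try {
    [xml]$md   = (Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).Content
    $mdEntity  = $md.EntityDescriptor.entityID
    $mdSso     = @($md.EntityDescriptor.IDPSSODescriptor.SingleSignOnService) |
                 Where-Object { $_.Binding -like '*HTTP-POST' } | Select-Object -First 1
    # Signing keys listed in metadata, with whitespace stripped for comparison.
    $mdCerts   = @($md.EntityDescriptor.IDPSSODescriptor.KeyDescriptor) |
                 Where-Object { $_.use -eq 'signing' } |
                 ForEach-Object { $_.KeyInfo.X509Data.X509Certificate -replace '\s', '' }

    if ($mdEntity -ne $entityId) { Write-Warning "Entity ID in metadata differs: $mdEntity" }
    if ($mdCerts -notcontains $b64) {
        Write-Warning 'Primary token-signing certificate is not listed as a signing key in metadata (certificate rollover pending?).'
    }
    if ($mdSso) { Write-Host ("Metadata SSO URL   : {0}" -f $mdSso.Location) }
} catch {
    Write-Warning "Could not retrieve or parse $metadataUrl : $($_.Exception.Message)"
}

Write-Host ("Entity ID          : {0}" -f $entityId)
Write-Host ("IDP URL            : {0}" -f $idpUrl)
Write-Host ("Signing thumbprint : {0}" -f $signing.Thumbprint)
Write-Host ("PEM written to     : {0}" -f $pemPath)
```

The metadata cross-check matters most around token-signing certificate rollover: if the primary certificate reported by Get-AdfsCertificate is not yet the one advertised as a signing key in FederationMetadata.xml, the certificate uploaded to Netskope will not match the assertions ADFS issues, and authentication will fail until the two agree.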
The ADFS configuration is complete.