Configuring Passive Auth with an Endpoint URL
For O365 Apps that use Passive Auth URL, Netskope Auth Proxy can be deployed by modifying the Endpoint URL on the auth/federation server to point to the Netskope's Auth Proxy for the Passive Auth Flow. This way of configuring the Netskope Auth Proxy is applicable only for auth/federation servers that have a provision to configure the endpoint URL.
Configuring the Passive Auth in this manner offers the following benefits:
Netskope's Auth Proxy is no longer front-ending the Passive Auth flow; therefore, reducing risk of URL/page rewriting inconsistencies.
From a configuration standpoint, this no longer requires modification of Passive Auth URL in O365; instead, the Endpoint URL on the auth/federation server is modified.
Before configuring Passive Auth with an Endpoint URL, please consider:
This feature is only applicable to the Passive Auth flow. Active and MEX flows will still need to be configured by replacing the original URL's with Netskope Auth Proxy URLs on the O365 Powershell.
The Passive Auth flow will no longer be front-ended by Netskope. Active flows will still go through the expected proxy flow via Netskope's Auth Proxy.
This feature only works with ADFS and PingFederate (on-premises). These are the only Auth/Federation servers that allow you to modify the Endpoint URL.
Configure PingFederate Endpoint URL
To configure an Endpoint URL in PingFederate:
Ensure you have a working O365 Auth flow before employing Netskope's Auth Proxy.
In the Netskope UI, go to Settings > Security Cloud Platform > O365 Auth, select the PingFederate tab, and then copy the Netskope Endpoint URL.
Replace the Endpoint URL in PingFederate (go to PingFederate > IDP Configuration > SP Connection (select SP) > Protocol Settings > Endpoint URL).
Change
https://login.microsoftonline.com/login.srf
to the Netskope Endpoint URL.
Configure ADFS Endpoint URL
To configure an Endpoint URL in ADFS:
Ensure you have a working O365 Auth flow before employing Netskope's Auth Proxy.
In the Netskope UI, go to Settings > Security Cloud Platform > O365 Auth, select the ADFS tab, and then copy the Netskope Endpoint URL.
Replace the Endpoint URL in ADFS (go to ADFS > Trust Relationships > Relying Party Trusts > Microsoft Office O365 Identify Platform Properties> Endpoint URL).
Change
https://login.microsoftonline.com/login.srf
to the Netskope Endpoint URL.