Skip to main content

Netskope Help

Netskope SSO with Okta

Netskope integrates with multiple third-party applications to provide a wide range of solutions. You can configure single sign-on (SSO) on the Netskope Admin Console to connect to these applications with or without authentication. Using the SSO Enabled feature in the Netskope Admin Console, you can set up forced authentication when connecting to third-party applications through Okta.

In these instructions, Netskope Admin Console refers to the app in the Okta Applications Dashboard. Netskope UI refers to the Netskope tenant.

Locate the SSO Settings in Netskope UI
  1. To access SSO/SLO Settings in your tenant, go to Settings > Administration > SSO.

    image1.jpeg
  2. To view and edit IdP settings, click Edit Settings.

    image2.jpeg
  3. Here are the IdP URL, IdP Entity ID, IdP Certificate. Copy the IdP Entity ID to use when generating new IdP information in Okta.

Generate New IdP Information in Okta
  1. In the Okta Dashboard, go to Applications > Browse App Catalog.

  2. Search for Netskope and select Netskope Admin Console.

    image3.jpeg
  3. Click Add.

    image4.jpeg
  4. Enter your subdomain in the subdomain field and click Next.

  5. Scroll down to the Service Provider Entity ID field and enter the Service Provider EntityID from the Netskope UI, and then click Done.

  6. Go to the Sign On tab.

    image5.jpeg
  7. Scroll down to SAML Signing Certificates and click View SAML setup instructions.

    image6.jpeg

    Here are the IdP URL, IdP Entity ID, IdP Certificate to be copied into Netskope UI.

  8. Copy the new IdP information from Okta and enter them into the Netskope IdP fields.

    image2.jpeg
  9. In the Netskope UI, go to Settings > Administration > SSO and under SSO/SLO click Edit Settings. Enter your Okta information and click Save.

  10. Go to the Assignments tab and click Assign > Add People/Group, and then add users/groups who need access to the Netskope Admin Console.

    image7.jpeg
  11. Deactivate any old instances of Netskope Admin Console from Okta Applications Dashboard.

Provision Custom Roles with Okta using the Netskope Admin Console

Integrate Okta with Netskope so that Admins can access the Netskope Admin Console. The integration uses the Netskope Admin Console App (available in Okta), to provision users based on Custom Groups defined in Okta.

Provisioning Custom Admin Roles

This remaining sections explain how to assign custom roles to Netskope Admins that are provisioned via Okta. This does not work for local admin accounts. Using a predefined role like “Tenant Admin” will only allow you to provision admins with this role, so you need to have a more scalable way to assign different roles to admins that are provisioned through Okta.

Prerequisites

In order to complete this section, you must first:

  • Have existing Okta and Netskope Admin accounts

  • Enable SSO for your Netskope tenant

  • Deploy the Netskope Admin Console App in Okta

Create Custom Roles in Netskope

First confirm you have created your custom roles within Netskope. These roles need to have a similar naming convention as shown for this integration to work. Because you will use a contains statement within the Okta App, it’s important to prefix each custom role with an identical value. For example:

  • ns tenant admin

  • ns delegated admin

The prefix ns should be there for all custom roles. Assign whatever attributes you like for each custom role.

image8.png
Create Custom Groups within Okta

Now create the custom Groups inside Okta. These groups should match what you just created within Netskope.

  1. Go to Directory > Groups > Add Group.

    image9.png
  2. Check to ensure the prefix ns is there for all custom Groups that you will assign Admins to.

    image10.png
  3. Assign admins to their respective group based on the roles you assigned for each group within Netskope.

Define the Admin Role Attribute in the Netskope Admin Console

Now set the admin-role attribute to ns in the Netskope Admin Console App withing Okta.

  1. Open the Netskope Admin Console, go to the Sign On tab and click Edit.

  2. Set the admin-role attribute under SAML 2.0 to: Starts with and ns,and then click Save.

The integration to assign custom roles for Netskope admins via Okta is complete.