Skip to main content

Netskope for Office 365 (SP-initiated) Integration Guide


Use this guide to enable Service Provider (SP)-initiated Multi-Factor Authentication and Single Sign-on (SSO) access via SAML to Netskope for Office 365.


1. Obtain a Netskope account with administrator permissions

2. Ensure administrator access is granted for Office 365 management, and verify Office 365 is not federated


If Office 365 is already federated, run the following command to convert Office 365 back to the Managed state before re-federation

   Set-MsolDomainAuthentication -DomainName "Domain to be federated" -Authentication Managed

3. Create a New Realm on SecureAuth IdP v9.0.1+ for the Netskope for Microsoft 365 integration

4. Configure the following tabs in the Web Admin before configuring the Post Authentication tab:

  • Overview – the description of the realm and SMTP connections must be defined

  • Data – an enterprise directory must be integrated with SecureAuth IdP

  • Workflow – the way in which users will access this application must be defined

  • Multi-Factor Methods – the Multi-Factor Authentication methods that will be used to access this page (if any) must be defined

SecureAuth IdP Configuration Steps



1. In the Profile Fields section, map the directory field that contains the user's logon name to the Aux ID 1 Property – e.g. userPrincipalName

2. Map the directory field that contains the user's unique identifier to the Aux ID 2 Property – e.g.objectGUID

NOTE: This property must be mapped to ImmutableID on the Azure AD


Click Save once the configurations have been completed and before leaving the Data page to avoid losing changes

Post Authentication


3. Select SAML 2.0 (SP Initiated by Post) Assertion page from the Authenticated User Redirect dropdown in the Post Authentication section

User ID Mapping


4. Select the SecureAuth IdP Property corresponding to the directory field that contains the user's unique identifier – e.g. Aux ID 2

5. Select urn:oasis:names:tc:SAML:2.0:nameid-format:persistent from the Name ID Format dropdown

6. Select True from the Encode to Base64 dropdown

SAML Assertion / WS Federation


7. Set WSFed Reply To / SAML Target URL to the URL provided by Netskope for the server to be accessed

8. Set SAML Consumer URL to the URL provided by Netskope to accept the SAML assertion

9. Set WSFed / SAML Issuer to the Unique Name provided by Netskope – i.e. SharedSecretKey123

The WSFed / SAML Issuer must match exactly on the SecureAuth IdP side and the Netskope side

10. Set SAML Audience to urn.federation.MicrosoftOnline

11. Provide the SP Start URL to the URL provided by Netskope to enable SSO and to redirect users to the Netskope login page


12. Leave the Signing Cert Serial Number as the default value, unless a third-party certificate is used for the SAML assertion

If using a third-party certificate, click Select Certificate and select the appropriate certificate

13. Provide the Domain in order to Download the Metadata File to send to Netskope

NOTE: Export the Base64 SecureAuth IdP certificate as .CER and send the certificate to Netskope to import into the appliance tenant

SAML Attributes / WS Federation


14. Set the Name of Attribute 1 to IDPEmail

15. Set the Namespace (1.1) to

16. Select Basic from the Format dropdown

17. Select Aux ID 1 from the Value dropdown

18. Set the Name of Attribute 2 to ImmutableID

19. Set the Namespace (1.1) to

20. Select Basic64 Encoded from the Format dropdown

21. Select Aux ID 2 from the Value dropdown


Click Save once the configurations have been completed and before leaving the Post Authentication page to avoid losing changes

Forms Auth / SSO Token

Optionally, in the Forms Auth / SSO Token section, click the View and Configure FormsAuth keys/SSO token link to configure the token/cookie settings and configure this realm for SSO.