Skip to content

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/central/partner/help/en-us/index.html?contextId=sign-in-add-identity-provider

Add an identity provider

You need to set up an identity provider to use federated sign-in.

Requirements

You must be a Partner Super Admin.

Warning

If you want to use federated sign-in as your sign-in option, you must ensure that all your administrators are assigned to a domain and have an identity provider.

  • You must verify a domain first. You can't set up an identity provider if you haven't verified a domain. See Verify a federated domain.
  • Check that you have the information needed to set up your identity provider.

Add Microsoft Entra ID as an identity provider

Before you add Microsoft Entra ID as an identity provider, you must follow the instructions in Use Microsoft Entra ID as an identity provider.

You must have a record of the Tenant ID for your Microsoft Entra ID instance.

To add Microsoft Entra ID, do as follows:

  1. Go to Configure > Settings & policies > Federated identity providers.
  2. Click Add identity provider.

  3. In Add identity provider, do as follows:

    1. Enter a name and description.
    2. In Type, select Microsoft Entra ID.
    3. In Vendor, select Microsoft (Entra ID).
    4. In Configure Entra ID settings, enter your tenant ID.

    5. In Configure domains, click Select a domain and select your domain.

      You can add multiple domains, but each user can only be associated with a single domain.

    6. In Confirm identity provider MFA enforcement, select one of the following options:

      • IdP enforced MFA: Sophos Central allows the identity provider (IdP) to enforce multi-factor authentication (MFA).
      • No IdP enforced MFA: Sophos Central enforces MFA after IdP authentication is successful.

    7. Click Save.

    Setting up Microsoft Entra ID as an identity provider.

  4. In Federated identity providers, select your identity provider and click Turn on.

    Note

    You can't turn on your provider if you haven't finished setting it up or if you've given invalid information.

You can now set up your sign-in settings. See Sophos sign-in settings.

Add OpenID Connect as an identity provider

Before you add OpenID Connect as an identity provider, you must follow the appropriate instructions in Use OpenID Connect as an identity provider.

We've used Okta as our example OpenID Connect provider in the images in these instructions.

To add OpenID Connect, do as follows:

  1. Go to Configure > Settings & policies > Federated identity providers.
  2. Click Add identity provider.

  3. In Add identity provider, do as follows:

    1. Enter a name and description.
    2. In Type, select OpenID Connect.
    3. In Vendor, select a vendor. For example, Okta.

    4. In Configure OpenID Connect settings, enter the following information:

      • Client ID: This is the Client ID for your Sophos Central application in Okta.
      • Issuer: This is your Configured Custom Domain in Okta. It's https://${DOMAIN}.okta.com.
      • Authz endpoint: This is https://$Issuer}/oauth2/v1/authorize.
      • JWKS URL: This is https://${Issuer}/oauth2/v1/keys.

    5. In Configure domains, click Select a domain and select your domain.

      You can add multiple domains, but each user can only be associated with a single domain.

    6. In Confirm identity provider MFA enforcement, select one of the following options:

      • IdP enforced MFA: Sophos Central allows the identity provider (IdP) to enforce multi-factor authentication (MFA).
      • No IdP enforced MFA: Sophos Central enforces MFA after IdP authentication is successful.

    7. Click Save.

    Setting up OpenID Connect as an identity provider.

  4. In Federated identity providers, select your identity provider and click Turn on.

    Note

    You can't turn on your provider if you haven't finished setting it up or if you've given invalid information.

You can now set up your sign-in settings. See Sophos sign-in settings.

Add Microsoft AD FS as an identity provider

Before you add Microsoft AD FS as an identity provider, you must follow the instructions in Use Microsoft AD FS as an identity provider.

You must know your AD FS metadata URL.

To add Microsoft AD FS, do as follows:

  1. Go to Configure > Settings & Policies > Federated identity providers.
  2. Click Add identity provider.

  3. In Add identity provider, do as follows:

    1. Enter a name and description.
    2. In Type, select Microsoft AD FS.
    3. In Vendor, select a vendor.
    4. In AD FS metadata URL, enter your AD FS metadata URL.

    5. In Configure domains, click Select a domain and select your domain.

      You can add multiple domains, but each user can only be associated with a single domain.

    6. In Confirm identity provider MFA enforcement, select one of the following options:

      • IdP enforced MFA: Sophos Central allows the identity provider (IdP) to enforce multi-factor authentication (MFA).
      • No IdP enforced MFA: Sophos Central enforces MFA after IdP authentication is successful.

    7. Click Save.

    Setting up Microsoft AD FS as an identity provider.

  4. In Federated identity providers, select your identity provider and make a note of the following:

    • Entity ID.
    • Callback URL.

  5. Add your Entity ID and Callback URL to your AD FS configuration.

  6. In Sophos Central Partner, go to Settings & Policies > Federation identity providers, select your identity provider and click Turn on.

    Note

    You can't turn on your provider if you haven't finished setting it up or if you've given invalid information.

You can now set up your sign-in settings. See Sophos sign-in settings.