
Set up an identity provider

Now set up an identity provider. The ZTNA gateway authenticates users based on records held by the identity provider.

Note

You can only add one entry for each identity provider.

The steps depend on which provider you want to use.

If you're setting up Okta as an identity provider, your ZTNA gateway must be version 1.1 or higher.

Microsoft Entra ID (Azure AD)

You can use Microsoft Entra ID (Azure AD) both for user synchronization and as an identity provider.

Make sure you've already set up Microsoft Entra ID (Azure AD) user groups and synced them with Sophos Central.

  1. Sign in to Sophos Central.
  2. Go to My Products > ZTNA > Identity Providers.
  3. Click Add identity provider.

    Identity provider page.

  4. Enter your identity provider settings as follows:

    1. Enter a name and description.
    2. In Provider, ensure Microsoft Entra ID (Azure AD) is selected.
    3. Enter the Microsoft Entra ID (Azure AD) settings for Client ID, Tenant ID, and Client secret.

      If you set up Microsoft Entra ID (Azure AD) as described in this guide, you gathered these values when you set up the directory service. See Set up directory service.

    4. Click Test Connection and make sure the connection is made.

    5. Click Save.

    Add Identity Provider page.

Okta

Before you can use Okta as your identity provider, you must create and configure a new Okta app integration with the right settings for use with ZTNA.

To do this:

  • Create an app integration.
  • Add the identity provider to ZTNA.

We assume here that you have user groups in Okta. If you don't, use Okta's tools to synchronize groups from your directory service to Okta. Make sure you've also synchronized your groups with Sophos Central.

Create an app integration

  1. In the Okta dashboard, go to Applications.

    Okta dashboard menu.

  2. Click Create App Integration.

    Okta Applications page.

  3. In Create a new app integration, do as follows:

    1. Select OIDC.
    2. Select Web Application.

    Okta new application.

  4. In New Web App Integration, do as follows:

    1. Enter a name.
    2. In Grant type, select Client Credentials.
    3. Also select Refresh Token.

    Okta new app integration.

  5. On the same tab, in Sign-in redirect URIs, enter the address to which Okta redirects the browser with the authentication response. Okta matches redirect URIs exactly, so this must be https://, the gateway host FQDN, and the path /oauth2/callback. For example:

    https://ztna.mycompany.net/oauth2/callback

    Okta redirect URI.

    Note

    If you set up a gateway on Sophos Firewall, you must add a new redirect URI in the following format: https://<gateway's external FQDN>/ztna-oauth2/callback.

  6. In Assignments, select Skip group assignment for now.

    Okta assignments.

  7. Open your new application. On the General tab, make a note of the Client ID and Client Secret. You'll need them when you set up Okta as your identity provider in Sophos Central. Treat the client secret as a credential: store it only in Sophos Central, don't paste it into tickets or chat, and rotate it in Okta if it's ever exposed.

    ZTNA app details.

  8. On the Okta API Scopes tab, set the permissions that are needed:

    • okta.groups.read
    • okta.idps.read

    You only need okta.idps.read if you're using AD Sync.

    Okta API Scopes tab.

  9. On the Assignments tab, click Assign > Assign to Groups. Select your existing group of users.

    Okta Assignments tab.

  10. On the Sign On tab, go to OpenID Connect ID Token and do as follows:

    1. Click Edit.
    2. Add a Groups claim expression. ZTNA reads group membership from this claim to match signed-in users to the groups you synchronized with Sophos Central, so without it users can authenticate but can't be matched to any group. For more information, see Add a custom groups claim.
    3. Click Save.

    OpenID Connect ID Token.

Add the identity provider to ZTNA

  1. Sign in to Sophos Central.
  2. Go to My Products > ZTNA > Identity Providers.
  3. Click Add identity provider.

    Identity providers page in Sophos Central.

  4. Enter your identity provider settings as follows:

    1. Enter a name and description.
    2. In Provider, select Okta.
    3. Enter the Okta settings for Client ID, Client secret, and Issuer URI.

      Client ID and Client secret are the values you noted from the app's General tab. Issuer URI is the Issuer shown on the app's Sign On tab under OpenID Connect ID Token (typically your Okta org URL, for example https://mycompany.okta.com).

    4. Click Test Connection and make sure the connection is made.

    5. Click Save.

    Add Identity Provider page.
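Both the Entra ID and the Okta procedures above end with the gateway trusting an OpenID Connect ID token issued by the provider. The checks a relying party has to make before it acts on that token, written as an added example in Go (this is illustration code, not Sophos or Okta code): pin the algorithm to RS256, verify the signature with the issuer's key, compare iss against the configured Issuer URI and aud against the Client ID, reject expired tokens, and only then read the groups claim that the Sign On tab step adds. The issuer URL, client ID, key and user are constructed placeholders; the token is minted locally so the example runs offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Values a relying party takes from the identity provider configuration.
// Both are constructed placeholders for this example, not real tenant values.
const (
	issuerURI = "https://mycompany.okta.com" // Issuer URI entered in Sophos Central
	clientID  = "0oaexampleclientid"         // Client ID from the Okta app's General tab
)

// idTokenClaims holds the ID token fields checked here; Okta's ID token aud is a single string.
type idTokenClaims struct {
	Iss    string   `json:"iss"`
	Aud    string   `json:"aud"`
	Sub    string   `json:"sub"`
	Exp    int64    `json:"exp"`
	Groups []string `json:"groups,omitempty"`
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// mintIDToken stands in for the identity provider: it signs the claims as an RS256 JWT
// (header.payload.signature, base64url without padding). Constructed for this example.
func mintIDToken(key *rsa.PrivateKey, claims idTokenClaims) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64url(header) + "." + b64url(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64url(sig), nil
}

// verifyIDToken does what a relying party such as the ZTNA gateway must do before trusting
// the provider's record of a user: pin the algorithm, verify the signature with the issuer's
// public key, check iss, aud and exp, and only then read the groups claim policy depends on.
func verifyIDToken(pub *rsa.PublicKey, token string, now time.Time) (*idTokenClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT: expected three segments")
	}
	rawHeader, err := base64.RawURLEncoding.DecodeString(parts[0])
	var header struct{ Alg string `json:"alg"` }
	if err != nil || json.Unmarshal(rawHeader, &header) != nil || header.Alg != "RS256" {
		return nil, errors.New("unsupported or missing alg: only RS256 is accepted") // blocks alg=none and HS256 key confusion
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, fmt.Errorf("bad signature encoding: %w", err)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature check failed: %w", err)
	}
	rawPayload, err := base64.RawURLEncoding.DecodeString(parts[1])
	var claims idTokenClaims
	if err != nil || json.Unmarshal(rawPayload, &claims) != nil {
		return nil, errors.New("bad payload encoding or JSON")
	}
	if claims.Iss != issuerURI {
		return nil, fmt.Errorf("issuer %q does not match the configured Issuer URI", claims.Iss)
	}
	if claims.Aud != clientID {
		return nil, fmt.Errorf("audience %q does not match the configured Client ID", claims.Aud)
	}
	if !now.Before(time.Unix(claims.Exp, 0)) {
		return nil, errors.New("token expired")
	}
	if len(claims.Groups) == 0 { // no groups claim means the user can't be matched to any synced group
		return nil, errors.New("no groups claim: add the groups claim on the app's Sign On tab")
	}
	return &claims, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the issuer's signing key
	tok, _ := mintIDToken(key, idTokenClaims{Iss: issuerURI, Aud: clientID, Sub: "alice@mycompany.net",
		Exp: time.Now().Add(time.Hour).Unix(), Groups: []string{"ztna-users"}})
	claims, err := verifyIDToken(&key.PublicKey, tok, time.Now())
	fmt.Println(claims, err)
}
```

The order matters: the signature is checked before any claim is read, the audience check is what stops a token minted for another application in the same Okta org from being accepted, and a missing groups claim is treated as a failure rather than as "authenticated, no groups", which is the symptom you see when step 10 of the Okta procedure is skipped.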

Next, you set up a gateway.