Skip to content

Set up an identity provider

Now set up an identity provider. The ZTNA gateway authenticates users based on records held by the identity provider.

The steps depend on which provider you want to use.

If you're setting up Okta as an identity provider, your ZTNA gateway must be version 1.1 or higher.

You can use Microsoft Entra ID (Azure AD) for user synchronization and as an identity provider.

Make sure you've already set up Microsoft Entra ID (Azure AD) user groups and synced them with Sophos Central.

  1. Sign in to Sophos Central.
  2. Go to My Products > ZTNA > Identity Providers.
  3. Click Add identity provider.

    Identity provider page.

  4. Enter your identity provider settings as follows:

    1. Enter a name and description.
    2. In Provider, ensure Microsoft Entra ID (Azure AD) is selected.
    3. Enter the Microsoft Entra ID (Azure AD) settings for Client ID, Tenant ID, and Client secret.

      If you set up Microsoft Entra ID (Azure AD) as described in this guide, you gathered these settings when you created the tenant. See Set up directory service.

    4. Click Test Connection and make sure the connection is made.

    5. Click Save.

    Add Identity Provider page.

Before you can use Okta as your identity provider, you must create and configure a new Okta app integration with the right settings for use with ZTNA.

To do this, you do as follows:

  • Create an app integration.
  • Add the identity provider to ZTNA.

We assume here that you have user groups in Okta. If you don't, use Okta's tools to synchronize groups from your directory service to Okta. Make sure you've also synchronized your groups with Sophos Central.

Create an app integration

  1. In the Okta dashboard, go to Applications.

    Okta dashboard menu.

  2. Click Create App Integration.

    Okta Applications page.

  3. In Create a new app integration, do as follows:

    1. Select OIDC.
    2. Select Web Application.

    Okta new application.

  4. In New Web App Integration, do as follows:

    1. Enter a name.
    2. Select Client Credentials.
    3. Select Refresh Token.

    Okta new app integration.

  5. On the same tab, in Sign-in redirect URIs, enter the address where Okta will send the authentication response and token. This must be the gateway host FQDN followed by /oauth2/callback. For example:

    https://ztna.mycompany.net/oauth2/callback

    Okta redirect URI.

  6. In Assignments, select Skip group assignment for now.

    Okta assignments.

  7. Open your new application. On the General tab, make a note of the Client ID and Client Secret. You'll need them when you set up Okta as your identity provider in Sophos Central.

    ZTNA app details.

  8. On the Okta API Scopes tab, set the permissions that are needed:

    • okta.groups.read
    • okta.idps.read

    You only need okta.idps.read if you're using AD Sync.

    Okta API Scopes tab.

  9. On the Assignments tab, click Assign > Assign to Groups. Select your existing group of users.

    Okta Assignments tab.

  10. On the Sign On tab, go to OpenID Connect ID Token and do as follows:

    1. Click Edit.
    2. Add a Groups claim expression.
    3. Click Save.

    OpenID Connect ID Token.

Add the identity provider to ZTNA

  1. Sign in to Sophos Central.
  2. Go to My Products > ZTNA > Identity Providers.
  3. Click Add identity provider.

    Identity providers page in Sophos Central.

  4. Enter your identity provider settings as follows:

    1. Enter a name and description.
    2. In Provider, select Okta.
    3. Enter the Okta settings for Client ID, Client secret, and Issuer URI.

      These are the Okta settings noted earlier.

    4. Click Test Connection and make sure the connection is made.

    5. Click Save.

    Add Identity Provider page.

Next, you set up a gateway.