Last update: 2022-01-05

Set up an identity provider

Now set up an identity provider. The ZTNA gateway authenticates users based on records held by the identity provider.

The steps depend on which provider you want to use.

Azure AD

You can use Microsoft Azure AD for user synchronization and as an identity provider.

Make sure you've already set up Azure AD user groups and synced them with Sophos Central.

  1. Sign in to Sophos Central.
  2. In the left menu, select ZTNA.

    Screenshot of the ZTNA menu in Sophos Central

  3. In Zero Trust Network Access, do as follows:

    1. In the left menu, select Identity Providers.
    2. Click Add identity provider.

    Screenshot of the Identity providers page in Sophos Central

  4. Enter your identity provider settings as follows:

    1. Enter a name and description.
    2. In Provider, ensure Azure AD is selected.
    3. Enter the Azure AD settings for Client ID, Tenant ID, and Client secret.

      If you set up Azure AD as described in this guide, you gathered these settings when you created the tenant. See Set up directory service.

    4. Click Test Connection and make sure the connection is made.

    5. Click Save.

    Screenshot of Add Identity Provider page

Okta

Before you can use Okta as your identity provider, you must create and configure a new Okta app integration with the right settings for use with ZTNA.

To do this, follow these steps:

  • Create an app integration.
  • Add an authorization server.
  • Add the identity provider to ZTNA.

We assume here that you have user groups in Okta. If you don't, use Okta's tools to synchronize groups from your directory service to Okta. Make sure you've also synchronized your groups with Sophos Central.

Create an app integration

  1. In the Okta dashboard, go to Applications.

    Okta dashboard menu

  2. Click Create App Integration.

    Okta Applications page

  3. In Create a new app integration, do as follows:

    1. Select OIDC.
    2. Select Web Application.

    Okta new application

  4. In New web application integration, do as follows:

    1. Enter a name.
    2. Select Client credentials.
    3. Select Refresh token.

    Okta new app integration

  5. On the same tab, in Sign-in redirect URI, enter the address where Okta will send the authentication response and token. This must be the gateway host FQDN followed by /oauth2/callback. For example:

    https://ztna.mycompany.net/oauth2/callback

    Okta redirect URI

  6. In Assignments, select Skip group assignments for now.

    Okta assignments

  7. Open your new application. On the General tab, make a note of the Client ID and Client Secret. You'll need them when you set up Okta as your identity provider in Sophos Central.

    ZTNA app details

  8. On the Okta API Scopes tab, set the permissions that are needed:

    • okta.groups.read
    • okta.idps.read

    You only need okta.idps.read if you're using AD Sync.

    Okta API Scopes tab

  9. On the Assignments tab, click Assign > Assign to groups. Select your existing group of users.

    Okta Assignments tab

Add an authorization server

  1. On the Okta dashboard, go to Security > API.

    Security menu

  2. On the Authorization Servers tab, click Add Authorization Server.

    Okta Authorization Servers tab

  3. In the Add Authorization Server dialog, enter a name and description. Click Save.

    Okta Add Authorization Server dialog

  4. On the Authorization Servers tab, you see the new server. Make a note of the Issuer URI. You'll need it later.

    Authorization server issuer URI

  5. On the Scopes tab, click Add Scope and add a scope called "customScope". You don't need to add any other details. This scope is only used for testing later.

    Authorization server Scopes tab

  6. On the Claims tab, click Add Claim. This claim lets ZTNA see the user's groups for authentication. Enter the details as follows:

    1. In Name, enter "groups" (with a lowercase g).
    2. In Token Type, select ID Token and then Userinfo/id_token request.
    3. In Value type, enter Expression.
    4. Enter this value. It returns the user's Okta groups when the user has no Active Directory groups, and otherwise the Okta and Active Directory groups combined:

      Arrays.isEmpty(Arrays.toCsvString(Groups.startsWith("active_directory","",100))) ?
      Groups.startsWith("OKTA","",100) :
      Arrays.flatten(Groups.startsWith("OKTA","",100),
      Groups.startsWith("active_directory","",100))

    Okta Add Claim dialog

  7. On the Access Policies tab:

    1. Click Add Policy. Accept the defaults and click Create Policy.
    2. When you see the new policy details, click Add Rule. Accept the defaults and click Create Rule.
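
The following is an added example, not code from the Sophos or Okta documentation. It models what the groups claim expression in step 6 produces, and the checks a relying party such as the gateway should apply to the ID token claims it receives (issuer, audience, expiry, and the groups claim). All names and sample values are constructed, and token signature verification against the authorization server's JWKS is assumed to happen separately.

```python
"""Added example (not part of the Sophos or Okta documentation): models the
groups claim expression and the ID token claim checks a ZTNA-style relying
party applies. Names and sample values are constructed for illustration."""
import time


def groups_starts_with(groups, app, prefix, limit=100):
    """Mimics Groups.startsWith(app, prefix, limit): names of the user's groups
    that come from `app` and start with `prefix`, at most `limit` of them."""
    names = [name for src, name in groups if src == app and name.startswith(prefix)]
    return names[:limit]


def groups_claim(groups):
    """Mirrors the claim expression: Okta groups alone when the user has no
    active_directory groups, otherwise Okta and AD groups flattened together."""
    ad = groups_starts_with(groups, "active_directory", "")
    okta = groups_starts_with(groups, "OKTA", "")
    return okta if not ad else okta + ad


def validate_id_token_claims(claims, issuer_uri, client_id, now=None):
    """Checks the claims the gateway relies on. Assumes the token signature was
    already verified against the authorization server's JWKS (not shown)."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != issuer_uri:
        problems.append("iss does not match the Issuer URI")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:
        problems.append("aud does not contain our Client ID")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        problems.append("token expired or exp missing")
    if not isinstance(claims.get("groups"), list):
        problems.append("groups claim missing: check the Claims tab on the authorization server")
    return problems


# Constructed sample: a user in one Okta group and one synced AD group.
SAMPLE_GROUPS = [("OKTA", "Everyone"), ("active_directory", "ztna-users")]
SAMPLE_CLAIMS = {
    "iss": "https://example.okta.com/oauth2/aus_constructed",  # constructed
    "aud": "0oa_constructed_client_id",  # constructed
    "exp": 4102444800,  # year 2100, constructed
    "groups": groups_claim(SAMPLE_GROUPS),
}
```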

Add the identity provider to ZTNA

  1. Sign in to Sophos Central. In the left menu, select ZTNA.

    ZTNA menu in Sophos Central

  2. On the Zero Trust Network Access page, do as follows:

    1. In the left menu, select Identity Providers.
    2. Click Add identity provider.

    Identity providers page in Sophos Central

  3. Enter your identity provider settings as follows:

    1. Enter a name and description.
    2. In Provider, select Okta.
    3. Enter the Okta settings for Client ID, Client secret, and Issuer URI.

      These are the Okta settings noted earlier.

    4. Click Test Connection and make sure the connection is made.

    5. Click Save.

    Screenshot of Add Identity Provider page

Next, you set up a gateway.
