
Set up an identity provider

Now set up an identity provider. The ZTNA gateway authenticates users based on records held by the identity provider.

Note

You can only add one entry for each identity provider.

The steps depend on which provider you want to use.

You can use Microsoft AD (on-prem) for user synchronization and as an identity provider.

If you're setting up Microsoft AD (on-prem) as an identity provider, your ZTNA gateway must be on version 2.1 or later.

Make sure you've already set up Active Directory user groups and synced them with Sophos Central. See Set up synchronization with Active Directory.

Note

Primary user groups aren't synced from Active Directory, so users belonging to these groups won't be able to access resources. You must make sure users are also members of other AD groups.

Note

ZTNA supports only a single AD domain. Multiple child domains within one forest aren't supported.

  1. Sign in to Sophos Central.
  2. Go to My Products > ZTNA > Identity Providers.
  3. Click Add identity provider.

    Identity provider page.

Identity provider settings

Enter your identity provider settings as follows:

  1. Enter a name and description.
  2. In Provider, make sure Microsoft AD (on-prem) is selected.

Configure Active Directory (AD) settings

  1. Configure the following settings:

    1. Enter your primary AD server's host and port details. You can enter your secondary server's details if needed.

      Note

      The secondary server must belong to the same domain as the primary server. If your primary server isn't available, the secondary server will provide redundancy.

    2. Optional: Configure TLS and SSL settings.

      You can select one of the following options:

      • TLS Enabled: Connects over LDAPS, that is, TLS from the first byte of the connection (normally port 636). The bind credentials and every directory query and response are encrypted.
      • Start TLS: Connects to the plain LDAP port (normally 389) and issues the StartTLS extended operation to upgrade the session to TLS before the gateway binds.

      If you select neither option, the gateway talks to the domain controller over plaintext LDAP, and the Bind password (and any user credentials the gateway checks against AD) crosses the network unencrypted. Either TLS option protects those credentials only if the gateway can also confirm that it's talking to the real domain controller, so select Verify SSL certificate as well.

      If you select Verify SSL certificate, you must upload your LDAP server's SSL certificate in one of the following formats: .pem, .crt, or .cer. The maximum certificate size is 10 KB.

      TLS and SSL settings.

Account and password

In Bind DN, enter the full distinguished name of the account the gateway uses to bind to (sign in to) the directory, for example CN=svc-ztna,OU=Service Accounts,DC=corp,DC=example,DC=com, and enter that account's password in Bind password. Use a dedicated account with read access to users and groups rather than a domain administrator: the gateway stores these credentials, and anyone who compromises it inherits whatever the account can do.

For more information, see Find the Bind and Base distinguished names on the AD server.

Active Directory search

  1. Under User, in Base DN, enter the distinguished name of the container or OU under which the gateway searches for user accounts, for example OU=Users,DC=corp,DC=example,DC=com. The advanced configuration is set to default, but you can change it if needed.

    User Base DN default advanced settings.

  2. Under User group, in Base DN, enter the distinguished name of the container or OU under which the gateway searches for the groups you synced with Sophos Central, for example OU=Groups,DC=corp,DC=example,DC=com. The advanced configuration is set to default, but you can change it if needed.

Advanced Security Settings

  1. Optional: Turn on Captcha. This doesn't make sign-in secure by itself, but it slows down automated password guessing (brute-force and password-spraying attacks) against your directory accounts.
  2. Optional: Turn on Email-based One Time Password so you can authenticate users with multi-factor authentication (MFA). Enter the following SMTP settings:

    1. SMTP server host: The SMTP server's IP address or hostname.
    2. SMTP port number: The port number you access the SMTP server on.
    3. SMTP email: The address the OTP emails are sent from; bounce-back messages are returned to it.
    4. Email subject: The subject line for the email containing the one-time password (OTP).
    5. If the SMTP server requires credentials to relay emails, you must enter the SMTP login and SMTP password.
    6. Optional: Configure TLS and SSL settings.

      You can select one of the following options:

      • TLS Enabled: Uses implicit TLS, that is, the whole SMTP session is encrypted from the start (normally port 465).
      • Start TLS: Opens a plaintext SMTP session (normally port 587) and upgrades it to TLS with the STARTTLS command before any credentials or mail are sent.

      Without one of these options, the one-time passwords and any SMTP credentials cross the network in cleartext.

      If you select one of the above options, you'll see the Verify SSL certificate option. If you select Verify SSL certificate, you must upload your SMTP server's SSL certificate in one of the following formats: .pem, .crt, or .cer. The maximum certificate size is 10 KB.
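The following Python script is an added example, not part of Sophos Central or the ZTNA gateway. It lints the settings from the steps above (server hosts and ports, TLS mode and certificate, Bind DN, user and group Base DNs, and the SMTP settings for email OTP) before you type them into the form, catching the combinations that lead to a failed Test Connection or a quietly weak configuration. Its dict keys, host names, DNs and the PEM body are constructed placeholders chosen for this example; the checks that compare DNS domains and flag the built-in Administrator account are heuristics and are labelled as such in the code.

```python
"""Pre-flight checks for the Microsoft AD (on-prem) identity provider form.

Added example, not Sophos code: it never contacts a directory, it only lints the
values you are about to enter for mistakes that cause a failed Test Connection
or a quietly weak setup. The dict keys are names chosen for this example."""
from __future__ import annotations

import re

MAX_CERT_BYTES = 10 * 1024                  # "maximum certificate size is 10 KB"
CERT_EXTENSIONS = (".pem", ".crt", ".cer")  # formats the form accepts
LDAP_PORT, LDAPS_PORT = 389, 636            # StartTLS starts on 389; LDAPS is 636
SMTP_STARTTLS_PORT, SMTPS_PORT = 587, 465   # submission with STARTTLS; implicit TLS
_RDN = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.+?)\s*$")


def split_dn(dn: str) -> list[tuple[str, str]]:
    """Split 'CN=svc,OU=x,DC=corp,DC=com' into (ATTR, value) pairs.
    A backslash-escaped comma ('CN=Smith\\, J') does not end an RDN."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        m = _RDN.match(part)
        if not m:
            raise ValueError(f"malformed RDN {part!r} in DN {dn!r}")
        rdns.append((m.group(1).upper(), m.group(2)))
    return rdns


def domain_suffix(dn: str) -> str:
    """Lower-cased 'dc=corp,dc=example,dc=com' part of a DN ('' if it has none)."""
    return ",".join(f"dc={v}" for a, v in split_dn(dn) if a == "DC").lower()


def _check_cert(name: str, data: bytes) -> list[str]:
    out = []
    if not name.lower().endswith(CERT_EXTENSIONS):
        out.append(f"certificate {name!r} must be .pem, .crt or .cer")
    if len(data) > MAX_CERT_BYTES:
        out.append(f"certificate is {len(data)} bytes; the limit is 10 KB")
    # PEM starts with the BEGIN marker; DER starts with an ASN.1 SEQUENCE tag (0x30)
    if not (data.startswith(b"-----BEGIN CERTIFICATE-----") or data[:1] == b"\x30"):
        out.append("certificate does not look like PEM or DER")
    return out


def _tls_findings(what: str, mode: str, port: int, implicit: int, starttls: int,
                  verify: bool) -> list[str]:
    """TLS checks shared by the LDAP and SMTP forms. mode is none|tls|starttls."""
    if mode == "none":
        return [f"{what}: no TLS, so credentials and data cross the network in cleartext"]
    out = []
    if mode == "tls" and port == starttls:
        out.append(f"{what}: TLS Enabled uses TLS from the first byte, normally port {implicit}, not {port}")
    if mode == "starttls" and port == implicit:
        out.append(f"{what}: Start TLS begins in plaintext, normally on port {starttls}, not {port}")
    if not verify:
        out.append(f"{what}: certificate not verified, an on-path attacker can impersonate the server")
    return out


def check_ad_settings(s: dict) -> list[str]:
    """Return findings for the form values in s; an empty list means none found."""
    f: list[str] = []
    dom = lambda h: h.split(".", 1)[-1].lower()      # dc1.corp.example.com -> corp.example.com
    if s.get("secondary_host") and dom(s["secondary_host"]) != dom(s["primary_host"]):
        f.append("secondary server is not in the primary server's DNS domain (heuristic)")
    mode = s.get("ldap_tls", "none")
    f += _tls_findings("LDAP", mode, s["primary_port"], LDAPS_PORT, LDAP_PORT, s.get("verify_cert", False))
    if mode != "none" and s.get("verify_cert"):
        f += _check_cert(s.get("cert_name", ""), s.get("cert_bytes", b""))
    try:
        doms = {domain_suffix(s[k]) for k in ("bind_dn", "user_base_dn", "group_base_dn")}
        first = split_dn(s["bind_dn"])[0]
    except ValueError as e:
        f.append(str(e))
    else:
        if "" in doms or len(doms) > 1:
            f.append("Bind DN and both Base DNs must be full DNs in the same single AD domain")
        if (first[0], first[1].lower()) == ("CN", "administrator"):       # heuristic
            f.append("Bind DN is the built-in Administrator; use a dedicated read-only account")
    if s.get("email_otp"):
        f += _tls_findings("SMTP", s.get("smtp_tls", "none"), s.get("smtp_port"),
                           SMTPS_PORT, SMTP_STARTTLS_PORT, s.get("smtp_verify_cert", False))
    return f


# Constructed sample values; no real hosts, accounts or certificates.
GOOD = {
    "primary_host": "dc1.corp.example.com", "primary_port": 636,
    "secondary_host": "dc2.corp.example.com", "ldap_tls": "tls", "verify_cert": True,
    "cert_name": "corp-root-ca.pem",
    "cert_bytes": b"-----BEGIN CERTIFICATE-----\nMIIBconstructedPEMbody\n-----END CERTIFICATE-----\n",
    "bind_dn": "CN=svc-ztna,OU=Service Accounts,DC=corp,DC=example,DC=com",
    "user_base_dn": "OU=Users,DC=corp,DC=example,DC=com",
    "group_base_dn": "OU=Groups,DC=corp,DC=example,DC=com",
    "email_otp": True, "smtp_tls": "starttls", "smtp_port": 587, "smtp_verify_cert": True,
}
WEAK = dict(GOOD, primary_port=389, verify_cert=False, secondary_host="dc2.lab.example.net",
            bind_dn="CN=Administrator,CN=Users,DC=corp,DC=example,DC=com", smtp_tls="none")

if __name__ == "__main__":
    for label, cfg in (("good", GOOD), ("weak", WEAK)):
        print(label, check_ad_settings(cfg) or ["no findings"])
```

Run it to print the findings for the two constructed configurations. The WEAK one shows the usual combination: LDAPS selected on the StartTLS port, certificate verification off (so the Bind password goes to whoever answers on the path to the DC), the built-in Administrator as bind account, and plaintext SMTP for the OTP mail.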

Test Connection

Optionally, you can test the connection.

  1. To test the connection, do as follows:

    1. Assign your identity provider to a gateway. To do this, go to the Gateways page, click the name of your gateway, and click Edit. In Identity Provider, select the identity provider you just created.

      Assign IDP to gateway.

      Note

      If you haven't created a gateway yet, test the connection after you create the gateway and assign the identity provider to it.

    2. Go back to Identity Providers, and click the name of your new identity provider.

    3. Under Test Connection, select the gateway name, and optionally enter the username.
    4. Click Test Connection and make sure the connection is made.

      If you entered a username, you'll see which groups that user belongs to. Use this to confirm the user is in a synced AD group other than their primary group; otherwise they won't be able to access resources.

  2. Click Save.

Your users will now be able to authenticate through the AD server when they access resources behind the gateway.

Note

If you use Microsoft AD (on-prem) as your identity provider and you access resources hosted behind different ZTNA gateways, you're prompted to authenticate with each gateway the first time you access a resource. If you use other IdPs, once you've authenticated with any ZTNA gateway, you aren't prompted to authenticate again when you access resources hosted behind different gateways.

You can use Microsoft Entra ID (Azure AD) for user synchronization and as an identity provider.

Make sure you've already set up Microsoft Entra ID (Azure AD) user groups and synced them with Sophos Central.

  1. Sign in to Sophos Central.
  2. Go to My Products > ZTNA > Identity Providers.
  3. Click Add identity provider.

    Identity provider page.

  4. Enter your identity provider settings as follows:

    1. Enter a name and description.
    2. In Provider, ensure Microsoft Entra ID (Azure AD) is selected.
    3. Enter the Microsoft Entra ID (Azure AD) settings for Client ID, Tenant ID, and Client secret.

      If you set up Microsoft Entra ID (Azure AD) as described in this guide, you recorded these values when you registered the application in your tenant: the Client ID and Client secret belong to that app registration, and the Tenant ID identifies the tenant. See Set up directory service.

    4. Click Test Connection and make sure the connection is made.

    5. Click Save.

    Add Identity Provider page.

If you're setting up Okta as an identity provider, your ZTNA gateway must be version 1.1 or later.

Before you can use Okta as your identity provider, you must create and configure a new Okta app integration with the right settings for use with ZTNA.

To do this:

  • Create an app integration.
  • Add the identity provider to ZTNA.

We assume here that you have user groups in Okta. If you don't, use Okta's tools to synchronize groups from your directory service to Okta. Make sure you've also synchronized your groups with Sophos Central.

Create an app integration

  1. In the Okta dashboard, go to Applications.

    Okta dashboard menu.

  2. Click Create App Integration.

    Okta Applications page.

  3. In Create a new app integration, do as follows:

    1. Select OIDC.
    2. Select Web Application.

    Okta new application.

  4. In New Web App Integration, do as follows:

    1. Enter a name.
    2. Under Grant type, leave Authorization Code selected: that's the flow Okta uses to sign users in and return them to the redirect URI. Also select Client Credentials, which the integration uses to call the Okta API with the scopes you grant later.
    3. Select Refresh Token.

    Okta new app integration.

  5. On the same tab, in Sign-in redirect URIs, enter the address where Okta will send the authentication response and token. This must be the gateway host FQDN followed by /oauth2/callback. Okta only redirects to URIs that exactly match an entry in this list, so enter it with https and the same host name the gateway uses, with no extra path or query string. For example:

    https://ztna.mycompany.net/oauth2/callback

    Okta redirect URI.

    Note

    If you set up a gateway on Sophos Firewall, you must add a new redirect URI in the following format: https://<gateway's external FQDN>/ztna-oauth2/callback.

  6. In Assignments, select Skip group assignment for now.

    Okta assignments.

  7. Open your new application. On the General tab, make a note of the Client ID and Client Secret. You'll need them when you set up Okta as your identity provider in Sophos Central.

    ZTNA app details.

  8. On the Okta API Scopes tab, set the permissions that are needed:

    • okta.groups.read
    • okta.idps.read

    You only need okta.idps.read if you're using AD Sync.

    Okta API Scopes tab.

  9. On the Assignments tab, click Assign > Assign to Groups. Select your existing group of users.

    Okta Assignments tab.

  10. On the Sign On tab, go to OpenID Connect ID Token and do as follows:

    1. Click Edit.
    2. Add a Groups claim expression. For more information, see Add a custom groups claim.
    3. Click Save.

    OpenID Connect ID Token.

Add the identity provider to ZTNA

  1. Sign in to Sophos Central.
  2. Go to My Products > ZTNA > Identity Providers.
  3. Click Add identity provider.

    Identity providers page in Sophos Central.

  4. Enter your identity provider settings as follows:

    1. Enter a name and description.
    2. In Provider, select Okta.
    3. Enter the Okta settings for Client ID, Client secret, and Issuer URI.

      Client ID and Client secret are the values you noted from the app's General tab. Issuer URI is the URL of the Okta authorization server that issues your tokens, normally your Okta org URL, for example https://mycompany.okta.com. An OIDC relying party compares this value against the iss claim in every ID token it receives, so it must match exactly, including the https scheme and with no trailing slash.

    4. Click Test Connection and make sure the connection is made.

    5. Click Save.

    Add Identity Provider page.
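As an added example (not Sophos or Okta code), the Python below builds the exact redirect URI from the steps above for both gateway types, and then performs the relying-party checks on a constructed ID token: issuer against the Issuer URI, audience against the Client ID, expiry, nonce, and finally the groups claim configured on the Sign On tab. The org URL, Client ID, nonce, subject and token contents are placeholders invented for this example; the token's signature is a dummy, and real RS256 verification against Okta's published JWKS is assumed to happen before these checks.

```python
"""Okta OIDC plumbing for a ZTNA gateway, as an added example (not Sophos or Okta
code). It shows the two things the Okta procedure above depends on: the exact
redirect URI Okta will accept, and the ID-token checks (iss, aud, exp, nonce) a
relying party must pass before it trusts the groups claim you added on the Sign
On tab. Signature verification against Okta's published JWKS is mandatory in
production and is not shown, because it needs a live key set; the token below is
constructed, carries a dummy signature, and uses placeholder identifiers."""
from __future__ import annotations

import base64
import json
import time
from urllib.parse import urlsplit

ISSUER = "https://mycompany.okta.com"   # example Okta org URL; the Issuer URI field
CLIENT_ID = "0oa0example0client"        # placeholder, not a real Okta client ID
NONCE = "n-0S6_WzA2Mj"                  # value the gateway sent in its authorize request
NOW = 1_700_000_000                     # fixed clock so the example is reproducible


def build_redirect_uri(gateway_fqdn: str, on_sophos_firewall: bool = False) -> str:
    """Sign-in redirect URI to register in Okta: gateway FQDN plus the fixed path."""
    path = "/ztna-oauth2/callback" if on_sophos_firewall else "/oauth2/callback"
    return f"https://{gateway_fqdn.strip().lower().strip('/')}{path}"


def redirect_uri_matches(registered: str, presented: str) -> bool:
    """Redirect URIs must match exactly: no prefix or wildcard matching and no
    http, otherwise the authorization code can be sent to an attacker's URL."""
    return presented == registered and urlsplit(presented).scheme == "https"


def _b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def id_token_claims(token: str) -> dict:
    """Decode the payload of a compact JWS. This does NOT verify the signature;
    in production verify RS256 against Okta's JWKS first, then read the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_id_token(claims: dict, issuer_uri: str, client_id: str, nonce: str,
                   now: float | None = None) -> list[str]:
    """Apply the OIDC core checks and return the groups claim.
    Raises ValueError naming the first check that failed."""
    now = time.time() if now is None else now
    if claims.get("iss") != issuer_uri:
        raise ValueError(f"iss {claims.get('iss')!r} does not match Issuer URI {issuer_uri!r}")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("aud does not contain this gateway's Client ID")
    if claims.get("exp", 0) <= now:
        raise ValueError("ID token has expired")
    if claims.get("iat", now) > now + 60:          # allow a minute of clock skew
        raise ValueError("iat is in the future")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch: token was not issued for this sign-in")
    groups = claims.get("groups")
    if not isinstance(groups, list):
        raise ValueError("no groups claim: add the Groups claim expression on the Sign On tab")
    return groups


def make_sample_token(**overrides) -> str:
    """Constructed ID token with a dummy signature, for demonstration only."""
    header = {"alg": "RS256", "kid": "constructed-kid"}
    payload = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "00u0example0user",
               "iat": NOW - 10, "exp": NOW + 3600, "nonce": NONCE,
               "groups": ["ZTNA-Users", "Finance"], **overrides}
    seg = lambda obj: _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return f"{seg(header)}.{seg(payload)}.{_b64url_encode(b'not-a-real-signature')}"


if __name__ == "__main__":
    print(build_redirect_uri("ztna.mycompany.net"))
    token = make_sample_token()
    print("groups:", check_id_token(id_token_claims(token), ISSUER, CLIENT_ID, NONCE, now=NOW))
    try:
        check_id_token(id_token_claims(make_sample_token(aud="0oa0other0client")),
                       ISSUER, CLIENT_ID, NONCE, now=NOW)
    except ValueError as e:
        print("rejected:", e)
```

The order of checks matters less than the fact that every one of them runs before the groups list is used for access decisions: a token minted for a different Okta app (wrong aud), by a different issuer, for a different sign-in (wrong nonce), or one that has expired carries a groups claim that looks perfectly valid.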

Next, you set up a gateway.