Use Microsoft AD FS as an identity provider

You can add Microsoft AD FS as an identity provider.

You can use Microsoft AD FS to verify the identities of your administrators and users when they sign in to Sophos Central products. You need to add Microsoft AD FS as an identity provider to do this.

Requirements

You must be a Super Admin.

Warning

If you want to use federated sign-in as your sign-in option you must make sure that all your administrators and users are assigned to a domain and have an identity provider.

You must verify a domain first. See Verify a federated domain.

AD FS is a service provided by Microsoft on Windows Server. It allows you to authenticate using existing Active Directory credentials.

If you want to use AD FS as an identity provider, you must do the following:

  • Ensure you have an AD FS server.
  • Ensure that your Sophos Central administrators and users are in the Active Directory forest that you want to use for authentication.
  • Ensure that the emails in the forest match those assigned to your administrators and users in Sophos Central.
  • Get consent and authorization from your AD admin to use your organization's AD with Sophos Central.
  • Find your Microsoft AD FS metadata URL.

Microsoft AD FS metadata URL

You need to know your Microsoft AD FS metadata URL before adding Microsoft AD FS as an identity provider. To find this, do as follows:

  1. Go to Federation Metadata Explorer.
  2. Follow the on-screen instructions to get your AD FS metadata.
  3. Make a note of your Microsoft AD FS metadata URL as you need this to set up AD FS as an identity provider.

You can now add AD FS as an identity provider. See Add the identity provider (Entra ID/Open IDC/ADFS).

For general help on Microsoft AD FS, see AD FS help.

Add Sophos Central as a Relying Party Trust in Microsoft AD FS

In AD FS, you can add Sophos Central as a Relying Party Trust so AD FS can accept claims from Sophos Central.

Before you begin, ensure you've set up a federated sign-in in Sophos Central. See Set up Federated sign-in.

To add Sophos Central as a Relying Party Trust, do as follows:

  1. In Microsoft AD FS, open Server Manager.
  2. Click Tools and select AD FS Management.
  3. Under Actions, click Add Relying Party Trust.
  4. In Welcome, select Claims Aware.
  5. In Select Data Source, select Enter data about the relying party manually and click Next.
  6. In Specify Display Name, enter a name and click Next.
  7. In Choose Profile, select AD FS profile and click Next.
  8. In Configure Certificate, click Next.
  9. In Configure URL, do as follows:

    1. Select Enable support for the WS-Federation Passive protocol.
    2. Enter the Sophos Central callback URL in Relying party WS-Federation Passive protocol URL.

      To find the callback URL, do as follows:

      1. In Sophos Central, go to Global Settings > Federated identity providers.
      2. Select your identity provider and copy the URL in Callback URL.
    3. Click Next.

  10. In Configure Identifiers, enter your entity ID in Relying party trust identifier, click Add, and click Next.

    To find the entity ID, do as follows:

    1. In Sophos Central, go to My Products > General Settings > Federated identity providers.
    2. Select your identity provider and copy the ID in Entity ID.
  11. (Optional) In Configure Multi-factor Authentication Now?, configure multi-factor authentication if required.

  12. In Choose Issuance Authorization Rules, select Permit all users to access this relying party and click Next.
  13. In Ready to add trust, retain the default settings and click Next.
  14. In Finish, select Open the Edit Claim Rules dialog for this claims provider trust when the wizard closes and click Close.

    The Edit Claim Rules dialog appears.

  15. In Edit Claim Rules, in Issuance Transform Rules, click Add rule.

    The Add Transform Claim Rule Wizard opens.

  16. In Choose Rule Type, in Claim rule template, select Send LDAP Attributes as Claims and click Next.

  17. In Configure Claim Rule, do as follows:

    1. In Claim rule name, enter a name for the rule.
    2. In Attribute store, select Active Directory.
    3. In Mapping LDAP attributes to outgoing claim types, map the attributes as shown in the following table:

      LDAP Attribute       Outgoing claim type
      E-mail-Addresses     Name ID
      Given-Name           Given Name
      Surname              Surname
      E-mail-Addresses     E-mail Address
    4. Click Finish.
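
The wizard steps above can also be scripted with the AD FS PowerShell module, which is useful for reproducing the trust on a second server or checking that the endpoint and identifier were entered exactly. This is an added example, not a script from Sophos or Microsoft; the callback URL and entity ID are placeholders for the values copied from Sophos Central, and the claim type URIs are the standard ones that the Name ID, Given Name, Surname and E-mail Address templates issue.

```powershell
# Added example: scripted equivalent of the Add Relying Party Trust wizard steps above.
# Placeholders: replace with the Callback URL and Entity ID copied from Sophos Central.
$CallbackUrl = "https://<sophos-central-callback-url-placeholder>"
$EntityId    = "<sophos-central-entity-id-placeholder>"

Import-Module ADFS

# Step 17: "Send LDAP Attributes as Claims" rule in AD FS claim rule language.
# Same mapping as the table: mail -> Name ID, givenName -> Given Name,
# sn -> Surname, mail -> E-mail Address.
$TransformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Sophos Central user attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"),
          query = ";mail,givenName,sn,mail;{0}", param = c.Value);
'@

# Step 12: "Permit all users to access this relying party".
$AuthorizationRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Steps 9 and 10: WS-Federation passive endpoint (callback URL) and trust identifier (entity ID).
Add-AdfsRelyingPartyTrust -Name "Sophos Central" `
    -Identifier $EntityId `
    -WSFedEndpoint $CallbackUrl `
    -IssuanceTransformRules $TransformRules `
    -IssuanceAuthorizationRules $AuthorizationRules

# Check: the trust exists and its endpoint and identifier match what Sophos Central shows,
# since a typo in either value makes every federated sign-in fail.
$Trust = Get-AdfsRelyingPartyTrust -Name "Sophos Central"
if ($Trust.WSFedEndpoint.AbsoluteUri -ne ([uri]$CallbackUrl).AbsoluteUri) {
    throw "WS-Federation endpoint does not match the Sophos Central callback URL"
}
if ($Trust.Identifier -notcontains $EntityId) {
    throw "Relying party identifier does not match the Sophos Central entity ID"
}
```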

You can now add Microsoft AD FS as an identity provider. See Add the identity provider (Entra ID/Open IDC/ADFS).