
Add the identity provider (Entra ID/OpenID Connect/AD FS)

You need to set up an identity provider to use federated sign-in.

Requirements

You must be a Super Admin to use this feature.

  • You must verify a domain first. You can't set up an identity provider if you haven't verified a domain. See Verify a federated domain.

  • Check that you have the information needed to set up your identity provider.

Warning

If you want to use federated sign-in as your sign-in option, you must ensure that all your administrators and users are assigned to a domain and have an identity provider.

You can choose Microsoft Entra ID, OpenID Connect, or Microsoft AD FS as your identity provider to verify the identities of your administrators when they sign in. Refer to the following sections for the instructions on configuring your chosen identity provider.

Add Microsoft Entra ID as an identity provider

Before you add Microsoft Entra ID as an identity provider, you must follow the instructions in Use Microsoft Entra ID as an identity provider.

You must have a record of the Tenant ID for your Microsoft Entra ID instance.

To add Microsoft Entra ID, do as follows:

  1. Go to My Products > General Settings > Federated identity providers.
  2. Click Add identity provider.
  3. Enter a name and description.
  4. Click Type and choose Microsoft Entra ID.
  5. Click Vendor and choose Microsoft Entra ID.

    Setting up Microsoft Entra ID as an identity provider.

  6. Enter your Tenant ID.

  7. Click Select a domain and choose your domain.

    You can add multiple domains, but each user can only be associated with a single domain.

  8. Click Save.

  9. In Federated identity providers, select your identity provider and click Turn on.

    Note

    You can't turn on your provider if you haven't finished setting it up or if you've given invalid information.

You can now set up your sign-in settings. See Sophos sign-in settings.

Add OpenID Connect as an identity provider

Before you add OpenID Connect as an identity provider, you must follow the appropriate instructions in Use OpenID Connect as an identity provider.

We've used Okta as our example OpenID Connect provider in the images in these instructions.

To add OpenID Connect, do as follows:

  1. Go to My Products > General Settings > Federated identity providers.
  2. Click Add identity provider.
  3. Enter a name and description.
  4. Click Type and choose OpenID Connect.
  5. Click Vendor and choose your vendor.

    For example, Okta.

    Setting up Okta as an identity provider.

  6. Enter the following information.

    • Client ID: The Client ID of your Sophos Central application in Okta.
    • Issuer: Your Configured Custom Domain in Okta, in the form https://${DOMAIN}.okta.com.
    • Authz endpoint: ${Issuer}/oauth2/v1/authorize, where ${Issuer} is the Issuer value above (for example, https://${DOMAIN}.okta.com/oauth2/v1/authorize).
    • JWKS URL: ${Issuer}/oauth2/v1/keys (for example, https://${DOMAIN}.okta.com/oauth2/v1/keys).
  7. Click Select a domain and choose your domain.

    You can add multiple domains, but each user can only be associated with a single domain.

  8. Click Save.

  9. In Federated identity providers, select your identity provider and click Turn on.

    Note

    You can't turn on your provider if you haven't finished setting it up or if you've given invalid information.

You can now set up your sign-in settings. See Sophos sign-in settings.
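The Issuer, Authz endpoint and JWKS URL above must agree with what the provider itself publishes: every conformant OpenID Connect provider serves a discovery document at ${Issuer}/.well-known/openid-configuration, and the ID tokens Sophos Central later verifies will carry that issuer string and be signed with keys from that JWKS. The following Python script is an added example, not Sophos or Okta code: it derives the values from the Okta template on this page, compares them with a discovery document, and flags a typo, a trailing slash on the issuer, or an endpoint on a host the issuer does not control before you turn the provider on. The Okta org name dev-123456, the constructed discovery document, and the host keys.example.net are placeholders invented for the demonstration.

```python
"""Check OpenID Connect values against the provider's discovery document.

Added example, not Sophos or Okta code. It compares the Issuer, Authz endpoint
and JWKS URL you plan to enter in Sophos Central with what the provider
publishes at <issuer>/.well-known/openid-configuration.
"""
import json
import urllib.request
from urllib.parse import urlparse

# Constructed discovery document for a hypothetical Okta org "dev-123456";
# a real one carries many more fields.
SAMPLE_DISCOVERY = {
    "issuer": "https://dev-123456.okta.com",
    "authorization_endpoint": "https://dev-123456.okta.com/oauth2/v1/authorize",
    "jwks_uri": "https://dev-123456.okta.com/oauth2/v1/keys",
    "id_token_signing_alg_values_supported": ["RS256"],
}


def okta_defaults(domain: str) -> dict:
    """Derive the three URLs from the Okta template used on this page."""
    issuer = f"https://{domain}.okta.com"
    return {
        "issuer": issuer,
        "authz_endpoint": f"{issuer}/oauth2/v1/authorize",
        "jwks_url": f"{issuer}/oauth2/v1/keys",
    }


def fetch_discovery(issuer: str, timeout: float = 10.0) -> dict:
    """Download the live discovery document (needs network; the demo below does not use it)."""
    url = issuer.rstrip("/") + "/.well-known/openid-configuration"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def check_oidc_settings(entered: dict, discovery: dict) -> list:
    """Return the problems found; an empty list means the values are consistent."""
    problems = []
    issuer = entered["issuer"]
    iss = urlparse(issuer)

    if iss.scheme != "https":
        problems.append("issuer must use https")
    # Discovery requires an exact string match: a trailing slash is a mismatch,
    # and the ID token's "iss" claim will not validate against the stored value.
    if issuer != discovery.get("issuer"):
        problems.append(
            f"issuer {issuer!r} does not match discovery issuer {discovery.get('issuer')!r}")

    for key, disc_key in (("authz_endpoint", "authorization_endpoint"),
                          ("jwks_url", "jwks_uri")):
        value = entered.get(key, "")
        expected = discovery.get(disc_key)
        url = urlparse(value)
        if url.scheme != "https":
            problems.append(f"{key} must use https")
        # Whoever controls the JWKS host can publish keys that make forged
        # tokens verify, so both endpoints must live on the issuer's own host.
        if url.netloc != iss.netloc:
            problems.append(f"{key} host {url.netloc!r} differs from issuer host {iss.netloc!r}")
        if value != expected:
            problems.append(f"{key} {value!r} does not match discovery {disc_key} {expected!r}")

    algs = discovery.get("id_token_signing_alg_values_supported", [])
    if "none" in algs:
        problems.append("provider advertises the 'none' ID token signing algorithm")
    if "RS256" not in algs:
        problems.append("provider does not advertise RS256 for ID tokens")
    return problems


if __name__ == "__main__":
    good = okta_defaults("dev-123456")
    print("good:", check_oidc_settings(good, SAMPLE_DISCOVERY))
    bad = dict(good, issuer="https://dev-123456.okta.com/",
               jwks_url="https://keys.example.net/oauth2/v1/keys")
    for problem in check_oidc_settings(bad, SAMPLE_DISCOVERY):
        print("bad:", problem)
```

To run it against a live tenant, replace SAMPLE_DISCOVERY with fetch_discovery(issuer); the same comparison applies to any OpenID Connect vendor, not only Okta, as long as you substitute that vendor's issuer for the Okta template.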

Add Microsoft AD FS as an identity provider

Before you add Microsoft AD FS as an identity provider, you must follow the instructions in Use Microsoft AD FS as an identity provider.

You must know your AD FS metadata URL.

To add Microsoft AD FS, do as follows:

  1. Go to My Products > General Settings > Federated identity providers.
  2. Click Add identity provider.
  3. Enter a name and description.
  4. Click Type and choose Microsoft AD FS.
  5. Click Vendor and choose your vendor.

    Setting up Microsoft AD FS as an identity provider.

  6. Enter your AD FS metadata URL.

  7. Click Select a domain and choose your domain.

    You can add multiple domains, but each user can only be associated with a single domain.

  8. Click Save.

  9. In Federated identity providers, select your identity provider and make a note of the following:

    • Entity ID.
    • Callback URL.
  10. Add your Entity ID and Callback URL to your AD FS configuration.

  11. In Federated identity providers, select your identity provider and click Turn on.

    Note

    You can't turn on your provider if you haven't finished setting it up or if you've given invalid information.

You can now set up your sign-in settings. See Sophos sign-in settings.
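Before pasting the AD FS metadata URL into Sophos Central it is worth confirming that it really points at your farm's federation metadata (AD FS publishes it at https://<AD FS FQDN>/FederationMetadata/2007-06/FederationMetadata.xml), that the document names the entity you expect, and that it carries the token-signing certificate Sophos Central will use to verify assertions. The following Python script is an added example, not Sophos or Microsoft code: it parses a federation metadata document and reports the entity ID, signing certificates and single sign-on endpoints, flagging endpoints that are not HTTPS or not on the metadata host. The host adfs.example.com and the trimmed XML document are constructed for the demonstration; a real metadata file is much larger and carries a full XML signature.

```python
"""Inspect an AD FS federation metadata document before using its URL in Sophos Central.

Added example, not Sophos or Microsoft code. The SAMPLE_METADATA below is a
constructed, heavily trimmed stand-in for a real FederationMetadata.xml.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed sample: AD FS's default entity ID is http://<fqdn>/adfs/services/trust
# (an identifier, not a URL), and its SSO endpoint is https://<fqdn>/adfs/ls/.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://adfs.example.com/adfs/services/trust">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo/></ds:Signature>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data>
        <ds:X509Certificate>MIICconstructedPlaceholderCertificate</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.example.com/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def inspect_adfs_metadata(xml_text: str, metadata_url: str) -> dict:
    """Summarise the metadata and list problems; an empty problems list is a pass."""
    root = ET.fromstring(xml_text)
    if root.tag != MD + "EntityDescriptor":
        raise ValueError("document is not a SAML EntityDescriptor")

    md_url = urlparse(metadata_url)
    problems = []
    if md_url.scheme != "https":
        problems.append("metadata URL must use https")
    # Real AD FS metadata is XML-signed; without a signature you are trusting
    # TLS alone for the integrity of the certificate you are about to import.
    if root.find(DS + "Signature") is None:
        problems.append("metadata carries no XML signature")

    certs, sso = [], {}
    idp = root.find(MD + "IDPSSODescriptor")
    if idp is None:
        problems.append("no IDPSSODescriptor: this entity does not act as an identity provider")
    else:
        for kd in idp.findall(MD + "KeyDescriptor"):
            # A KeyDescriptor without a "use" attribute serves both signing and encryption.
            if kd.get("use", "signing") == "signing":
                certs.extend(c.text.strip() for c in kd.iter(DS + "X509Certificate") if c.text)
        for svc in idp.findall(MD + "SingleSignOnService"):
            loc = svc.get("Location", "")
            sso[svc.get("Binding", "")] = loc
            loc_url = urlparse(loc)
            if loc_url.scheme != "https":
                problems.append(f"SSO endpoint {loc} is not https")
            if loc_url.netloc != md_url.netloc:
                problems.append(f"SSO endpoint {loc} is not on the metadata host {md_url.netloc}")
        if not certs:
            problems.append("no signing certificate: assertions could not be verified")

    return {
        "entity_id": root.get("entityID"),
        "signing_certs": certs,
        "sso_endpoints": sso,
        "problems": problems,
    }


if __name__ == "__main__":
    url = "https://adfs.example.com/FederationMetadata/2007-06/FederationMetadata.xml"
    for key, value in inspect_adfs_metadata(SAMPLE_METADATA, url).items():
        print(f"{key}: {value}")
```

For a live farm, fetch the metadata URL over HTTPS (for example with urllib.request.urlopen) and pass the response body as xml_text; the entity ID it reports is the AD FS side of the trust, which is distinct from the Entity ID and Callback URL that Sophos Central shows you in step 9 and that you add to the AD FS relying party configuration.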