
Add an identity provider

This option may not be available to all customers yet.

You need to set up an identity provider to use federated sign-in.

Requirements

  • You must be a Super Admin.

  • You must verify a domain first. You can't set up an identity provider if you haven't verified a domain. See Verify a federated domain.

  • Check that you have the information needed to set up your identity provider.

Warning

If you want to use federated sign-in as your sign-in option, you must ensure that all your administrators and users are assigned to a domain and have an identity provider.

Add an identity provider

To add an identity provider, do as follows:

  1. Go to Global Settings > Federated identity providers.
  2. Click Add identity provider.

    Add an identity provider

  3. Choose an identity provider and enter the information needed.

  4. Turn on your identity provider.

Add Microsoft Azure AD as an identity provider

Before you add Azure AD as an identity provider, you must follow the instructions in Use Azure AD as an identity provider.

You must have a record of the Tenant ID for your Azure AD instance.

To add Microsoft Azure AD, do as follows:

  1. Go to Global Settings > Federated identity providers.
  2. Click Add identity provider.
  3. Enter a name and description.
  4. Click Type and choose Microsoft Azure AD.
  5. Click Vendor and choose Microsoft Azure AD.

    Setting up Azure AD as an identity provider

  6. Enter your Tenant ID.

  7. Click Select a domain and choose your domain.

    You can add more than one domain. You can only associate a user with one domain.

  8. Click Save.

  9. In Federated identity providers, select your identity provider and click Turn on.

    Note

    You can't turn on your provider if you haven't finished setting it up or if you've given invalid information.

You can now set up your sign-in settings. See Sophos sign-in settings.

Add Open ID Connect as an identity provider

Before you add Open ID Connect as an identity provider, you must follow the appropriate instructions in Use OpenID Connect as an identity provider.

We've used Okta as our example Open ID Connect provider in the images in these instructions.

To add Open ID Connect, do as follows:

  1. Go to Global Settings > Federated identity providers.
  2. Click Add identity provider.
  3. Enter a name and description.
  4. Click Type and choose Open ID Connect.
  5. Click Vendor and choose your vendor.

    For example, Okta.

    Setting up Okta as an identity provider

  6. Enter the following information.

    • Client ID: This is the Client ID for your Sophos Central application in Okta.
    • Issuer: This is your Okta authorization domain.
    • Authz endpoint: This is https://${Issuer}/oauth2/v1/authorize.
    • JWKS URL: This is https://${Issuer}/oauth2/v1/keys.
  7. Click Select a domain and choose your domain.

    You can add more than one domain. You can only associate a user with one domain.

  8. Click Save.

  9. In Federated identity providers, select your identity provider and click Turn on.

    Note

    You can't turn on your provider if you haven't finished setting it up or if you've given invalid information.

You can now set up your sign-in settings. See Sophos sign-in settings.
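As an added example that is not part of the Sophos documentation, the following Python script pre-checks the four step 6 values before you click Save: it expands the Okta templates from the Issuer, flags an unexpanded ${Issuer} placeholder, a non-HTTPS URL or a host that differs from the Issuer, and compares the URLs with the provider's discovery document. The tenant name, client ID and discovery document are constructed placeholders.

```python
import json
from urllib.parse import urlparse

# Endpoint templates from step 6 above (Okta as the example vendor).
AUTHZ_TEMPLATE = "https://{issuer}/oauth2/v1/authorize"
JWKS_TEMPLATE = "https://{issuer}/oauth2/v1/keys"


def derive_okta_endpoints(issuer: str) -> dict:
    """Expand the templates from a bare issuer host (scheme and trailing slash stripped)."""
    host = issuer.removeprefix("https://").rstrip("/")
    return {"Issuer": host,
            "Authz endpoint": AUTHZ_TEMPLATE.format(issuer=host),
            "JWKS URL": JWKS_TEMPLATE.format(issuer=host)}


def check_oidc_values(entered: dict, discovery: dict) -> list:
    """Return problems with the step 6 fields, checked against the provider's discovery document."""
    problems = []
    if not entered.get("Client ID"):
        problems.append("Client ID is empty")
    issuer_host = entered["Issuer"]
    if discovery.get("issuer") != "https://" + issuer_host:
        problems.append("Issuer does not match the provider's discovery document")
    for field, key in (("Authz endpoint", "authorization_endpoint"),
                       ("JWKS URL", "jwks_uri")):
        value = entered.get(field, "")
        url = urlparse(value)
        if "$" in value:  # e.g. a ${Issuer} placeholder left unexpanded
            problems.append(f"{field} contains an unexpanded template placeholder")
        if url.scheme != "https":
            problems.append(f"{field} must use https")
        if url.netloc != issuer_host:
            problems.append(f"{field} host {url.netloc!r} is not the Issuer {issuer_host!r}")
        if discovery.get(key) != value:
            problems.append(f"{field} differs from the provider's {key}")
    return problems


# Constructed sample discovery document; example.okta.com is a placeholder tenant.
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://example.okta.com",
  "authorization_endpoint": "https://example.okta.com/oauth2/v1/authorize",
  "jwks_uri": "https://example.okta.com/oauth2/v1/keys"
}""")

if __name__ == "__main__":
    values = derive_okta_endpoints("https://example.okta.com/")
    values["Client ID"] = "0oaPLACEHOLDER"  # placeholder, not a real client ID
    print(check_oidc_values(values, SAMPLE_DISCOVERY))  # []
```

In a real check, replace SAMPLE_DISCOVERY with the JSON fetched from https://${Issuer}/.well-known/openid-configuration.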

Add Microsoft AD FS as an identity provider

Before you add Microsoft AD FS as an identity provider, you must follow the instructions in Use Microsoft AD FS as an identity provider.

You must know your AD FS metadata URL.

To add Microsoft AD FS, do as follows:

  1. Go to Global Settings > Federated identity providers.
  2. Enter a name and description.
  3. Click Type and choose Microsoft AD FS.
  4. Click Vendor and choose your vendor.

    Setting up Microsoft AD FS as an identity provider

  5. Enter your AD FS metadata URL.

  6. Click Select a domain and choose your domain.

    You can add more than one domain. You can only associate a user with one domain.

  7. Click Save.

  8. In Federated identity providers, select your identity provider and make a note of the following:
    • Entity ID.
    • Callback URL.
  9. Add your Entity ID and Callback URL to your AD FS configuration.
  10. In Sophos Central, go to Global Settings > Federated identity providers, select your identity provider and click Turn on.

    Note

    You can't turn on your provider if you haven't finished setting it up or if you've given invalid information.

You can now set up your sign-in settings. See Sophos sign-in settings.
