
Use OpenID Connect as an identity provider

You can set up Service-Provider-Initiated single sign-on with OpenID Connect (OIDC) identity providers.

Requirements

You must be an Enterprise Super Admin.

Warning

If you want to use federated sign-in as your sign-in option, you must make sure that all your administrators are assigned to a domain and have an identity provider.

You must verify a domain first. See Verify a federated domain.

If you want to add OpenID Connect as an identity provider, you must do the following:

  • Configure your identity provider to allow Sophos Central to verify administrators.
  • Make sure that your identity provider accepts authorization requests from Sophos Central.
  • Give us the information we need to communicate with your identity provider. We need the following information:

    • Client ID
    • Issuer
    • Authz endpoint
    • JWKS URL

Authentication requests

We make implicit grant flow authentication requests to an OIDC identity provider, asking for an ID token directly (response_type=id_token). We don't request an authorization code or an access token. Your app integration settings for your identity provider must accept the following OAuth 2.0/OIDC authorization request, and must allow https://federation.sophos.com/login/callback as the redirect URI that the response is posted back to.

GET …/oauth2/v1/authorize with these query parameters:

  client_id=xxxxxxxxxxxxxxxxxxxxxxxxxx
  scope=openid profile email
  response_type=id_token
  redirect_uri=https://federation.sophos.com/login/callback
  login_hint=xxxxxxxxxxxxxxxxxxxxxxxxxx
  response_mode=form_post
  nonce=xxxxxxxxxxxxxxxxxxxxxxxxxx
  state=xxxxxxxxxxxxxxxxxxxxxxxxxx

Set up Okta as an identity provider

If you want to add Okta as your identity provider, you must do as follows:

  • Set up an OIDC (OpenID Connect) Single-Page Application that uses the implicit grant, for use with Sophos Central.
  • Get the information we need to communicate with Okta.

Set up an app integration for Sophos Central

We recommend that you read the Okta documentation for more information on how to configure Okta application integrations. See the Okta help, Sign users in overview.

Note

These instructions give an overview of how to set up an app integration for Sophos Central in Okta.

To set up an app integration, do as follows:

  1. Sign in to your Okta account.
  2. Go to Applications.
  3. Click Create App Integration.

  4. Click OIDC – OpenID Connect.

  5. Click Single-Page Application.

  6. Click Next.

  7. Give a name for the app integration.

    You must give a unique name. For example "Sophos Central SSO 1".

  8. In Grant type choose Implicit (hybrid).

  9. In Sign-in redirect URIs enter https://federation.sophos.com/login/callback.

    This authorizes authentication requests from Sophos Central.

  10. Click Save.

  11. Select your Sophos Central application and click General Settings.

    • Turn on Allow ID Token with implicit grant type.

      You don't need to turn on Allow Access Token with implicit grant type, because Sophos Central only requests an ID token (response_type=id_token).

Get the information you need to add Okta as your identity provider

To get the information, do as follows:

  1. You need to know your Okta authorization domain. To find this do as follows:

    1. Go to Customizations and click Domain.
    2. Look for Custom URL Domain.
    3. Find Configured Custom Domain and make a note of it.

      You enter this information in Issuer when you set up Okta in Sophos Central Enterprise.

      The screenshot shows an example domain, login.pennitest.net, which is used in the examples below.

      You also use this information to get the values for Authz endpoint and JWKS URL.

  2. Authz endpoint and JWKS URL are derived from your authorization domain.

    • Your Authz endpoint is your authorization domain followed by a standard path ending in authorize. The full URL has this format: https://{$Issuer}/oauth2/v1/authorize. For help on finding your Authz endpoint, see the Okta API reference for authorize.

      Using the example domain, the Authz endpoint is https://login.pennitest.net/oauth2/v1/authorize.

    • Your JWKS URL is your authorization domain followed by a standard path ending in keys. The full URL has this format: https://{$Issuer}/oauth2/v1/keys. For help on finding your JWKS URL, see the Okta API reference for keys.

      Using the example domain, the JWKS URL is https://login.pennitest.net/oauth2/v1/keys.

    You can check all three values against the discovery document Okta serves at https://{$Issuer}/.well-known/openid-configuration: its issuer, authorization_endpoint and jwks_uri fields must match what you enter. The Issuer must match the iss claim of the ID tokens Okta issues exactly (same scheme and host, no trailing slash), because an OIDC relying party rejects tokens whose iss differs from the configured Issuer.

  3. Go to Applications and click Applications.

  4. Select your Sophos Central application.
  5. Look for Client Credentials.

    1. Find your Client ID. Make a note of it as you need this to set up Okta as your identity provider.

You can now add Okta as an identity provider. See Add an identity provider.

Use Google Workspace as an identity provider

We recommend that you read the following Google help pages: