Add an identity provider

You need to set up an identity provider to use federated sign-in.

Requirements

You must be a Partner Super Admin.

Warning

If you want to use federated sign-in as your sign-in option, you must ensure that all your administrators are assigned to a domain and have an identity provider.

  • You must verify a domain first. You can't set up an identity provider if you haven't verified a domain. See Verify a federated domain.
  • Check that you have the information needed to set up your identity provider.

Add an identity provider

To add an identity provider, do as follows:

  1. Go to Settings & Policies > Federated identity providers.
  2. Click Add identity provider.

    Add an identity provider.

  3. Choose an identity provider and enter the information needed.

  4. Turn on your identity provider.

    Note

    If you're editing an existing provider, you can choose whether to continue using MFA or not.

Add Microsoft Entra ID (Azure AD) as an identity provider

Before you add Microsoft Entra ID (Azure AD) as an identity provider, you must follow the instructions in Use Microsoft Entra ID (Azure AD) as an identity provider.

You must have a record of the Tenant ID for your Microsoft Entra ID (Azure AD) instance.

To add Microsoft Entra ID (Azure AD), do as follows:

  1. Go to Settings & Policies > Federated identity providers.
  2. Click Add identity provider.
  3. Enter a name and description.
  4. Click Type and choose Microsoft Entra ID (Azure AD).
  5. Click Vendor and choose Microsoft Entra ID (Azure AD).

    Setting up Microsoft Entra ID (Azure AD) as an identity provider.

  6. Enter your Tenant ID.

  7. Click Select a domain and choose your domain.

    You can add more than one domain. You can only associate a user with one domain.

  8. Click Save.

  9. In Federated identity providers, select your identity provider and click Turn on.

    Note

    You can't turn on your provider if you haven't finished setting it up or if you've given invalid information.

You can now set up your sign-in settings. See Sophos sign-in settings.

Add Open ID Connect as an identity provider

Before you add Open ID Connect as an identity provider, you must follow the appropriate instructions in Use OpenID Connect as an identity provider.

We've used Okta as our example Open ID Connect provider in the images in these instructions.

To add Open ID Connect, do as follows:

  1. Go to Settings & Policies > Federated identity providers.
  2. Click Add identity provider.
  3. Enter a name and description.
  4. Click Type and choose Open ID Connect.
  5. Click Vendor and choose your vendor.

    For example, Okta.

    Setting up Okta as an identity provider.

  6. Enter the following information.

    • Client ID: This is the Client ID for your Sophos Central application in Okta.
    • Issuer: This is your Configured Custom Domain in Okta. It is https://${DOMAIN}.okta.com.
    • Authz endpoint: This is https://${Issuer}/oauth2/v1/authorize.
    • JWKS URL: This is https://${Issuer}/oauth2/v1/keys.
  7. Click Select a domain and choose your domain.

    You can add more than one domain. You can only associate a user with one domain.

  8. Click Save.

  9. In Federated identity providers, select your identity provider and click Turn on.

    Note

    You can't turn on your provider if you haven't finished setting it up or if you've given invalid information.

You can now set up your sign-in settings. See Sophos sign-in settings.
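
As an added example (not Sophos or Okta code), the following Python check derives the four values step 6 asks for from an Okta domain and flags the entry mistakes that would stop the provider turning on, or would point token validation at a key set on a different origin than the issuer. It assumes the Issuer is entered as the full https URL, so the scheme is not repeated in the endpoint URLs; the domain and Client ID used are constructed sample values.

```python
from urllib.parse import urlparse


def okta_oidc_settings(domain: str, client_id: str) -> dict:
    """Build the values the form asks for, following the page's Okta URL layout.

    The Issuer is the full https URL, so the endpoints are appended to it
    rather than prefixed with a second "https://".
    """
    issuer = f"https://{domain}.okta.com"
    return {
        "client_id": client_id,
        "issuer": issuer,
        "authz_endpoint": f"{issuer}/oauth2/v1/authorize",
        "jwks_url": f"{issuer}/oauth2/v1/keys",
    }


def check_oidc_settings(settings: dict) -> list:
    """Return a list of problems with the entered values; empty means consistent."""
    problems = []
    if not settings.get("client_id"):
        problems.append("client_id is empty")
    issuer = settings.get("issuer", "")
    iss = urlparse(issuer)
    if iss.scheme != "https" or not iss.netloc:
        problems.append("issuer must be an absolute https URL")
    if issuer.endswith("/"):
        problems.append("issuer must not end with '/'")
    for key in ("authz_endpoint", "jwks_url"):
        url = settings.get(key, "")
        u = urlparse(url)
        if u.scheme != "https":
            problems.append(f"{key} must use https")
        # Keys and the authorize endpoint must live on the issuer's own origin,
        # otherwise tokens would be checked against someone else's JWKS.
        if (u.scheme, u.netloc) != (iss.scheme, iss.netloc):
            problems.append(f"{key} is not on the issuer's origin")
    for key, value in settings.items():
        # A literal "${DOMAIN}" or "${Issuer}" means the placeholder was pasted unexpanded.
        if "$" in str(value):
            problems.append(f"{key} still contains an unexpanded placeholder")
    return problems


if __name__ == "__main__":
    sample = okta_oidc_settings("example-corp", "0oa-constructed-sample")  # constructed values
    print(sample)
    print(check_oidc_settings(sample))  # [] when everything is consistent
```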

Add Microsoft AD FS as an identity provider

Before you add Microsoft AD FS as an identity provider, you must follow the instructions in Use Microsoft AD FS as an identity provider.

You must know your AD FS metadata URL.

To add Microsoft AD FS, do as follows:

  1. Go to Settings & Policies > Federated identity providers.
  2. Enter a name and description.
  3. Click Type and choose Microsoft AD FS.
  4. Click Vendor and choose your vendor.

    Setting up Microsoft AD FS as an identity provider.

  5. Enter your AD FS metadata URL.

  6. Click Select a domain and choose your domain.

    You can add more than one domain. You can only associate a user with one domain.

  7. Click Save.

  8. In Federated identity providers, select your identity provider and make a note of the following:

    • Entity ID.
    • Callback URL.
  9. Add your Entity ID and Callback URL to your AD FS configuration.

  10. In Sophos Central Partner, go to Settings & Policies > Federated identity providers, select your identity provider and click Turn on.

    Note

    You can't turn on your provider if you haven't finished setting it up or if you've given invalid information.

You can now set up your sign-in settings. See Sophos sign-in settings.