The Definitions & Users > Authentication Services > Global Settings tab lets you configure basic authentication options. The following options are available:
Create users automatically: When this option is selected, Sophos UTM on AWS will automatically create a user object whenever unknown users of a configured backend group successfully authenticate against one of the various authentication services supported by Sophos UTM on AWS. For example, if you configure a RADIUS backend group and you add this group as a member to one of the roles defined on the Management > WebAdmin Settings > Access Control tab, Sophos UTM on AWS will automatically create a user definition for RADIUS users who have successfully logged in to WebAdmin.
Note – To use the Sophos Transparent Authentication Suite, you need to enable the automatic user creation for STAS.
Automatic User Creation for Facilities: Automatic user creation can be enabled or disabled for specific services. Users are only created for enabled services. This option is not available—and automatic user creation is disabled for all facilities—when the Create users automatically option is not selected.
Those user objects are also needed to grant access to the User Portal of Sophos UTM on AWS. In addition, for all user objects created automatically an X.509 certificate will be generated. Note, however, that automatic user creation will fail in case of an email address conflict, for the user definition to be created automatically must not have configured an email address that is already present on the system. All email addresses must be unique within the system because they are used as identifiers for X.509 certificates.
Important Note – Authentication (i.e., the action of determining who a user is) and authorization (i.e., the action of determining what a user is allowed to do) for users whose user object was created automatically are always done on the remote backend server/directory service. Therefore, automatically created user objects in Sophos UTM on AWS are useless if the corresponding backend server is not available or if the user object has been deleted on the remote site.
Note also that except for Active Directory Single Sign-On (SSO) Sophos UTM on AWS caches user authentication data it has retrieved from a remote authentication server for 300 seconds. For this reason, changes made to the remote user settings will only take effect after the cache has expired.
Every time Sophos UTM on AWS gets a user request, e.g., http, from a yet unknown user and authentication is required, the Sophos User Authentication (SUA) writes an entry to the authentication cache. Over time, in environments with frequently changing users it can be reasonable to empty the cache from time to time. Also, if you want to force an immediate new authentication for all users. Use the button Flush Authentication Cache to empty the authentication cache.
An authentication is valid for 300 seconds. During this time, other authentication requests by the same user are looked up directly in the cache. This technique takes load off backend authentication services like eDirectory.
Note – Flushing the cache does not affect users that are remotely logged on.