Set up an identity provider

You can use Microsoft Entra ID (Azure AD) for user synchronization and as an identity provider.

Make sure you've already set up Microsoft Entra ID (Azure AD) user groups and synced them with Sophos Central.

1. Sign in to Sophos Central.

2. In the left menu, select ZTNA.

   

3. In Zero Trust Network Access, do as follows:

   1. In the left menu, select Identity Providers.
   2. Click Add identity provider.

   

4. Enter your identity provider settings as follows:

   1. Enter a name and description.
   2. In Provider, ensure Microsoft Entra ID (Azure AD) is selected.

   3. Enter the Microsoft Entra ID (Azure AD) settings for Client ID, Tenant ID, and Client secret.

      If you set up Microsoft Entra ID (Azure AD) as described in this guide, you gathered these settings when you created the tenant. See Set up directory service.

   4. Click Test Connection and make sure the connection is made.

   5. Click Save.

   

Before you can use Okta as your identity provider, you must create and configure a new Okta app integration with the right settings for use with ZTNA.

To do this, you do as follows:

• Create an app integration.
• Add the identity provider to ZTNA.

We assume here that you have user groups in Okta. If you don't, use Okta's tools to synchronize groups from your directory service to Okta. Make sure you've also synchronized your groups with Sophos Central.

Create an app integration

1. In the Okta dashboard, go to Applications.

   

2. Click Create App Integration.

   

3. In Create a new app integration, do as follows:

   1. Select OIDC.
   2. Select Web Application.

   

4. In OpenID Connect ID Token, do as follows:

   1. Click Edit.
   2. Add a Groups claim expression.
   3. Click Save.

   

5. In New web application integration, do as follows:

   1. Enter a name.
   2. Select Client credentials.
   3. Select Refresh token.

   

6. On the same tab, in Sign-in redirect URI, enter the address where Okta will send the authentication response and token. This must be the gateway host FQDN followed by /oauth2/callback. For example:

   https://ztna.mycompany.net/oauth2/callback

   

7. In Assignments, select Skip group assignments for now.

   

8. Open your new application. On the General tab, make a note of the Client ID and Client Secret. You'll need them when you set up Okta as your identity provider in Sophos Central.

   

9. On the Okta API Scopes tab, set the permissions that are needed:

   • okta.groups.read
   • okta.idps.read

   You only need okta.idps.read if you're using AD Sync.

   

10. On the Assignments tab, click Assign > Assign to groups. Select your existing group of users.

    

Add the identity provider to ZTNA

1. Sign in to Sophos Central. In the left menu, select ZTNA.

   

2. On the Zero Trust Network Access page, do as follows:

   1. In the left menu, select Identity Providers.
   2. Click Add identity provider.

   

3. Enter your identity provider settings as follows:

   1. Enter a name and description.
   2. In Provider, select Okta.

   3. Enter the Okta settings for Client ID, Client secret, and Issuer URI.

      These are the Okta settings noted earlier.

   4. Click Test Connection and make sure the connection is made.

   5. Click Save.