
Active Directory Integration with two-way-synchronization

Hi!

Until now I worked with Sophos users on my XG, now I want an AD integration. I want a two-way-sync, so for example, if I change the password in the domain, I want to be able to log in to the XG with the new password and vice versa.

Does the Active Directory integration of the XG allow this?

Regards
Luca



This thread was automatically locked due to age.
  • Hi Giovani

     


    Check https://community.sophos.com/kb/en-us/123155 for instructions on how to integrate with AD and https://community.sophos.com/kb/en-us/123156 for instructions on Clientless SSO.

    But as you said yourself, this is SSO, and not the Active Directory integration, although SSO uses AD...
    This is the plain AD:

     


    But it's not actually a two-way sync as nothing will ever be written at the AD by the XG.

    Okay, makes sense that it can't be a two way-sync. I just guessed it, because when I log in with an AD-user into the userportal there was the "change password" option, but I didn't see the message, that this is not available for AD-users.

     


    When you integrate with AD the authentication always happens at AD, XG only forwards the authentication requests.

    Are you talking about SSO or the actual AD-integration here?

     

    Regards
    Luca

Children
  • Hey, Luca.

    lucakuehne said:
    But as you said yourself, this is SSO, and not the Active Directory integration, although SSO uses AD...

    SSO depends on AD for sure.

    Please, forgive me. I presumed you were talking about AD authentication with the purpose of getting SSO enabled 'cause that's what I usually see, but this is clearly not the case. For the sake of keeping things simple disregard any mention about SSO and let's keep this about AD for now.

    lucakuehne said:
    Okay, makes sense that it can't be a two way-sync. I just guessed it, because when I log in with an AD-user into the userportal there was the "change password" option, but I didn't see the message, that this is not available for AD-users.

    That's right. Although available at the menu, for AD users it will not work. Everything regarding an AD user must be managed in AD. 

    lucakuehne said:
    Are you talking about SSO or the actual AD-integration here?

    Both. The only authentication that happens at the XG is local authentication.

     

    Regards,

    Giovani

  • Hi, 

    lucakuehne
    Okay, makes sense that it can't be a two way-sync. I just guessed it, because when I log in with an AD-user into the userportal there was the "change password" option, but I didn't see the message, that this is not available for AD-users.

     

    That's right. Although available at the menu, for AD users it will not work. Everything regarding an AD user must be managed in AD. 

     

    As far as I know, if you try to change the password, XG will notify you that it is not possible. This option is only available for XG local users.