SSO for modern auth and macOS, is it possible?

We have been trying with no luck to find a way for macOS clients to SSO to our XG. Has anyone had any success with this?

Our macs are bound to AD and we have STAS which works great for Windows sessions but see no action on macOS logins.

As we are moving to modern authentication on the Windows side I'm wondering what the SSO to XG plan should be for this. I would happily move our macOS clients to Azure authentication with JAMF Connect if I was certain there was a workable solution.

We have configured LDAPS to an Azure Managed Domain which we are using for captive portal which seems to work fine.

Sophos documentation seems limited on these areas, and sadly if we can't find a way forward I will be looking to move away from Sophos.

Thanks!

  • FormerMember

    Hi,

    Thanks for reaching out, and welcome to the Sophos Community!

    One reason for not seeing action on macOS logins could be the configured workstation polling settings on STA Collector.

    I'd suggest you use CAA (Client Authentication Agent) or Captive Portal authentication for macOS devices.

    Please reach out to the Sophos Sales team for any POC-related questions for your specific environment.

    Thanks,

  • Thanks, I will look into the polling settings. Any thoughts on Azure-bound Windows devices, how do we ensure these get an SSO experience?

    The CAA is unfortunately very poor. It does not allow SSO as far as I can see, it requires Java and is just a very poor user experience. I don't want my users to have to sign in to a device and then sign in again for network access, and even if I did choose this route macOS would just throw SSL errors for any service trying to make a connection until authenticated.

    Is there anything being actively developed for macOS / Sophos XG? If not it is likely I'll move on to another router and content filtering solution.

  • The question is, what are you actually using?

    XG is an AD-focused product. And macOS can be integrated into AD, but it sounds like you are most likely not using AD at all?

  • We are using AD, however we are moving towards Azure. STAS has been great, but once we start to provision Windows devices with Intune they will be authenticating against Azure, so we need to know what is possible XG-wise and, if nothing, find out what product can transparently / SSO authenticate against both AD and Azure.

    I can see some STAS sessions from macOS but not all, so I will look deeper into the agent / collector settings.

    Thanks!

  • This is another part of the story of the future. More customers are migrating to Azure, and Azure itself does not offer a native "authentication platform" besides Azure services, which offer LDAP. But this is not of great use for a firewall product.

    The pain point is the authentication and the login.

    Because a firewall is likely a product between the client and the WAN, you want to authenticate this client and make sure the user is logged in. As Azure does not provide this kind of information in a way XG could use nicely, it is hard to authenticate the user AND make sure they are still logged in. This is a challenge which needs more work on the Sophos Firewall end to integrate this environment.

    Luckily, most customers I know still use a hybrid AD on-prem, to authenticate locally instead of completely against Azure AD. Hence they can use all features of Azure but still have an AD to use STAS etc. for the clients on-prem (behind XG).
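The reply above makes a design point that is easy to miss: transparent SSO on a firewall has two halves, learning that a user logged on at an IP, and later confirming the user is still there. The following is an added toy model of that pattern (it is not Sophos code and not the STAS protocol; the event format, the field names and the "poll the workstation, expire it if it never answers" rule are all assumptions made for the illustration). It shows why a host that is seen logging on but never answers the liveness check, like a Mac behind a Windows-oriented poll, silently disappears from the identity table after the dead-entry timeout.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed sample of what a DC-side agent might forward after reducing
# domain logon events to (time, user, source IP). The format is assumed.
SAMPLE_EVENTS = [
    "t=0 event=logon user=alice ip=10.0.0.5 host=WIN-LAPTOP",
    "t=0 event=logon user=bob ip=10.0.0.9 host=MAC-LAPTOP",
    # alice logged off and carol logged on to the same IP two minutes later
    "t=120 event=logon user=carol ip=10.0.0.5 host=WIN-LAPTOP",
]

EVENT_RE = re.compile(r"t=(\d+) event=(\w+) user=(\S+) ip=(\S+)")


def parse_event(line: str) -> Optional[tuple]:
    """Return (time, event, user, ip) or None for lines that do not match."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    return int(m.group(1)), m.group(2), m.group(3), m.group(4)


@dataclass
class Session:
    user: str
    last_confirmed: int  # last time the logon event or a poll confirmed the user


@dataclass
class IdentityTable:
    """IP -> user mapping maintained by the firewall side."""
    dead_entry_timeout: int = 300
    sessions: Dict[str, Session] = field(default_factory=dict)

    def ingest(self, line: str) -> None:
        """Learn a mapping from a logon event; a new user at an IP replaces the old one."""
        parsed = parse_event(line)
        if parsed is None:
            return
        t, event, user, ip = parsed
        if event == "logon":
            self.sessions[ip] = Session(user=user, last_confirmed=t)
        elif event == "logoff" and ip in self.sessions and self.sessions[ip].user == user:
            del self.sessions[ip]

    def poll(self, now: int, prober: Callable[[str], Optional[str]]) -> List[str]:
        """Ask each known host who is logged on. prober(ip) returns the user name,
        or None when the host cannot be queried. Entries that a poll contradicts
        are dropped at once; entries that never answer are dropped after the
        dead-entry timeout. Returns the IPs removed in this round."""
        removed = []
        for ip, session in list(self.sessions.items()):
            answer = prober(ip)
            if answer == session.user:
                session.last_confirmed = now
            elif answer is not None or now - session.last_confirmed > self.dead_entry_timeout:
                del self.sessions[ip]
                removed.append(ip)
        return removed

    def lookup(self, ip: str) -> Optional[str]:
        """What the policy engine would see for traffic from this IP."""
        s = self.sessions.get(ip)
        return s.user if s else None


def simulate() -> tuple:
    """Run the constructed events through the table with a prober that models a
    Windows-style workstation poll: the Windows host answers, the Mac never does."""
    table = IdentityTable(dead_entry_timeout=300)
    for line in SAMPLE_EVENTS:
        table.ingest(line)

    def prober(ip: str) -> Optional[str]:
        return {"10.0.0.5": "carol"}.get(ip)  # None means unreachable

    removed: List[str] = []
    for now in (180, 360, 540):
        removed += table.poll(now, prober)
    return table, removed


if __name__ == "__main__":
    table, removed = simulate()
    print("10.0.0.5 ->", table.lookup("10.0.0.5"))
    print("10.0.0.9 ->", table.lookup("10.0.0.9"))
    print("expired:", removed)
```

In the run above the Windows host keeps its mapping (carol, learned from the later logon event and confirmed by each poll), while the Mac's entry for bob expires at the 360-second poll because no poll ever confirmed it. Whatever the real agent does, this is the behaviour to look for when "some macOS sessions appear but not all": the logon is learned, the liveness check is what fails.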
