Azure AD SSO WebAdmin / API permissions

Hi,

what API permissions do I need for the Azure AD app?

I have reduced it to the following permissions, which seems to work:

Would that be fine?

What I noticed so far:

- on every successful SSO, access_server will log: [OTP_AUTH]: (otp_handle_prepare_authentication_request): Password is NULL

- after logging out and logging in again, the identity provider and XG will sometimes re-use the UPN of the previous login. I find that odd; I would expect the Azure AD login page to appear again. This happens sporadically, too. It might be a browser or cookie issue; they should be deleted upon logout. I do not have the same issue with other applications set up on the Azure AD identity provider.

Apart from that, looks good so far.

Kind regards,

cougz

  • Hi,

    thanks for the PDF.

    Can you also comment on the other observations I've made so far? Is this logging behaviour of access_server to be expected?

    Also, why are there log files other than WebAdmin, e.g. /log/oauth_sso_captive.log ? Does OAuth2 also work for captive portal?

    Kind regards,

    cougz

  • Hi Cougz,

    OAuth2 (SSO) is not supported for the Captive Portal. It is on our roadmap. Please ignore the captive portal log files (those are placeholders for future support).

    Logout behavior: Currently, we don't delete the authentication token (cookies) when the user clicks the logout button in SFOS. Deleting the token and authentication material would log the user out of all the Azure (Microsoft) apps, which the user may not want.

  • Hi,

    thanks!

    I hope Sophos is aware that Azure AD supports logout URIs for apps? This way the user will not be logged out of all Azure apps, only from the specific app where the logout URI was called.

    So if cookies are not removed upon logout, when will reauthentication be needed? E.g. Sophos ZTNA requires reauthentication after 7 days.

    Kind regards,

    cougz

  • The token is valid for 7 days (same as ZTNA).

    Could you please share some use cases or downsides of not supporting the logout URLs (logging out from a specific app)?

  • Hi,

    one downside would be the lack of functionality of the "Logout" button in XG WebAdmin. It basically does nothing except terminating the associated Tomcat session, if I understood it right so far.

    It only makes sense to send the logout to Azure AD as well. Applications should always be able to handle logout requests.

    Kind regards,

    cougz
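Editor's note: the exchange above contrasts two logout behaviours: SFOS today only terminates its own session and keeps the Azure AD token, while an RP-initiated logout would also end the Azure AD sign-in session. The block below is an added example, not code from the thread, from SFOS or from Sophos, showing both strategies as plain OIDC URL construction against the Microsoft identity platform v2.0 endpoints. It also shows the third option relevant to the re-used-UPN observation: keep the IdP session but send `prompt=login` on the next authorize request so Azure AD asks for credentials again for this app only. Tenant id, client id, redirect URIs, session ids and the id_token value are constructed placeholders, and the dict-based session store stands in for whatever the real application uses.

```python
"""Local-only logout vs. RP-initiated logout against Azure AD (Microsoft
identity platform v2.0 endpoints).

Added example; not code from the thread, from SFOS or from Sophos. Tenant,
client id, redirect URIs, session ids and the id_token value are constructed
placeholders (assumptions, not values from the page).
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORITY = "https://login.microsoftonline.com"


def authorize_url(tenant, client_id, redirect_uri, scopes, state, nonce,
                  force_login=False):
    """Build the OIDC authorization-code request for the v2.0 authorize endpoint.

    With force_login=True the request carries prompt=login, which makes Azure AD
    ask for credentials again even if the browser still holds a valid Azure AD
    session cookie. That is the lever for an app that only cleared its own
    session on logout and wants a fresh authentication (rather than silent
    re-use of the previous UPN) on the next sign-in.
    """
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,   # CSRF binding for the callback
        "nonce": nonce,   # replay binding for the id_token
    }
    if force_login:
        params["prompt"] = "login"
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?" + urlencode(params)


def end_session_url(tenant, id_token, post_logout_redirect_uri):
    """Build the RP-initiated logout redirect (OIDC end_session_endpoint).

    Sending the browser here ends the user's Azure AD sign-in session, not just
    this app's; Azure AD then notifies the user's other signed-in apps through
    their registered front-channel logout URLs. id_token_hint tells Azure AD
    which signed-in account the request concerns so it does not have to ask.
    """
    params = {
        "id_token_hint": id_token,
        "post_logout_redirect_uri": post_logout_redirect_uri,
    }
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/logout?" + urlencode(params)


# Server-side session store (constructed stand-in for the app's real one):
# session id -> {"upn": ..., "id_token": ...}
def local_logout(sessions, session_id):
    """Local-only logout: drop the app session, leave the IdP session alone.

    Returns True if a session was actually terminated. The user stays signed
    in to Azure AD, so a later plain authorize request (no prompt) will
    typically complete silently with the same UPN.
    """
    return sessions.pop(session_id, None) is not None


def rp_initiated_logout(sessions, session_id, tenant, post_logout_redirect_uri):
    """Full logout: drop the app session and return the IdP URL to redirect to.

    Returns None when there is no such session (nothing to log out).
    """
    session = sessions.pop(session_id, None)
    if session is None:
        return None
    return end_session_url(tenant, session["id_token"], post_logout_redirect_uri)


def new_state_and_nonce():
    """Fresh unguessable values for each authorize request."""
    return secrets.token_urlsafe(32), secrets.token_urlsafe(32)


def query_params(url):
    """Flatten the query string of a URL built above into a dict."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


if __name__ == "__main__":
    tenant = "00000000-0000-0000-0000-000000000000"     # placeholder tenant id
    client_id = "11111111-1111-1111-1111-111111111111"  # placeholder app id
    sessions = {"sid-1": {"upn": "alice@example.com", "id_token": "eyJ.dummy.token"}}

    # Strategy 1: local logout, then force re-authentication on the next login.
    local_logout(sessions, "sid-1")
    state, nonce = new_state_and_nonce()
    print(authorize_url(tenant, client_id, "https://fw.example.com/sso/callback",
                        ["openid", "profile", "email"], state, nonce, force_login=True))

    # Strategy 2: RP-initiated logout, which also ends the Azure AD session.
    sessions["sid-2"] = {"upn": "alice@example.com", "id_token": "eyJ.dummy.token"}
    print(rp_initiated_logout(sessions, "sid-2", tenant, "https://fw.example.com/"))
```

Which of the two logout URLs an app should send the browser to is the policy question the thread is about; the code only makes the difference explicit. Whatever the choice, `state` and `nonce` should be generated per request and checked on the callback, and the session entry should be removed server-side before any redirect so a replayed cookie cannot reach the application after logout.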