Azure AD SSO WebAdmin / API permissions

HI Cougz, below permissions should be sufficient 

Attaching pdf which covers common/popular configuration -- I hope it would help. Azure AD SSO for Webadmin console UI login-v2.1.pdf

Please keep posted and share your experience. 

Hi,

thanks for the PDF.

Can you also comment on the other observations I've made so far? Is this logging behaviour of access_server to be expected?

Also, why are there log files other than WebAdmin, e.g. /log/oauth_sso_captive.log ? Does OAuth2 also work for captive portal?

Kind regards,

cougz

Hi Cougz,

OAuth2 (SSO) is not supported for the Captive Portal. It is in our roadmap. Please ignore the captive portal log files (those are placeholders for future support). 

Logout behavior: Currently, we don't delete the authentication token (cookies) when the user clicks the logout button from SFOS. Deleting token and authentication material will log out the user from all the Azure (Microsoft) apps that the user may not want. 

Hi,

thanks!

I hope Sophos is aware that Azure AD supports logout URI's for apps? This way the user will not be logged out from all Azure apps, only from this specific app where logout URI was called.

So if cookies are not removed upon logout, when will reauthentication be needed? E.g. Sophos ZTNA requires reauthentication after 7 days.

Kind regards,

cougz

The token is valid for 7 days (same as ZTNA). 

Could you please share some use cases or downsides of not supporting the logout URLs (logging out from a specific app)?

Hi,

one downside would be lack of functionality of the "Logout" button in XG WebAdmin. It basically does nothing except terminating the  associated tomcat session, if I understood it right so far.

It only makes sense to send the log out to Azure AD also. Applications should always be able to handle logout requests.

Kind regards,

cougz

Hi,

one downside would be lack of functionality of the "Logout" button in XG WebAdmin. It basically does nothing except terminating the  associated tomcat session, if I understood it right so far.

It only makes sense to send the log out to Azure AD also. Applications should always be able to handle logout requests.

Kind regards,

cougz