Under Review

Stop requiring Implicit Grant for SSO integration

Implicit Grant type flow sends tokens over HTTP before any confirmation with the client occurs. This method has been deprecated by many organizations due to the unnecessary risk. There is a better way with Authorization Code Grant. This is the method recommended by OAuth.

This page https://docs.sophos.com/central/partner/help/en-us/Help/SettingsAndPolicies/SophosSignin/OpenIDConnectIDP/index.html#use-google-workspace-as-an-identity-provider was updated in 2023 and still states that the old, broken method is a requirement.

Does this indicate that Sophos is no longer performing any development or maintenance to support federated Central logon? If it is being abandoned, the customers should be properly advised.