This document covers how to set up Google IdP with Sophos Central.
This Recommended Read assumes that you have already created the users in Google that you wish to grant access to.
Configuration
Upon creation of an application (“credentials”) in Google, you’ll see a page like the screenshot below. Make a note of the Client ID (highlighted in blue), as you will need it in step "3.3 Client ID".
From the drop-down, select the domain you previously configured.
Select a radio button indicating whether the IdP will enforce MFA (1st option) or Sophos will enforce MFA (2nd option).
After selecting one option, you should be able to Save and see your domain listed.
At this point the IdP is ready for use with Sophos.
Note: Without users configured in the IdP and in the Sophos Dashboard (under the People sidebar menu), no one will be allowed to log in. If the user used for this configuration has access to the IdP (account created under the IdP), logging back in will now require using the Sign in with SSO button.
Clicking Sign in with SSO should redirect you to the Google Authentication Screen.
Note: If you are already logged in to Google in the same browser, it may automatically log you in. To test this further, you can use a private browsing window, so you can remain logged in.
Google provides you with a Download json link that you can click, which should provide you with the URLs for Authz and JWKS. We have found that those URLs don’t work properly and that you should use different versions of the URLs. If you have followed the document above, it's unlikely you will run into this problem, but regardless, you may see the following after authenticating with Google (and attempting to redirect back to Sophos).
If encountered, kindly recheck step 3.3 Step B: Configure OpenID connect Settings and ensure you have correctly input the following details:
NOTE: To edit an existing IdP, click its name in the IdP list, and click Edit in the screen that opens. Edit is a hyperlink, located just below Vendor in the top section of the screen.
NOTE: To edit an existing IdP, you may need to turn the IdP off first.
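To check the URL mismatch described in the troubleshooting paragraph above, the following added example (not part of the original article or of Sophos or Google tooling) compares the URLs in a downloaded credentials file with those in an OpenID Connect discovery document. Both JSON samples are constructed, the mapping of `auth_uri` and `auth_provider_x509_cert_url` to the Authz and JWKS settings is an assumption, and the values to enter in Sophos remain those given in step 3.3.

```python
import json

# Constructed sample in the layout of Google's "Download JSON" credentials file
# (client id and secret are placeholders, not real values).
DOWNLOADED_JSON = """{"web": {
  "client_id": "EXAMPLE-CLIENT-ID.apps.googleusercontent.com",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_secret": "EXAMPLE-PLACEHOLDER"
}}"""

# Constructed excerpt of the OpenID Connect discovery document, which an issuer
# serves at <issuer>/.well-known/openid-configuration. Fetch the live document
# when checking a real setup rather than relying on this copy.
DISCOVERY_JSON = """{
  "issuer": "https://accounts.google.com",
  "authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
  "jwks_uri": "https://www.googleapis.com/oauth2/v3/certs"
}"""

# Setting name -> (key in downloaded file, key in discovery document).
# Assumption: these are the downloaded keys most likely taken for Authz and JWKS.
FIELD_MAP = {
    "Authz endpoint": ("auth_uri", "authorization_endpoint"),
    "JWKS URL": ("auth_provider_x509_cert_url", "jwks_uri"),
}

def compare_endpoints(downloaded_text, discovery_text):
    """Return {setting: (downloaded_url, discovery_url, matches)}."""
    doc = json.loads(downloaded_text)
    # The file nests its values under "web" or "installed" depending on app type.
    creds = doc.get("web") or doc.get("installed") or doc
    discovery = json.loads(discovery_text)
    report = {}
    for setting, (dl_key, disc_key) in FIELD_MAP.items():
        dl_url, disc_url = creds.get(dl_key), discovery.get(disc_key)
        report[setting] = (dl_url, disc_url, dl_url is not None and dl_url == disc_url)
    return report

if __name__ == "__main__":
    for name, (dl, disc, ok) in compare_endpoints(DOWNLOADED_JSON, DISCOVERY_JSON).items():
        print(f"{name}: {'OK' if ok else 'MISMATCH'}\n  downloaded: {dl}\n  discovery:  {disc}")
```

A MISMATCH on the JWKS line means the downloaded file points at a certificate URL rather than the key set the discovery document advertises.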