how to enable SFOS authentication with different UPN and SamAccountName

Question

I have learned how to support UPN or multi UPN configuration with local Host / DNS registrations on the Firewall directly. I have configured that successfully on the firewall. Sophos Firewall: Authentication Multi UPN configuration 
 But as written in my comments in that Recommended Read, we're having difficulties, as we currently have a SamAccountName (SAM) in our AD like 
 username (which is username\domain) 
 Now with migration to O365 we need UPN authentication 
 name.surname@domain.com 
 This does not work for firewall authentication. It only works when the SAM is identical the UPN-Part before the @ 
 So we must have: SAM=name.surname and UPN=name.surname@domain.com only then it works. 
 We need the original SAM so we don't mess up with other internal system logins but we need the additional UPN for O365. 
 We don't want the users to use different logins for Firewall and Windows / O365. 
 The current situation is a showstopper. GiuseppeI as author of the article, is it possible that can you help here?

LuCar Toni · Answer

It depends on the way, you perform the authentication. 
 The endpoint (sync User ID) will notice this issue right away: It will see the difference between UPN and SAMAccountname. Then Endpoint will send those values separate: SAMAccountname + Domain. 
 You have to be mindful about the situation, that you will get new users: domain.local\user will be on SFOS: user @domain.local user.name@domain.com will be: user.name@domain.com Even if the user is in AD the same, the SAMAccountname could be different. 
 SFOS will use for all Authentication beside Heartbeat always the SAMAccountname and "simply add the domain" of the configured AD Server. For example: Samaccountname: user Domain in SFOS configured under Authentication Server: domain.com User on SFOS: user@domain.com 
 SFOS is not aware of the UPN, and will not use the UPN. Most customers i know will simply add the new Domain (domain.com) as a new AD Server to the firewall. This will utilize the Authentication - As stated above: It does not matter, what the UPN is for the firewall, as long as the AD Server sends an "Allowed", we will add the Domain Name to the user. For the most authentications or transitions to a different UPN, you will not change this behavior at all: We still use the old authentication. 
 To create the same AD server with another AD Domain: Sophos Firewall: Create multiple AD Server entities in SFOS for multi domains 
 It highly depend on the way you want to authenticate. User Portal for example can work with Domain or the simple SAMAccountname alone. SFOS here will split up and search: It will use the first part (before the Domain @) and use it against the AD Servers.

how to enable SFOS authentication with different UPN and SamAccountName

Top Replies