Azure AD SSO WebAdmin / API permissions

Hi,

what API permissions do I need for the Azure AD app?

I have reduced it up to the following permissions, seems to work:

Would that be fine?

What I noticed so far:

- on every successful SSO, access_server will log: [OTP_AUTH]: (otp_handle_prepare_authentication_request): Password is NULL

- after logging out and logging in again, identity provider and XG will sometimes re-use the UPN of the previous login. I find that odd, I would expect the Azure AD login page to appear again. This happens sporadically, also. Might be browser or cookie issue, they should be deleted upon logout. I do not have the same issue with other applications set up on Azure AD identity provider.

Apart from that, looks good so far.

Kind regards,

cougz

Parents

0 SPandya over 1 year ago

HI Cougz, below permissions should be sufficient

Attaching pdf which covers common/popular configuration -- I hope it would help. Azure AD SSO for Webadmin console UI login-v2.1.pdf

Please keep posted and share your experience.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Reject Answer

Cancel
0 cougz over 1 year ago in reply to SPandya

Hi,

thanks for the PDF.

Can you also comment on the other observations I've made so far? Is this logging behaviour of access_server to be expected?

Also, why are there log files other than WebAdmin, e.g. /log/oauth_sso_captive.log ? Does OAuth2 also work for captive portal?

Kind regards,

cougz
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Jubin over 1 year ago in reply to cougz

Hi Cougz,

OAuth2 (SSO) is not supported for the Captive Portal. It is in our roadmap. Please ignore the captive portal log files (those are placeholders for future support).

Logout behavior: Currently, we don't delete the authentication token (cookies) when the user clicks the logout button from SFOS. Deleting token and authentication material will log out the user from all the Azure (Microsoft) apps that the user may not want.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 cougz over 1 year ago in reply to Jubin

Hi,

thanks!

I hope Sophos is aware that Azure AD supports logout URI's for apps? This way the user will not be logged out from all Azure apps, only from this specific app where logout URI was called.

So if cookies are not removed upon logout, when will reauthentication be needed? E.g. Sophos ZTNA requires reauthentication after 7 days.

Kind regards,

cougz
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 cougz over 1 year ago in reply to Jubin

Hi,

thanks!

I hope Sophos is aware that Azure AD supports logout URI's for apps? This way the user will not be logged out from all Azure apps, only from this specific app where logout URI was called.

So if cookies are not removed upon logout, when will reauthentication be needed? E.g. Sophos ZTNA requires reauthentication after 7 days.

Kind regards,

cougz
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

0 Jubin over 1 year ago in reply to cougz

The token is valid for 7 days (same as ZTNA).

Could you please share some use cases or downsides of not supporting the logout URLs (logging out from a specific app)?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 cougz over 1 year ago in reply to Jubin

Hi,

one downside would be lack of functionality of the "Logout" button in XG WebAdmin. It basically does nothing except terminating the associated tomcat session, if I understood it right so far.

It only makes sense to send the log out to Azure AD also. Applications should always be able to handle logout requests.

Kind regards,

cougz
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel