Question about OKTA (Active Directory) password reset/change integration with Sophos Safeguard product
https://support.okta.com/help/answers?id=9062a000000bmbkqaq&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fanswers
Henrik Lemos

Question about OKTA (Active Directory) password reset/change integration with Sophos Safeguard product

Hi folks,

Our company uses the Sophos Safeguard product line for whole disk encryption on our corporate Windows workstations and laptops (Windows 7). This whole disk encryption system holds and issues user certificates (within itself) whenever a user password is changed using the standard password reset feature available on domain joined computers (press Ctrl+Alt+Del, select change password). At present it is vital that local and remote users only change their password while connected to the corporate network.

If they fail to do this (change password using standard tool while connected to LAN/VPN)... the Sophos system requires manual intervention to realign user encryption certificates with the AD user account.

At present using OKTA to change AD mastered account passwords "breaks" Sophos certificates as well. At least in the default configuration.

Is there a setting, or integration available, that will enable us to use the OKTA AD mastered account password recovery/reset features... and NOT break Sophos at the same time?
James Flores (Okta, Inc.)
Hi Henrik,

This sounds like a question best answered with the help of Sophos. The current integration (AD reset via Okta) utilizes the Okta AD agent installed on your local server to update/reset passwords. It sounds like in order for Sophos to work the password reset must be initiated from the local computer rather than via a third party AD agent. A good question for Sophos would be, "Is it possible for Sophos to complete its cert updates based on a password update event on the server rather than from the user's computer?"
John Fry
There's an API for Sophos that could potentially be utilised: https://www.sophos.com/en-us/medialibrary/PDFs/documentation/sgn_7_m_eng_api.pdf?la=en

This would require some intervention I imagine with OKTA Pro Services. 

I know this request has been done with other systems and Sophos SafeGuard.