This article explains how to configure Okta as the Single Sign-On (SSO) provider for SDP users, clientless users, and Cato Management Application admins in your account.
SSO relies on an encrypted token from Cato and your IdP to validate that the user is authenticated and allowed to connect to the network. For more details, see SSO Authentication for Users with Cato.
For more about enabling SSO for the account, see Configuring SSO and the Subdomain for the Account.
After a chain of trust is established between Cato, the IdP, and your company's user directory, Cato trusts the IdP for user authentication.
Cato SSO supports these Client operating systems:
- Windows
- macOS
- iOS
- Android
- Linux
Before you establish trust with Okta, make sure that you complete these prerequisites:
- You must have administrator privileges to Okta.
- Okta must be synchronized with your user directory.
- For manually created SDP users, SSO is supported for Windows v5.x, macOS v5.x, and Linux v5.x Clients.
- For iOS and Android, only users who were imported from your organization to Cato using Directory Services or SCIM provisioning are able to use SSO.
Add the Okta app for Cato Networks SSO, and then configure your Okta Client ID and Client secret. Then configure the Cato Management Application to use Okta as the SSO provider for your account.
For SDP Client users, the Token validity settings define, in Days or Hours, how long users remain authenticated. Users that are logged in must reauthenticate once that duration has passed since they last logged in. The Always Prompt option means that users must always authenticate to the Client.
To configure Okta as the SSO provider for your account:
- Enable the admin permissions for your Okta account: from the Okta portal menu bar, click Admin.
- From the Okta Applications window, click Add Application and search for Cato Portal.
- Click Add.
- In the Add Cato Portal window, select these options:
  - Do not display application icon to users
  - Do not display application icon in the Okta Mobile App
- Click Done.
- In the Assignments tab, assign the People and Groups to the application.
- Click Assign.
- The Sign On > Settings window shows the Client ID and the Client secret for your Okta account. Keep this window open; you need to copy the Client ID and Client secret to the Cato Management Application.
- Click Save. Okta is configured as an SSO provider for your Cato account.
- In a new tab or window, open the Cato Management Application.
- From the navigation menu, select Access > Single Sign-On.
- Click New.
- From the Identity Provider drop-down menu, select Okta.
- Enter a Name.
- From the Okta window, copy these settings and paste them in the Cato Management Application:
  - Client ID
  - Client Secret
- Enter the Okta Domain prefix and suffix for your account.
- If you are configuring one Single Sign-On provider, enable the Default toggle. If you are configuring multiple Single Sign-On providers, see Configuring Multiple Identity Providers.
- Click Apply.
- Select Allow login with Single Sign-On for one or more types of users in your account:
  - SDP Client users (set the Token validity settings)
  - Clientless SDP users (set the Cookie type)
  - Cato Management Application admins
- Click Save. Okta is configured as the SSO provider for your account.