SSO Authentication for SDP Users with Cato

This article explains how the Cato Client lets SDP users authenticate with Single Sign On (SSO) and connect to the network.

Overview

Configuring SSO for your account simplifies authentication and enhances the user experience. With SSO, three components work together to verify the identity of the user so they can connect to the network.

  • Firstly, the user identifies themselves with their SSO credentials.
  • Secondly, your IdP acts as the authentication system to validate the user's credentials.
    • The same IdP tenant can be used with multiple Cato accounts
  • Thirdly, Cato integrates with your IdP to let the user sign into the Client and connect to the network.

The SSO authentication process is dependent on generating and validating unique tokens that are shared between your IdP and Cato.

Understanding SSO Tokens Used for SSO Authentication

For SSO authentication, the Client relies on two encrypted SSO tokens to validate that the SDP user is authenticated and allowed to connect to the network.

  • IdP Token: This is generated by your IdP after an SDP user authenticates with their SSO credentials.

  • Cato Token: This token is generated by the PoP after the Client receives a successful validation response from the IdP. Cato uses this token to verify that the SDP user has been authenticated so that the Client can maintain a connection to the Cato Cloud. The Cato token is stored on the device, and its validity duration is set in the Cato Management Application.

    After the Cato token expires, the PoP checks if the IdP token is valid. If the Client receives a successful validation response from the IdP, the PoP generates a new Cato token, and the Client remains connected to the Cato Cloud. If both the Cato token and the IdP token have expired, the Client disconnects from the Cato Cloud. The Client only reconnects when it receives a new IdP token after the SDP user re-authenticates.

You can configure how the Cato Token expires:

  • Duration: You select the time period the Cato Token is valid for. During this time period, the token remains valid even if a user disconnects the Client.
  • Always Prompt: The Cato Token expires as soon as a user disconnects the Client. You can also select the time period the Cato Token is valid for if the user does not disconnect.

The following table explains the Client connection status for each combination of token states (IdP Token Status, Cato Token Status, Connection Status):

  • IdP Token Status: Valid. Cato Token Status: Valid. Connection Status: Client is connected.

  • IdP Token Status: Expired. Cato Token Status: Valid. Connection Status: Client is connected until the Cato token expires.

  • IdP Token Status: Valid. Cato Token Status: Expired. Connection Status:

    1. Client checks with the IdP if the IdP Token is valid. Depending on your SSO configuration, this check can be made automatically or is initiated by the SDP user
    2. IdP sends successful validation response
    3. Client sends successful validation response to PoP
    4. PoP generates new Cato token and sends it to the Client
    5. Client remains connected

  • IdP Token Status: Expired. Cato Token Status: Expired. Connection Status:

    1. Client checks with the IdP if the IdP Token is valid. Depending on your SSO configuration, this check can be made automatically or is initiated by the SDP user
    2. IdP sends a failed validation response
    3. Client disconnects

Sample SSO Process Flows for Initial Authentication

This section provides examples of an SDP user using SSO to authenticate to the Client and connect to the network.

Initial Authentication

This process flow explains what happens when an SDP user authenticates to the Client for the first time.

  1. In the Client, the SDP user clicks Add user.

    1. The PoP generates a screen for the SDP user to enter their email address

    2. The PoP associates the email address with a Cato account. The Client displays the authentication options configured for the account.

  2. The SDP user clicks the SSO option, and the Client displays a browser (either in the Client or an external browser) so the user can enter the IdP login and MFA credentials.

    • The IdP validates the SDP user's credentials. SSO authentication occurs directly between the Client and the IdP outside the tunnel.

  3. If the credentials are valid, the IdP sends a success response with the IdP token to the PoP.

  4. The PoP confirms the validity of the token directly with the IdP.

  5. If the token is valid, the PoP generates the Cato token and sends it to the Client.

    1. The Client stores the Cato token on the device

    2. The SDP user is authenticated, and the Client connects to the network

Authentication with Always-On Enabled

This process flow explains what happens when an SDP user with Always-On enabled authenticates to the Client.

  1. The device is turned on and boots up.

  2. The Client checks if the Cato token on the device is valid.

    1. If the Cato token is valid, the Client connects

    2. If the Cato token has expired, the Client checks if the IdP token is valid

      1. If the IdP token is valid, the Client sends a successful validation response to PoP. The PoP creates a new Cato token, and the Client connects

      2. If the IdP token has expired, the Client does not connect. The Client displays the authentication options configured for the account. The Client only connects after the SDP user has re-authenticated. SSO authentication between the Client and the IdP occurs inside the tunnel via the PoP.
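The token check described in the table above and in the Always-On flow, as an added example that is not Cato's code: a small Python model of how the Client's connection outcome depends on the two tokens and on the Duration / Always Prompt setting. The Token and ClientState classes, the TTL values and the mode names are assumptions made for the illustration.

```python
"""Illustrative model of the Client token check (added example, not Cato code)."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class ExpiryMode(Enum):
    DURATION = "duration"            # Cato token survives a user disconnect
    ALWAYS_PROMPT = "always_prompt"  # Cato token expires when the user disconnects


@dataclass
class Token:
    issued_at: float
    ttl: float                 # validity duration in seconds (assumed values in tests)
    revoked: bool = False      # set when Always Prompt invalidates the token

    def is_valid(self, now: float) -> bool:
        return not self.revoked and now < self.issued_at + self.ttl


@dataclass
class ClientState:
    idp_token: Optional[Token]
    cato_token: Optional[Token]
    mode: ExpiryMode
    cato_ttl: float            # duration configured in the Cato Management Application


def user_disconnects(state: ClientState) -> None:
    """Always Prompt: disconnecting the Client expires the Cato token immediately."""
    if state.mode is ExpiryMode.ALWAYS_PROMPT and state.cato_token is not None:
        state.cato_token.revoked = True


def check_connection(state: ClientState, now: float) -> str:
    """Outcome of the Client's token check, following the article's table.

    'connected'       - Cato token still valid; IdP token state does not matter
    'renewed'         - Cato token expired but IdP token valid: PoP issues a new Cato token
    'reauth_required' - both tokens expired: Client disconnects until the user signs in again
    """
    if state.cato_token is not None and state.cato_token.is_valid(now):
        return "connected"
    if state.idp_token is not None and state.idp_token.is_valid(now):
        # Successful IdP validation is relayed to the PoP, which generates a new Cato token
        state.cato_token = Token(issued_at=now, ttl=state.cato_ttl)
        return "renewed"
    state.cato_token = None
    return "reauth_required"
```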
