This article explains the options for how to add users to your Cato account so that they can securely connect to the network.
When users are added to your account, Cato can identify them, ensure they are authenticated (for example using SSO), and enforce policies based on their identity. You can provision users directly from your IdP using SCIM or LDAP. This ensures your IdP remains the central location for managing users and user groups. Any change to a user in your IdP is automatically synced with Cato: with SCIM provisioning the change is reflected in real time, and with LDAP provisioning it is reflected within 24 hours. You can also use the Cato Management Application to manually add users to your account.
When new users are created in your account, you can choose to send an email to introduce them to remote access with Cato.
After a user is added to your account, they can be assigned a license and added to policies. After you add a user to a policy, the policy is enforced whether the user is located behind a site or connecting remotely.
Cato supports provisioning users from your IdP with SCIM and LDAP as well as adding users manually.
This process explains how users are provisioned from your IdP, and then assigned licenses and added to policies so they can securely connect to the network.
- In your IdP, define the users and/or groups to be provisioned to Cato.
- Configure automatic user sync with Cato.
  After users are synced, they can be viewed from the Users Directory page and identified with User Awareness.
- Assign licenses to required users.
- Apply policies to users.
  Policies are enforced wherever the user connects.
These are the IdPs that are supported for provisioning users with SCIM:
- Azure
- Okta
- OneLogin
For more information on how to configure SCIM provisioning for each IdP, see Provisioning Users with SCIM.
These are the IdPs that are supported for provisioning users with LDAP:
- Azure
- Okta
- OneLogin
- JumpCloud
For more information on how to configure LDAP provisioning for each IdP, see Provisioning Users with LDAP.
Users can also be created manually by entering their name and email address. For more information about creating users manually, see Working with Users.
When a user is added to your account you can configure them to receive an email to introduce them to Cato. By default, users are not sent an onboarding email. You can choose to send these onboarding emails:
- Onboarding email: There are two types of onboarding emails that users can receive. If enabled, these emails are automatically sent to users when they are created.
  - An email with a link to download the Cato Client. This is sent when a user is created in the Cato Management Application.
  - An email to notify the user their account is disabled. This is sent when a user is disabled in the Cato Management Application.
- Registration code: Users enter a one-time code to activate their account. For more information, see Activating Users with a Registration Code.
- Activation email: An email with a link for users to create their password for the Client. This is not sent automatically, but can be sent to individual users that authenticate with Username and Password (and MFA). Users that authenticate with SSO cannot be sent this email.
You can choose to send users an email containing details of the account and a link to download the Cato Client from the Client download portal.
To configure the onboarding email:
- From the navigation menu, click Access > Directory Services.
- Click the User Provisioning tab.
- Set the Method to Onboarding Email.
- To send emails with links to download the Client, select Send welcome email to new SDP users.
- To let users know that their remote access is disabled, select Send email notifications to SDP users that are disabled in the account.
- Click Save.
Users who authenticate with Username and Password (and MFA) are sent an email to create their password when they sign in to the Client. You can choose to resend this email to individual users. You can only send Activation emails to users with an SDP license.
Note: Users on headless Linux devices must be sent an Activation email to sign in to the Client.