SCIM Provisioning with Okta

This article explains how to use the Okta SCIM app to automatically sync users from your Okta account to your Cato account.

Capabilities Supported

Cato Networks delivers a next generation secure networking architecture that eliminates the complexity, costs, and risks associated with legacy IT approaches based on disjointed point solutions. From Single Sign-On (SSO) to user provisioning, Okta's Cato integration handles user access and groups throughout the user's lifecycle, including:

  • Create and remove users in the Cato Management Application

  • Sync users and attributes from Okta to the Cato Management Application

  • Create users

  • Update user attributes

  • Deactivate users

  • Group push

  • Users can authenticate with email or UPN depending on your Okta configuration.

Requirements

Before you use the Okta SCIM app, make sure that you have admin permissions in Okta to configure user provisioning.

Known Limitations

  • Importing Cato users or groups to Okta isn’t supported

  • Nested group provisioning isn't supported

  • SCIM is supported on accounts that use Email as the User ID only (you can confirm this setting with Cato Support)

  • You can provision users with either LDAP or SCIM (not both)

  • Removing a user from the IdP application doesn't remove the user from the Cato Management Application; it disables the user

  • Group Linking isn’t supported

  • SCIM sync overrides existing LDAP groups with the same name. For more information, see How SCIM Sync Overrides Existing LDAP Groups
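
A pre-flight check for three of the limitations above, as an added example that is not Cato or Okta code. It assumes you have exported the planned push groups, the assigned user logins and the existing LDAP group names into plain Python structures; the function name, input shapes and sample data are constructed for illustration.

```python
import re

# Loose shape check only: one "@", a dotted domain, no whitespace.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample data, not taken from any real tenant.
SAMPLE_GROUPS = {
    "Engineering": ["alice@example.com", "Contractors"],
    "Contractors": ["bob"],
    "Sales": ["carol@example.com"],
}
SAMPLE_USERS = ["alice@example.com", "bob", "carol@example.com"]
SAMPLE_LDAP_GROUPS = ["sales", "Finance"]


def preflight(okta_groups, okta_logins, cato_ldap_groups):
    """Return (kind, subject, detail) findings for a planned SCIM sync.

    okta_groups: {group name: [member, ...]}; a member that is itself a
                 key of okta_groups is treated as a nested group.
    okta_logins: logins of the users assigned to the SCIM app.
    cato_ldap_groups: names of groups already created in Cato by LDAP.
    """
    findings = []
    ldap = {g.casefold(): g for g in cato_ldap_groups}
    for name, members in sorted(okta_groups.items()):
        # SCIM sync overrides an existing LDAP group with the same name.
        # Comparing case-insensitively is a conservative assumption.
        if name.casefold() in ldap:
            findings.append(("ldap-override", name, ldap[name.casefold()]))
        # Nested group provisioning is not supported.
        for member in members:
            if member in okta_groups:
                findings.append(("nested-group", name, member))
    for login in sorted(okta_logins):
        # SCIM is supported only when the User ID is an email address.
        if not EMAIL_RE.match(login):
            findings.append(("non-email-userid", login, ""))
    return findings


if __name__ == "__main__":
    for finding in preflight(SAMPLE_GROUPS, SAMPLE_USERS, SAMPLE_LDAP_GROUPS):
        print(finding)
```

Review any `ldap-override` finding before the first sync, because group membership managed by LDAP is replaced by what Okta pushes.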

Configuring Automatic User Sync to Cato

You can use the Cato SCIM app that is available in Okta to connect and sync users from your Okta account to your Cato account. In the Cato Management Application, enable SCIM provisioning for your account.

In your Okta account, add the Cato SCIM app and then configure the settings to connect to your Cato account. Then you can define the Okta groups and users that are synced, and Okta immediately initiates the automatic user sync.

The status of users in your Identity Provider (IdP) is automatically synced to your Cato account. For example, when you disable users in the IdP, they are synced to your Cato account as disabled.

Note: If necessary, you can edit the attribute mapping to meet the specific requirements of your organization. See Schema Discovery below.

Configuring the Cato Management Application for the SCIM App

In the Cato Management Application, enable SCIM Provisioning and copy the URL and token to a text file. You will enter these settings in the Cato SCIM app that you configure in your Okta account.

To connect the Cato Management Application to the SCIM app:

  1. In the Cato Management Application, from the navigation menu select Access > Directory Services and click the SCIM tab.

  2. Select Enable SCIM Provisioning to set your account to connect to the SCIM app.

  3. Click Save.

  4. Copy and paste the SCIM URL and token to a blank text file.

    1. In Base URL, click the copy icon to copy the SCIM URL to the clipboard and then paste it in the text file.

    2. In Bearer Token, click the copy icon to copy the unique account token to the clipboard and then paste it in the text file.

Adding the Cato SCIM App in Okta

Add the Cato SCIM app from the Okta app store and then set the app to automatically sync users to Cato. Enter the SCIM Provisioning URL and token that you copied from the Cato Management Application.

To create the Cato SCIM app:

  1. Log in to your Okta account and go to the admin console.

  2. From the menu bar, click Applications > Applications.

  3. Add the Cato SCIM app to your Okta account:

    1. Click Add Application.

    2. Search for Cato Networks Provisioning and select the app. The app overview opens in a new window.

    3. Click Add. The Add Cato Networks Provisioning wizard opens.

    4. Enter the Application label and configure the app settings.

    5. Click Next.

    6. Configure the settings for user authentication and credentials.

    7. Make sure that Update application username on is set to Create and update.

    8. Click Done. The Cato SCIM app is added to your account.

  4. Click the Provisioning tab, and the Integration window opens.

  5. Click Configure API Integration.

  6. Select Enable API Integration.

  7. Configure Okta to integrate with your Cato account:

    1. In Base URL, paste the URL that you copied from the Cato Management Application.

    2. In API Token, paste the token that you copied from the Cato Management Application.

  8. Click Test API Credentials to make sure that the Cato SCIM app can connect to your Cato account.

  9. Click Save.

Configuring the SCIM App for Provisioning

Configure the settings in the SCIM app to provision users to your Cato account. For more about the SCIM attributes, see Schema Discovery below.

To configure the SCIM app to provision users:

  1. In the new SCIM app, click the Provisioning tab.

  2. From the Settings section, select To App.

  3. To configure the Provisioning to App settings, click Edit.

  4. Select Enable for these options:

    • Create Users

    • Update User Attributes

    • Deactivate Users

  5. Click Save.

Syncing VPN Users to Your Cato Account

After the SCIM app can connect to your account, assign the users that you are syncing to Cato. Then you can continue with the next section to add groups to the app.

To provision individual users to your Cato account:

  1. In the Cato SCIM app, click the Assignments tab.

  2. Assign the people and groups that you are adding to the SCIM app to sync to your Cato account:

    1. Click Assign and select People.

    2. For the person, click Assign.

    3. Click Save and Go Back.

    4. Repeat the previous steps for all the people or groups, and then click Done.

    The users are synced from Okta to your Cato account.

Syncing Okta Groups to Your Cato Account

You can assign groups in Okta with users that you are syncing to Cato. Then create or assign the Okta Push Groups to the SCIM app and the app syncs the groups and the associated users to your Cato account.

To provision Okta groups to your Cato account:

  1. Assign the groups that you are adding to the SCIM app to sync to your Cato account:

    1. In the Assignments section, click Assign and select Groups.

    2. For the group, click Assign.

    3. Click Save and Go Back.

    4. Repeat the previous steps for all the groups, and then click Done.

  2. Go to the Push Groups section.

  3. Select Push Groups > Find groups by name.

  4. Enter the name for the Okta Push Group and select the group.

  5. If you need to add more Push Groups, click Save & Add Another, otherwise click Save. The app syncs the groups and associated users to your Cato account.

Assigning SDP Licenses

In the IdP, define the groups and users that are synced to your Cato account. After the initial sync is completed, all users are then created in the Cato Management Application and visible on the Users Directory page.

You can then assign SDP licenses to users. For more information, see Assigning SDP Licenses to Users.

Schema Discovery

You can use the Attribute Mappings in the Provisioning tab of the app to configure the SCIM attributes. The Apply on setting for the attributes is Create and update.

| Attribute | Cato VPN User Attribute | |
|---|---|---|
| Username | userName | Configure the email option in the Sign On settings for the Okta app |
| Given name | givenName | user.firstName |
| Family name | familyName | user.lastName |
| Primary email | email | user.email |
| Display name | displayName | user.displayName |
| Primary phone | primaryPhone | Attribute type - expression: (user.primaryPhone != null && user.primaryPhone != '') ? user.primaryPhone : '' |
| Primary phone type | primaryPhonetype | Attribute type - expression: (user.primaryPhone != null && user.primaryPhone != '') ? 'work' : '' |

Understanding Events for SCIM Provisioning

The Cato Management Application generates events whenever users and groups are blocked because they fail to meet the requirements of the Client Connectivity Policy.

Each hour, the Cato Management Application sends email alerts that summarize the SCIM provisioning actions (success or failure).

The following table explains the different events.

| Event Type | Action | Description |
|---|---|---|
| SCIM Provisioning | Success | The action to sync the users or groups to your account with the SCIM app succeeded. |
| SCIM Provisioning | Failure | The SCIM app failed to sync the IdP with your account. The event message explains the reason for the sync failure. |
| SCIM Provisioning | Disabled | A disabled user in the IdP was successfully synced and disabled in your Cato account. |
