This article explains how to use LDAP to import and sync OneLogin users and configure OneLogin as an SSO provider for Cato users.
This is a high-level overview of the process to configure and integrate OneLogin with your Cato account. After you configure OneLogin to synchronize users with Cato, you can also configure OneLogin as an SSO provider for users.
- In OneLogin, configure the virtual LDAP settings.
- In the Cato Management Application, add the OneLogin domain to your account.
- Add the OneLogin domain controller to the domain.
- In OneLogin, create an OpenID Connect application that allows Cato to use OneLogin to authenticate users.
- Import the groups (OneLogin roles) to your account.
- Select OneLogin as the SSO provider for users.
Note: To use OneLogin as an SSO provider, you must first configure LDAP sync between OneLogin and Cato, and the VLDAP service must be enabled on your OneLogin account.
To enable SSO and LDAP sync for OneLogin and your Cato account, use the Authentication window in OneLogin to enable virtual LDAP and to disable multi-factor authentication (MFA). This window also shows the Virtual DN that you use for the Login DN settings of the domain in the Cato Management Application. Because Cato then authenticates to OneLogin with the admin account's password alone, treat that account as a service credential: give it a strong, unique password, don't reuse it for interactive logins, and rotate it when administrators change.
VPN SSO requires that the OneLogin VLDAP service is enabled. If you are only using OneLogin for LDAP sync, you don't need to enable VLDAP.
Due to a OneLogin limitation, each LDAP sync returns at most 500 users. For accounts with more than 500 users, run the LDAP sync repeatedly until all users are imported.
To configure the virtual LDAP settings in OneLogin:
- In OneLogin, from the menu bar, select Authentication > VLDAP.
- For accounts that are using SSO, make sure that Enable VLDAP Service is enabled.
- Clear Multi-factor authentication to disable MFA for your OneLogin account.
- In Virtual distinguished name, copy the Virtual DN. You will enter it in Adding a New Domain for OneLogin (below).
- Click Save. The virtual LDAP settings are configured.
Add your OneLogin account to the Cato Management Application as a new domain in Directory Services. Then define the domain controller for this domain.
Use the Directory Services window to add a new domain to your account. Then configure the OneLogin LDAP settings for the domain.
To add a new OneLogin domain to Directory Services:
- From the navigation menu, click Access > Directory Services.
- In the LDAP section or tab, click New. The New Directory Service panel opens.
- Enter the Name of the domain in the LDAP server.
- Configure the OneLogin authentication settings in the LDAP Authentication Connection section:
  - In Login DN, paste the Virtual DN that you copied above in Configuring the Virtual LDAP Settings, then change the cn value to the email address of your OneLogin admin account.
  - In Base DN, paste the Virtual DN and delete the cn and ou components, so that only the dc components remain. For example:
    - Login DN: cn=admin@samplenetworks.com,ou=users,dc=sample-networks,dc=onelogin,dc=com
    - Base DN: dc=sample-networks,dc=onelogin,dc=com
  - Enter the admin Password for your OneLogin account.
  - Enable Use SSL.
- Click Save. The OneLogin domain is added to the Cato Management Application.
- Click Test Connection to make sure that Cato can connect to your OneLogin account.
After you configure and save the OneLogin domain, configure the settings for the domain controller. Use the LDAP host for the region of your OneLogin account:
- US: ldap.us.onelogin.com
- Europe: ldap.eu.onelogin.com
For more about the OneLogin host settings, see the OneLogin documentation.
To configure the domain controller:
- In the LDAP section or tab, edit the domain for your OneLogin account.
- From the Edit Directory Service navigation menu, select Domain Controllers.
- From the drop-down window, select IP or Host.
- Enter the OneLogin host for the US or for Europe and click Add. Because Use SSL is enabled for the domain, Cato connects to the host over LDAPS on port 636.
- Click Save and Close. The domain controller is added to the OneLogin domain.
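The Login DN / Base DN rules above and the Test Connection check against the regional host on port 636 can both be verified outside the Cato UI. The following is an added example, not code from Cato Networks or OneLogin: it derives the Login DN and Base DN from a Virtual DN exactly as the steps describe, then performs an LDAP simple bind over a certificate-verified LDAPS session to the regional host and reports the RFC 4511 result code (0 is success, 49 is invalidCredentials). The Virtual DN and admin address in it are constructed samples; it assumes that OneLogin's VLDAP accepts a simple bind from that Login DN, which is what Cato itself does.

```python
"""Derive the Cato Login DN / Base DN from a OneLogin Virtual DN, then verify them
with an LDAP simple bind over LDAPS (port 636) to the regional OneLogin host, the
same check Cato's Test Connection performs. Standard library only; the BER code
covers just the RFC 4511 BindRequest/BindResponse, not a general LDAP client.
Usage: python onelogin_ldap_check.py [us|eu]
"""
import getpass
import socket
import ssl
import sys

# Regional hosts from the article. The Virtual DN and admin address in __main__
# are constructed sample values, not real accounts.
ONELOGIN_HOSTS = {"us": "ldap.us.onelogin.com", "eu": "ldap.eu.onelogin.com"}
LDAPS_PORT = 636


def split_rdns(dn):
    """Split a DN on commas that are not backslash-escaped (RFC 4514)."""
    rdns, cur, escaped = [], "", False
    for ch in dn:
        if ch == "," and not escaped:
            rdns.append(cur.strip())
            cur = ""
        else:
            cur += ch
            escaped = ch == "\\" and not escaped
    rdns.append(cur.strip())
    return [r for r in rdns if r]

def derive_dns(virtual_dn, admin_email):
    """Login DN: Virtual DN with the cn value replaced by the admin's email.
    Base DN: Virtual DN with the cn and ou components removed (dc only)."""
    login, base = [], []
    for rdn in split_rdns(virtual_dn):
        attr = rdn.partition("=")[0].strip().lower()
        login.append("cn=" + admin_email if attr == "cn" else rdn)
        if attr not in ("cn", "ou"):
            base.append(rdn)
    if not base or not all(r.lower().startswith("dc=") for r in base):
        raise ValueError("unexpected Virtual DN layout: " + virtual_dn)
    return ",".join(login), ",".join(base)

def _ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _ber_len(len(body)) + body

def build_bind_request(login_dn, password, message_id=1):
    """LDAPMessage { messageID (< 128), BindRequest { version 3, name, simple pw } }."""
    bind = _tlv(0x60, _tlv(0x02, b"\x03")                      # [APPLICATION 0], version 3
                + _tlv(0x04, login_dn.encode("utf-8"))         # name (LDAPDN)
                + _tlv(0x80, password.encode("utf-8")))        # simple [0] authentication
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + bind)

def _read_tlv(buf, pos):
    """Return (tag, value, position after the element) for the TLV at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                          # long-form length
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def parse_bind_response(data):
    """Return (resultCode, diagnosticMessage): 0 is success, 49 is invalidCredentials."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _msg_id, pos = _read_tlv(msg, 0)
    tag, resp, _ = _read_tlv(msg, pos)
    if tag != 0x61:                                            # [APPLICATION 1] BindResponse
        raise ValueError("expected BindResponse, got tag 0x%02x" % tag)
    _, code, pos = _read_tlv(resp, 0)                          # resultCode (ENUMERATED)
    _, _matched_dn, pos = _read_tlv(resp, pos)
    _, diag, _ = _read_tlv(resp, pos)
    return int.from_bytes(code, "big"), diag.decode("utf-8", "replace")

def check_bind(region, login_dn, password, timeout=10):
    """Bind over a verified TLS session on port 636. Certificate and hostname checks
    stay on: a bind that only works with them off is a red flag, not a pass."""
    host = ONELOGIN_HOSTS[region]
    ctx = ssl.create_default_context()
    with socket.create_connection((host, LDAPS_PORT), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(build_bind_request(login_dn, password))
            return parse_bind_response(tls.recv(4096))   # bind responses are small

if __name__ == "__main__":
    virtual_dn = "cn=admin,ou=users,dc=sample-networks,dc=onelogin,dc=com"   # constructed
    login_dn, base_dn = derive_dns(virtual_dn, "admin@samplenetworks.com")   # constructed
    print("Login DN:", login_dn)
    print("Base DN: ", base_dn)
    if len(sys.argv) > 1:
        code, diag = check_bind(sys.argv[1], login_dn, getpass.getpass("OneLogin admin password: "))
        print("bind resultCode:", code, diag)
```

Without an argument the script only prints the derived DNs; with `us` or `eu` it prompts for the admin password and performs the bind. A result code of 49 with the DNs confirmed correct points at the password or a VLDAP setting, and a TLS failure should be investigated rather than bypassed.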
Create a new app in OneLogin that allows Cato to use OneLogin to authenticate SDP users, then configure it to connect to Cato.
Note: There is a legacy Cato Networks app in the OneLogin marketplace that currently isn't supported. We recommend that you don't use this app.
Create a new OpenID Connect application in OneLogin.
Configure the OneLogin app to support SSO for the SDP users. Cato performs LDAP sync with OneLogin according to OneLogin roles, not OneLogin groups, so assign the app to the roles whose members should sign in through it.
For new SDP users with Windows Client v5.1 and higher, there are additional Redirect URIs to configure for the OneLogin app. These URIs aren't required for earlier versions, or for existing users that are upgrading to Windows Client v5.1 or higher.
To configure the app to connect to Cato:
- From the left-hand navigation menu, select Configuration.
- In Redirect URI's, enter these URIs exactly as shown:
  - https://sso.catonetworks.com/login
  - https://sso.via.catonetworks.com/auth_results
  - https://auth.catonetworks.com/oauth2/broker/code/onelogin
  - For new SDP users with Windows Client v5.1 and higher, also add:
    - https://sso.ias.catonetworks.com/auth_results
    - https://169.254.255.254/auth_results
- From the left-hand navigation menu, select SSO, and configure these SSO settings:
  - Set the Application Type to Web.
  - Set the Authentication Method to POST.
  - Copy the Client ID and the Client Secret. You paste these values into the Cato Management Application in Configuring OneLogin as the SSO Provider for SDP Users (below). Treat the Client Secret as a credential: keep it in the Cato configuration and your secrets store, not in tickets or chat.
- Click Save.
- Add the application to the relevant OneLogin users and roles.
- Perform the initial LDAP sync. In the Cato Management Application, in the Directory Services screen, click Sync Now.
In the Cato Management Application, you can configure OneLogin as the global SSO provider for SDP users in your account.
To configure OneLogin as the SSO provider:
- From the navigation menu, select Access > Single Sign-On.
- Click New.
- From the Identity Provider drop-down menu, select OneLogin.
- Enter a Name.
- Enter the settings that you copied from the SSO page of the OneLogin app, including the Client ID and the Client Secret.
- If you are configuring one Single Sign-On provider, enable the Default toggle. If you are configuring multiple Single Sign-On providers, see Configuring Multiple Identity Providers.
- Click Apply.
- Select Allow login with Single Sign-On for one or more types of users in your account:
  - SDP Client users (set the Token validity settings)
  - Clientless SDP users (set the Cookie type)
  - Cato Management Application admins
- Click Save. OneLogin is configured as the SSO provider for SDP users in your account.