When implementing Azure Conditional Access for the Cato Portal application to restrict Single Sign-On (SSO), the Cato Client shows the error message "You cannot access this right now" due to the Conditional Access policy not meeting the configured requirements.
- Azure SSO is configured as the authentication method in CMA.
- Azure Conditional Access applies to restrict source IP addresses (location) or the Cato Portal application.
- Both embedded or external browsers.
These steps can be followed to troubleshoot SSO issues related to Azure Conditional Access:
- Understand the SSO Process Flows for Initial Authentication for SSO authentication:
- During the initial Cato Client connection, SSO authentication occurs directly between the Client and the IdP outside the tunnel. Azure will see the Client's ISP IP address in the authentication request.
- In cases where Always-On is enabled for the user or when SSO re-authentication takes place after the Cato token expires, SSO authentication between the Client and the IdP occurs inside the tunnel via the PoP. Azure will see the Cato PoP IP address in the authentication request.
- Access Azure Sign-in logs under Conditional Access to analyze Failure events. The logs will include the client's source IP address for each authentication attempt. Use the 'show details' option under the Conditional Access tab for further insights into the failure.
- Verify the Conditional Access Policy configuration, including the Cato Portal application and the Cato PoP IP range as excluded items. You may want to verify that the Policy is correctly configured and that it allows the correct source IP addresses and application for SSO authentication to be successful.
- It may be possible that the Cato Portal application isn't detected correctly by the Conditional Access policy due to permission restrictions with Microsoft Azure. If that is the case, you will see a successful authentication followed by a failure as shown below.
If the Conditional Access Policy includes location (user's source IP address), define the IP address or IP range based on the Always-On configuration of the user:
- Users with Always-On disabled (on-demand) will use the client's ISP IP address during authentication and the PoP's IP address for re-authentication.
- Users with Always-On enabled will use the PoP's IP address in both authentication and re-authentication requests. The initial authentication (after Cato install) can also be forced to use the Cato tunnel by enabling the InitialAlwaysOn registry key as explained in Installing Windows Clients and Always-On.
If the Conditional Access Policy includes a block-all policy excluding the Cato Portal application, go to the Cato Portal application permission settings in Azure and click Grant admin consent which will add the necessary permissions to the application to allow Conditional Access policy matching.