You can configure multiple identity providers (IdPs) to provision and authenticate users with SSO in your account. This article explains how to configure more than one IdP in your account.
If your organization manages users across multiple IdPs, they can all be integrated with Cato so that you do not need to combine your users into a single tenant. You can provision users from multiple IdPs (or multiple tenants from the same IdP), configure multiple SSO providers and then map which users authenticate with each provider.
When a user signs into the Cato Client, or Browser Access, they are only presented with the SSO provider configured for them.
Company ABC uses Microsoft Azure as its IdP and has merged with company XYZ which uses Okta as its IdP. Both companies use Cato as their remote access solution. Instead of migrating all users from one IdP to another, the company starts to provision users from both Azure and Okta and configures them both as SSO authentication methods for remote users. Configuring multiple IdPs ensures all users can authenticate in the Cato Client without migrating any data.
Follow these steps to configure multiple IdPs:
- Configure multiple SCIM directories
- Configure multiple SSO providers for your account
- Map directories to an SSO provider
On the Access > Directory Services page, click New to add more than one SCIM directory to provision users from multiple sources. For more information on how to provision users with SCIM, see SCIM User Provisioning. The UPN and Object ID must be unique across all SCIM Directory Services.
You can add more than one identity provider to your account. The provider designated as the Default is the one admins use to sign in to the Cato Management Application (CMA). Multiple SSO providers are not supported for admin sign-in to the CMA.
To add multiple SSO providers to your account:
- From the navigation menu, select Access > Single Sign-On.
- Click New. The Add Authentication Method panel opens.
- Select the identity provider you want to add and enter a name.
- (Optional) To make this identity provider the default provider for your account, enable the Default toggle.
- Add the Authentication Details of the identity provider. Each provider has different configuration requirements. For more information, see the configuration article for your identity provider.
  Note: If your identity provider is Azure, click Apply and then click Save. Then edit the saved entry so that the Setup Microsoft Consent link is enabled.
- Select Allow login with Single Sign-On for one or more types of users in your account:
  - SDP Client users (set the Token validity settings)
  - Clientless SDP users (set the Cookie type)
  - Cato Management Application admins
- Click Apply and then click Save.
On the User Authentication page, you can define the default authentication method for your users. If you select SSO, by default the All Directory Services option is selected. With this configuration, all users authenticate with the default SSO provider. You can change this configuration and map which directory should use each SSO provider.
On the Additional Settings tab you can configure the browser (embedded or external) that is used for authenticating in the Client and the Re-authentication prompt. For more information, see Configuring the Authentication Policy for Cato Clients.
To map directories to an SSO provider:
- From the navigation menu, select Access > User Authentication.
- Click the Default Method dropdown and select SSO.
- Choose Selected Directory Services.
- Click New. The New Directory Service SSO Provider panel opens.
- Click the Directory Services dropdown and choose the provisioning method of the users you want to map.
- Click the Single Sign On Provider dropdown and choose the provider to be used.
- Click Apply and then click Save.
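As an added example that is not part of this article or of Cato's software, the following Python models the two rules described above: the requirement that the UPN and Object ID be unique across all SCIM directories, and the directory-to-SSO-provider mapping with its fallback to the default provider when All Directory Services is selected. The directory names, user records and provider names are constructed samples, and the lookup order (find the user's directory, then its mapped provider) is an assumption about the behaviour, not a documented algorithm.

```python
# Added example, not Cato's own code. Models the settings described in the article:
# several SCIM directories, a directory -> SSO provider map, and a default provider.
from typing import Dict, List, Optional

# Constructed SCIM-style records per directory (userName = UPN, externalId = Object ID).
DIRECTORIES: Dict[str, List[dict]] = {
    "Azure-ABC": [
        {"userName": "alice@abc.example", "externalId": "11111111-aaaa"},
        {"userName": "bob@abc.example", "externalId": "22222222-bbbb"},
    ],
    "Okta-XYZ": [
        {"userName": "carol@xyz.example", "externalId": "33333333-cccc"},
        {"userName": "bob@abc.example", "externalId": "44444444-dddd"},  # UPN collides with Azure-ABC
    ],
}

# Mapping configured under Selected Directory Services. None models the
# All Directory Services option, where every directory uses the default provider.
SSO_MAP: Optional[Dict[str, str]] = {"Azure-ABC": "Azure SSO", "Okta-XYZ": "Okta SSO"}
DEFAULT_PROVIDER = "Azure SSO"


def find_conflicts(directories: Dict[str, List[dict]]) -> List[str]:
    """Report every UPN or Object ID that appears in more than one directory.
    Run this before provisioning: Cato requires both values to be unique across
    all SCIM Directory Services. UPNs are compared case-insensitively (assumption)."""
    seen: Dict[tuple, str] = {}  # (field, value) -> directory that first used it
    conflicts: List[str] = []
    for name, users in directories.items():
        for user in users:
            for field in ("userName", "externalId"):
                value = user[field].lower() if field == "userName" else user[field]
                key = (field, value)
                if key in seen and seen[key] != name:
                    conflicts.append(f"{field} {user[field]!r} in both {seen[key]} and {name}")
                seen.setdefault(key, name)
    return conflicts


def provider_for(email: str, directories: Dict[str, List[dict]],
                 sso_map: Optional[Dict[str, str]], default: str) -> Optional[str]:
    """Model of the sign-in flow: locate the directory that provisioned the user,
    then return the SSO provider mapped to it (or the default provider)."""
    for name, users in directories.items():
        if any(u["userName"].lower() == email.lower() for u in users):
            if sso_map is None:
                return default
            return sso_map.get(name, default)
    return None  # user is not provisioned from any directory: no sign-in page to show
```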
You can disable an identity provider that is no longer needed in your account. After the identity provider is disabled, it cannot be used by users to sign into the Cato Client.
There is no impact on users if multiple identity providers are configured for your account. After a user enters their email address to sign in, the Client displays the sign-in page of the SSO provider mapped to the user.