Configuring KeyCloak SSO for CMA Admins

This article explains how to configure KeyCloak as the Single Sign-On (SSO) provider for Cato Management Application (CMA) admins.

With SSO, Cato validates a token issued by your IdP to confirm that the user is authenticated and authorized before granting access. For more details, see SSO Authentication for Users with Cato.

Overview

Configuring KeyCloak as the SSO provider centralizes authentication for CMA admins in your IdP, so the authentication policy you enforce in KeyCloak also applies to CMA logins. When you enable SSO for the account, admins can only log in to the CMA with their KeyCloak credentials.

Make sure that the email address of each CMA admin is identical to the email address of the corresponding user in KeyCloak; Cato uses the email address to match the KeyCloak user to the CMA admin.

This integration applies to CMA admin login only. It is not supported for remote access with the Cato Client.

Configuring KeyCloak as an SSO Provider

Follow these steps to configure KeyCloak as an SSO provider:

  1. Add Cato as a KeyCloak client in your KeyCloak admin console

  2. Enter the details of your KeyCloak Host in the CMA

Step 1: Add Cato as a KeyCloak Client

In the KeyCloak admin console, add Cato as a Client.

This procedure refers to the KeyCloak admin console, which is subject to change. For the latest KeyCloak documentation, see Managing Resource Servers.

To add Cato as a KeyCloak client:

  1. In KeyCloak, go to Clients > Create Client.

  2. In the General settings tab, enter the basic settings, including the Client ID. Note the Client ID; you enter it in the CMA in Step 2.

    keycloak_general.png
  3. In the Capability config tab, make sure Client authentication is enabled. This makes the client a confidential client, so KeyCloak issues a client secret for it. Leave Standard flow (the authorization code flow) enabled, which is the default.

    keycloak_capability_config.png
  4. In the Login settings tab, enter the following URIs in the Valid redirect URIs field, each exactly as shown (the two endsession entries end with a trailing wildcard, which is the only wildcard position KeyCloak accepts in a redirect URI):

    • https://sso.via.catonetworks.com/auth_results

    • https://sso.ias.catonetworks.com/auth_results

    • https://169.254.255.254/auth_results

    • https://auth.catonetworks.com/oauth2/broker/code/keycloak

    • https://auth.us1.catonetworks.com/oauth2/broker/code/keycloak

    • https://auth.catonetworks.com/endsession/*

    • https://auth.us1.catonetworks.com/endsession/*

    keyCloak_login_settings.png

  5. Click Save to create the client.

  6. Go to Clients and click the client you just created.

  7. Go to the Credentials tab and copy the Client Secret. You enter it in the CMA in Step 2.

    keycloak_client_secret.png

Step 2: Configure KeyCloak as your SSO Provider

In the Cato Management Application, enter the unique details for your KeyCloak realm. The KeyCloak URL is the host (including the port, if it is not the default) and the path up to and including the realm name, with the protocol prefix (https://) removed.

For example, if the URL you use to get to KeyCloak is https://keycloak.example.com/realms/myRealm/.well-known/openid-configuration, you would enter keycloak.example.com/realms/myRealm as your KeyCloak URL below. If your KeyCloak deployment still uses the older /auth context path, include it, for example keycloak.example.com/auth/realms/myRealm. To confirm the value, open https://<KeyCloak URL>/.well-known/openid-configuration in a browser; it should return the realm's OpenID Connect discovery document.

keycloak_cma_config.png

To configure KeyCloak as your SSO provider:

  1. In the Cato Management Application, from the Navigation menu, click Access > Single Sign On.

  2. Click New.

  3. From the Identity Provider drop-down menu, select KeyCloak.

  4. Enter a Name to identify this integration.

  5. Enter your KeyCloak URL without the protocol prefix and only up to the realm name, as described above.

  6. Enter the Client ID and Client Secret of the client you created in Step 1.

  7. Enable the Default toggle to use KeyCloak as the SSO provider for CMA admins.

  8. Click Apply.
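As an added pre-flight check for both steps (example code written for this article, not Cato's or KeyCloak's own tooling), the following Python script derives the KeyCloak URL value for Step 2 from any URL in the realm, and compares a KeyCloak client export against the Step 1 requirements. It assumes the export is the ClientRepresentation JSON that the admin console produces for a client (Action > Export), in which the publicClient, standardFlowEnabled and redirectUris fields correspond to the Client authentication switch, the Standard flow switch and the Valid redirect URIs field. The sample export embedded in the script is constructed, with one redirect URI deliberately mistyped.

```python
"""Pre-flight check for the Cato <-> KeyCloak SSO settings described above.

Constructed example, not Cato or KeyCloak code. It works on a KeyCloak
client export (ClientRepresentation JSON) and on a realm URL, so it runs
offline.
"""
import json
from urllib.parse import urlparse

# Redirect URIs Cato requires on the KeyCloak client (from Step 1).
REQUIRED_REDIRECT_URIS = [
    "https://sso.via.catonetworks.com/auth_results",
    "https://sso.ias.catonetworks.com/auth_results",
    "https://169.254.255.254/auth_results",
    "https://auth.catonetworks.com/oauth2/broker/code/keycloak",
    "https://auth.us1.catonetworks.com/oauth2/broker/code/keycloak",
    "https://auth.catonetworks.com/endsession/*",
    "https://auth.us1.catonetworks.com/endsession/*",
]


def cma_keycloak_url(url: str) -> str:
    """Reduce any URL from the realm (issuer, discovery document, account
    console) to the value the CMA expects in Step 2: host and path up to
    and including the realm name, without the scheme.

    Handles both the current /realms/<realm> layout and the legacy
    /auth/realms/<realm> layout of older KeyCloak distributions.
    """
    parts = urlparse(url if "://" in url else "https://" + url)
    segments = [s for s in parts.path.split("/") if s]
    if "realms" not in segments:
        raise ValueError(f"no /realms/<realm> segment in {url!r}")
    i = segments.index("realms")
    if len(segments) <= i + 1:
        raise ValueError(f"realm name missing in {url!r}")
    return parts.netloc + "/" + "/".join(segments[: i + 2])


def check_client(client: dict) -> list:
    """Return the problems found in a KeyCloak ClientRepresentation;
    an empty list means the client matches Step 1."""
    problems = []
    if client.get("publicClient", False):
        # Client authentication switched off == publicClient: true in the
        # export; no client secret is issued, so Step 2 cannot be completed.
        problems.append("Client authentication is disabled (publicClient=true)")
    if not client.get("standardFlowEnabled", True):
        # The /oauth2/broker/code/ redirect URIs are authorization-code
        # callbacks, so the standard flow must stay enabled.
        problems.append("Standard flow is disabled")
    configured = set(client.get("redirectUris", []))
    for uri in REQUIRED_REDIRECT_URIS:
        if uri not in configured:  # exact match, including the trailing *
            problems.append(f"missing redirect URI: {uri}")
    return problems


# Constructed sample export, shaped like a KeyCloak client export. The last
# endsession entry is deliberately missing its trailing wildcard.
SAMPLE_EXPORT = json.loads("""
{
  "clientId": "cato-cma",
  "publicClient": false,
  "standardFlowEnabled": true,
  "redirectUris": [
    "https://sso.via.catonetworks.com/auth_results",
    "https://sso.ias.catonetworks.com/auth_results",
    "https://169.254.255.254/auth_results",
    "https://auth.catonetworks.com/oauth2/broker/code/keycloak",
    "https://auth.us1.catonetworks.com/oauth2/broker/code/keycloak",
    "https://auth.catonetworks.com/endsession/*",
    "https://auth.us1.catonetworks.com/endsession"
  ]
}
""")

if __name__ == "__main__":
    discovery = "https://keycloak.example.com/realms/myRealm/.well-known/openid-configuration"
    print("KeyCloak URL for the CMA:", cma_keycloak_url(discovery))
    for problem in check_client(SAMPLE_EXPORT) or ["client matches Step 1"]:
        print(problem)
```

Run it against your own export by replacing SAMPLE_EXPORT with the contents of the exported JSON file; any line it prints other than "client matches Step 1" is a setting to correct in the KeyCloak admin console before you enable the Default toggle in the CMA.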
