Configuring ForgeRock SSO

This article explains how to configure ForgeRock as the only Single Sign-On (SSO) provider for users.

SSO relies on an encrypted token from Cato and your IdP to validate that the user is authenticated and allowed to connect to the network. For more details, see SSO Authentication for Users with Cato.

Overview

Configuring ForgeRock as your SSO provider simplifies authentication and enhances the user experience. With SSO configured for your account, users can log in to the Cato Client by authenticating with their SSO credentials and do not need a different set of dedicated credentials.

Configuring ForgeRock as an SSO Provider

Follow these steps to configure ForgeRock as an SSO provider:

  1. Add an OIDC Client in ForgeRock
  2. Enter the details of your ForgeRock host in the CMA

Step 1: Add an OIDC Client in ForgeRock

In the ForgeRock admin console, add an OIDC client.

This procedure refers to the ForgeRock console, which is subject to change.

To add Cato as a ForgeRock client:

  1. In ForgeRock, go to the Top Level Realm and under Applications > OAuth 2.0 > Clients, click Add Client.
  2. In the Core tab, enter the basic settings, including a Client secret. You will need the Client secret to integrate with Cato later.
  3. In the Redirect URIs field, enter the following Cato URIs:

    For user SSO in the Client:

    • https://sso.via.catonetworks.com/auth_results
    • https://sso.ias.catonetworks.com/auth_results
    • https://sso.proxy.catonetworks.com/auth_results
  4. In the Scopes and Default Scopes fields, enter email, openid, and profile.
  5. In the Advanced tab, under the Token Endpoint Authentication Method field, make sure client_secret_post is selected.
  6. Click Save to create the ForgeRock client.

Step 2: Configure ForgeRock as your SSO Provider

In the CMA, enter the details of the ForgeRock client you created in the previous step:

  • Well-known URL
  • Client ID
  • Client Secret

To configure ForgeRock as your SSO provider:

  1. In the CMA, from the navigation menu, click Access > Single Sign On.
  2. Click New.
  3. From the Identity Provider drop-down menu, select ForgeRock.
  4. Enter a Name to identify this integration.
  5. Enter your Well-known URL as follows:

    https://<AM_HOST>:<PORT>/<AM_DEPLOYMENT_URI>/oauth2/.well-known/openid-configuration?realm=<REALM_PATH>

  6. Enter the Client ID and Client Secret that were created in step 1.
  7. If you are configuring one Single Sign-On provider, enable the Default toggle.

    If you are configuring multiple Single Sign-On providers, see Configuring Multiple Identity Providers.

  8. Click Apply.
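Before pasting the Well-known URL, Client ID and Client Secret into the CMA, it is worth confirming that the ForgeRock client from Step 1 and the discovery document behind the Well-known URL from Step 2 actually advertise what the article requires. The following script is an added example written for this article; it is not Cato or ForgeRock code. It assembles the Well-known URL from the placeholders in Step 2, checks a discovery document for the openid/email/profile scopes and the client_secret_post token-endpoint method from Step 1, confirms every endpoint is served over HTTPS from the AM host, and verifies that the three Cato redirect URIs are registered exactly as listed (OIDC redirect matching is exact, so a trailing slash or http scheme counts as a mismatch). The host name, port, deployment URI, realm and the two discovery documents are constructed sample values, not taken from any real deployment.

```python
import json
from urllib.parse import urlsplit

# Cato redirect URIs listed in Step 1 of the article (user SSO in the Client).
CATO_REDIRECT_URIS = (
    "https://sso.via.catonetworks.com/auth_results",
    "https://sso.ias.catonetworks.com/auth_results",
    "https://sso.proxy.catonetworks.com/auth_results",
)
# Scopes and token-endpoint auth method the article tells you to set in ForgeRock.
REQUIRED_SCOPES = {"openid", "email", "profile"}
REQUIRED_AUTH_METHOD = "client_secret_post"
REQUIRED_ENDPOINTS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def well_known_url(am_host, port, deployment_uri, realm_path):
    """Assemble the Well-known URL in the shape Step 2 gives for the CMA."""
    return (f"https://{am_host}:{port}/{deployment_uri.strip('/')}"
            f"/oauth2/.well-known/openid-configuration?realm={realm_path}")


def check_discovery(doc, am_host):
    """Return a list of problems with a discovery document; an empty list means it is usable."""
    problems = []
    for key in REQUIRED_ENDPOINTS:
        value = doc.get(key)
        if not value:
            problems.append(f"missing {key}")
            continue
        parts = urlsplit(value)
        if parts.scheme != "https":
            problems.append(f"{key} is not https: {value}")
        if parts.hostname != am_host:
            problems.append(f"{key} host {parts.hostname!r} differs from AM host {am_host!r}")
    missing_scopes = REQUIRED_SCOPES - set(doc.get("scopes_supported", []))
    if missing_scopes:
        problems.append("scopes not advertised: " + ", ".join(sorted(missing_scopes)))
    if REQUIRED_AUTH_METHOD not in doc.get("token_endpoint_auth_methods_supported", []):
        problems.append(f"{REQUIRED_AUTH_METHOD} not in token_endpoint_auth_methods_supported")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow (response_type=code) not supported")
    return problems


def missing_redirect_uris(registered):
    """Redirect URI matching in OIDC is exact, so compare the registered strings as-is."""
    registered = set(registered)
    return [uri for uri in CATO_REDIRECT_URIS if uri not in registered]


# Constructed sample discovery document for a hypothetical AM host (not a real deployment).
SAMPLE_DISCOVERY = json.loads("""
{
  "issuer": "https://am.example.internal:8443/am/oauth2",
  "authorization_endpoint": "https://am.example.internal:8443/am/oauth2/authorize",
  "token_endpoint": "https://am.example.internal:8443/am/oauth2/access_token",
  "jwks_uri": "https://am.example.internal:8443/am/oauth2/connect/jwk_uri",
  "scopes_supported": ["openid", "profile", "email", "address"],
  "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post", "private_key_jwt"],
  "response_types_supported": ["code"]
}
""")

# Constructed variant with three defects: plain-http JWKS, no email scope, no client_secret_post.
WEAK_DISCOVERY = dict(SAMPLE_DISCOVERY)
WEAK_DISCOVERY["jwks_uri"] = "http://am.example.internal:8443/am/oauth2/connect/jwk_uri"
WEAK_DISCOVERY["scopes_supported"] = ["openid", "profile"]
WEAK_DISCOVERY["token_endpoint_auth_methods_supported"] = ["client_secret_basic"]

if __name__ == "__main__":
    # Placeholder values standing in for <AM_HOST>, <PORT>, <AM_DEPLOYMENT_URI>, <REALM_PATH>.
    print(well_known_url("am.example.internal", 8443, "am", "/alpha"))
    print("sample:", check_discovery(SAMPLE_DISCOVERY, "am.example.internal") or "OK")
    print("weak:", check_discovery(WEAK_DISCOVERY, "am.example.internal"))
    # A trailing slash on one URI and a missing proxy URI are both reported.
    print("missing redirects:", missing_redirect_uris([
        "https://sso.via.catonetworks.com/auth_results/",
        "https://sso.ias.catonetworks.com/auth_results",
    ]))
```

In practice you would fetch the discovery document from the Well-known URL you built (for example with `requests.get(url).json()`) and pass it to `check_discovery`, and paste the registered Redirect URIs from the ForgeRock client into `missing_redirect_uris`; an empty result from both is the condition under which the CMA entry in Step 2 will work with the client from Step 1.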
