This article explains how to configure PingOne as the Single Sign-On (SSO) provider for users.
SSO relies on an encrypted token from Cato and your IdP to validate that the user is authenticated and allowed to connect to the network. For more details, see SSO Authentication for Users with Cato.
Note
Note: Please contact feature-releases@catonetworks.com for more information about enabling and using this feature.
Configuring PingOne as the SSO provider simplifies authentication and enhances user experience. When you enable SSO for the account, users can log in to the Client by authenticating with their SSO credentials and do not need a different set of dedicated credentials.
Follow these steps to configure PingOne as an SSO Provider:
- Create an OIDC application in the PingOne console
- Configure the details in the Cato Management Application (CMA)
- Configure how PingOne is used in your account
In the PingOne console, create an application and identify the following values to enter into the CMA:
- OIDC Discovery Endpoint
- Client ID
- Client Secret
To create an application:
- Sign in to your PingOne console.
- In the environment you want use, navigate to Applications > Applications.
- Click on the + symbol to create a new application.
- Choose an Application Name and under Application Type choose OIDC Web App, and click Save.
- Click on the Application you created, on the Configuration tab, click the pencil icon.
-
Configure the following:
- Response Type: Check Code.
- Grant Type: Check Authorization Code and in the PKCE Enforcement drop-down, select Optional.
-
Add the following Redirect URIs:
- https://auth.catonetworks.com/oauth2/broker/code/pingone
- https://auth.us1.catonetworks.com/oauth2/broker/code/pingone
- https://auth.in1.catonetworks.com/oauth2/broker/code/pingone
- https://auth.jp1.catonetworks.com/oauth2/broker/code/pingone
- https://auth.catonetworks.com/endsession/
- https://auth.us1.catonetworks.com/endsession/
- https://auth.in1.catonetworks.com/endsession/
- https://auth.jp1.catonetworks.com/endsession/
- https://sso.proxy.catonetworks.com/auth_results
- https://sso.via.catonetworks.com/auth_results
- https://sso.ias.catonetworks.com/auth_results
- Click Save.
- Navigate to the Attribute Mappings tab and click the pencil icon.
-
Click Add and add an Email attribute with the PingOne Mapping Email Address.
- Click Save.
- On the Overview tab, copy and save the OIDC Discovery Endpoint URL so it can be entered into the CMA.
- On the Configuration tab, copy and save the Client ID and Client Secret so they can be entered into the CMA.
In the CMA, enter the details for the PingOne application you created in the previous step:
- OIDC Discovery Endpoint is the Well-Known URL
- Client ID
- Client secret
To configure PingOne as an SSO provider:
- In the CMA, from the navigation menu, click Access > Single Sign On.
- Click New.
- From the Identity Provider drop-down menu, select Ping One.
- Enter a Name to identify this integration.
- (Optional) To configure PingOne as your default SSO provider, enable the Default toggle. If you are configuring multiple Single Sign-On providers, see Configuring Multiple Identity Providers.
- Enter the Well-Known URL and Client ID you created in Step 1.
- Click Edit Client Secret and enter the value you created in Step 1.
- Click Apply.
You can choose to allow users, Cato Management Application admins, or both to authenticate with SSO using PingOne.
You can also configure how long the Cato authentication token is valid for. The Token validity settings define in Days or Hours the amount of time that users remain authenticated. Users that are logged in must re-authenticate when the duration you define in Days or Hours (since they last logged in) has been reached.
The Always Prompt options means that users must always authenticate to the Client.
0 comments
Article is closed for comments.