Cato Networks Knowledge Base

Unifying SSO for VPN and Clientless SDP Users

Overview

As of March 2021, Cato offers Single Sign-On (SSO) support for these types of users:

  • Cato Management Application admins (configured in Access > Single Sign-On)
  • Clientless SDP users (configured in Access > Single Sign-On)
  • Client SDP (VPN) users (configured in Global Settings > VPN Settings > Single Sign-On)

To simplify and improve our support for SSO, we are unifying the SSO provider settings for VPN users into the Access > Single Sign-On window.

This article lists the different scenarios to help customers understand the process to migrate the SSO settings for Azure and Okta as the Identity Provider (IdP) for the account.


Okta Users

The following table lists each scenario according to the Okta IdP for Client and Clientless SDP, and actions required to ensure consistency of service. The SSO settings for Cato Management Application admins are the same as Clientless SDP users.

Columns: VPN SSO | Clientless SDP SSO | Actions Required and Comments

VPN SSO: Disabled | Clientless SDP SSO: Disabled

  • No action required
  • No impact on account

VPN SSO: Okta | Clientless SDP SSO: Okta

  • Verify that the same set of users are assigned to Groups in Okta for both the Client and Clientless SDP Cato apps.
  • See Okta Allowed Domains below
  • See Okta Group Settings below

VPN SSO: Okta | Clientless SDP SSO: Disabled

  • Please use the Cato application available in the Okta Integration Network (OIN) for your Client SDP users. Example guidelines of how to configure the Cato application within Okta can be found in this article.
  • Once configured, please contact Cato Support so that we can migrate your existing settings to the Access > Single Sign-On window within the Cato Management Application.
  • The VPN Settings > Single Sign-On window will be removed from your account during this change. All existing functionality will be preserved.
  • See Okta - Manually Migrating to Unified SSO below

Okta Allowed Domains

When you use Okta as the IdP for SSO, you set the domains that are allowed to log in to Cato in the VPN Settings > Single Sign-On window.

Cato will automatically migrate these settings to the Access > Single Sign-On window and combine the Allowed Domains for VPN and Access SSO.

Okta Group Settings

Until now, there have been different Cato apps in Okta for Client and Clientless SDP to provide SSO. If you have different groups for the Client (VPN) and the Clientless SDP app, the settings for the Clientless SDP app will take precedence after the migration.

Important: Before the migration, make sure that the groups in the Client (VPN) Cato app are the same as in the Clientless SDP Cato app. Otherwise, there may be authentication errors and possible security risks.

Okta - Manually Migrating to Unified SSO

For accounts that configured Okta as an IdP only for VPN SSO, we cannot automatically migrate the VPN SSO settings to the Access > Single Sign-On window. These accounts will continue to use the legacy VPN Settings > Single Sign-On window for the Okta settings.

The Allowed Domain settings are migrated to the Access > Single Sign-On window.

We recommend that you transfer all the VPN users to the Cato app that is available in the Okta marketplace. For more information, see Configuring Okta SSO for Your Account.

Then you can contact Support to remove the legacy VPN Settings > Single Sign-On window.

Azure Users

The following table lists each scenario according to the Azure IdP for Client and Clientless SDP, and actions required to ensure consistency of service. The SSO settings for Cato Management Application admins are the same as Clientless SDP users.

Columns: VPN SSO | Clientless SDP SSO | Actions Required and Comments

VPN SSO: Disabled | Clientless SDP SSO: Disabled

  • No action required
  • No impact on account

VPN SSO: Azure | Clientless SDP SSO: Azure

  • Verify that the same set of users are assigned to Groups in Azure for both the Client and Clientless SDP Cato apps.
  • See Azure Group Settings below
  • See Azure - End Users Authenticate to an SSO Window below

VPN SSO: Azure | Clientless SDP SSO: Disabled

  • No action required
  • See Migrating the VPN SSO Settings below

VPN SSO: Azure | Clientless SDP SSO: Azure (no consent for SDP SSO)

  • No action is required on your part unless you intend to configure Azure as the SSO provider for Clientless SDP before we announce the SSO Unification.
  • If this is required, verify that the same set of users are assigned to Groups in Azure for both the Client and Clientless SDP Cato apps.
  • See No Consent for Azure SDP below
  • See Migrating the VPN SSO Settings below

Azure Group Settings

Until now, there have been different Cato apps in Azure for Client and Clientless SDP to provide SSO. If you have different groups for the Client (VPN) and the Clientless SDP app, the settings for the Clientless SDP app will take precedence after the migration.

Important: Before the migration, make sure that the groups in the Client (VPN) Cato app are the same as in the Clientless SDP Cato app. Otherwise, there may be authentication errors and possible security risks.
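Because the Clientless SDP app's assignments win after migration, the practical pre-check for both the Okta and Azure group-settings sections above is to diff the user assignments of the two IdP apps before asking Support to migrate. The following script is an added illustration, not Cato's or either IdP's code; the assignment lists and Allowed Domains are constructed sample data standing in for what you would export from your Okta or Azure tenant, and the two effect categories are assumptions drawn from the warning above (lost access causes authentication errors, unintended access is the security risk).

```python
"""Pre-migration consistency check for unified SSO (constructed example).

Both IdP apps (Client/VPN and Clientless SDP) should have the same users
assigned, because the Clientless SDP app's settings take precedence after
migration.  Sample lists below are constructed, not exported from a real
Okta or Azure tenant.
"""

# Constructed sample data: user identifiers as each Cato app sees them.
VPN_APP_USERS = ["alice@example.com", "Bob@Example.com", "carol@example.com"]
CLIENTLESS_APP_USERS = ["alice@example.com", "bob@example.com", "dave@example.com"]

# Constructed sample Allowed Domains from the two legacy windows (Okta only).
VPN_ALLOWED_DOMAINS = ["example.com", "Corp.Example.com"]
ACCESS_ALLOWED_DOMAINS = ["example.com", "partner.example.org"]


def normalize(identifier: str) -> str:
    """Email/UPN matching in IdPs is case-insensitive; normalize before comparing."""
    return identifier.strip().lower()


def compare_assignments(vpn_users, clientless_users):
    """Classify mismatches by their likely effect once Clientless SDP settings win.

    lose_vpn_access: assigned to the VPN app only; expect SSO login failures.
    gain_vpn_access: assigned to the Clientless app only; may newly pass VPN SSO.
    """
    vpn = {normalize(u) for u in vpn_users}
    clientless = {normalize(u) for u in clientless_users}
    return {
        "lose_vpn_access": sorted(vpn - clientless),
        "gain_vpn_access": sorted(clientless - vpn),
    }


def merge_allowed_domains(vpn_domains, access_domains):
    """Union of Allowed Domains, mirroring how the migration combines both windows."""
    merged = {normalize(d) for d in vpn_domains} | {normalize(d) for d in access_domains}
    return sorted(merged)


def migration_is_safe(report) -> bool:
    """True only when no user would gain or lose VPN access as a side effect."""
    return not report["lose_vpn_access"] and not report["gain_vpn_access"]


if __name__ == "__main__":
    report = compare_assignments(VPN_APP_USERS, CLIENTLESS_APP_USERS)
    for key, users in report.items():
        print(f"{key}: {users or 'none'}")
    print("merged allowed domains:", merge_allowed_domains(VPN_ALLOWED_DOMAINS, ACCESS_ALLOWED_DOMAINS))
    print("safe to migrate:", migration_is_safe(report))
```

Any user in either mismatch list should be fixed in the IdP group assignments before the migration, not after.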


Azure - End Users Authenticate to an SSO Window

In addition, when attempting to either connect to the User Portal (MyVPN) or SDP client using Azure SSO, your users will be presented with an additional Azure authentication step. Users are now required to enter their Cato email address in a pop-up window, as shown below:

[Screenshot: Azure pop-up window prompting the user to enter their Cato email address]

Migrating the VPN SSO Settings

The migration process automatically copies the SSO settings for the IdP from the VPN Settings > Single Sign-On window to the Access > Single Sign-On window. No interaction is required on your part.

No Consent for Azure SDP

Some accounts selected Azure as the SSO provider in the Access window but never logged in to Azure to authorize access for Cato. In this scenario, the account impact is the same as if SDP SSO was disabled.
