This article explains how to configure DTS Identity as the Single Sign-On (SSO) provider for users.
SSO relies on an encrypted token from Cato and your IdP to validate that the user is authenticated and allowed to connect to the network. For more details, see SSO Authentication for Users with Cato.
Configuring DTS Identity as the SSO provider simplifies authentication and enhances user experience. When you enable SSO for the account, users can log in to the Client by authenticating with their SSO credentials and do not need a different set of dedicated credentials.
Follow these steps to configure DTS Identity as an SSO Provider:
- Create an OIDC application in the DTS Identity console
- Configure the details in the Cato Management Application (CMA)
- Configure how DTS Identity is used in your account
In the DTS Identity console, create an application and identify the following values to enter into the CMA:
- OIDC config
- Client ID
- Client Secret
Note: Only users assigned to the application in the DTS Identity console can authenticate with SSO.
To create an application:
- In the DTS Admin Console, navigate to Applications.
- Click Create Custom App.
- Add an Application name and choose Web Application.
- Click Create Application.
- On the OIDC / OAuth tab, in the Client credentials section, set the Token endpoint auth method to Client Secret (Post).
- In the Login section, add these URIs to the Sign-in redirect URIs field:
- https://auth.catonetworks.com/oauth2/broker/code/dts
- https://auth.us1.catonetworks.com/oauth2/broker/code/dts
- https://auth.in1.catonetworks.com/oauth2/broker/code/dts
- https://auth.jp1.catonetworks.com/oauth2/broker/code/dts
- https://auth.catonetworks.com/endsession/
- https://auth.us1.catonetworks.com/endsession/
- https://auth.in1.catonetworks.com/endsession/
- https://auth.jp1.catonetworks.com/endsession/
- https://sso.proxy.catonetworks.com/auth_results
- https://sso.via.catonetworks.com/auth_results
- https://sso.ias.catonetworks.com/auth_results
- Copy and save the Client ID, Client Secret, and OIDC config so they can be entered into the CMA.
- Click Save changes.
In the CMA, enter the details for the DTS application you created in the previous step:
- OIDC config is the Well-Known URL
- Client ID
- Client Secret
To configure DTS as an SSO provider:
- In the CMA, from the navigation menu, click Access > Single Sign On.
- Click New.
- Enter a Name to identify this integration.
- (Optional) To configure DTS as your default SSO provider, enable the Default toggle. If you are configuring multiple Single Sign-On providers, see Configuring Multiple Identity Providers.
- Enter the Well-Known URL and Client ID you created in Step 1.
- Click Edit Client Secret and enter the value you created in Step 1.
- Click Apply.
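Before clicking Apply, it is worth confirming that the Well-Known URL really serves a usable OIDC discovery document and that every Cato redirect URI made it onto the DTS application: a missing regional or /endsession/ URI only shows up later as a failed login or sign-out for some users. The following pre-flight check is an added example, not code from Cato Networks or DTS. The tenant hostname tenant.dts.example and the discovery JSON are constructed samples; against a real tenant you would fetch the JSON from the Well-Known URL shown in the DTS console. The assumption that the 'code' response type is required is drawn from the /oauth2/broker/code/ redirect path.

```python
"""Pre-flight check for a DTS Identity OIDC app before it is entered in the CMA.

Added example, not code from Cato Networks or DTS. It checks two things the
procedure above relies on:
  1. the OIDC discovery document behind the Well-Known URL advertises https
     endpoints, the 'code' response type, the 'openid' scope, and
     client_secret_post as a token endpoint auth method (matching the
     Client Secret (Post) setting chosen in the DTS console);
  2. the Sign-in redirect URIs registered on the DTS app cover every Cato
     URI listed in the article, so no region or sign-out flow is missed.
The issuer hostname and discovery document below are constructed samples.
"""
import json
from urllib.parse import urlparse

# Redirect URIs the article requires on the DTS application (verbatim).
REQUIRED_REDIRECT_URIS = frozenset({
    "https://auth.catonetworks.com/oauth2/broker/code/dts",
    "https://auth.us1.catonetworks.com/oauth2/broker/code/dts",
    "https://auth.in1.catonetworks.com/oauth2/broker/code/dts",
    "https://auth.jp1.catonetworks.com/oauth2/broker/code/dts",
    "https://auth.catonetworks.com/endsession/",
    "https://auth.us1.catonetworks.com/endsession/",
    "https://auth.in1.catonetworks.com/endsession/",
    "https://auth.jp1.catonetworks.com/endsession/",
    "https://sso.proxy.catonetworks.com/auth_results",
    "https://sso.via.catonetworks.com/auth_results",
    "https://sso.ias.catonetworks.com/auth_results",
})

# Hypothetical tenant; the real Well-Known URL comes from the DTS console.
WELL_KNOWN_URL = "https://tenant.dts.example/.well-known/openid-configuration"

# Constructed sample of what the Well-Known URL would return.
SAMPLE_DISCOVERY_JSON = """{
  "issuer": "https://tenant.dts.example",
  "authorization_endpoint": "https://tenant.dts.example/oauth2/authorize",
  "token_endpoint": "https://tenant.dts.example/oauth2/token",
  "jwks_uri": "https://tenant.dts.example/oauth2/keys",
  "end_session_endpoint": "https://tenant.dts.example/oauth2/logout",
  "response_types_supported": ["code", "id_token", "code id_token"],
  "scopes_supported": ["openid", "profile", "email"],
  "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"]
}"""


def load_discovery(text):
    """Parse the JSON body served at the Well-Known URL into a dict."""
    return json.loads(text)


def check_discovery(doc, well_known_url):
    """Return a list of problems with an OIDC discovery document (empty = OK)."""
    problems = []
    issuer = doc.get("issuer", "")
    if urlparse(issuer).scheme != "https":
        problems.append(f"issuer is not an https URL: {issuer!r}")
    # OIDC Discovery derives the well-known URL from the issuer; a mismatch
    # usually means a typo in the CMA field or the wrong tenant.
    if not well_known_url.startswith(issuer.rstrip("/") + "/.well-known/"):
        problems.append("Well-Known URL is not under the advertised issuer")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        value = doc.get(key)
        if not value:
            problems.append(f"missing {key}")
        elif urlparse(value).scheme != "https":
            problems.append(f"{key} is not https: {value!r}")
    # Assumed from the /oauth2/broker/code/ redirect path: Cato expects an
    # authorization code, so the 'code' response type must be advertised.
    if "code" not in doc.get("response_types_supported", []):
        problems.append("response type 'code' is not advertised")
    scopes = doc.get("scopes_supported")
    if scopes is not None and "openid" not in scopes:
        problems.append("scope 'openid' is not advertised")
    # Per OIDC Discovery the default when this key is absent is
    # client_secret_basic only, which would not match Client Secret (Post).
    methods = doc.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    if "client_secret_post" not in methods:
        problems.append("token endpoint does not advertise client_secret_post")
    return problems


def missing_redirect_uris(registered):
    """Return the required Cato redirect URIs absent from the DTS app, sorted."""
    return sorted(REQUIRED_REDIRECT_URIS - set(registered))


def non_https_redirect_uris(registered):
    """Return registered redirect URIs that are not https (never register these)."""
    return sorted(u for u in registered if urlparse(u).scheme != "https")


if __name__ == "__main__":
    discovery = load_discovery(SAMPLE_DISCOVERY_JSON)
    for problem in check_discovery(discovery, WELL_KNOWN_URL):
        print("discovery:", problem)
    # Simulate an admin who forgot the Japan region sign-out URI.
    registered = REQUIRED_REDIRECT_URIS - {"https://auth.jp1.catonetworks.com/endsession/"}
    for uri in missing_redirect_uris(registered):
        print("missing redirect URI:", uri)
```

To use it against a real tenant, replace SAMPLE_DISCOVERY_JSON with the body fetched from your Well-Known URL and pass the redirect URI list copied from the DTS application's Login section to missing_redirect_uris. An empty result from both checks means the values you are about to enter in the CMA are at least consistent; it does not replace testing a login with a user assigned to the application.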
You can choose to allow users, Cato Management Application admins, or both to authenticate with SSO using DTS.
You can also configure how long the Cato authentication token is valid. The Token validity settings define, in Days or Hours, how long users remain authenticated: logged-in users must re-authenticate once the time since their last login reaches the duration you define.
The Always Prompt option means that users must authenticate to the Client every time.
- For authentication with the Embedded Browser, DTS Identity is supported only from Windows Client v6.7 and higher. For authentication with the external browser, there is no limitation. For more information, see Configuring the Authentication Policy for Cato Clients.
- Reauthentication is not supported for DTS Identity versions lower than version 5.