This article explains how to configure SecureAuth as the Single Sign-On (SSO) provider for users.
SSO relies on an encrypted token from Cato and your IdP to validate that the user is authenticated and allowed to connect to the network. For more details, see SSO Authentication for Users with Cato.
Note
Note: This is an Early Availability (EA) feature that is only available for limited release. For more information about enabling the feature, contact your Cato Networks representative or send an email to ea@catonetworks.com.
Overview
Configuring SecureAuth as the SSO provider simplifies authentication and enhances user experience. When you enable SSO for the account, users can log in to the Client by authenticating with their SSO credentials and do not need a different set of dedicated credentials.
Configuring SecureAuth as an SSO Provider
Follow these steps to configure SecureAuth as an SSO provider:
Step 1: Create an OIDC application in the SecureAuth Administration Portal
Step 2: Configure the details in the Cato Management Application (CMA)
Step 3: Configure how SecureAuth is used in your account
Step 1: Creating an Application in the SecureAuth Administration Portal
In the SecureAuth Administration Portal, create an application through the process below, and identify the following values to enter into the CMA:
Client ID
Client Secret
To create an application:
In the SecureAuth admin portal, navigate to Internal Application Manager and click Add New Internal Application Manager.
Add an Application Name and Application Description.
-
Configure the following details:
Data Store: The data store you want to use to import your users from.
Allow every group in your selected data stores to access this application: Enabled
Authentication Policy: Default Policy
Realm Number: Any number on the list
Authentication User Redirect: Generic
Generic (HTTP/OAuth/OPenID/etc): OpenID Connect/OAuth2
Click Create Connection.
Click on the Go to Advanced Settings to finish the configuration for this application link.
On the Post Authentication tab, ensure Email 1 is selected for the User ID Mapping field.
-
In the OpenID Connect/OAuth 2.0 - Settings, configure the following details:
Enabled: True
Signing Cert: Select a valid certificate
Auto Accept User Consent: True
Enable User Consent: True
-
In the OpenID Connect/OAuth 2.0 - Scopes section, click the Discoverable check box for these scopes:
openid
profile
email
Click Save.
In the OpenID Connect/OAuth 2.0 - Clients section, click Add Client.
-
Configure the following details:
Name: Add a name for the Client
-
Allowed Flows:
Implicit: False
Hybrid: False
Client Credentials: False
-
In the OpenID Connect/OAuth 2.0 - Client RedirectURIs section, add these URIs:
Click Save.
Copy and save the Client ID and Client Secret so they can be entered into the CMA.
Click Back.
In the Open ID Connect Access / ID Token Claims section, set the value for sub to Email 1 and check the Discoverable checkbox.
Click Save.
Step 2: Configure SecureAuth as an SSO Provider
In the CMA, enter the details for the SecureAuth application you created in the previous step.
.png)
To configure SecureAuth as an SSO provider:
In the CMA, from the navigation menu, click Access > Single Sign On.
Click New.
From the Identity Provider drop-down menu, select SecureAuth.
Enter a Name to identify this integration.
-
(Optional) To configure SecureAuth as your default SSO provider, enable the Default toggle. If you are configuring multiple Single Sign-On providers, see Configuring Multiple Identity Providers.
In the Well-Known URL field enter:
https//<your SecureAuth tenant name>.identity.secureauth.com/SecureAuth50/.well-known/openid-configuration
Note: The Well-Known URL is case sensitive
Enter the Client ID you created in Step 1.
Click Edit Client Secret and enter the value you created in Step 1.
Click Apply.
Step 3: Configure How SecureAuth is Used in your Account
You can choose to allow users authenticate with SSO using SecureAuth.
You can also configure how long the Cato authentication token is valid for. The Token validity settings define in Days or Hours the amount of time that users remain authenticated. Users that are logged in must re-authenticate when the duration you define in Days or Hours (since they last logged in) has been reached.
The Always Prompt options means that users must always authenticate to the Client.
Note: SSO for CMA Admins is not supported with SecureAuth.
.png)
To configure how SecureAuth is used in your account:
On the Access > Single Sign On page, define which users can authenticate with SSO and if necessary, define the Token validity, Cookie type, and Duration settings.
Click Save
0 comments
Please sign in to leave a comment.