This article explains how to configure Single Sign-On (SSO) for users in your account and the subdomain for the Cato Management Application and the clientless SDP Portal.
The Access > Single Sign-On screen lets you choose one Single Sign-On (SSO) provider for your account. You can choose to use this SSO provider to authenticate users to clientless SDP, Cato Clients, and admins to the Cato Management Application.
Cato supports these SSO providers:
- Microsoft Azure (see Configuring Azure SSO for Your Account)
- Okta (see Configuring Okta SSO for Your Account)
- Google (not supported for clientless SDP, see Configuring Google SSO for Your Account)
- OneLogin
You can choose different SSO authentication settings for users in your account. You can let users only authenticate with the SSO provider, or only with the Cato user credentials, or you can let users choose to authenticate with either option.
The Cato Management Application uses the SSO provider username (admin's email address) as part of the authentication process. Make sure that you use the same email address for the Cato Management Application admin and the SSO provider account.
Note: You can choose different authentication settings for SDP users, clientless SDP, and for Cato Management Application admins, but they all use the same SSO provider.
For more about enabling SSO authentication for Cato Management Application admins, see Configuring Authentication Settings for Administrators.
You can create a custom subdomain for your account so that it's easy for the users to identify the login window for your company. The same subdomain is used for the Cato Management Application and the clientless SDP Portal. See below, Configuring the Cato Subdomain.
Important: Make sure that you configure the SSO app in Azure and Okta before you configure them as the SSO provider for your account. For more information, see:
Use the Single Sign-On window to configure the SSO provider to authenticate users for your account. You must have admin permissions to configure the SSO settings in Microsoft Azure and Okta. For more about configuring Azure and Okta SSO, see the relevant Microsoft and Okta documentation.
When you disable Single Sign-On, users can only authenticate with Cato user credentials.
You can choose to configure which domains are allowed to authenticate with SSO. Restricting access based on specific domains provides increased security for your account.
As a best security practice, we recommend that the duration for the SSO Token validity is set to a maximum of 30 days. For more about SSO token behavior, see SSO Session Behavior for Windows SDP Client.
Using SSO with Always Prompt
For additional security, you can enable the Always Prompt feature, so that end-users are always required to authenticate to the IdP when they connect to the Cato Cloud. This also applies after they are disconnected from the Cato Cloud, for example, when the Client moves from one PoP to another.
Configure the maximum amount of time that a device is allowed to be continuously connected to the Cato Cloud before the end-user is forced to re-authenticate. When Always Prompt is enabled and the end-user disconnects and connects again, they have the full time duration before they are forced to authenticate.
When disconnecting, there is a two-minute grace period during which the end-user remains authenticated if they reconnect to the Cato Cloud.
To configure the SSO provider settings for the account:
- From the navigation menu, select Access > Single Sign-On.
- Select Enable Single Sign-On.
  Continue with one of the SSO provider settings in steps 3 - 5.
- For Azure, configure the settings for Azure as the Identity Provider.
  - From the Identity Provider drop-down menu, select Microsoft Azure.
  - Click Microsoft Credentials.
    A new browser tab opens with the Azure login screen where you can configure the Azure SSO settings.
  - Click Save.
- For Okta, configure the settings for Okta as the Identity Provider.
  - From the Identity Provider drop-down menu, select Okta.
  - Enter these settings from your Okta account: Client ID, Okta Domain prefix and suffix.
  - Click Edit Client Secret and enter the Okta Client Secret password.
- For Google, from the Identity Provider drop-down menu, select Google.
- For OneLogin, configure the settings for OneLogin as the Identity Provider.
  - From the Identity provider drop-down menu, select OneLogin.
  - Enter these settings from your OneLogin account: Client ID, OneLogin Domain prefix and suffix.
  - Click Edit Client Secret and enter the Client Secret for your OneLogin account.
- To only allow SSO users from specific domains to access your account:
  - In the Allowed domains section, click and in the pop-up window enter a domain. For example: myportal.com.
  - To enter additional domains, click and enter the domain.
- Select Allow login with Single Sign-On for one or more types of users in your account:
  - SDP Client users (set the Token validity settings)
  - Clientless SDP users
  - Cato Management Application admins
- To disable SSO and only allow authentication with the Cato user credentials, clear Enable Single Sign-On.
- Click Save. The SSO settings are configured for your account.
Use the Single Sign On window to configure the subdomain for the Cato Management Application and the clientless SDP Portal. You can also see the URL for each login window.
The Cato subdomain doesn't support Top Level Domains (TLDs) such as sample.com. You can use letters and numbers in the subdomain. Even though dashes are a valid character in the subdomain, they are not valid for the SDP Users Portal URL.
Note: When you change the subdomain for the account, all logins to the Cato Management Application and the SDP User Portal must use the new subdomain.
To configure the subdomain for the account:
- From the navigation menu, click Access > Single Sign-On.
- In the Cato Subdomain section, enter the Subdomain for the account.
- Click Save.
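The following pre-change check is an added example, not part of the original article and not Cato code. It reviews a planned configuration against the guidance above: the 30-day token validity maximum, the allowed domains restriction, the requirement that each admin email is the same as the SSO provider account, and the subdomain rules. The dictionary layout, field names and sample values are assumptions made for illustration and do not correspond to any Cato export format.

```python
import re

MAX_TOKEN_DAYS = 30  # recommended maximum SSO token validity from this article

def review_sso_plan(plan):
    """Check a planned SSO configuration (hypothetical dict layout) and return findings."""
    findings = []
    allowed = {d.lower() for d in plan.get("allowed_domains", [])}
    if plan.get("sso_enabled") and not allowed:
        findings.append("allowed domains: none set, SSO logins are not restricted by domain")
    days = plan.get("token_validity_days", 0)
    if days > MAX_TOKEN_DAYS:
        findings.append(f"token validity: {days} days exceeds the {MAX_TOKEN_DAYS}-day maximum")

    # The admin email in Cato must be the same address as the SSO provider account.
    idp_accounts = set(plan.get("idp_accounts", []))
    for admin in plan.get("cato_admins", []):
        if admin not in idp_accounts:
            findings.append(f"admin {admin}: no SSO provider account with the same email")
        domain = admin.rpartition("@")[2].lower()
        if allowed and domain not in allowed:
            findings.append(f"admin {admin}: domain {domain} is not an allowed domain")

    # Subdomain rules: letters and numbers, no TLD-style names, dashes break the portal URL.
    sub = plan.get("subdomain", "")
    if "." in sub:
        findings.append(f"subdomain {sub}: TLD-style names such as sample.com are not supported")
    elif not re.fullmatch(r"[A-Za-z0-9-]+", sub):
        findings.append(f"subdomain {sub!r}: use letters and numbers only")
    elif "-" in sub:
        findings.append(f"subdomain {sub}: dashes are not valid for the SDP Users Portal URL")
    return findings

# Constructed sample plan; every value is illustrative.
SAMPLE_PLAN = {
    "sso_enabled": True,
    "allowed_domains": ["myportal.com"],
    "token_validity_days": 90,
    "idp_accounts": ["alice@myportal.com", "bob@myportal.com"],
    "cato_admins": ["alice@myportal.com", "Bob@myportal.com", "carol@contractor.example"],
    "subdomain": "my-portal",
}

if __name__ == "__main__":
    for finding in review_sso_plan(SAMPLE_PLAN):
        print("-", finding)
```

The email comparison is exact, so an address that differs only in letter case is reported for manual review.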
Admins can log in to the Cato Management Application using the URL that includes the subdomain for your account, https://<subdomain>.cc.catonetworks.com.
If admins log in with the URL https://cc.catonetworks.com, then there is an extra window to identify the subdomain.
To log in to the Cato Management Application with a subdomain:
- From an Internet browser, go to the Cato Management Application https://<subdomain>.cc.catonetworks.com. The screenshot below shows the URL for the subdomain sample.
- In the login window, enter the username and password.
- Click Log In.
  The Cato Management Application opens with the subdomain.