Configuring SSO and the Subdomain for the Account

The Access > Single Sign-On screen lets you choose one Single Sign-On (SSO) provider for your account. You can choose to use this SSO provider to authenticate users to Cato Clients, Browser Access, and admins to the Cato Management Application.

For a list of supported SSO providers, see Single Sign-On.

You can choose different SSO authentication settings for users in your account. You can let users only authenticate with the SSO provider, or only with the Cato user credentials, or you can let users choose to authenticate with either option.

For Cato Management Application admins, the SSO provider username (admin's email address) is used as part of the authentication process. Make sure that you use the same email address for the Cato Management Application admin and the SSO provider account.

You can configure multiple SSO providers for your account. For more information, see Configuring Multiple Identity Providers.

Use the Single Sign-On window to configure the SSO provider to authenticate users for your account. You must have admin permissions to configure the SSO settings in Microsoft Azure and Okta. For more about configuring Azure and Okta SSO, see the relevant Microsoft and Okta documentation.

When you disable Single-Sign-On, then users can only authenticate with Cato user credentials.

You can choose to configure which domains are allowed to authenticate with SSO. Restricting access based on specific domains provides increased security for your account.

As a best security practice, we recommend that the duration for the SSO Token validity is set to a maximum of 30 days. For more about SSO session behavior, see SSO Session Behavior for Windows SDP Client.

Using SSO with Always Prompt

For additional security, you can enable the Always Prompt feature, so that the end-users are always required authenticate to the IdP when they connect to the Cato Cloud. This also includes when they are disconnected from the Cato Cloud, for example, the Client moves from one PoP to another.

Configure the maximum amount of time that a device is allowed to be continuously connected to the Cato Cloud before the end-user is forced to re-authenticate. When Always Prompt is enabled, when the end-user disconnects, and connects again, they have the full time duration before they are forced to authenticate.

Note

Note: When disconnecting, there is a two minute grace period where the end-user remains authenticated, if they reconnect to the Cato Cloud.

Use the Single Sign-On window to configure the SSO provider to authenticate users for your account. You must have admin permissions to configure the SSO settings in Microsoft Azure and Okta. For more about configuring Azure and Okta SSO, see the relevant Microsoft and Okta documentation.

When you disable Single-Sign-On, then users can only authenticate with Cato user credentials.

You can choose to configure which domains are allowed to authenticate with SSO. Restricting access based on specific domains provides increased security for your account.

Use the Single Sign On window to configure the subdomain for the Cato Management Application and the clientless SDP Portal. You can also see the URL for each login window.

The Cato subdomain doesn't support Top Level Domains (TLDs) such as sample.com. You can use letters and numbers in the subdomain. Dashes are valid only when the account is first created (the subdomain initially matches the account name). If you later attempt to edit the subdomain, dashes are no longer allowed, and you'll receive an error message.