Cato Networks Knowledge Base

Configuring Okta SSO for Your Account

This article explains how to configure Okta as the Single Sign-On (SSO) provider for SDP users, clientless users, and Cato Management Application admins in your account.

For more about enabling SSO for the account, see Configuring SSO and the Subdomain for the Account.

Overview of SSO with Your Cato Account

After a chain of trust is established between Cato, the IdP, and your company's user directory, Cato trusts the IdP for user authentication.

Cato SSO supports these Client operating systems:

  • Windows

  • macOS

  • iOS

  • Android

Preparing to Configure SSO with Okta

Before you establish trust with Okta, make sure that you complete these prerequisites:

  • You must have administrator privileges to Okta

  • Okta must be synchronized with your user directory

  • For manually created SDP users, SSO is supported for Windows v5.x, macOS v5.x, and Linux v5.x Clients
    • For iOS and Android, only users who were imported from your organization to Cato using Directory Services or SCIM provisioning are able to use SSO

Configuring Okta as the SSO Provider

Add the Okta app for Cato Networks SSO, and then configure your Okta Client ID and Client secret. Then configure the Cato Management Application to use Okta as the SSO provider for your account.

For SDP Client users, the Token validity settings define, in Days or Hours, how long users remain authenticated. Logged-in users must reauthenticate once the duration you define (measured from their last login) has been reached. The Always Prompt option means that users must always authenticate to the Client.

To configure Okta as the SSO provider for your account:

  1. To enable the admin permissions for your Okta account, from the Okta portal menu bar, click Admin.

  2. From the Okta Applications window, click Add Application and search for Cato Portal.

  3. Click Add.

  4. In the Add Cato Portal window, select these options:

    • Do not display application icon to users

    • Do not display application icon in the Okta Mobile App

  5. Click Done.

  6. In the Assignments tab, assign the People and Groups to the application.

  7. Click Assign.

  8. The Sign On > Settings window shows the Client ID and the Client secret for your Okta account.

    Keep this window open; you need to copy the Client ID and Client secret to the Cato Management Application.

  9. Click Save. Okta is configured as an SSO provider for your Cato account.

  10. In a new tab or window, open the Cato Management Application.

  11. From the navigation menu, select Access > Single Sign-On.

  12. Select Enable Single Sign-On.

  13. From the Identity Provider drop-down menu, select Okta.

  14. From the Okta window, copy these settings and paste them in the Cato Management Application:

    • Client ID

    • Client Secret

  15. Enter the Okta Domain prefix and suffix for your account.

  16. To only allow SSO users from specific domains to access your account:

    1. In the Allowed domains section, click the plus icon and in the pop-up window enter a domain. For example: myportal.com.

    2. To enter additional domains, click the plus icon and enter the domain.

  17. Select Allow login with Single Sign-On for one or more types of users in your account:

    • SDP Client users (set the Token validity settings)

    • Clientless SDP users

    • Cato Management Application admins

  18. Click Save. Okta is configured as the SSO provider for your account.

Notes for the SDP Portal

When you log in to the SDP Portal, choose to connect with Okta and then enter your Okta credentials. After you successfully log in to Okta, you are redirected to the SDP Portal and can select an SDP application.

Installing an SSO-Enabled Client for Windows

Note: Using Windows CLI to install the Cato Client with SSO enabled isn't supported from Windows Client v5.2 and higher.

You can use Windows CLI to install the Cato Client for Windows with parameters that adjust the Client behavior to your organization's needs. If installed without any parameters, the Client launches using the default settings.

When used, the SSO parameter installs the Client for Windows to automatically connect on boot with the window minimized. The installed Client will only allow authentication with SSO, and will hide other authentication options (such as user credentials or import from file).

To install an SSO-enabled Client for Windows:

Use either of the following methods for installing SSO-enabled Clients:

  • Running the installation file with parameters:

    • MSI - msiexec /i CatoNetworksSetup2_0_0_1.msi sso=force

    • EXE - CatoNetworksSetup2_0_0_1.exe /Vsso=force

  • Adding registry keys:

    • Force SSO only authentication - HKLM\SOFTWARE\CatoNetworksVPN\"Authentication"="sso only"

    • Connect on boot - HKLM\SOFTWARE\CatoNetworksVPN\"ConnectOnBoot"="1"

    • Start minimized - HKCU\SOFTWARE\CatoNetworksVPN\"start_minimized"="1"
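
One way to verify on an endpoint that the registry settings listed above are actually in place (an added example, not part of the original article or Cato's tooling). The function name Test-CatoSsoRegistry is hypothetical, and because the article does not state the registry value types, the data is compared as strings.

```powershell
# Added example, not Cato's code. Key paths, value names and expected data are
# the ones listed in this article. The value types are not stated there, so
# data is compared as strings (matches both REG_SZ "1" and REG_DWORD 1).
$Expected = @(
    @{ Path = 'HKLM:\SOFTWARE\CatoNetworksVPN'; Name = 'Authentication';  Data = 'sso only' }
    @{ Path = 'HKLM:\SOFTWARE\CatoNetworksVPN'; Name = 'ConnectOnBoot';   Data = '1' }
    @{ Path = 'HKCU:\SOFTWARE\CatoNetworksVPN'; Name = 'start_minimized'; Data = '1' }
)

# Hypothetical helper: returns one result object per expected registry value.
function Test-CatoSsoRegistry {
    foreach ($item in $Expected) {
        $actual = $null
        $key = Get-Item -LiteralPath $item.Path -ErrorAction SilentlyContinue
        # GetValue returns $null when the value name does not exist under the key.
        if ($key) { $actual = $key.GetValue($item.Name, $null) }

        [pscustomobject]@{
            Key      = $item.Path
            Value    = $item.Name
            Expected = $item.Data
            Actual   = if ($null -eq $actual) { '<missing>' } else { [string]$actual }
            Ok       = ($null -ne $actual) -and ([string]$actual -eq $item.Data)
        }
    }
}

$results = Test-CatoSsoRegistry
$results | Format-Table -AutoSize

# A non-zero exit code lets an endpoint management tool flag the machine.
if ($results.Ok -contains $false) { exit 1 }
```

Run it in the logged-on user's session: the start_minimized value is under HKCU, so it is per user, and it can be changed without administrator rights, unlike the two HKLM values.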
