Configuring Azure SSO for Your Account

This article explains how to configure Azure as the Single Sign-On (SSO) provider for SDP users, clientless users, and Cato Management Application admins in your account.

For more about enabling SSO for the account, see Configuring SSO and the Subdomain for the Account.

Configuring Single Sign-On

With the Cato Single Sign-On (SSO), you can allow Cato users to use their existing Identity Provider (IdP) credentials without the need for dedicated credentials from Cato Networks.

Overview of SSO with Your Cato Account

After a chain of trust is established between Cato, the IdP, and your company's user directory, Cato trusts the IdP for user authentication.

Cato SSO supports these Client operating systems:

Windows
macOS
iOS
Android
Linux

Preparing to Configure SSO with Azure

Before you establish trust with Azure, make sure that you complete these prerequisites:

You must have Global Administrator or Privileged Role Administrator privileges to Azure
For LDAP, Azure must be synchronized with your user directory in your Cato account
For manually created SDP users, SSO is supported for Windows v5.x, macOS v5.x, and Linux v5.x Clients
- For iOS and Android, only users who were imported from your organization to Cato using LDAP or SCIM provisioning are able to use SSO.
The Profile for each Azure user must have a valid Email address.

Enabling SSO with Microsoft Azure AD or Office 365

This section explains how to use the Cato Management Application to enable SSO with Microsoft Azure AD or Office 365.

To identify users, Cato requires consent to access user's data. As part of the configuration process, an administrator must grant the Cato SSO application access to data on behalf of your users. This does not provide admin rights on the Azure tenant. For more information, see the Microsoft documentation.

Granting tenant-wide admin consent for Cato requires you to sign in to Azure as a user authorized to give consent on behalf of the organization (a Global Administrator or Privileged Role Administrator). For more information, see the Microsoft documentation.

For SDP Client users, when you configure the Token validity settings you define in Days or Hours the amount of time that users remain authenticated. Users that are logged in must reauthenticate when the duration you define in Days or Hours (since they last logged in) has been reached. The Always Prompt options means that users must always authenticate to the Client.

To configure SSO with Microsoft for your account:

From the navigation menu, select Access > Single Sign-On.
Select Enable Single Sign-On.
From the Identity Provider drop-down menu, select Microsoft Azure.
Click Microsoft Credentials.

The Permissions requested pop up window is displayed.
In the Permissions requested pop up window, click Accept.
Select Allow login with Single Sign-On for one or more types of users in your account:
- SDP Client users (set the Token validity settings)
- Clientless SDP users
- Cato Management Application admins
Click Save. The Azure SSO settings for your account are configured

Troubleshooting Azure SSO Connections

Issue	Probable Cause	Resolution
AADSTS50105: The signed in user is not assigned to a role ...	Azure Active Directory Application settings for Cato application not configured correctly.	Access your account in the Microsoft Azure portal. In the menu, click Azure Directory Services. In the sub menu, under MANAGE, click Enterprise applications. In the sub menu, under MANAGE, click All applications. In the right panel, in the applications list, click Cato Cloud. In the sub menu, under MANAGE, click Properties. In the right panel, in the parameter User assignment required?, click No. Using the client, reauthenticate to the Cato VPN.
User enters credentials and is returned to the login page without authenticating	The Profile for this Azure user doesn't have a valid Email address.	Add the valid email address to the Azure Profile for this user.