This article explains how to configure Azure as the Single Sign-On (SSO) provider for SDP users, clientless users, and Cato Management Application admins in your account.
For more about enabling SSO for the account, see Configuring SSO and the Subdomain for the Account.
With the Cato Single Sign-On (SSO), you can allow Cato users to use their existing Identity Provider (IdP) credentials without the need for dedicated credentials from Cato Networks.
After a chain of trust is established between Cato, the IdP, and your company's user directory, Cato trusts the IdP for user authentication.
Cato SSO supports these Client operating systems:
- Windows
- macOS
- iOS
- Android
Before you establish trust with Azure, make sure that you complete these prerequisites:
- You must have administrator privileges to Azure
- For LDAP, Azure must be synchronized with your user directory in your Cato account
- For manually created SDP users, SSO is supported for Windows v5.x, macOS v5.x, and Linux v5.x Clients
- For iOS and Android, only users who were imported from your organization to Cato using Directory Services or SCIM provisioning are able to use SSO.
- The Profile for each Azure user must have a valid Email address.
This section explains how to use the Cato Management Application to enable SSO with Microsoft Azure AD or Office 365.
For SDP Client users, the Token validity settings define, in Days or Hours, how long users remain authenticated. Logged-in users must reauthenticate once the defined duration has passed since they last logged in. The Always Prompt option means that users must always authenticate to the Client.
If you are using Directory Services and you need to modify an SDP user's mobile phone number for advanced authentication, you must modify the phone number in Active Directory only.

To configure SSO with Microsoft for your account:
- From the navigation menu, select Access > Single Sign-On.
- Select Enable Single Sign-On.
- From the Identity Provider drop-down menu, select Microsoft Azure.
- Click Microsoft Credentials.
  A new browser tab opens with the Azure login screen where you can configure the Azure SSO settings.
- To only allow SSO users from specific domains to access your account:
  - In the Allowed domains section, click and in the pop-up window enter a domain. For example: myportal.com.
  - To enter additional domains, click and enter the domain.
- Select Allow login with Single Sign-On for one or more types of users in your account:
  - SDP Client users (set the Token validity settings)
  - Clientless SDP users
  - Cato Management Application admins
- Click Save. The Azure SSO settings for your account are configured.
| Issue | Probable Cause | Resolution |
|---|---|---|
| AADSTS50105: The signed in user is not assigned to a role ... | Azure Active Directory Application settings for Cato application not configured correctly. | |
| User enters credentials and is returned to the login page without authenticating | The Profile for this Azure user doesn't have a valid Email address. | Add the valid email address to the Azure Profile for this user. |
Note: Using Windows CLI to install the Cato Client with SSO enabled isn't supported from Windows Client v5.2 and higher.
You can use Windows CLI to install the Cato Client for Windows with parameters that adjust the Client behavior to your organization's needs. If installed without any parameters, the Client launches using the default settings.
When used, the SSO parameter installs the Client for Windows to automatically connect on boot with the window minimized. The installed Client will only allow authentication with SSO, and will hide other authentication options (such as user credentials or import from file).
To install an SSO-enabled Client for Windows:
Use either of the following methods for installing SSO-enabled Clients:
- Running the installation file with parameters:
  - MSI - msiexec /i CatoNetworksSetup2_0_0_1.msi sso=force
  - EXE - CatoNetworksSetup2_0_0_1.exe /Vsso=force
- Adding registry keys:
  - Force SSO only authentication - HKLM\SOFTWARE\CatoNetworksVPN\"Authentication"="sso only"
  - Connect on boot - HKLM\SOFTWARE\CatoNetworksVPN\"ConnectOnBoot"="1"
  - Start minimized - HKCU\SOFTWARE\CatoNetworksVPN\"start_minimized"="1"
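To confirm on an endpoint that the three registry values listed above are present and hold the expected data, a check like the following can be used. This is an added example, not Cato's own tooling: the function name Test-CatoSsoRegistry is hypothetical, and comparing the data as strings is an assumption because the page does not state the registry value types.

```powershell
# Added example: audit the SSO-related Cato Client registry values from this page.
# Key paths, value names and expected data are the ones listed above.
# Assumption: data is compared as a string, so "1" matches either a string or a numeric value.
$CatoSsoExpected = @(
    @{ Purpose = 'Force SSO only authentication'; Path = 'HKLM:\SOFTWARE\CatoNetworksVPN'; Name = 'Authentication';  Data = 'sso only' },
    @{ Purpose = 'Connect on boot';               Path = 'HKLM:\SOFTWARE\CatoNetworksVPN'; Name = 'ConnectOnBoot';   Data = '1' },
    @{ Purpose = 'Start minimized';               Path = 'HKCU:\SOFTWARE\CatoNetworksVPN'; Name = 'start_minimized'; Data = '1' }
)

function Test-CatoSsoRegistry {
    param([object[]]$Settings = $CatoSsoExpected)

    foreach ($s in $Settings) {
        $actual = $null
        $state  = 'Missing'

        # A missing key or value produces a non-terminating error; suppress it
        # and treat the $null result as "Missing".
        $item = Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $actual = [string]$item.($s.Name)
            # -eq on strings is case-insensitive in PowerShell.
            $state = if ($actual -eq $s.Data) { 'OK' } else { 'Mismatch' }
        }

        [pscustomobject]@{
            Setting  = $s.Purpose
            Key      = $s.Path
            Value    = $s.Name
            Expected = $s.Data
            Actual   = $actual
            State    = $state
        }
    }
}

$results = @(Test-CatoSsoRegistry)
$results | Format-Table -AutoSize

# Surface any value that is absent or differs from what the page specifies.
$bad = @($results | Where-Object { $_.State -ne 'OK' })
if ($bad.Count -gt 0) {
    Write-Warning ("{0} of {1} SSO registry values are missing or differ from the expected data." -f $bad.Count, $results.Count)
}
```

The start_minimized value is under HKCU, so run the check in the session of the user being audited; under a service or SYSTEM context it reads that account's hive instead.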