This article explains how to configure Azure as the Single Sign-On (SSO) provider for SDP users, clientless users, and Cato Management Application admins in your account.
For more about enabling SSO for the account, see Configuring SSO and the Subdomain for the Account.
With the Cato Single Sign-On (SSO), you can allow Cato users to use their existing Identity Provider (IdP) credentials without the need for dedicated credentials from Cato Networks.
After a chain of trust is established between Cato, the IdP, and your company's user directory, Cato trusts the IdP for user authentication.
Cato SSO supports these Client operating systems:
-
Windows
-
macOS
-
iOS
-
Android
Before you establish trust with Azure, make sure that you complete these prerequisites:
-
You must have administrator privileges to Azure
-
For LDAP, Azure must be synchronized with your user directory in your Cato account
- For manually created SDP users, SSO is supported for Windows v5.x, macOS v5.x, and Linux v5.x Clients
-
For iOS and Android, only users who were imported from your organization to Cato using Directory Services or SCIM provisioning are able to use SSO.
-
- The Profile for each Azure user must have a valid Email address.
This section explains how to use the Cato Management Application to enable SSO with Microsoft Azure AD or Office 365.
For SDP Client users, when you configure the Token validity settings you define in Days or Hours the amount of time that users remain authenticated. Users that are logged in must reauthenticate when the duration you define in Days or Hours (since they last logged in) has been reached. The Always Prompt options means that users must always authenticate to the Client.
If you are using Directory Services and you need to modify a SDP user's mobile phone number for advanced authentication, you must modify the phone number in Active Directory only.
To configure SSO with Microsoft for your account:
-
From the navigation menu, select Access > Single Sign-On.
-
Select Enable Single Sign-On.
-
From the Identity Provider drop-down menu, select Microsoft Azure.
-
Click Microsoft Credentials.
A new browser tab opens with the Azure login screen where you can configure the Azure SSO settings.
-
To only allow SSO users from specific domains to access your account:
-
In the Allowed domains section, click
and in the pop-up window enter a domain. For example: myportal.com. -
To enter additional domains, click
and enter the domain.
-
-
Select Allow login with Single Sign-On for one or more types of users in your account:
-
SDP Client users (set the Token validity settings)
-
Clientless SDP users
-
Cato Management Application admins
-
-
Click Save. The Azure SSO settings for your account are configured
|
Issue |
Probable Cause |
Resolution |
|---|---|---|
|
AADSTS50105: The signed in user is not assigned to a role ... |
Azure Active Directory Application settings for Cato application not configured correctly. |
|
|
User enters credentials and is returned to the login page without authenticating |
The Profile for this Azure user doesn't have a valid Email address. |
Add the valid email address to the Azure Profile for this user. |
Comments
0 comments
Please sign in to leave a comment.