This article explains how to configure Azure as the Single Sign-On (SSO) provider for SDP users, clientless users, and Cato Management Application admins in your account.
For more about enabling SSO for the account, see Configuring SSO and the Subdomain for the Account.
With the Cato Single Sign-On (SSO), you can allow Cato users to use their existing Identity Provider (IdP) credentials without the need for dedicated credentials from Cato Networks.
After a chain of trust is established between Cato, the IdP, and your company's user directory, Cato trusts the IdP for user authentication.
Cato SSO supports these Client operating systems:
-
Windows
-
macOS
-
iOS
-
Android
-
Linux
Before you establish trust with Azure, make sure that you complete these prerequisites:
-
You must have Global Administrator or Privileged Role Administrator privileges to Azure
-
For LDAP, Azure must be synchronized with your user directory in your Cato account
-
For manually created SDP users, SSO is supported for Windows v5.x, macOS v5.x, and Linux v5.x Clients
-
For iOS and Android, only users who were imported from your organization to Cato using LDAP or SCIM provisioning are able to use SSO.
-
-
The Profile for each Azure user must have a valid Email address.
This section explains how to use the Cato Management Application to enable SSO with Microsoft Azure AD or Office 365.
To identify users, Cato requires consent to access user's data. As part of the configuration process, an administrator must grant the Cato SSO application access to data on behalf of your users. This does not provide admin rights on the Azure tenant. For more information, see the Microsoft documentation.
Granting tenant-wide admin consent for Cato requires you to sign to Azure as a user authorized to consent on behalf of the organization (a Global Administrator or Privileged Role Administrator). For more information, see the Microsoft documentation.
For SDP Client users, when you configure the Token validity settings you define in Days or Hours the amount of time that users remain authenticated. Users that are logged in must reauthenticate when the duration you define in Days or Hours (since they last logged in) has been reached. The Always Prompt options means that users must always authenticate to the Client.
To enable SSO, Cato requires the following permissions to be granted:
API Name | Claim value | Permission |
Microsoft Graph | View users' email address | |
Microsoft Graph | offline_access | Maintain access to data you have given it access to |
Microsoft Graph | openid | Sign users in |
Microsoft Graph | profile | View users' basic profile |
Microsoft Graph | User.Read | Sign in and read user profile |
This section explains how to configure SSO with Microsoft Azure from the Cato Management Application.
To configure SSO with Microsoft for your account:
-
From the navigation menu, select Access > Single Sign-On.
-
Select Enable Single Sign-On.
-
From the Identity Provider drop-down menu, select Microsoft Azure.
-
Click Save
-
Click Microsoft Credentials.
The Permissions requested pop up window is displayed.
Note: The Microsoft Credentials button may take a few seconds to become enabled.
-
In the Permissions requested pop up window, click Accept.
-
Select Allow login with Single Sign-On for one or more types of users in your account:
-
SDP Client users (set the Token validity settings)
-
Clientless SDP users
-
Cato Management Application admins
-
-
Click Save. The Azure SSO settings for your account are configured
Issue |
Probable Cause |
Resolution |
---|---|---|
AADSTS50105: The signed in user is not assigned to a role ... |
Azure Active Directory Application settings for Cato application not configured correctly. |
|
User enters credentials and is returned to the login page without authenticating |
The Profile for this Azure user doesn't have a valid Email address. |
Add the valid email address to the Azure Profile for this user. |
0 comments
Please sign in to leave a comment.