Cato Networks Knowledge Base

Search

Configuring Azure SSO for Your Account

  • Updated

This article explains how to configure Azure as the Single Sign-On (SSO) provider for SDP users, clientless users, and Cato Management Application admins in your account.

For more about enabling SSO for the account, see Configuring SSO and the Subdomain for the Account.

Configuring Single Sign-On

With the Cato Single Sign-On (SSO), you can allow Cato users to use their existing Identity Provider (IdP) credentials without the need for dedicated credentials from Cato Networks.

Overview of SSO with Your Cato Account

After a chain of trust is established between Cato, the IdP, and your company's user directory, Cato trusts the IdP for user authentication.

Cato SSO supports these Client operating systems:

  • Windows

  • macOS

  • iOS

  • Android

Preparing to Configure SSO with Azure

Before you establish trust with Azure, make sure that you complete these prerequisites:

  • You must have administrator privileges to Azure

  • For LDAP, Azure must be synchronized with your user directory in your Cato account

  • For manually created SDP users, SSO is supported for Windows v5.x, macOS v5.x, and Linux v5.x Clients

    • For iOS and Android, only users who were imported from your organization to Cato using Directory Services or SCIM provisioning are able to use SSO.

  • The Profile for each Azure user must have a valid Email address.

Enabling SSO with Microsoft Azure AD or Office 365

This section explains how to use the Cato Management Application to enable SSO with Microsoft Azure AD or Office 365.

For SDP Client users, when you configure the Token validity settings you define in Days or Hours the amount of time that users remain authenticated. Users that are logged in must reauthenticate when the duration you define in Days or Hours (since they last logged in) has been reached. The Always Prompt options means that users must always authenticate to the Client.

If you are using Directory Services and you need to modify a SDP user's mobile phone number for advanced authentication, you must modify the phone number in Active Directory only.

SSO_Azure.png

To configure SSO with Microsoft for your account:

  1. From the navigation menu, select Access > Single Sign-On.

  2. Select Enable Single Sign-On.

  3. From the Identity Provider drop-down menu, select Microsoft Azure.

  4. Click Microsoft Credentials.

    A new browser tab opens with the Azure login screen where you can configure the Azure SSO settings.

  5. To only allow SSO users from specific domains to access your account:

    1. In the Allowed domains section, click Domain_plus.png and in the pop-up window enter a domain. For example: myportal.com.

    2. To enter additional domains, click Domain_plus.png and enter the domain.

  6. Select Allow login with Single Sign-On for one or more types of users in your account:

    • SDP Client users (set the Token validity settings)

    • Clientless SDP users

    • Cato Management Application admins

  7. Click Save. The Azure SSO settings for your account are configured

Troubleshooting Azure SSO Connections

Issue

Probable Cause

Resolution

AADSTS50105: The signed in user is not assigned to a role ...

Azure Active Directory Application settings for Cato application not configured correctly.

  1. Access your account in the Microsoft Azure portal.

  2. In the menu, click Azure Directory Services.

  3. In the sub menu, under MANAGE, click Enterprise applications.

  4. In the sub menu, under MANAGE, click All applications.

  5. In the right panel, in the applications list, click Cato Cloud.

  6. In the sub menu, under MANAGE, click Properties.

  7. In the right panel, in the parameter User assignment required?, click No.

  8. Using the client, reauthenticate to the Cato VPN.

User enters credentials and is returned to the login page without authenticating

The Profile for this Azure user doesn't have a valid Email address.

Add the valid email address to the Azure Profile for this user.

Installing an SSO-Enabled Client for Windows

Note

Note: Using Windows CLI to install the Cato Client with SSO enabled, isn’t supported from Windows Client v5.2 and higher.

You can use Windows CLI to install the Cato Client for Windows with parameters that adjust the Client behavior to your organization needs. If installed without any parameters, the Client launches using the default settings.

When used, the SSO parameter installs the Client for Windows to automatically connect on boot with the window minimized. The installed Client will only allow authentication with SSO, and will hide other authentication options (such as user credentials or import from file).

To install an SSO-enabled Client for Windows:

Use either of the following methods for installing SSO-enabled Clients:

  • Running the installation file with parameters:

    • MSI - msiexec /i CatoNetworksSetup2_0_0_1.msi sso=force

    • EXE - CatoNetworksSetup2_0_0_1.exe /Vsso=force

  • Adding registry keys:

    • Force SSO only authentication - HKLM\SOFTWARE\CatoNetworksVPN\"Authentication"="sso only"

    • Connect on boot - HKLM\SOFTWARE\CatoNetworksVPN\"ConnectOnBoot"="1"

    • Start minimized - HKCU\SOFTWARE\CatoNetworksVPN\"start_minimized"="1"

     

Was this article helpful?

0 out of 2 found this helpful

Comments

0 comments

Please sign in to leave a comment.