This article explains the options for activating new SDP users.
When new SDP users are created for your account, you can choose emails that are used to introduce them to remote access with Cato. For accounts that use SSO authentication, by default, SDP users are not sent an onboarding email and are activated the first time that they authenticate with SSO.
For SDP users that don't authenticate with SSO, you can choose the following alternative methods to activate them:
-
Onboarding email - For username and password, new SDP users receive an email with a link to set up their authentication details
You can choose different email settings for users created in the Cato Management Application, and for ones imported with Directory Services.
-
Registration code - SDP users enter a one-time code to activate their account
The activation settings are for the entire account, and are applied to all SDP users.
When new SDP users are created in your account, the default setting is to not send them an onboarding email. You can choose to send SDP users an activation email containing details of the account, the SDP user's user name and a link to create their password and MFA where applicable. There are separate settings for SDP users created manually in the Cato Management Application, and for ones imported from an IdP. Alternatively, you can send SDP users a welcome email that links to the Client download portal.
To configure the onboarding email settings:
-
From the navigation menu, click Access > Directory Services.
-
Click the User Provisioning tab.
-
Set the Method to Onboarding Email.
-
Enable one or more of the following provisioning options:
-
Send activation email to set password and MFA to new SDP users created in the Cato Management Application
-
Send activation email to set password and MFA to new SDP users imported with Directory Services
-
-
To send emails with links to download the Client, select Send welcome email to new SDP users.
-
To let SDP users know that their remote access is disabled, select Send email notifications to SDP users that are disabled in the account.
-
Click Save. The settings for the invitation email method are configured.
The registration code method simplifies the activation process for new SDP users. Each user is assigned a one-time code that they use to register the Cato Client. Once the code is validated, the Cato Client is authenticated until an admin revokes the code or disables the SDP user in the Cato Management Application. SDP users can register multiple devices, with a separate code for each device.
You can also set the amount of time that the registration code is valid for until it expires. Afterwards, the SDP user needs a new registration code to authenticate the Cato Client for that device. For security reasons, registration codes can be valid for a maximum of 7 days.
Note
Note: Multi-Factor Authentication (MFA) is NOT supported for users that are provisioned with a registration code. Make sure that users in your account are not configured with MFA before you enable the registration code User Provisioning method.
This is a high-level overview of the process to implement the registration code to provision SDP users for your account. You can configure how long the registration code is valid before it expires. Once the code expires, it can't be used to authenticate the Cato Client. You then need to generate a new code for that user, see below Generating a Registration Code for Specific Users.
To implement provisioning all users with a registration code:
-
From the navigation menu, click Access > Directory Services.
-
Click the User Provisioning tab or section.
-
Set the provisioning Method to Registration Code.
-
In Registration Code expires after, set the time settings for how long the code is valid. Set when (value and either days or hours) the Registration Code expires. Maximum allowed time is 7 days and applies to all new users.
-
Download the registration codes and use an external solution to send the registration codes to the remote users.
This section explains how to generate and manage registration codes for the SDP users in your account. Each code is a combination of letters and numbers:
-
Codes are NOT case sensitive
-
To avoid confusion, the codes don't contain the following characters: 0, o, 1, I, L
You can also choose to send a code to new SDP users in the account the were NOT provisioned with the registration code method. Sending codes doesn't generate new codes for users that already have a code assigned to them.
When you use this feature to Generate Registration Code For New Users, the Cato Management Application generates codes for all SDP users that have never received a code. These users are new to the registration code provisioning method.
To generate a registration code for all new users:
-
From the navigation menu, click Access > Client Access.
-
Expand the User Provisioning section.
-
Click Generate Registration Code For New Users.
-
In the Warning confirmation window, click OK. A code is generated for all users that never had a code assigned to them.
Use the Cato Management Application to generate a registration code for specific users. For example, users that never had a code assigned to them, or a user whose code expired.
For users with multiple devices, for example laptop and mobile device, each device requires a separate code. Use the Generate Registration Code option to create multiple codes for specific users.
To generate a registration code for specific users:
-
From the navigation menu, click Access > Users.
-
Select one or more users.
-
Click Actions and then from the drop-down menu, click Generate registration code.
-
In the confirmation window, click OK. A new code is generated for these users.
-
From the navigation menu, click Access > Directory Services.
-
Click the User Provisioning tab or section.
-
Click Download Registration Codes, and save the CSV file.
The new registration code is included in the file.
You can download a CSV file that lists the registration codes for the SDP users. The file shows the following information for each user:
-
First and last name
-
Email address
-
Registration code
Once downloaded, you can save the CSV file to a directory on your computer.
You can use the Reset Password menu option to revoke registration codes and reset VPN access to your network for SDP users.
After you generate a new code for a user and it is successfully entered, the user is authenticated again to the Cato Client.
Note
Note: When revoking a user's registration code, as detailed below, new registration codes are not automatically generated. Select Generate invitation code from the Actions drop-down menu to generate a new code.
The Event Discovery window shows all the Registration Code events for your account. The powerful search tools let you drill-down and identify the few events that contain the relevant data that you need.
You can learn more about using the Events screen in Analyzing Events in Your Network.
These are actions for the Registration Code event sub type:
|
Name |
Description |
|---|---|
|
Generated |
Registration code generated for a specific user |
|
Used |
Registration code is used to authenticate a user |
|
Revoked |
Registration code is revoked and no longer valid for the user |
Comments
0 comments
Please sign in to leave a comment.