This article explains how to configure the authentication settings for Cato Management Application (CMA) administrators.
To best fit the requirements of your organization, you can define the authentication methods that the CMA accepts for admins. These are the different methods:
- SSO provider - Authenticate with the Single Sign-On (SSO) provider that is configured for the account in Access > Single Sign-On
- Cato user credentials - Log in with the username (admin email) and password that you configure in the CMA
- MFA - Admins are also required to use Multi-Factor Authentication (MFA) with an authentication app when they log in to the CMA
  - This option is enabled by default for new admins
  - For accounts created after December 10th 2023, MFA is always enabled for admins
  - MFA is only supported for Cato user credentials
We recommend that you configure CMA admin accounts to authenticate only with SSO, or only with Cato user credentials protected by MFA, so that a password alone is never enough to log in. This provides secure access and helps prevent account takeover and compromise.
For more about working with CMA admins, see Managing Administrators.
You can choose to allow Cato Management Application admins to use one or both of these methods to log in:
- SSO with the Identity Provider (IdP) for the account (Access > Single Sign-On)
- Username and password for the admin defined in the CMA (Account > Login Restrictions)
The Login Restrictions screen also shows if admins are allowed to log in with SSO.
The admin authentication settings are defined for all admins in the account.
To configure the authentication methods for CMA admins:
- To allow admins to authenticate with SSO:
  - From the navigation menu, click Access > Single Sign-On.
  - In the Cato Management Application Admins section, select Allow login with Single Sign-On.
  - Click Save.
- To allow admins to authenticate with username and password:
  - From the navigation menu, select Account > Login Restrictions.
  - In the Login Authentication Method for Cato Management Application section, select Allow login with Cato user credentials.
  - Click Save.
To provide additional security, you can require admins to use Multi-Factor Authentication (MFA) when they log in to the CMA. MFA uses an authentication app (such as Google Authenticator) to generate One-Time Passwords (OTP) that the admin enters as part of the login process. Without a valid OTP, the admin can't authenticate and log in to the CMA.
Notes:
- MFA is only supported for Cato user credentials. When admins log in with SSO, you can't require them to enter an MFA code in the CMA; if you want a second factor for SSO logins, enforce it in the IdP's own sign-in policy.
- For accounts created after December 10th 2023, MFA is always enabled for admins that use Cato user credentials authentication.
For accounts that support disabling MFA, MFA is enabled by default for each admin that you create. When MFA is enabled, the first time that the admin logs in to the CMA, they are redirected to a web page with a QR code. The admin scans the QR code with the authentication app, which adds the CMA MFA entry to the app.
You can reset the MFA settings for an admin (for example, when the admin has lost the device with the authentication app). After you reset MFA, the admin can no longer use the current authenticator app to log in to the CMA. The next time that the admin logs in, they are redirected to a web page with a new QR code and must scan it with the authentication app to enroll again.