SDP users are authenticated to the Cato Cloud for the duration of the SSO or MFA session. When the session expires, users are disconnected from the Cato Cloud and must re-authenticate in order to reconnect. The Cato Management Application lets you configure the duration of the authentication token for the Cato Client. When the token expires, so does the session.
A message appears in the Windows notification area when the session is about to expire. A notification also appears in the Cato Client and gives users the option to re-authenticate. This means SDP users can re-authenticate to the Client without disconnecting from the Cato Cloud and interrupting the session.
Note: For accounts that are set to Always-on, when the SSO or MFA session expires the users can't connect to the Internet. Users still have 10 minutes of access after the MFA token expires. When users click Reconnect, they will re-authenticate and be able to use the Internet.
To provide the best SDP user experience, the message behavior depends on the duration of the SSO or MFA token that you configured in the Cato Management Application in one of the following screens:
- SSO token (entire account) - Access > Single Sign-On
- MFA token (entire account) - Access > Client Access > Authentication
- MFA and SSO token (individual SDP users) - Access > Users > {user name} > User Configuration > Authentication

The MFA and SSO token settings for individual users take precedence and override the account settings.
Once the message is shown to the user, it stays on screen and counts down until the token and the session expire. If users click Reconnect, they re-authenticate and the message disappears. If users do not click Reconnect, they are disconnected when the session expires.

| Token Expiration Settings in the Cato Management Application | Message Behavior in the Cato Client |
|---|---|
| 48 hours (or more) | Message is shown 24 hours before the token expires |
| Less than 48 hours, and more than 24 hours | Message is shown 12 hours before the token expires |
| 24 hours (or less) | Message is shown 2 hours before the token expires |

In this example, an SDP user authenticates to the Cato Client with SSO.
- The SSO session will expire in 1 day.
- A message appears in the Cato Client: This session expires in 1 Days..
- At a convenient time, the SDP user clicks Reconnect, and then re-authenticates to the Cato Client.

The Client reconnects to the Cato Cloud with no disruption to the SDP user.
7 comments
When set to never-off, does the client prevent web access until it is re-authenticated?
Matt,
Yes - when the Clients are set to Never-off/Always-on, when the SSO or MFA session expires the end-users can't connect to the Internet. When end-users click Reconnect, they will re-authenticate and be able to use the Internet.
I added a note to this article so that it is more clear.
Yaakov
Any idea when this option is pushed to the macOS clients?
When 'always on' is active for macOS it sometimes takes a while before the new authentication process is started (as the tunnel can't shut down, function is more restrictive); re-authenticating beforehand is a much desired wish for macOS users.
Hello Kevin!
My apologies that your question has not been addressed before now. This feature is targeted for release in macOS client v5.2.
Your second point sounds like material for an RFE. However, if you could elaborate a bit more on the use case, I would be happy to do some research into this before we consider the RFE route.
Kind Regards,
Dermot Doran
When using SSO and Never-off/Always-on, does the client now fully support using the Embedded Browser, or should this configuration still be set to use the External Browser? Thanks!
Hello Matt!
This should be supported now. Please open a Support ticket if this is not the case.
Kind Regards,
Dermot
Does the session created by the Registration Code authentication expire?
If so, when does it expire?