Understanding Expiring Session for SDP Users

SDP users are authenticated to the Cato Cloud for the duration of the SSO or MFA session. When the session expires, users are disconnected from the Cato Cloud and must re-authenticate in order to reconnect. The Cato Management Application lets you configure the duration of the authentication token for the Cato Client, when the token expires so does the session.

A message appears in the Windows notification area when the session is about to expire. A notification also appears in the Cato Client and gives users the option to re-authenticate. This means SDP users can re-authenticate to the Client without disconnecting from the Cato Cloud and interrupting the session.

Note

Note: For accounts that are set to Always-on, when the SSO or MFA session expires the users can't connect to the Internet. Users still have 10 minutes of access after the MFA token expires. When users click Reconnect, they will re-authenticate and be able to use the Internet.

To provide the best SDP user experience, the message behavior depends on the duration of the SSO or MFA token that you configured in the Cato Management Application in one of the following screens:

  • SSO token (entire account) - Access > Single Sign-On

  • MFA token (entire account) - Access > Client Access > Authentication

  • MFA and SSO token (individual SDP users) - Access > Users > {user name} > User Configuration > Authentication

    The MFA and SSO token settings for individual users take precedence and override the account settings.

When the message is shown to the user, the message is continuously shown and counts down until the token and the session expires. If users click Reconnect, they re-authenticate and the message disappears. If users do not click Reconnect, when the session expires they are disconnected.

Token Expiration Settings in the Cato Management Application

Message Behavior in the Cato Client

48 hours (or more)

Message is shown 24 hours before the token expires

Less than 48 hours, and more than 24 hours

Message is shown 12 hours before the token expires

24 hours (or less)

Message is shown 2 hours before the token expires

Prerequisites

  • The expiring session message is supported from Windows Client v5.3 and higher

Sample Expiring Session for an SDP User

In this example, an SDP user authenticates to the Cato Client with SSO.

  1. The SSO session will expire in 1 day.

  2. A message appears in the Cato Client: This session expires in 1 Days..

  3. At a convenient time, the SDP user clicks Reconnect, and then re-authenticates to the Cato Client.

    The Client reconnects to the Cato Cloud with no disruption to the SDP user.

session_exp__notification.png

Was this article helpful?

1 out of 3 found this helpful

7 comments

  • Comment author
    Matthew Sutton

    When set to never-off, does the client prevent web access until it is re-authenticated?

  • Comment author
    Yaakov Simon
    • Edited

    Matt,

    Yes - when the Clients are set to Never-off/Always-on, when the SSO or MFA session expires the end-users can't connect to the Internet. When end-users click Reconnect, they will re-authenticate and be able to use the Internet.

    I added a note to this article so that it is more clear.

    Yaakov

  • Comment author
    Kevin Lybaart

    Any idea when this option is pushed to the macOS clients?
    When 'always on' is active for macOS it sometimes takes a while before the new authentication process is started (as the tunnel can't shut down, function is more restrictive); re-authenticating on forehand is a much desired wish for macOS users.

  • Comment author
    Dermot - Community Manager Only 42 of these badges will be awarded.  They are reserved for people who have played a key role in helping build the Cato Community through their contributions! Community Pioneer The chief of community conversations. Community manager

    Hello Kevin!

    My apologies that your question has not been addressed before now.  This feature is targeted for release in macOS client v5.2.

    Your second point sounds like material for an RFE.  However, if you could elaborate a bit more on the use case, I would be happy to do some research into this before we consider the RFE route.

    Kind Regards,

    Dermot Doran

  • Comment author
    Matthew Sutton

    When using SSO and Never-off/ Always-on does the client now fully support using the Embedded Browser, or should this configuration still be set to use the External Browser? Thanks!

  • Comment author
    Dermot - Community Manager Only 42 of these badges will be awarded.  They are reserved for people who have played a key role in helping build the Cato Community through their contributions! Community Pioneer The chief of community conversations. Community manager

    Hello Matt!

    This should be supported now.  Please open a Support ticket if this is not case.

    Kind Regards,

    Dermot

  • Comment author
    nkawano

    Does the session created by the Registration Code authentication expires?

    If so when does it expires?

Add your comment