Cato Networks Knowledge Base

Understanding Expiring Session for SDP Users

SDP users are authenticated to the Cato Cloud for the duration of the SSO or MFA session. When the session expires, users are disconnected from the Cato Cloud and must re-authenticate in order to reconnect. The Cato Management Application lets you configure the duration of the authentication token for the Cato Client; when the token expires, so does the session.

A message appears in the Windows notification area when the session is about to expire. A notification also appears in the Cato Client and gives users the option to re-authenticate. This means SDP users can re-authenticate to the Client without disconnecting from the Cato Cloud and interrupting the session.

Note: For accounts that are set to Never-off/Always-on, when the SSO or MFA session expires the end-users can't connect to the Internet. When end-users click Reconnect, they will re-authenticate and be able to use the Internet.

To provide the best SDP user experience, the message behavior depends on the duration of the SSO or MFA token that you configured in the Cato Management Application in one of the following screens:

  • SSO token (entire account) - Access > Single Sign-On

  • MFA token (entire account) - Access > Client Access > Authentication

  • MFA and SSO token (individual SDP user) - Access > Users > {user name} > User Configuration > Authentication
    The MFA and SSO token settings for individual users take precedence and override the account settings.

Once the message is shown to the user, it remains on screen and counts down until the token and the session expire. If users click Reconnect, they re-authenticate and the message disappears. If users do not click Reconnect, they are disconnected when the session expires.

| Token Expiration Settings in the Cato Management Application | Message Behavior in the Cato Client |
|---|---|
| 48 hours (or more) | Message is shown 24 hours before the token expires |
| Less than 48 hours, and more than 24 hours | Message is shown 12 hours before the token expires |
| 24 hours (or less) | Message is shown 2 hours before the token expires |

Prerequisites

  • The expiring session message is supported from Windows Client v5.3 and higher

Sample Expiring Session for an SDP User

In this example, an SDP user authenticates to the Cato Client with SSO.

  1. The SSO session will expire in 1 day.

  2. A message appears in the Cato Client: This session expires in 1 Days..

  3. At a convenient time, the SDP user clicks Reconnect, and then re-authenticates to the Cato Client.

    The Client reconnects to the Cato Cloud with no disruption to the SDP user.


Comments

4 comments

  • Comment author
    Matthew Sutton

    When set to never-off, does the client prevent web access until it is re-authenticated?

    0
  • Comment author
    Yaakov Simon
    • Edited

    Matt,

    Yes - when the Clients are set to Never-off/Always-on, when the SSO or MFA session expires the end-users can't connect to the Internet. When end-users click Reconnect, they will re-authenticate and be able to use the Internet.

    I added a note to this article so that it is more clear.

    Yaakov

    0
  • Comment author
    Kevin Lybaart

    Any idea when this option is pushed to the macOS clients?
    When 'always on' is active for macOS it sometimes takes a while before the new authentication process is started (as the tunnel can't shut down, function is more restrictive); re-authenticating beforehand is a much desired wish for macOS users.

    0
  • Comment author
    Community Manager

    Hello Kevin!

    My apologies that your question has not been addressed before now.  This feature is targeted for release in macOS client v5.2.

    Your second point sounds like material for an RFE.  However, if you could elaborate a bit more on the use case, I would be happy to do some research into this before we consider the RFE route.

    Kind Regards,

    Dermot Doran

    0
