This article explains improvements to the Single Sign-On (SSO) workflow for Windows Client version 5.0 and higher and macOS Client version 4.5 and higher.
Windows Client version 5.0 introduces an improved SSO authentication workflow that lets users log in directly within the Client.
What was the behavior before?
For versions prior to 5.0, when users attempted to use an SSO provider to authenticate to the Cato Cloud, a new instance of their default browser (e.g. Mozilla Firefox, Google Chrome) opened to continue the authentication workflow.
What is the behavior now?
Starting with Windows Cato Client 5.0, the SSO workflow takes place entirely within the Client. When users attempt to use a configured SSO provider for the account, a new in-Client browser window opens to continue the authentication workflow.
- When your end user clicks the 'Use Corporate Identity' button within the Windows Cato Client, they are shown a window in which to choose their SSO provider.
- After selecting the SSO provider configured for the account (e.g. Microsoft), users are prompted to enter the email address or log in.
- Once the user information is confirmed, the Identity provider workflow opens within the same window. This workflow should be familiar to your end users; the example below shows SSO authentication with Microsoft.
- After the user successfully authenticates with the SSO Identity provider, the Client window automatically closes and the user is now securely connected to the Cato Cloud.
To add a new user to the Windows Client v5.0:
- In the Client, from the navigation pane, click Users.
- In the Manage Users window, click Add User.
- Enter your email and press Continue.
- If you are using the same credentials in multiple Cato Accounts, you are asked to also enter the relevant account's subdomain.
- Enter the Email and Password, or select the SSO provider.
- For SSO, authenticate to the Identity provider (the example below is for Microsoft).
To add additional profiles:
You can add multiple users to the Cato Client. Enter the subdomain for the account, and then authenticate with SSO or the username and password.
To add a new user to the macOS Client v5.0:
- In the Client, from the navigation pane, click Users.
- In the Manage Users window, click Add User.
- Enter your email and click Continue.
- If you are using the same credentials in multiple Cato Accounts, you are asked to also enter the relevant account's subdomain.
- Enter the Email and Password, or select the SSO provider.
- For SSO, authenticate to the Identity provider (the example below is for Microsoft).
As part of the SSO enhancements for the Cato Client, and following security best practices for Apple macOS, macOS requires the end user to provide additional consent to allow SSO authentication. With the new SSO behavior, the first time that the user uses SSO to authenticate to the Client, macOS opens the following pop-up window:

By clicking Open CatoClient, the user authorizes SSO authentication for the Client.
For some browsers, such as Chrome, when you select the Always allow option, macOS never shows this pop-up window again. However, for other browsers (such as Safari), the Always allow option is ignored.
The following Client versions support browser-based SSO authentication:
- macOS version 4.5.x
- macOS version 5.0 with External Browser Authentication
This section gives end users instructions for completing browser-based SSO authentication.
- If necessary, open the Client and add a new user with the Corporate Identity. Otherwise, connect the Client to the VPN.
- In the SSO corporate identity window, select the SSO provider.
- Select the SSO provider, and then log in with the provider username and password. The OS opens the following pop-up window:
- For browsers such as Chrome and Firefox, select the Always allow option to let the OS always use SSO for the Client. This prevents this pop-up window from opening in the future.
- Click Open CatoClient. The user is authenticated and connects to the VPN.
2 comments
This seems like a step backward on Windows. When properly configured for Seamless Single Sign-on, the external browser will complete authentication using Passthrough authentication. I haven't seen the internal browser behave this way yet. The internal browser requires the user complete a separate authentication process with email address, password, and if configured, MFA.
Hello Regis.
My apologies that your comment has only been responded to now. I'm curious about your observation because I would have thought not leaving the Cato Client application to perform SSO login would be a more elegant solution and I thought it worked as described in the article. I use the client on macOS and I don't seem to get the same user experience as you have described here. I suggest that you open a Support ticket with us for us to take a closer look at what you are seeing.
Kind Regards,
Dermot Doran (Cato Networks Community Manager)