This article discusses the behavior of the Single Sign-On (SSO) authentication session regarding the IdP token and Cato token with the Windows Client.
End-users are authenticated to the Cato Client based on Cato's authentication token. The duration of this token is configured in the Cato Management Application. The duration of the IdP authentication token is based on the settings for the IdP. The starting time for these tokens is not synced, so even if they are set to the same duration, they usually expire at different times. When both tokens are expired, the user must re-authenticate to the IdP. For more about SDP user session expiration, see Understanding Expiring Session for SDP Users.
This article explains the Client behavior when the Cato token has expired, but the IdP token is still valid. This behavior is different depending on the Client version.
For all Client versions, as long as the Cato token is valid the user is authenticated (even if the IdP token has expired).
For accounts that set the Token validity setting to Always Prompt instead of Duration, the SDP user must authenticate to the IdP each time they connect with the Client. The IdP token is ignored.
This section describes how the Client automatically re-authenticates when the Cato token expires and the IdP token is still valid for Windows Client v5.0 and higher.
10 minutes before the Cato token expires, the Client attempts to automatically re-authenticate with the IdP with no impact or messages to the end-user. When the IdP token is valid, the Client automatically re-authenticates and Cato generates a new SSO token based on the token duration settings for the account.
You configure the amount of time that the Cato token is valid in the Cato Management Application (Access > Single Sign-On). For more information about the user experience and expiring tokens, see Understanding Expiring Session for SDP Users.
If both tokens are expired, the end-user authenticates to the IdP and then a new Cato token is generated.
This is an example of the session behavior for Windows Client v5.0 and higher.
1. The user authenticates to the Client by entering the IdP credentials (username and password). The IdP generates an SSO token for the user.
2. A Cato token is generated with a duration of 10 days (based on the Single Sign On settings in the Cato Management Application).
3. 10 days later, 10 minutes before the Cato token expires, the Client attempts to silently re-authenticate to the IdP.
   - If the IdP token is valid, the Client automatically re-authenticates with no impact to the user (the session is not interrupted). The Cato token is valid for another 10 days.
   - If the IdP token is expired, the user is prompted to authenticate to the IdP, and then the Cato token is valid for another 10 days (the session is not interrupted).
   - If the user does not re-authenticate to the IdP, then the session expires when the remaining 10 minutes end.
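To make this timeline concrete, here is an added Python model of the decision the Client makes at each point in time (this is example code, not Cato's Client code). The 10-day Cato token duration and the 10-minute re-authentication window come from the article; the 12-day IdP token lifetime, the login date, and the assumption that a silent re-authentication leaves the IdP token unchanged are constructed for the example.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta
from enum import Enum

# 10-day Cato duration and 10-minute window are from the article; the IdP lifetime is constructed.
CATO_TOKEN_DURATION = timedelta(days=10)   # Access > Single Sign-On setting for the account
IDP_TOKEN_DURATION = timedelta(days=12)    # assumed; really governed by the IdP's own settings
REAUTH_WINDOW = timedelta(minutes=10)      # silent re-auth starts 10 minutes before Cato expiry

class Action(Enum):
    AUTHENTICATED = "authenticated"      # Cato token valid; IdP token state does not matter
    SILENT_REAUTH = "silent_reauth"      # in the window and IdP token valid: renew quietly
    PROMPT_IDP = "prompt_idp"            # in the window and IdP token expired: ask the user
    SESSION_EXPIRED = "session_expired"  # Cato token expired and the user never re-authenticated

@dataclass(frozen=True)
class Session:
    cato_expires: datetime
    idp_expires: datetime

def login(now: datetime) -> Session:
    """User enters IdP credentials: the IdP issues its token and Cato issues a fresh Cato token."""
    return Session(cato_expires=now + CATO_TOKEN_DURATION, idp_expires=now + IDP_TOKEN_DURATION)

def client_action(s: Session, now: datetime) -> Action:
    """What the Client does at time `now` (Duration mode, Windows Client v5.0 and higher)."""
    if now >= s.cato_expires:
        return Action.SESSION_EXPIRED
    if s.cato_expires - now <= REAUTH_WINDOW:
        return Action.SILENT_REAUTH if now < s.idp_expires else Action.PROMPT_IDP
    return Action.AUTHENTICATED  # a valid Cato token keeps the user signed in, IdP token or not

def silent_renew(s: Session, now: datetime) -> Session:
    """Successful silent re-auth: only the Cato token is reissued (assumption: IdP token unchanged)."""
    return replace(s, cato_expires=now + CATO_TOKEN_DURATION)

def walkthrough() -> list:
    """Replays the article's scenario and returns the Client's decision at each step."""
    t0 = datetime(2024, 1, 1, 9, 0)              # constructed login time
    s = login(t0)
    events = []
    t1 = s.cato_expires - REAUTH_WINDOW          # day 10, 10 minutes before Cato expiry
    events.append(client_action(s, t1))          # IdP token (12 days) still valid -> silent renew
    s = silent_renew(s, t1)
    events.append(client_action(s, t0 + timedelta(days=15)))  # IdP expired, Cato valid -> signed in
    t2 = s.cato_expires - REAUTH_WINDOW          # day 20: IdP token long expired -> prompt the user
    events.append(client_action(s, t2))
    events.append(client_action(s, s.cato_expires))  # prompt ignored for 10 minutes -> session ends
    return [e.value for e in events]
```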
When the user's session is going to expire soon, the Client shows a message to users to let them easily re-authenticate. The goal of this message is to provide the best user experience, so the message behavior depends on the settings for the IdP and Cato token.
The following table explains the re-authentication experience for SDP users based on the different settings for the duration of the Cato and IdP token.