This article discusses the features and options to import SDP users to your Cato account for secure remote access to the network.
User identity is a foundational element of zero trust and Cato makes it easy to import and manage users. Cato leverages your existing Identity Provider (IdP), which is a centralized service for managing user identities, and supports the ability to easily provision and synchronize the users to your account. The IdP is integrated with your Cato account and automatically imports and updates users.
This ensures that you have a single source of truth for user identity, and gives you consistent user identity across your environment.
Cato supports the following methods to import and create users:
- Import users from an IdP via LDAP
- Import users from an IdP via SCIM
- Manually create users in the Cato Management Application
For more information about IdPs that Cato supports, see Using an Identity Provider for Your Cato Account.
You can provision users to your account with LDAP to synchronize the users from the IdP to Cato. Cato supports these IdPs for LDAP import:
- Microsoft on-premise or Azure Active Directory (AD) (synchronize groups with the LDAP protocol)
- Okta
- OneLogin (requires vLDAP)
- JumpCloud
For more information on how to configure LDAP provisioning with your IdP, see Provisioning Users With LDAP.
To configure LDAP provisioning, you need the following:
- Domain name
- Login DN or Bind DN and the associated password for authenticating to AD or the LDAP provider
- Base DN: the starting point the LDAP server uses when searching your directory for users to authenticate
- Inbound firewall rules that allow Cato to connect to on-premise AD or Azure AD
The LDAP sync process runs automatically once every 24 hours, at 0:00 GMT. Updated users, deleted users, and changed group memberships in the IdP are synced to your account.
To improve the security of LDAP imports between your AD and Cato, you can move from LDAP to LDAPS. Cato uses TLS (SSL) to secure the LDAP connection.
Steps to configure LDAPS for your Cato account:
- Enable LDAPS on the IdP (such as AD).
- In the Cato Management Application, enable encryption for LDAP user provisioning.
- Cato then attempts to connect to the IdP over port 636.
For cloud-based IdPs, such as Azure AD or Okta, Cato only supports LDAPS because these flows go over the public Internet (which is inherently not secure).
Cato never imports or synchronizes the passwords for IdP user accounts.
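The settings above (domain, Bind DN, Base DN, encryption, port 636, and the LDAPS-only rule for cloud IdPs) are easy to get wrong before the first nightly sync. The following pre-check is an added example, not Cato's own code or API: it validates the DN syntax, checks that both DNs end in the DC components of the domain, and flags cleartext LDAP or a port that does not match the LDAPS setting. The set of cloud IdPs and the DN conventions are assumptions taken from this article's lists.

```python
import re

# IdPs listed on the page for LDAP import that are reached over the public Internet.
# Cato only supports LDAPS for these (assumption: set derived from the article's list).
CLOUD_IDPS = {"azure ad", "okta", "onelogin", "jumpcloud"}
LDAPS_PORT = 636

_RDN = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)=(.+)$")


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split 'CN=cato-sync,OU=Service,DC=example,DC=com' into (attribute, value)
    pairs. Commas escaped with a backslash stay inside the value. Raises
    ValueError on a malformed RDN."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        m = _RDN.match(part.strip())
        if not m:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((m.group(1).upper(), m.group(2).strip()))
    return rdns


def expected_dc_suffix(domain: str) -> list[tuple[str, str]]:
    """example.com -> [('DC', 'example'), ('DC', 'com')]"""
    return [("DC", label) for label in domain.lower().split(".")]


def check_ldap_config(idp, domain, port, bind_dn, base_dn, encrypted):
    """Return a list of findings; an empty list means the settings are consistent."""
    findings = []
    cloud = idp.lower() in CLOUD_IDPS
    if not encrypted and cloud:
        findings.append(f"{idp} is reached over the public Internet: enable LDAPS ({LDAPS_PORT})")
    elif not encrypted:
        findings.append("cleartext LDAP to on-premise AD: enable LDAPS on the IdP and encryption in Cato")
    if encrypted and port != LDAPS_PORT:
        findings.append(f"encryption enabled but port is {port}; Cato connects to LDAPS on {LDAPS_PORT}")
    suffix = expected_dc_suffix(domain)
    for label, dn in (("bind DN", bind_dn), ("base DN", base_dn)):
        try:
            rdns = parse_dn(dn)
        except ValueError as exc:
            findings.append(f"{label}: {exc}")
            continue
        # Compare the trailing DC components case-insensitively against the domain name.
        if [(a, v.lower()) for a, v in rdns[-len(suffix):]] != suffix:
            findings.append(f"{label} does not end in the DC components of {domain}")
    return findings
```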
LDAP is a long-established technology and practice for importing users.
SCIM defines a standard for exchanging identity information across different cloud app vendors and lets you sync the relevant identity data between your IdP and your Cato account.
Cato supports the following IdPs for SCIM:
- Azure AD
- Okta
- OneLogin
- OneWelcome
Importing users with SCIM has these benefits:
- Immediately synchronize users from the IdP to your Cato account.
- Updates or changes to group membership or user profiles are reflected in near real time.
- Integrate the IdP with your Cato account without configuring any inbound firewall rules.
- SCIM is widely supported by IdP vendors and is easy to integrate with your account.
You can also create users manually in the Cato Management Application. Manually creating users is often used for specific situations, and it is not a scalable solution because it requires ongoing manual effort to manage the user identity lifecycle.
For more information about manually creating users, see Working with Users.
- Importing users with SCIM is generally a better solution than importing users with LDAP:
  - SCIM is near real-time, and any changes in the directory service are automatically and quickly synced to your Cato account.
  - LDAP automatically syncs with your account once every 24 hours.
- SCIM is an easier, consistent, modern, and scalable way to manage identities from a centralized IdP to downstream applications.
- We only recommend importing users with LDAP when it is not possible to use SCIM.