Cato Networks Knowledge Base

Using Windows Identity Agents for User Awareness with Azure AD and SCIM (EA)

  • Updated

This article explains how to enable the Cato Identity Agent for User Awareness and provide the ability to identify users behind a site.


Note: This is an Early Availability (EA) feature that is only available for limited release. For more information, contact your Cato Networks representative or send an email to

This feature will be available starting from Jan. 30, 2023.

Overview of Identity Agent Based User Awareness

Knowing the user identity is a key component of Zero Trust Network Architecture (ZTNA) - it is essential to identify the user at any point in time, control user access, and monitor user activity. The Identity Agent for User Awareness identifies Windows users behind a Socket, or in Office Mode. It uses the framework of the Cato SDP Client to get the user information and regularly reports this identity to the PoP (about every 30 seconds). Any change in the IP address is immediately detected and reported.

The Client is installed on the device and runs in the background (without establishing a tunnel) and it provides the Cato Cloud with the user identity (no action is required by the user).


  • Cato Client requirements:

    • Supported from Windows Client v5.4 and higher

    • No SDP licenses are required for the users and the Client doesn't need to connect to the network

Overview of Implementing Cato's Identity Agent for User Awareness Solution

This is a high-level overview of the process to implement Identity Agent for User Awareness in your account:

  1. Provision users to your account over SCIM using the Cato Management Application (Access > Directory Services > SCIM).

  2. After provisioning the users and user groups is completed, create rules and policies that include them.

    • Install the Client on the devices for the relevant users. Once the user logs in to the device, the Client starts reporting the identity to the Cato Cloud every 30 seconds.

    • Azure domain joined users are identified.
  3. Assign SDP licenses to users and user groups:

    • Assign SDP licenses to all provisioned users

    • Select the user groups and users that are assigned SDP licenses

Working with Users in Policies for Your Account

You can add users to policies in the Cato Management Application, such as firewall or network rules.

  • Users refer to individuals that are identified with User Awareness, and aren't using the Client to connect to the network over an encrypted tunnel. Users don't require an SDP license to be identified with User Awareness.

  • SDP Users use the Cato Client to connect to the network, and require an SDP license.

We recommend that you use user groups in the various Security and Network policies. When using a user group, the policy will apply to users connecting behind the Socket or remotely with the Client.

If you need to create policies for specific users (and not for user groups), make sure to include the items for the user and the SDP user as the Source for the rule. This makes sure that the policies always apply to that person no matter where they are connecting from.

For EA, any existing user groups are automatically updated to include the SDP user and user entity for each individual.

Enabling the Identity Agent for User Awareness

Enable your account to identify the SCIM provisioned users with Cato's Identity Agent.


To enable the identity agent:

  1. From the navigation menu, select Access > User Awareness.

  2. Select the Identity Agent section.

  3. Enable the identity agent for your account.

    The toggle is green toggle.png when enabled.

  4. Click Save.

Assigning SDP Licenses to SDP Users (SCIM Provisioning)

In the IdP, define the groups and users that are synced to your Cato account. After the initial sync is completed, all users are then created in the Cato Management Application.

For EA, Cato will automatically create user entities for all SDP users, so that you can use them in policies whether or not they are in the office. For more information, see above Working with Users in Policies for Your Account.

For accounts that have SDP users and User Awareness users, define the user groups and SDP users that are assigned an SDP license. All other user groups and users can use the Client as an Identity Agent, but not for remote access.

You can choose how SDP licenses are assigned in your account:

  • Assign SDP license to all users provisioned from the IdP

  • Select specific user groups and users that are assigned SDP licenses


To assign licenses to specific SDP users and groups:

  1. In the Cato Management Application, from the navigation menu select Access > Directory Services and click the SCIM tab.

  2. Click Apply SDP license to selected group.

  3. From the drop down menu, select User Group or SDP User, and then add the items that you are assigning an SDP license to.

  4. Click Save.

Known Limitations

  • For Windows Client v5.5 and earlier - the User Awareness Agent doesn't support multiple users that are simultaneously logged in to a Windows device.

    • When a user is logged in to Windows, and a different user logs in to the device (Start menu > Switch user), both users are currently logged in to the device. The agent identifies only one of the users for this device.

    • When a user logs out of the Windows device, and a second user logs in, then the agent identifies the second user for this device.

  • When SDP users are authenticated to the Client, the identity is immediately acquired, and the Identity Agent report timestamp in the Client is not relevant.

Was this article helpful?

0 out of 0 found this helpful



Article is closed for comments.