Seamless SSO with External vs. Embedded Browser – Conditional Access & Compliance Issues

Arben

Hi Community,

I'm currently testing Seamless SSO with Cato and ran into an issue that I’d appreciate some input on.

When using an external browser for authentication, Conditional Access (CA) policies work as expected, and compliant devices are recognized. However, when trying to authenticate via the embedded browser, the device fails to report compliance, which leads to failed Conditional Access checks.

My questions are:
Is Seamless SSO currently supported when using the external browser flow with full Conditional Access and device compliance evaluation?
Is there any official support or workaround for enabling embedded browser authentication with Conditional Access and device compliance checks?
For example, is there any roadmap item or setting that might allow the embedded browser to pass device compliance state?

I’ve reviewed the official SSO guide, but it doesn’t address this specific scenario.

Thanks in advance for any insights or guidance!

 

bizzle90

Hey Arben,

Thank you for the questions!

We have not officially implemented Entra CA with the embedded browser functionality as of yet.

However, I am checking internally, and I can indeed see that multiple requests have been raised with our Product Management team to address this issue. 

My understanding is that our embedded browsers needs some slight tweaks and improvements, as it currently does not pass through the CA data (i.e., device compliance) as expected.

As you have already noted, using the external browser is the current workaround for the moment, until we can fully integrate the final solution with the embedded browser.

If not already done so, I would also kindly ask that you reach out to your Customer Success Manager or our Customer Success team to raise an RFE.

I hope this helps!