Forum Discussion

Naoki
Meteor
2 months ago

"400 Bad Request" Error Occurs with Okta SSO - Unable to Log in to VPN

I configured SSO authentication with Okta as the IdP for the Cato VPN Client, but when attempting to connect to the VPN, I receive a '400 Bad Request' error and cannot log in.

Setup:
- "Single Sign-On" has been configured in CMA
- "Cato Portal" configured in Okta
- A VPN connection has been attempted using the Cato Client
During authentication, the following error message appears:

Error Message:
"400 Bad Request"

What I have tried:
I found the following information in Okta's Knowledge Base, but I was unable to locate the corresponding setting in the Cato Portal.

Make sure that the redirect_uri, http://localhost:8080/authorization-code/callback is registered as an allowed Sign-in redirect URI in Open ID Client for the application being used

[Reference link](https://support.okta.com/help/s/article/The-redirect-uri-parameter-must-be-an-absolute-URI?language=en_US)

Question:
If anyone has encountered and resolved this issue, I would appreciate any insights on key configuration points or possible solutions.

Additional Information:
I am using Okta's free Developer edition (https://developer.okta.com/login/) for testing.

 

  • Based on our investigation, it appears that the issue is caused by the authentication policy settings in Okta.

    When we changed the authentication policy in the Cato Portal to "Password Only," the connection was successful. However, we would like to enable two-factor authentication with "Password + Okta Verify."

    If anyone has expertise in Okta authentication policy settings, we would appreciate any advice on the appropriate configuration.

  • Hi Naoki san,

    Can I check if you have reached out to Okta to check further on this matter?

    Thank you.

    • Naoki
      Meteor

      Hi michaelsaw,

      No, I have not contacted Okta yet.

      Since this issue remains unresolved, I set up an Okta Developer environment again for further testing. (It seems that Okta authentication policies are not the cause.)

      When attempting to log in to the VPN from the Cato Client, the following error occurs:

      Error Message: "400 Bad Request"  
      Identity Provider: Unknown, Error Code: login_required  

      However, if I first log in to the Okta Dashboard via "Go to Homepage" and then retry the VPN login from the Cato Client, SSO succeeds, and the status shows "Connected."

      It may be related to the IdP token, but we have not been able to identify the exact cause yet.

      Here are the current Cato SSO settings:

      - Allow login with Single Sign-On: Enabled  
      - Sign in with Windows credentials: Enabled (User selection)  
      - Token validity: Always Prompt  
      - Force re-authenticate after: 1 Day  

      I would appreciate your advice on any settings that should be reviewed or potential causes.

      Best regards,