"400 Bad Request" Error Occurs with Okta SSO - Unable to Log in to VPN

Question

I configured SSO authentication with Okta as the IdP for the Cato VPN Client, but when attempting to connect to the VPN, I receive a '400 Bad Request' error and cannot log in.

Setup:
"Single Sign-On" has been configured in CMA
"Cato Portal" configured in Okta
A VPN connection has been attempted using the Cato Client
During authentication, the following error message appears:

Error Message:
"400 Bad Request"

What I have tried:
I found the following information in Okta's Knowledge Base, but I was unable to locate the corresponding setting in the Cato Portal

Make sure that the redirect_uri, http://localhost:8080/authorization-code/callback is registered as an allowed Sign-in redirect URI in Open ID Client for the application being used

[Reference link]
(https://support.okta.com/help/s/article/The-redirect-uri-parameter-must-be-an-absolute-URI?language=en_US)

Question:
If anyone has encountered and resolved this issue, I would appreciate any insights on key configuration points or possible solutions.

Additional Information:
I am using Okta's free Developer edition (https://developer.okta.com/login/) for testing.

naoki · Answer

Based on our investigation, it appears that the issue is caused by the authentication policy settings in Okta.

When we changed the authentication policy in the Cato Portal to "Password Only," the connection was successful. However, we would like to enable two-factor authentication with "Password + Okta Verify."

If anyone has expertise in Okta authentication policy settings, we would appreciate any advice on the appropriate configuration.

michaelsaw · Answer

Hi Noaki san,&nbsp;Can I check if you have reach out to OKTA to check further on this matter?Thank you.

naoki · Answer

Hi michaelsaw,No, I have not contacted Okta yet.Since this issue remains unresolved, I set up an Okta Developer environment again for further testing. (It seems that Okta authentication policies are not the cause.)When attempting to log in to the VPN from the Cato Client, the following error occurs:Error Message: "400 Bad Request" &nbsp;Identity Provider: Unknown, Error Code: login_required &nbsp;However, if I first log in to the Okta Dashboard via "Go to Homepage" and then retry the VPN login from the Cato Client, SSO succeeds, and the status shows "Connected."It may be related to the IdP token, but we have not been able to identify the exact cause yet.Here are the current Cato SSO settings:- Allow login with Single Sign-On: Enabled &nbsp;- Sign in with Windows credentials: Enabled (User selection) &nbsp;- Token validity: Always Prompt &nbsp;- Force re-authenticate after: 1 Day &nbsp;I would appreciate your advice on any settings that should be reviewed or potential causes.Best regards,

michaelsaw · Answer

Hi Naoki san,&nbsp;Appreciate your efforts.Just to check, have you seen this KB from OKTA on the 400 error? https://support.okta.com/help/s/article/error-400-bad-request-when-redirecting-to-the-authorize-endpoint-with-no-error-description?language=en_USThere is a OKTA SSO KB from Cato.Can I check if you have reviewed this KB previously? https://support.catonetworks.com/hc/en-us/articles/11000926259613-Configuring-Okta-SSO-for-Your-AccountThank you.

naoki · Answer

Hi michaelsaw,Thanks for your reply.I have checked the KB for both Okta and Cato.The client_id values are exactly the same for both Okta and Cato.I have no idea what is causing the problem.

Forum Discussion

"400 Bad Request" Error Occurs with Okta SSO - Unable to Log in to VPN

7 Replies

Recent Discussions

Uptime for Wan Interface

What is the difference between App Control Rule "Allow + Tracking: Event Enable" and "Monitor"?

Use Case- Bypass internal application access through CATO when in office

Is there a way to restrict access to the WebUI?

LAN NGFW and Segmentation