Configuring Single Logout (SLO)

SSO/SLO configuration is available with CloudShell Premium Tier.

Single logout (SLO) invalidates CloudShell single sign-on (SSO) sessions and redirects the user who logs out to their defined logout page. If your CloudShell deployment includes multiple domains, where each domain uses a different logout page, each user is redirected to the logout page of their own domain.

Note: SLO must be used in conjunction with SSO.

In this article:
- Creating an SSL certificate
- Configuring SAML SLO on each CloudShell Portal
- Configuring SAML SLO for CloudShell Portal in SSL mode
Creating an SSL certificate

The first step is to create an SSL certificate, which you will need to install on all CloudShell Portal machines.

To create an SSL certificate:
- In your personal store, create an SSL certificate with a private key. Use the following script and update the settings for your organization:

    makecert.exe -n "CN=My Company Development Root CA,O=My Company, OU=Development,L=Quali,S=NY,C=US" -pe -ss My -sr LocalMachine -sky exchange -m 120 -a sha1 -len 2048 -r

- Export the certificate, omitting the private key, in DER CER format:
  - Right-click the certificate and select All Tasks > Export.
  - In the Certificate Export Wizard, select No, do not export the private key.
  - Select DER encoded binary X.509 (.CER).
  - Browse for the .cer certificate file and complete the wizard.
- Copy the exported .cer file to all CloudShell Portal machines.
Configuring SAML SLO on each CloudShell Portal

Perform the following procedure on each CloudShell Portal machine.

To configure SAML SLO for CloudShell Portal:
- Make sure SSO is configured. For details, see Configuring Single Sign-On (SSO).
- Disable the requireSsl flag by adding the following code to the web.config file:

    <system.identityModel.services>
      <federationConfiguration>
        <cookieHandler requireSsl="false" name="CloudShellAuthFederation"/>
      </federationConfiguration>
    </system.identityModel.services>

  Note: The requireSsl flag only applies to websites that do not use HTTPS. If HTTPS is used, perform the steps in the Configuring SAML SLO for CloudShell Portal in SSL mode section and then continue with this procedure.

  Important: The web.config file is overwritten during a CloudShell patch or version upgrade. Keep a backup copy of the file and, after the upgrade, replace the file's <system.identityModel.services> section with the one from the backup copy.

- In the Kentor.config file, do the following:
  - In the <kentor.authServices> section (if the section is missing, add it), set the following properties:
    - entityId: CloudShell Portal (service provider) IP address or DNS name, with the port if CloudShell Portal is not using the default (8080). For example: "http://192.168.20.134:85/AuthServices"
    - returnUrl: Logout page URL

    For example (excerpt):

        <?xml version="1.0" encoding="utf-8"?>
        <kentor.authServices entityId="http://192.168.30.27:6060/AuthServices" returnUrl="http://192.168.30.27:6060/">
          <metadata>

  - Under the <identityProviders> section, set the following:
    - entityId: Identity provider issuer
    - logoutUrl: Identity provider SLO URL

    For example (excerpt):

        <identityProviders>
          <add entityId="http://www.okta.com/exkdmzexSOj8bXgBB355"
               signOnUrl="https://quali-john.okta.com/app/qualiorg672652_john_1/exkdmzexSOj8bXgBB355/sso/saml"
               logoutUrl="https://quali-john.okta.com/app/qualiorg672652_john_1/exkdmzexSOj8bXgBB355/slo/saml"
               allowUnsolicitedAuthnResponse="true"
               binding="HttpPost">

  - Download the certificate you created earlier to the ~\QualiSystems\CloudShell\Portal\Certificates folder, install it, and point to it in the <signingCertificate> section:

        <!--<signingCertificate fileName="C:\work\trunk\drop\CloudShell\Portal\onelogin_publickey.der"/>-->
        <signingCertificate storeLocation="LocalMachine" storeName="My" findValue="quali-john" x509FindType="FindBySubjectName"/>

  - Add a <serviceCertificates> section that points to the newly created certificate. For example:

        <serviceCertificates>
          <!--<add fileName="V:\Users\john.d\my-certificate.pfx" />-->
          <add storeName="My" storeLocation="LocalMachine" findValue="54nb76caaa0018v67dd8h217jc7h1i9" x509FindType="FindBySerialNumber" use="Signing" />
        </serviceCertificates>

- Configure your identity provider. This typically includes setting the SLO logout page URL, the CloudShell Portal issuer (for example: "http://192.168.20.134/AuthServices") and the .cer certificate file.

  Sample configuration using Okta:
  - Log in to your Okta organization as a user with administrative privileges. If you don't have an Okta organization, you can create a free Okta Developer Edition organization.
  - Click Admin.
  - Click the Add Applications shortcut.
  - Click Create New App.
  - In the dialog that opens, select the SAML 2.0 option, then click Create.
  - In step 1 - General Settings, enter Example SAML Application in the App name field, then click Next.
  - In step 2 - Configure SAML, section A SAML Settings, paste the logout page URL in the Single sign on URL and Audience URI (SP Entity ID) fields.
  - In the Attribute Statements section, add the following two attribute statements:
    - emailAddress: user.email
    - userName: user.login
  - Click Next.
  - In step 3 - Feedback, select I'm a software vendor. I'd like to integrate my app with Okta, then click Finish.
  - The Sign On section of your newly created "Example SAML Application" application is displayed. Right-click the Identity Provider metadata link, select Copy, and save the link somewhere you'll remember.
  - Right-click the Assignments section of the "Example SAML Application" application and select Open Link In New Tab (so that you can come back to the Sign On section later).
  - In the new tab that opens, click the Assign button and select Assign to People.
  - In the Assign Example SAML Application to People dialog box, type your username into the search box and click the Assign button next to your username.
  - Verify your user's attributes and select Save and Go Back.
  - Click Done.

- Restart the Quali Server and CloudShell Portal IIS services.
- Log in to CloudShell Portal with your IdP user.
- Log out of CloudShell Portal. You are redirected to the defined logout page.
Configuring SAML SLO for CloudShell Portal in SSL mode

If CloudShell Portal is running in SSL mode (HTTPS), you will need to perform several additional configurations to enable SLO.

To configure SAML SLO to work in HTTPS:
- In your identity provider, update all SLO logout URLs to be in https mode. For example: "https://192.168.30.27/AuthServices/Acs".
- In the Kentor.config file, in the <kentor.authServices> section, update the entityId and returnUrl URLs to be in https mode.
- Restart the CloudShell Portal web site in IIS Manager. If you get a "Keyset does not exist" error message, your IIS user is unable to access the private key. Grant that user read access to the key and try again.
- Open the C:\Program Files (x86)\QualiSystems\CloudShell\Portal\customer.config file and set CustomAbsoluteLoginPage and CustomAbsoluteLogoutPage to be in https mode.
- In the web.config file, remove the requireSsl key or change its value to "true", since the default is to use SSL cookies.
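The two mistakes this article warns about most often survive an upgrade or a move to HTTPS unnoticed: http URLs left in Kentor.config after the portal is switched to SSL mode, and requireSsl="false" left in web.config on an HTTPS portal (where it makes the federation cookie sendable over plain HTTP). The following check script is an added example, not part of this article or of CloudShell. It assumes only the element and attribute names shown above (kentor.authServices entityId/returnUrl, identityProviders/add logoutUrl, serviceCertificates/add use="Signing", cookieHandler requireSsl), parses kentor.authServices as the document root exactly as the article's excerpt shows it, and runs against constructed sample configs embedded in the script rather than real deployment files.

```python
"""Sanity-check CloudShell SLO settings in Kentor.config and web.config.

Added example; not Quali's code. Element/attribute names are the ones shown
in the article. Sample configs below are constructed for this example.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed Kentor.config: the portal was moved to HTTPS but the IdP
# logoutUrl was left on http, the mismatch the SSL-mode section warns about.
KENTOR_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<kentor.authServices entityId="https://192.168.30.27:6060/AuthServices"
                     returnUrl="https://192.168.30.27:6060/">
  <identityProviders>
    <add entityId="http://www.okta.com/EXAMPLE-ISSUER"
         signOnUrl="https://example.okta.com/app/example/sso/saml"
         logoutUrl="http://example.okta.com/app/example/slo/saml"
         allowUnsolicitedAuthnResponse="true"
         binding="HttpPost">
      <signingCertificate storeLocation="LocalMachine" storeName="My"
                          findValue="example-idp" x509FindType="FindBySubjectName"/>
    </add>
  </identityProviders>
  <serviceCertificates>
    <add storeName="My" storeLocation="LocalMachine" findValue="EXAMPLE-SERIAL"
         x509FindType="FindBySerialNumber" use="Signing"/>
  </serviceCertificates>
</kentor.authServices>
"""

# Constructed web.config: requireSsl="false" is correct for plain HTTP only.
WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.identityModel.services>
    <federationConfiguration>
      <cookieHandler requireSsl="false" name="CloudShellAuthFederation"/>
    </federationConfiguration>
  </system.identityModel.services>
</configuration>
"""


def _is_https(url):
    return urlparse(url).scheme.lower() == "https"


def check_kentor(xml_text, portal_https):
    """Return a list of findings for the SLO-related Kentor.config settings."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "kentor.authServices":
        return ["root element is not <kentor.authServices>"]
    # Service-provider URLs: must follow the portal's scheme.
    for attr in ("entityId", "returnUrl"):
        value = root.get(attr)
        if not value:
            findings.append(f"kentor.authServices is missing {attr}")
        elif portal_https and not _is_https(value):
            findings.append(f"kentor.authServices {attr} is not https: {value}")
    idps = root.findall("identityProviders/add")
    if not idps:
        findings.append("no <identityProviders><add> entries")
    for idp in idps:
        # The IdP entityId is an issuer identifier, not a URL the browser is
        # sent to, so only logoutUrl is checked for the https scheme.
        if not idp.get("entityId"):
            findings.append("identity provider entry is missing entityId (issuer)")
        logout = idp.get("logoutUrl")
        if not logout:
            findings.append("identity provider entry is missing logoutUrl (SLO URL)")
        elif portal_https and not _is_https(logout):
            findings.append(f"identity provider logoutUrl is not https: {logout}")
        if idp.find("signingCertificate") is None:
            findings.append("identity provider entry has no <signingCertificate>")
    if root.find("serviceCertificates/add[@use='Signing']") is None:
        findings.append('no <serviceCertificates> entry with use="Signing"')
    return findings


def check_web_config(xml_text, portal_https):
    """Return findings for the cookieHandler requireSsl flag in web.config."""
    root = ET.fromstring(xml_text)
    handler = root.find(
        "system.identityModel.services/federationConfiguration/cookieHandler")
    if handler is None:
        return ["no <cookieHandler> under <system.identityModel.services>"]
    # Absent attribute means the default, which is SSL-only cookies.
    require_ssl = handler.get("requireSsl", "true").lower()
    if portal_https and require_ssl == "false":
        return ['requireSsl="false" on an HTTPS portal: remove it or set it to "true"']
    if not portal_https and require_ssl != "false":
        return ['requireSsl must be "false" when the portal does not use HTTPS']
    return []


def audit(kentor_xml, web_xml, portal_https):
    """Combine both checks; an empty list means the configs are consistent."""
    return check_kentor(kentor_xml, portal_https) + check_web_config(web_xml, portal_https)


if __name__ == "__main__":
    for finding in audit(KENTOR_CONFIG, WEB_CONFIG, portal_https=True):
        print("FINDING:", finding)
```

Run it with portal_https=True after switching the portal to SSL mode and with portal_https=False on a plain-HTTP portal; on the constructed samples the HTTPS run reports the http logoutUrl and the requireSsl="false" flag, while the HTTP run reports nothing, which is the intended difference between the two modes described above.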