Online Help

This help article applies to CloudShell 9.3. To see the latest, click here.

Configuring Single Logout (SLO)

SSO/SLO configuration is available with CloudShell Premium Tier.

Single logout (SLO) invalidates CloudShell single sign-on (SSO) sessions and redirects the logging out user to their defined logout page. If your CloudShell deployment includes multiple domains, where each domain uses a different logout page, each one of your users will be redirected to their respective logout page.

Note: SLO must be used in conjunction with SSO.

In this article:

Creating an SSL certificate

The first step is to create an SSL certificate, which you will need to install on all CloudShell Portal machines.

To create an SSL certificate:

  1. In your personal store, create an SSL certificate with a private key. Use the following script and update the settings:

    makecert.exe -n "CN=My Company Development Root CA,O=My Company, OU=Development,L=Quali,S=NY,C=US" -pe -ss My -sr LocalMachine -sky exchange -m 120 -a sha1 -len 2048 -r

  2. Export the certificate.

    1. Right-click the certificate folder and select Export>All Tasks.

    2. Omit the private key from the export.

    3. Select the DER CER format.

  3. Export the certificate to all CloudShell Portal machines.

    1. Right-click the certificate and select Export>All Tasks>Export.

    2. In the Certificate Export Wizard, select No, do not export the private key.

    3. Select DER encoded binary X.509 (.CER).

    4. Browse for the .cer certificate file and complete the wizard.

Configuring SAML SLO on each CloudShell Portal

Perform the following procedure on each CloudShell Portal machine.

To configure SAML SLO for CloudShell Portal:

  1. Make sure SSO is configured. For details, see Configuring Single Sign-On (SSO).
  2. Disable the requireSsl flag by adding the following code to the web.config file.



    <cookieHandler requireSsl="false" name="CloudShellAuthFederation"/>



    Note: The requireSsl flag only applies to websites that do not use HTTPS. If HTTPS is used, perform the steps in the Configuring SAML SLO for CloudShell Portal in SSL mode section and carry on with the configuration process.

    Important: The web.config file is overridden during a CloudShell patch or version upgrade. Therefore, make sure to keep a backup copy of the file, and after upgrade, replace the file's <> section with the one in the backup version.

  3. In the Kentor.config file, do the following:

    1. In the <kentor.authServices section, set the following properties (if the section is missing, add it).

      • entityId: CloudShell Portal (service provider). IP address or DNS name, and port if CloudShell Portal is note using the default (8080). For example: ""
      • returnUrl: Logout page URL

      For example:

      <?xml version="1.0" encoding="utf-8"?>

      <kentor.authServices entityId=""



    2. Under the <identityProviders> section, set the following:
      • entityId: Identity provider issuer
      • logoutUrl: Identity provider SLO URL

      For example:


      <add entityId=""





    3. Download the certificate you previously created to the ~\QualiSystems\CloudShell\Portal\Certificates folder, install it and point to it under the <signingCertificate section:

      <!--<signingCertificate fileName="C:\work\trunk\drop\CloudShell\Portal\onelogin_publickey.der"/>-->

      <signingCertificate storeLocation="LocalMachine" storeName="My" findValue="quali-john" x509FindType="FindBySubjectName"/>

    4. In the Kentor.config file, add a section that will point to the newly created certificate. For example:


      <!--add fileName="V:\Users\john.d\my-certificate.pfx" />-->

      <add storeName="My" storeLocation="LocalMachine" findValue="54nb76caaa0018v67dd8h217jc7h1i9" x509FindType="FindBySerialNumber" use="Signing" />


  4. Configure your identity provider. This typically includes setting the SLO logout page URL, CloudShell Portal issuer (for example: "") and .cer certificate file.

  1. Restart Quali Server and CloudShell Portal IIS services.
  2. Log in to CloudShell Portal with your Idp user.
  3. Log out of CloudShell Portal.

    You are redirected to the defined logout page.

Configuring SAML SLO for CloudShell Portal in SSL mode

If CloudShell Portal is running in SSL mode (HTTPS), you will need to perform several additional configurations to enable SLO.

To configure SAML SLO to work in HTTPS:

  1. In your identity provider, update all SLO logout URLs to be in https mode. For example: "".
  2. In the Kentor.config file, in the <kentor.authservices section, update the entityId and returnUrl URLs to be in https mode. For example:

  3. Restart the CloudShell Portal web site in IIS Manager.

    If you get a "Keyset does not exist" error message, it means that your IIS user is unable to access the private key. Grant the user read access and try again.

  4. Open the C:\Program Files (x86)\QualiSystems\CloudShell\Portal\customer.config file and set the CustomAbsoluteLoginPage and CustomAbsoluteLogoutPage to be in https mode. For example:

  5. In the web.config file, remove the requireSsl key or change its value to "true", since the default is to use SSL cookies: