Configure SAML Single Log Out Within PortalGuard


Problem

You have applications that require SAML Single Log Out (SLO), or you wish to enable this functionality from the PortalGuard IdP. 

Solution

Follow the steps below to configure SLO within PortalGuard.


Requirements

Restrictions

  • SLO only works with SAML or Shibboleth-based Service Providers. SAML SLO cannot interoperate with other SSO protocols; in particular, SLO cannot log users out of websites that use CAS, WS-Fed, or OAuth for SSO.

Configuration

  1. On the PortalGuard server, open the Identity Provider Configuration Editor and click the 'General IdP Settings' button.

  2. Navigate to the SAML SLO tab and check the 'Enable SAML Single Log Out (SLO)' checkbox.

    • Note: It is recommended that you leave the default values. However, hovering over any of the labels with blue text will present additional information about each setting. 

  3. Save these changes. 

  4. From the main Identity Provider Configuration Editor window, navigate to the SAML Websites tab and select the Relying Party configuration for which you wish to enable SLO. Either double-click the selection or click the 'Edit' button to edit the configuration. 

  5. Navigate to the Single Log Out tab and check the box labeled 'Service Provider Supports the SAML Single Log Out (SLO) protocol'.

  6. If you have the URL of this Service Provider's metadata, click the 'Get from Metadata' button and enter the URL when prompted. PortalGuard will attempt to parse the metadata and pull the SLO settings automatically. You will see a confirmation prompt if this attempt is successful:

  7. If the metadata is not accessible, or otherwise cannot be parsed, you must enter the necessary SLO information manually.

  • For the 'Redirect Endpoint', you will need the Service Provider's SLO URL for the 'HTTP Redirect' binding. Only the 'HTTP Redirect' binding is supported. An example of this line in a Service Provider's metadata follows for reference:

    • <md:SingleLogoutService Location="https://service.example.org/Shibboleth.sso/SLO/Redirect"
            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>

      • In this case, you would input the 'Location' value for the 'Redirect Endpoint'. 

  • For the 'Signing Cert File', you will need to extract the entire x509 certificate from the Service Provider's metadata and save it to a new file:

    • Search the metadata file for the 'X509Certificate' element. This element should contain a base64-encoded certificate, typically beginning with 'MII...' and ending with '='.

    • Copy this entire string to a new file, and add the following:

      • The first line of the file should be "-----BEGIN CERTIFICATE-----"

      • The last line of the file should be "-----END CERTIFICATE-----"
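The manual extraction described in the two bullets above (finding the HTTP-Redirect SLO endpoint and wrapping the X509Certificate value in PEM headers) can be scripted. The following is an added Python example, not part of this article or of PortalGuard; the sample metadata and its certificate value are constructed for illustration and the certificate is not real DER data.

```python
import base64
import textwrap
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample: the "certificate" is base64 of a label, not a real DER certificate.
SAMPLE_CERT_B64 = base64.b64encode(b"constructed sample, not a real DER certificate").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://service.example.org/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>
        {SAMPLE_CERT_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Location="https://service.example.org/Shibboleth.sso/SLO/POST"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
    <md:SingleLogoutService Location="https://service.example.org/Shibboleth.sso/SLO/Redirect"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def extract_slo_settings(metadata_xml: str) -> dict:
    """Return the HTTP-Redirect SLO endpoint and the SP signing certificate as PEM text."""
    sp = ET.fromstring(metadata_xml).find(f"{MD}SPSSODescriptor")
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor")
    # Only the HTTP-Redirect binding is usable as the 'Redirect Endpoint'; skip POST and others.
    endpoint = next((s.get("Location") for s in sp.findall(f"{MD}SingleLogoutService")
                     if s.get("Binding") == REDIRECT), None)
    if not endpoint:
        raise ValueError("no SingleLogoutService with HTTP-Redirect binding")
    # Take the signing KeyDescriptor (use="signing", or no 'use' attribute, which means both).
    cert_b64 = None
    for kd in sp.findall(f"{MD}KeyDescriptor"):
        if kd.get("use") in (None, "signing"):
            node = kd.find(f".//{DS}X509Certificate")
            if node is not None and node.text:
                cert_b64 = "".join(node.text.split())  # drop embedded newlines and indentation
                break
    if not cert_b64:
        raise ValueError("no signing X509Certificate in metadata")
    base64.b64decode(cert_b64, validate=True)  # refuse to write a cert file from non-base64 junk
    pem = ("-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(cert_b64, 64))
           + "\n-----END CERTIFICATE-----\n")  # standard PEM layout: 64-character lines
    return {"redirect_endpoint": endpoint, "signing_cert_pem": pem}
```

Write the returned 'signing_cert_pem' string to the file you point the 'Signing Cert File' setting at, and paste 'redirect_endpoint' into the 'Redirect Endpoint' field.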

If the Service Provider requires SLO to terminate its logon session, but you do not want to log the user out of other websites, you can enable the 'Suppress SLO Propogation' checkbox.  

  • NOTE: This setting only works for SP-Initiated SLO.  If the user clicks a logout link from a PortalGuard page (IdP-Initiated), this setting is ignored and the SP will be contacted via SLO.

  1. Save the changes to the Relying Party. 

  2. Click the 'Apply to Identity Provider' button and then 'Sync' to submit the changes to the running instance of PortalGuard. 

  3. Still on the PortalGuard server, edit the following file in an administrative Text Editor (e.g. Notepad++):

    • c:\inetpub\PortalGuard\_layouts\images\pg\js\pg_custom.js

  4. Search for 'g_bUseSingleLogout' and set the variable to 'true' - it will be set to 'false' by default:

  5. Save the change. 

  6. Edit the following file in an administrative text editor:

    • c:\inetpub\PortalGuard\PG_Custom_dotNET_Text.inc

  7. Change the value of the 'PG_RSRC_TIME' variable on line #5 to an updated date/timestamp format:

    • This will immediately invalidate browser caches of the older JS files, prompting the SLO functionality to register immediately. 

  8. Save the file. 

  9. Edit the following file in an administrative text editor:

    • c:\inetpub\PortalGuard\web.config

  10. Locate the 'SignoutWhiteList' element and add a new line with the base URL of each SLO-enabled Service Provider:

    • In this case, two websites, google.com and webapp.acme.com, were added. PortalGuard will now honor SLO requests that come from these sites.

  11. Save the changes to this file. 

  12. Launch an administrative CMD and run 'iisreset' for the changes to take effect. 

  13. Test SLO!

Updated PortalGuard Metadata with SLO Information

Once SLO is enabled within the 'General IdP Settings' and applied to the Server, PortalGuard's metadata will update to include the 'SingleLogoutService' information.  This metadata file can be provided to the SP for configuration purposes once SLO is enabled.