Value-Added Module (VAM) Single Logout (SLO) VAM Deployment Guide

Single Logout (SLO) Value-Added Module (VAM) Deployment Guide · CaptureLogoutURL Used for WsFederation or SAML to capture the reply or ACS/Logout URL value dynamically for the logout

Mar 13, 2020


VALUE-ADDED MODULE (VAM) – Single Logout (SLO) VAM Deployment Guide

SecureAuth www.secureauth.com 2

Copyright Information

©2020. SecureAuth® is a registered trademark of SecureAuth Corporation. SecureAuth’s Identity Platform software, appliances, and other products and solutions are copyrighted products of SecureAuth Corporation.

Document Revision History

Version   Date              Notes
1.0       19-March-2019     Initial draft
2.0       31-January-2020   Additional information added to documentation

For information on support for this module, contact your SecureAuth support or sales representative:

Email: [email protected] [email protected]

Phone: +1-949-777-6959 +1-866-859-1526

Website: https://www.secureauth.com/support https://www.secureauth.com/contact


Contents

  Product Overview  4
  Architecture  4
  Installation guidelines  5
    System prerequisites  5
    Installation  5
    Configuration steps  6
  Related information  7
  Upgrade information  7


Product Overview

The Single Logout (SLO) Value-Added Module (VAM) provides the SecureAuth® Identity Platform (formerly known as SecureAuth IdP) with the ability to log out of several service providers using a single logout request, by using the same multisession token. Once you log out of one service provider, it sends a logout request to the Managed Logout page for that realm.

This VAM is added to the SecureAuth Identity Platform appliance using an installer that supplements the appliance with all necessary files and modifies the configurations accordingly.

Architecture

The Managed Logout page constructs a stack of frames for each of the service providers currently logged in with the same multisession token. It then creates an iframe for each of the service providers in the stack. Each of these iframes has a Restart page as the source URL. Each iframe clears out sessions, logs the user out of the SecureAuth realm, and sends a logout request to the corresponding service provider, as shown in the following image.


Installation guidelines

1. Download the installer for the Single Logout VAM.

2. Create the Identity Platform realms or know which realms are set up for single logout (SLO) functionality.

System prerequisites

SecureAuth Identity Platform version 9.0 or later. Using the SecureAuth Identity Platform Web Admin, either create new realms for this process or identify those existing realms designated for single logout (SLO).

Installation

The following is a list of files provided by SecureAuth in the ShareFile link. Copy these files to the SecureAuth realm folder (D:\Secureauth\SecureAuthXX):

../SecureAuthXX/AssertionConsumerService.aspx
../SecureAuthXX/AssertionConsumerService.aspx.vb
../SecureAuthXX/ManagedLogout.aspx
../SecureAuthXX/ManagedLogout.aspx.vb
../SecureAuthXX/Restart.aspx
../SecureAuthXX/Restart.aspx.vb
../SecureAuthXX/Authorized/SAML20IdPInit.aspx
../SecureAuthXX/Authorized/SAML20IdPInit.aspx.vb
../SecureAuthXX/Authorized/SAML20SPInit.aspx
../SecureAuthXX/Authorized/SAML20SPInit.aspx.vb
../SecureAuthXX/Authorized/WSFedProvider.aspx
../SecureAuthXX/Authorized/WSFedProvider.aspx.vb
../SecureAuthXX/Authorized/SAML20IdPInitACS.aspx
../SecureAuthXX/Authorized/SAML20IdPInitACS.aspx.vb
../SecureAuthXX/Authorized/SAML20LogoutService.aspx
../SecureAuthXX/Authorized/SAML20LogoutService.aspx.vb
../SecureAuthXX/Bin/SecureAuth.SingleLogout.dll
../SecureAuthXX/Bin/MFC.SAML20.dll


Configuration steps

In the web.config, add the following keys in the <appSettings> section for each SecureAuthXX realm.

    <add key="SingleLogout" value="True" />
    <add key="MultiSessionEnabled" value="True" />
    <add key="SingleSessionEnabled" value="False" />
    <add key="SSTokenName" value="SSToken" />
    <add key="MSTokenName" value="MSToken" />
    <add key="LogoutMethod" value="2" />
    <add key="CaptureLogoutURL" value="True" />
    <add key="LogoutUrl" value="https://URL" />
    <add key="LogoutTokenExpiration" value="True" />
    <add key="LogoutTokenExpirationTime" value="5" />
    <add key="SignLogoutMessage" value="False" />

For more information about the keys, see the following table.

Key / Description

MultiSessionEnabled
    Used if there are multiple service providers, otherwise considered SLO.

SingleSessionEnabled
    Used if there is only one service provider application.

SSTokenName
    This is an arbitrary value used for the name of the single-session cookie.
    If multiple realms share the same SSTokenName, the last realm from which the user authenticates will be the only session from which the user logs out.

MSTokenName
    This is an arbitrary value used for multisession cookie(s). Multiple realms can use the same MSTokenName to chain together SLO. More than one MSTokenName can exist per appliance.

LogoutMethod
    Directs the logout system to use a specific logout method (for example, SAML or WS-Federation) and how to use it (for example, HTTP-Redirect or POST). The service provider (SP) dictates what is used. Options are:
    Value="1": HTTP Redirect
    Value="1": SAML Post
    Value="2": SAML Redirect
    Value="3": WS-Federation

CaptureLogoutURL
    Used for WS-Federation or SAML to capture the reply or ACS/Logout URL value dynamically for the logout URL. The SP must provide these values in the initial login request for this feature to work.

LogoutUrl
    Used for a static URL if none is supplied by WS-Fed, or, for example, for SAML 2.0 systems. This is provided by the service provider.

LogoutTokenExpiration
    Use one of the following settings:
    True – The logout token configured for the realm (multisession or single session) is set to expire at the given LogoutTokenExpirationTime.
    False – The logout token expires with the user’s browser session.


LogoutTokenExpirationTime
    The time (in minutes) after creation the logout token expires when LogoutTokenExpiration is set to True.

SignLogoutMessage
    Directs the system to add a signature to the logout message.

Note: The Single Logout Configuration page only opens for realms on which the Single Logout module is installed.

Multi-session SLO works only with realms that do not have the HTTP Redirect option in the Logout Method field on the configuration page.
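The following script is an added example, not SecureAuth's code: it reads the appSettings keys described above from each realm's web.config text and reports the configuration conflicts this guide calls out (a shared SSTokenName, multi-session SLO combined with the HTTP Redirect method, an expiring token with no LogoutTokenExpirationTime, and unsigned logout messages). The realm names and web.config fragments are constructed sample input; because the guide lists value 1 for both HTTP Redirect and SAML Post, that value is flagged for manual confirmation rather than treated as definitely HTTP Redirect.

```python
import xml.etree.ElementTree as ET

def sample_config(**keys):
    """Build a minimal web.config string (constructed test input, not an appliance file)."""
    adds = "".join(f'<add key="{k}" value="{v}"/>' for k, v in keys.items())
    return f"<configuration><appSettings>{adds}</appSettings></configuration>"

# Constructed realms: SecureAuth1 is clean, SecureAuth2 carries every conflict the guide describes.
SAMPLE = {
    "SecureAuth1": sample_config(SingleLogout="True", MultiSessionEnabled="True",
        SingleSessionEnabled="False", SSTokenName="SSToken", MSTokenName="MSToken",
        LogoutMethod="2", LogoutTokenExpiration="True", LogoutTokenExpirationTime="5",
        SignLogoutMessage="True"),
    "SecureAuth2": sample_config(SingleLogout="True", MultiSessionEnabled="True",
        SingleSessionEnabled="False", SSTokenName="SSToken", MSTokenName="MSToken",
        LogoutMethod="1", LogoutTokenExpiration="True", SignLogoutMessage="False"),
}

def slo_settings(web_config_xml):
    """Return all <add key=... value=.../> pairs under <appSettings> as a dict."""
    root = ET.fromstring(web_config_xml)
    return {a.get("key"): a.get("value") for a in root.iter("add") if a.get("key")}

def audit_realms(configs):
    """configs: {realm_name: web.config text}. Returns a list of (realm, finding)."""
    findings, ss_owner = [], {}
    for realm, xml in sorted(configs.items()):
        s = slo_settings(xml)
        if s.get("SingleLogout", "False") != "True":
            continue  # realm does not take part in SLO
        if s.get("MultiSessionEnabled") == s.get("SingleSessionEnabled"):
            findings.append((realm, "MultiSessionEnabled and SingleSessionEnabled must differ"))
        # Guide: realms sharing an SSTokenName only log out the last realm authenticated.
        name = s.get("SSTokenName")
        if name in ss_owner:
            findings.append((realm, f"SSTokenName '{name}' is also used by {ss_owner[name]}"))
        ss_owner.setdefault(name, realm)
        # Guide: multi-session SLO does not work with HTTP Redirect; value 1 is ambiguous in the guide.
        if s.get("MultiSessionEnabled") == "True" and s.get("LogoutMethod") == "1":
            findings.append((realm, "LogoutMethod=1 with multi-session SLO: confirm it is not HTTP Redirect"))
        if s.get("LogoutTokenExpiration") == "True" and not s.get("LogoutTokenExpirationTime", "").isdigit():
            findings.append((realm, "LogoutTokenExpiration=True but no numeric LogoutTokenExpirationTime"))
        if s.get("SignLogoutMessage", "False") != "True":
            findings.append((realm, "SignLogoutMessage=False: logout messages sent to the SP are unsigned"))
    return findings

if __name__ == "__main__":
    for realm, msg in audit_realms(SAMPLE):
        print(f"{realm}: {msg}")
```

Point the script at the real D:\Secureauth\SecureAuthXX\web.config files by reading each one into the dict in place of SAMPLE.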

Related information

SecureAuth Identity Platform Administrator Guide
SecureAuth Identity Platform Adaptive Authentication Guide
Adaptive Authentication Best Practices Guide

Upgrade information

Before upgrading SecureAuth software, open a Support ticket. The process of upgrading to a newer SecureAuth software version might cause the SecureAuth VAM to become invalid and stop working. When your site is ready to upgrade SecureAuth software, get started by creating a support ticket and selecting "I have a question or issue regarding SecureAuth Value-Added Modules (VAMs)" from the "Submit a request" list. A SecureAuth Tailoring engineer will contact you to evaluate and ensure that the VAM will work with updated SecureAuth software.