CloudLock
With Privileged Access Service, you can choose single-sign-on (SSO) access to the CloudLock web application with IdP-initiated SAML SSO (for SSO access through the Admin Portal) or SP-initiated SAML SSO (for SSO access directly through the CloudLock web application) or both. Providing both methods gives you and your users maximum flexibility.
If CloudLock is the first application you are configuring for SSO through Privileged Access Service, read these topics before you get started:
CloudLock SSO requirements
Before you configure the CloudLock web application for SSO, you need the following:
- An active CloudLock account with administrator rights for your organization.
- An Assertion Consumer Service URL from CloudLock.
- A signed certificate. You can either download one from Admin Portal or use your organization’s trusted certificate.
Adding and configuring CloudLock in Admin Portal
Tip: It is helpful to open Delinea Admin Portal Application Settings and the CloudLock web application simultaneously to copy and paste content between the two browser windows. For information on how to access the CloudLock web application, see Configuring CloudLock for SSO.
To add and configure the CloudLock application in Admin Portal:
- In Admin Portal, click Apps, then click Add Web Apps.
  The Add Web Apps screen appears.
- On the Search tab, enter the partial or full application name in the Search field and click the search icon.
- Next to the application, click Add.
- In the Add Web App screen, click Yes to confirm.
  Admin Portal adds the application.
- Click Close to exit the Application Catalog.
  The application that you just added opens to the Settings page.
  The description of how to choose and download a signing certificate in this document might differ slightly from your experience. See Choose a Certificate File for the latest information.
- Configure the following:
Field | Required or optional | Set it to | What you do |
---|---|---|---|
Assertion Consumer Service (ACS) URL | Required | Your CloudLock-provided ACS URL. | Enter the ACS URL you received from CloudLock. For example, https://platform.cloudlock.com/gate/saml/sso/acme.com where acme.com is a customer-specific account name. |
Download Identity provider metadata | Required | The Privileged Access Service automatically generates the content for this field. | Click the link to download the metadata file. Open the Identity provider metadata file in a text editor and copy the content. See Configuring CloudLock for SSO to complete the configuration. |
Download Signing Certificate | Optional (the certificate is part of the Identity provider metadata) | The Privileged Access Service automatically generates the content. | If necessary, click the link to download the default Signing Certificate. The certificate content is automatically included as part of the Identity provider metadata. To use a certificate with a private key (pfx file) from your local storage, see below. If you replace the certificate, download the Identity provider metadata again and submit the new file to the CloudLock website (see above). |
Configuring CloudLock for SSO
The following steps are specific to the CloudLock application and are required in order to enable SSO for CloudLock. For information on optional Delinea Admin Portal configuration settings that you may wish to customize for your app, see Optional Configuration Settings.
To configure CloudLock for SSO:
- In your web browser, go to your CloudLock login URL and sign in with your administrator account credentials.
- Click Settings > Authentication and API and enable SAML Login.
- Paste the content you copied from the Identity provider metadata field in Admin Portal > Application Settings to the CloudLock Identity provider metadata input field.
- Click Submit to save the changes.
For More Information About CloudLock
For more information about configuring CloudLock for SSO, contact CloudLock Support.
CloudLock Specifications
Each SAML application is different. The following table lists features and functionality specific to CloudLock.
Capability | Supported? | Support details |
---|---|---|
Web browser client | Yes | |
Mobile client | No | |
SAML 2.0 | Yes | |
SP-initiated SSO | Yes | Users may go directly to the CloudLock URL and then use the Privileged Access Service SSO to authenticate. |
IdP-initiated SSO | Yes | Users may use SSO to log in to CloudLock through the Admin Portal. |
Force user login via SAML only | No | |
Separate administrator login after SSO is enabled | No | |
User or Administrator account lockout risk | No | Users can log in using other SSO methods, such as Office365. |
Automatic user provisioning | No | |
Multiple User types | Yes | |
Self-service password | No | |
Access restriction using a corporate IP range | Yes | You can specify an IP Range in the Admin Portal Policy page to restrict access to the application. |