# Logout Configuration

Different customers may have different desired behavior when a user clicks on "Logout" from their Keeper vault.  There are two choices:

### **Option 1: Don't logout from IdP**

* Clicking "**Logout**" from the Keeper Vault will just close the vault but stay logged into the Identity Provider.<br>
* Logging into the Keeper Vault again will defer to the Identity Provider's login logic.  For example, Okta has configurable Sign-On rules which allow you to prompt the user for their MFA code before entering the application.  See your identity provider sign-on logic to determine the best experience for your users.

### Option 2: Logout from IdP

* Clicking "**Logout**" from the Keeper Vault will also logout the user from the Identity Provider.
* This may create some frustration with users because they will also logout from any IdP-connected services.
* Users would need to be directed to simply close the vault and not click "Logout" if they don't like this behavior.

### How to Enable Single Logout (SLO)

* If your identity provider has a "Single Logout" option, then you can turn this feature ON from the identity provider configuration screen.\
  \
  For example, Okta has a "Single Logout" checkbox and they require that the "Keeper SP Certificate" is uploaded.  After changing this setting, you will need to export the metadata from the IdP and import it back into the Keeper SSO configuration screen.

### How to Disable Single Logout (SLO)

* If your identity provider has a "Single Logout" option, then you can turn this feature OFF from the identity provider configuration screen and upload the new metadata file into Keeper.<br>
* If the IdP does not have a configuration screen on their user interface, you can just manually edit the IdP metadata file (screenshot below).  In a text editor or vim, remove the lines highlighted below that represent the SLO values.  Then save the file and upload the metadata into the Keeper SSO configuration screen.

![Deleting the SingleLogoutService Field from Metadata](/files/-MKk57DOOVpGhfQTVJTC)


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.keeper.io/en/sso-connect-cloud/logout-configuration.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.