Configuration options for Single Logout (SLO) between Keeper and IdP
Different customers may have different desired behavior when a user clicks on "Logout" from their Keeper vault. There are two choices:
- Clicking "Logout" from the Keeper Vault just closes the vault; the user stays logged into the Identity Provider.
  - Logging into the Keeper Vault again defers to the Identity Provider's login logic. For example, Okta has configurable Sign-On rules that allow you to prompt the user for their MFA code before entering the application. See your identity provider's sign-on logic to determine the best experience for your users.
- Clicking "Logout" from the Keeper Vault also logs the user out of the Identity Provider.
  - This may frustrate users, because they will also be logged out of any other IdP-connected services.
  - G Suite and some other identity providers don't handle this gracefully.
  - If users don't like this behavior, they would need to be directed to simply close the vault instead of clicking "Logout".

Turning Single Logout on or off:
- If your identity provider has a "Single Logout" option, you can turn this feature ON from the identity provider's configuration screen. For example, Okta has a "Single Logout" checkbox, which requires the "Keeper SP Certificate" to be uploaded. After changing this setting, you will need to export the metadata from the IdP and import it back into the Keeper SSO configuration screen.
- If your identity provider has a "Single Logout" option, you can turn this feature OFF from the identity provider's configuration screen and upload the new metadata file into Keeper.
- If the IdP does not have a configuration screen in its user interface, you can manually edit the IdP metadata file (screenshot below). In a text editor or vim, remove the lines highlighted below that represent the SLO values. Then save the file and upload the metadata into the Keeper SSO configuration screen.
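The manual edit above can be done programmatically instead of by hand. The following script is an added example, not part of Keeper's documentation; it assumes the "SLO values" are the `md:SingleLogoutService` elements in a standard SAML 2.0 IdP metadata file, and it uses a constructed sample file with placeholder URLs. If the metadata carries an XML signature, the IdP must re-export it after the change, because any edit invalidates that signature.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 metadata namespace; registering the prefix keeps "md:" in the output.
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ET.register_namespace("md", MD_NS)

# Constructed sample IdP metadata (placeholder entity ID and URLs, not a real provider).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.invalid/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.invalid/slo"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.invalid/slo"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.invalid/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def count_slo(metadata_xml):
    """Return how many SingleLogoutService elements the metadata declares."""
    root = ET.fromstring(metadata_xml)
    return len(root.findall(f".//{{{MD_NS}}}SingleLogoutService"))


def strip_slo(metadata_xml):
    """Remove every SingleLogoutService element from each IDPSSODescriptor.

    Returns (new_metadata_xml, number_of_elements_removed). Everything else,
    including the SingleSignOnService endpoint Keeper still needs, is kept.
    """
    root = ET.fromstring(metadata_xml)
    removed = 0
    # Materialise the descriptor list first so removals don't disturb iteration.
    for descriptor in list(root.iter(f"{{{MD_NS}}}IDPSSODescriptor")):
        for slo in descriptor.findall(f"{{{MD_NS}}}SingleLogoutService"):
            descriptor.remove(slo)
            removed += 1
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    cleaned, n = strip_slo(SAMPLE_METADATA)
    print(f"removed {n} SingleLogoutService element(s)")
    # Write the result to a new file, then upload that file in the Keeper SSO screen.
    with open("idp-metadata-no-slo.xml", "w", encoding="utf-8") as fh:
        fh.write(cleaned)
```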