HomeEnterprise GuideUser Guides
Search…
Keeper SSO Connectâ„¢ Cloud
Overview
Admin Console Configuration
SSO Identity Providers
Device Approvals
Logout Configuration
User Provisioning
System Architecture
Security and User Flow
Migration from On-Prem
Links & Resources
Powered By GitBook
Logout Configuration
Configuration options for Single Logout (SLO) between Keeper and IdP
Different customers may have different desired behavior when a user clicks on "Logout" from their Keeper vault. There are two choices:

Option 1: Don't logout from IdP

    Clicking "Logout" from the Keeper Vault will just close the vault but stay logged into the Identity Provider.
    Logging into the Keeper Vault again will defer to the Identity Provider's login logic. For example, Okta has configurable Sign-On rules which allow you to prompt the user for their MFA code before entering the application. See your identity provider sign-on logic to determine the best experience for your users.

Option 2: Logout from IdP

    Clicking "Logout" from the Keeper Vault will also logout the user from the Identity Provider.
    This may create some frustration with users because they will also logout from any IdP-connected services.
    G Suite and some other identity providers don't handle this gracefully.
    Users would need to be directed to simply close the vault and not click "Logout" if they don't like this behavior.

How to Enable Single Logout (SLO)

    If your identity provider has a "Single Logout" option, then you can turn this feature ON from the identity provider configuration screen. For example, Okta has a "Single Logout" checkbox and they require that the "Keeper SP Certificate" is uploaded. After changing this setting, you will need to export the metadata from the IdP and import it back into the Keeper SSO configuration screen.

How to Disable Single Logout (SLO)

    If your identity provider has a "Single Logout" option, then you can turn this feature OFF from the identity provider configuration screen and upload the new metadata file into Keeper.
    If the IdP does not have a configuration screen on their user interface, you can just manually edit the IdP metadata file (screenshot below). In a text editor or vim, remove the lines highlighted below that represent the SLO values. Then save the file and upload the metadata into the Keeper SSO configuration screen.
​
​
Previous
Azure Functions
Next
User Provisioning
Last modified 11mo ago
Export as PDF
Copy link
Contents
Option 1: Don't logout from IdP
Option 2: Logout from IdP
How to Enable Single Logout (SLO)
How to Disable Single Logout (SLO)