Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Keeper Connection Manager SAML configuration with Google Workspace
The first step regardless of installation method is to configure your SAML 2.0 identity provider using Google Workspace.
(1) Login to Google Workspace
Visit the Apps > Web and Mobile Apps screen.
(2) Select "Add App" and select "Add Custom SAML App".
Enter an application name and description. You can also upload a Keeper Connection Manager logo. The image logo is here:
Click Continue.
(3) Download the metadata.xml file
...and then click Continue
(4) Configure the SAML Settings
Update 3 fields: ACS URL, Entity ID and Name ID format.
The ACS URL needs to start with your Keeper Connection Manager domain followed by "/api/ext/saml/callback
".
The Entity ID is just the Keeper Connection Manager domain.
The Name ID format must be EMAIL
Click Continue.
(5) Assign group membership (Optional)
You can now assign Group Membership to the Keeper Connection Manager application, which is optional. If you would like to assign a group, make sure that the "App Attribute" is groups
(lowercase). Then click FINISH.
Google Group to Keeper Connection Manager Group mapping is through the Group Name. If the Keeper Connection Manager contains a Group that has the name corresponding to the Google Group Name, the user will receive all Keeper connections assigned to that user group.
(6) Enable Access
After creating the SAML app, it is not yet active for all users. To enable access, click on View details and turn the application ON.
The Google Workspace side of the setup is complete. Note if you change anything, you need to re-download a new metadata.xml file.
Instructions for authenticating users with a SAML 2.0 / SSO Identity Provider
Keeper Connection Manager can be configured to authenticate users with any SAML 2.0 compatible identity provider. Users can be forced to login with SAML, or you can make SAML an optional login link from the login page as shown below.
Run the reconfigure
command listed below and press enter to accept all the pre-populated selections until you get to the SAML prompt.
Make sure you have transferred your metadata XML file onto the KCM server first.
Select Local metadata file (option 1). Enter the proper path where the XML file is located.
Remote metadata file (option 2) is easiest if you can get a URL that points to your idP's metadata XML file (Azure provides this).
Instructions for setting up your identity provider and retrieving the XML metadata are found in the guides blow. Any SAML 2.0 identity provider is compatible.
Enter your SAML IdP URL.
When asked about signed requests, if unsure, select no.
Enter your SAML entity ID, and then the group attribute (this must match to your IdP's group attribute).
Next, you're asked if you want SAML as the default login process. If you want SAML login to be an option (link) on the login page, select no. If you want SAML as the only possible method of authentication, select yes.
Answer yes when asked if you want user accounts created automatically. If you select no, you'll need to create each account manually within KCM.
SSO Configuration is complete!
If you installed Keeper Connection Manager using the Docker Compose Install method, this does not come preconfigured with SAML support. The instructions for activating SAML are below:
(1) On the local instance, stop the containers.
(2) Edit the docker-compose file
Using the custom docker method requires modification of docker-compose.yml file to add SAML support. As root, edit your docker-compose.yml
file and find the "guacamole
" section.
Create a volume mount for sharing the metadata.xml file with the container. If you already have a shared volume for this purpose, you can use that one. There is also another section needed which needs SAML environmental variables. A sample file is listed below.
Notes:
Replace "/var/lib/guac_home" with the local path to your volume
Replace "https://demo.lurey.com" in 2 spots with your Keeper Connection Manager login URL
Only use this SAML group attribute if you're using Azure. Other identity providers will use a different Group attribute ID.
If you want ALL users to login with SAML, then remove the ADDITIONAL_GUACAMOLE_PROPERTIES line. As written, it will give users the choice of password or SAML login.
(3) Create the local folder volume if it doesn't exist yet
(4) Copy the metadata.xml file from your local computer (downloaded from step 8 above) into the location of the volume mount referenced in the guacamole section of the docker-compose file.
(5) Restart the containers
Configuration is complete.
Once you have activated the SAML module, there will be a new "Sign in with SAML" link on the login screen of the application as seen below:
Keeper Connection Manager SAML configuration with OneLogin
The first step regardless of installation method is to configure your SAML 2.0 identity provider.
You must have OneLogin developer account.
Configure OneLogin
Log in to the Dashboard, and click Administration. Then Applications > Add App.
Search for SAML, and select SAML Test Connector (IdP).
When prompted, change the Display Name of your app. Enter an application name and description. You can also upload a Keeper Connection Manager logo. Click save.
Go to the Configuration tab, Update 3 fields: Recipient, ACS (Consumer) URL Validator, and ACS (Consumer) URL with your KCM server URL and /api/ext/saml/callback on the end as shown below.
Click on the More Actions dropped-down menu. Select SAML Metadata to download and save the .XML file.
Under the Users tab on the top, find the users that need to log in using SSO, click into them and on the applications tab on the left, add the new SAML application to them.
Configuration of Keeper Connection Manager Authentication methods
Keeper Connection Manager SAML configuration with Microsoft Azure
The first step regardless of installation method is to configure your SAML 2.0 identity provider using Microsoft Azure.
(1) In Azure, go to Enterprise Applications and Create a new application.
(2) Give the Enterprise Application a name, and then select "non-gallery" application.
(3) Set up Single Sign On with SAML.
(4) Configure for SAML
(5) Set up the SAML properties to point Azure to your Keeper Connection Manager installation URL:
(6) To support Azure Group to Keeper Connection Manager User Group mappings, you can add a Group claim by editing the Attributes & Claims then adding a Group Claim.
When prompted, you can decide whether the group claim is always sent, or only for specific groups or assigned users. If unsure, choose all groups.
For hybrid environments, if the group originates from on-prem AD, you may need to change the display name of the security group.
If you would like to automatically mapp group assignments in the identity provider to Keeper Connection Manager Groups, ensure that the saml-group-attribute
parameter is defined to match the Identity Provider Group Attribute. The name of the Group in Keeper Connection Manager needs to match this identifier exactly in order for the mapping to work.
Azure Group to Keeper Connection Manager Group mapping is unique. KCM will not show a list of the members of a group, however, group member users will have access to any connections that are assigned to the group.
(7) Assign users and/or groups to the Keeper Connection Manager application, as you would normally do with any SAML connected app.
(8) Copy the URL of the App Federation Metadata and paste it into the prompt on your KCM server.
(9) Add the KCM Logo
From the "Properties" screen of the Enterprise Application, upload the KCM logo. The file can be downloaded below.
Here's how the logo will look:
Keeper Connection Manager SAML configuration with Okta
The first step regardless of installation method is to configure your SAML 2.0 identity provider using Okta.
(1) In Okta, go to Admin > Applications > Create App Integration and select SAML 2.0. Click Next.
(2) Give the Enterprise Application a name and upload the logo file linked below then click Next.
The image logo is here:
(3) Configure the SAML Settings
The SAML configuration should match the format as seen below:
Replace demo3.lurey.com
with the URL of your Keeper Connection Manager domain.
Ensure the full path appears, e.g. https://DOMAIN/api/ext/saml/callback
For the Audience URI, use the path to the Login screen (remove the trailing slash). For example, https://demo3.lurey.com
Scroll down to the Group Attribute Statements. To send the group attribute, set the name to "groups
", and the name format to "Basic
". If you would like ALL groups assigned to the user to be sent to Keeper Connection Manager, select the "Matches regex
" with a value of ".*
"
Click Next.
(4) In the Feedback section, make the selections as appears below.
Okta Group to Keeper Connection Manager Group mapping is through the Group Name. If the Keeper Connection Manager contains a Group that has the name corresponding to the Okta Group Name, the user will receive all Keeper connections assigned to that user group.
(5) Assign users and/or groups to the Keeper Connection Manager application, as you would normally do with any SAML connected app.
(6) Download the Okta Metadata file and save to your local machine as metadata.xml
The location of the metadata file depends on your version of the Okta interface. In this example there is a link called "Identity Provider metadata" on the application page. There may also be a text box that contains the metadata which you can copy and paste into a local file on your computer.
The metadata XML file could also be linked in the Sign On tab > SAML Signing Certificate section under "Actions".
Save the resulting metadata.xml file by selecting "Save page as..." in your browser.
The Okta side of the setup is complete. Note if you change anything, you need to re-download a new metadata.xml file. Transfer this metadata.xml file to your KCM server machine.
This page documents the process of integrating PingIdentity with Keeper Connection Manager, which is also known as KCM. We will be adding SAML 2.0 application connectors between the two platforms.
Login as an Administrator for PingIdentity. From the PingIdentity menu, click Applications > Add Application
Give the Application a name such as "KCM," select SAML and Save.
Next, you'll encounter the SAML configuration. Select Manually Enter, then add the URL of your KCM server to the ACS URLs box as follows: https://<YOUR DOMAIN>/api/ext/saml/callback
Then add the URL of your KCM server to the Entity ID box as follows: https://<YOUR DOMAIN> and press Save.
Next, Edit Attribute Mappings. Since saml_subject is immutable, leave it as is. Add an attribute named EMAIL that has a Mapping of Username, and an attribute named groups that has a Mapping of Group Names.
Then Edit Configuration and scroll down to SUBJECT NAMEID FORMAT and select the option urn:oasis:names:to:SAML:1.1:nameid-format:emailAddress. And hit Save.
On the Overview section, verify that Access is for All Users (or the group you specified). Leave the Signon URL as the Default Signon Page. And Enable the Application by clicking the slider at the top of the application.
Download the Metadata file from the Configuration tab, and ensure that it is named to metadata.xml.
Ensure that all users are added with a Username that matches the email address of a user in your Keeper Connection Manager. **When you add users to Keeper Connection Manager use the matching email address, but leave the password blank.
Integrating Duo with Keeper Connection Manager for MFA
Keeper Connection Manager provides support for Duo as a second authentication factor, automatically verifying user identity with Duo after the user is initially authenticated. This integration utilizes the V4.
From the DUO Security Admin portal:
Select "Protect an Application"
Search for "Web SDK" (Do NOT select Keeper Security - this is for the Vault only)
Select Web SDK and click "Protect"
Capture the Client ID, Client Secret, and API Hostname
Provide these 3 configuration options as DUO_* environment variables in the keeper/guacamole
Docker image.
The image keeper/guacamole
section in the docker-compose.yaml file can be modified to support Duo using environment variables.
Requiring SSL/TLS Client Authentication with KCM
Keeper Connection Manager can be configured to require SSL/TLS client authentication.
To implement device-based access security with Keeper Connection Manager, this can be accomplished using NGINX client certificates. A client certificate is installed into the web browser of your user's approved devices, and the server will only accept communication from a device with the client certificate installed.
The steps to activate this advanced level of protection is described in the steps below.
(1) Create a Certificate Authority (CA) Key
Generate a CA Key with a strong auto-generated passphrase. Make sure to store the passphrase in your Keeper vault.
(2) Create a CA Certificate
A certificate is created with the CA Key. When answering the questions, you can leave the Common Name and Email empty. Save the information that you entered for Country, State, Locality, and Organization, because you may need these later when renewing the certificate.
Side Note: to analyze the certificate parameters, you can run the below command.
(3) Create a Client Key
For the end-user devices, a client key must be generated. You can decide if you would like to generate one key for all devices, or each user can generate their own key and request a certificate. The process is up to you. Generate a client key with a strong auto-generated passphrase. Make sure to store the passphrase in your Keeper vault.
(4) Create a CSR
For each Client Key, generate a CSR to create a signed certificate.
(5) Sign the CSR with the CA Key
You'll need to enter the CA passphrase from Step 1 to sign the request.
At this point, you now have a signed Client Certificate (client.crt).
(6) Convert the Client Certificate to PKCS#12
To import the certificate into a web browser, a pfx file in PKCS#12 is typically required. Generate the client.pfx file using the command below. A passphrase will be required. This passphrase will be provided to each of the users who need to install the certificate, so it should be used specifically for this purpose.
(7) Add to NGINX Config
The keeper/guacamole-ssl-nginx
image can be configured to require SSL/TLS client authentication by specifying the CLIENT_CERTIFICATE_FILE
environment variable. A user will only be able to connect to the KCM instance of NGINX using their browser if their browser has access to a private key that is signed by this certificate.
This variable is similar to the CERTIFICATE_FILE
environment variable in that it points to a file within the container, but in this case it controls the certificate used to authenticate the client’s private key.
Example:
After updating the configuration, restart the containers.
(8) Test the configuration
Before installing the client certificate on the user's machine, load up the Keeper Connection Manager login screen to ensure that a 403 error is sent:
(9) Install the Client Certificate
For each end-user client device that will need access to Keeper Connection Manager, you will need to install the client certificate into the user's browser or machine. The installation of client certificates varies by platform.
On Windows
Double-click or right-click the client certificate (client.pfx) from Step 6 and enter the client certificate passphrase.
Restart the browser.
The next time Keeper Connection Manager is loaded, you can approve the certificate.
On Mac OS - Chrome
Import the client.pfx file by double-clicking or loading into the Keychain login Certificates section. In the "Trust" section of the certificate, mark as Always Trust.
Restart the browser and load the Keeper Connection Manager login screen to select the certificate.
On Mac OS - Firefox
Open Firefox > Preferences > search for Certificates and select Your Certificates tab. Click "Import" and select the client.pfx certificate file. Complete the import.
After successful import, the Keeper Connection Manager login screen will load.
Additional environment variables are also available to modify SSL/TLS auth behavior further:
This documentation will detail how to connect your Oracle Cloud environment to Keeper Security Connection Manager for the purpose of Single Sign-On.
Go to your Oracle Admin Console and navigate to the Identity Domains Overview page, then select Applications as depicted above.
Click on Add Application.
Select SAML as the application type.
Apply the appropriate settings to the Application Information as needed for your security posture. Click on Edit SSO Configuration. Download the Metadata and rename the file to metadata.xml. Set the Entity ID to the URL of your Connection Manager server. For example: https://kcm.somedomain.com. For the Assertion Consumer URL, add /api/ext/saml/callback to the end of the domain URL. For example: https://kcm.somedomain.com/api/ext/saml/callback. Next, set the Name ID Format to Email Address and the Name ID Value to Primary Email. Leave the Signed SSO setting as Assertion. Uncheck the box to Include Signing Certificate in Signature, and leave the Signature Hashing Algorithm as SHA-256.
Assign attributes for email as listed above mapped to the value User Name. Add another attribute for groups with the settings of Type Value Group Membership and a Condition of All groups.
Assign users and groups as appropriate to your SAML application. You'll need to assign at least one user for testing purposes.
Connection Manager Server Configuration
Upload the metadata.xml file to your KCM server and move it into the directory /etc/kcm-setup.
Run the reconfigure command after production hours on your Connection Manager server.
Say Y to the option when presented to setup SAML support.
Select 1 for Local Metadata file. Then input the path of your metadata file as /etc/kcm-setup/metadata.xml and press enter. Answer N to Does your SAML IDP require signed requests? Input your SAML entity ID as the URL of your Connection Manager instance. For example: https://kcm.somedomain.com. Then enter groups as the SAML group attribute.
Choose which setting best applies to your security posture with regard to the default authentication method. If you want Just-In-Time provisioning of users, then answer Y to Would you like user accounts to be automatically created for each successful login?
Click the SAML link to authenticate to the main sign on page.
Your user email address should display in the top right corner after authenticating.
Integrating TOTP based authentication for 2FA
Keeper Connection Manager provides support for TOTP as a second authentication factor, verifying the identities of enrolled users using authentication codes generated with the TOTP standard.
To enable TOTP add the following lines to the "environment" section of the "guacamole" service in the docker-compose.yml
file. Only the EXTENSIONS: totp
line is required, the rest are optional.
For example:
Keeper Connection Manager supports the use of 2FA with TOTP in addition to supporting SAML or OIDC authentication. If TOTP is configured along with SAML, the user will be prompted for 2FA after successfully authenticating with the identity provider.
The image keeper/guacamole
can be modified to support TOTP using environmental variables. See the TOTP_* variables defined in the .