Keeper SSO Connect & SCIM
Troubleshooting and support for Keeper SSO Connect and SCIM
Keeper SSO Connect
SSO Login: Unable to Parse the SAML Response from the IDP
Typically, this means you need to update your SAML signing certificate. Follow the guide below for step-by-step instructions:
https://docs.keeper.io/en/sso-connect-cloud/certificate-renewal
To maintain your connection, IdP Metadata must be updated directly within the Keeper Admin Console. If your organization requires all administrators to sign in via SSO and the current Metadata has expired, preventing Console access, please contact Keeper Enterprise Support. Our team will assist you in manually updating the XML file to restore access.
Enterprise SSO Users Unable to Login
For security reasons, Keeper prevents Enterprise users outside of an SSO node from logging in with a federated identity provider. If users are unable to log in with SSO, ensure that each affected user is provisioned to the SSO-enabled node within the Keeper Admin Console. To move a user into an SSO node, edit the user and select the node from the dropdown.
Enterprise End-User's Email Changed
If your user's email has changed in your identity provider, you can simply add an alias to the user's identity in Keeper. This is done with the Keeper Commander enterprise-user command. For example:
enterprise-user --add-alias [email protected] [email protected]
This command only allows aliases to be created under reserved domains. To learn more about Keeper Commander, visit the documentation.
Enterprise Domain is Changing or Has Changed
If your company is migrating users to a new email domain, Keeper supports enterprise-wide domain aliases to make the transition seamless. Open a support ticket to request a domain alias.
SSO User Asked for Master Password
If you have an SSO user being asked to enter a Master Password:
Ensure that the user has been provisioned to an SSO-enabled node
SSO Cloud SP Cert Update
The SSO Connect Cloud SP Cert has been renewed. If you have enabled strict SP certificate checking on your Identity Provider, you may need to update the Keeper cert in your IdP.
Log in to the Admin Console > SSO node > Provisioning > SSO Cloud > "Export SP Cert".
Upload the cert to your IdP "SP Certificate" or "SP Signing Certificate" section.
Notes:
This only affects Identity Providers where strict SP cert validation is enabled.
This will not affect environments running the Automator service.
Customers using Okta and Single Logout (SLO) may need to update the SP certificate.
SSO to Master Password Migration
To migrate SSO users to a native master password login, follow the steps below:
Ensure the user has a recovery method (such as a Recovery Phrase) configured before starting the migration.
Move the user to a "Non-SSO" node within the Admin Console.
Direct the user to the login screen and have them follow the "Forgot Master Password" workflow to set their new password.
Master Password to SSO Migration
To migrate native master password users to SSO login, follow the steps below:
Ensure the user is assigned to the Keeper Security Password Manager enterprise application within your Identity Provider (IdP).
Move the user into an SSO-enabled node within the Keeper Admin Console.
Upon their next login, the user will be prompted for their master password one final time to bridge the account. From that point forward, they will authenticate exclusively via SSO.
SSO Cloud Certificate Update
Keeper's SSO certificate expires annually in August. The new certificate is available by logging into the Admin Console. If you need to update the Keeper SP certificate, see the step-by-step instructions here.
SSO Connect On-Prem Certificate
Customers running SSO Connect On-Prem must renew their SSL certificates annually; the exact date depends on when your SSL certificate expires. If you are receiving an SSL certificate error, renew your certificate by following the instructions here.
SCIM Provisioning (Automated Provisioning)
General SCIM Provisioning Issues With Teams and Users
Ensure that you have assigned users or groups to the correct SAML application in your IdP.
When you invite a user from the Identity Provider, or assign a user to a group that has been provisioned, the IdP sends a request to Keeper to invite the user to join, add the user to a team, or create a team.
If the user does not exist yet in Keeper, they will receive an invite to sign up (or they can use just-in-time provisioning).
After the user has created their Keeper account, the user will not be assigned to a Keeper team until one of the following happens:
(a) An admin logs into the Admin Console and clicks "Full Sync" on the Admin screen
(b) A user from the relevant team logs into the Web Vault or Desktop App
(c) An admin runs team-approve from Keeper Commander
Teams and team-user assignments cannot be created instantly via SCIM because of Keeper's encryption model: adding a user to a team requires sharing a private key (e.g. the Team Key) with that user, and sharing an encryption key can only be performed by a user who is logged in and has access to the necessary private keys.
Note: The next version of the Keeper Automator service (v3.0) will support dynamic approval of teams and team-user assignments. Read more about the Keeper Automator service.
SCIM Team User Assignment Delays
In Keeper, a team that is provisioned must generate the necessary public/private encryption key pair for that team. Similarly, when a user is assigned to a team, the team private key is encrypted with the public key of the user. This way, a user who is assigned team folders in the Keeper vault is able to decrypt the necessary folder keys and record keys. Since Keeper is a zero knowledge platform, this transaction must occur from one of the authenticated client device applications, such as the Admin Console, Vault, Commander CLI or Automator tools.
When a team or a team-user assignment is provisioned through SCIM, the team creation and the team-user assignment go into a "pending queue". This queue is then processed by an authenticated client-side application, which creates the necessary team keys and shares the team private key with the intended users.
Currently, team creation and team-user assignment occurs when:
The Admin logs in to the Keeper Admin Console UI
The Commander CLI "team-approve" command is run
The Keeper Automator service is deployed (version 3.2+)
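The queue-and-approve model described under "General SCIM Provisioning Issues" and in the paragraphs above, as an added stand-alone Go program. This is not Keeper's code: it models only what the page states (the server side holds public keys, wrapped keys and a queue; a SCIM request can do no more than enqueue; a logged-in client that already holds the team private key unwraps it and re-wraps it for the new member). The primitives used (RSA-2048 user key pairs, P-256 team key pairs, RSA-OAEP wrapping of the raw team private key) and the names Server, Approve, Demo, "engineering", "admin" and "alice" are assumptions for illustration, not Keeper's actual algorithms or identifiers.

```go
package main

import (
	"crypto/ecdh"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

type Assignment struct{ Team, User string }

// Server is the zero-knowledge side: public keys, ciphertexts and a pending queue, never a private key.
type Server struct {
	UserPub  map[string]*rsa.PublicKey
	TeamPub  map[string]*ecdh.PublicKey
	TeamKeys map[string]map[string][]byte // team -> member -> team private key wrapped to that member
	Pending  []Assignment                  // SCIM requests waiting for a client that holds the keys
}

// wrapTeamPriv shares a team private key with one member. Primitives are assumptions, not Keeper's
// documented ones: RSA-2048 user pairs, P-256 team pairs, OAEP-wrap of the 32 raw private-key bytes.
func wrapTeamPriv(teamPriv *ecdh.PrivateKey, memberPub *rsa.PublicKey) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, memberPub, teamPriv.Bytes(), nil)
}

func unwrapTeamPriv(wrapped []byte, memberPriv *rsa.PrivateKey) (*ecdh.PrivateKey, error) {
	raw, err := rsa.DecryptOAEP(sha256.New(), nil, memberPriv, wrapped, nil)
	if err != nil {
		return nil, err
	}
	return ecdh.P256().NewPrivateKey(raw)
}

// CreateTeam runs on a logged-in client: generate the team pair, upload the public half and wrap the
// private half for the creator, who thereby becomes the first user able to approve members.
func (s *Server) CreateTeam(team, creator string, creatorPriv *rsa.PrivateKey) error {
	priv, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	w, err := wrapTeamPriv(priv, &creatorPriv.PublicKey)
	if err != nil {
		return err
	}
	s.TeamPub[team], s.TeamKeys[team] = priv.PublicKey(), map[string][]byte{creator: w}
	return nil
}

// Approve is the client-side step (Admin Console login, Commander team-approve, Automator): unwrap the
// team key with the approver's private key and re-wrap it for the new member. Anything else stays queued.
func (s *Server) Approve(approver string, approverPriv *rsa.PrivateKey) (int, error) {
	done, left := 0, []Assignment{}
	for _, a := range s.Pending {
		w, pub := s.TeamKeys[a.Team][approver], s.UserPub[a.User]
		if w == nil || pub == nil { // approver is not in this team, or the user has no public key yet
			left = append(left, a)
			continue
		}
		teamPriv, err := unwrapTeamPriv(w, approverPriv)
		if err != nil {
			return done, err
		}
		if s.TeamKeys[a.Team][a.User], err = wrapTeamPriv(teamPriv, pub); err != nil {
			return done, err
		}
		done++
	}
	s.Pending = left
	return done, nil
}

// Demo: the assignment waits after the SCIM push and completes only when the admin "logs in".
func Demo() (pendingAfterScim int, sharedBeforeApprove bool, approved int, memberHasTeamKey bool, err error) {
	s := &Server{UserPub: map[string]*rsa.PublicKey{}, TeamPub: map[string]*ecdh.PublicKey{}, TeamKeys: map[string]map[string][]byte{}}
	keys := map[string]*rsa.PrivateKey{} // constructed users and their private keys (client side only)
	for _, u := range []string{"admin", "alice"} {
		if keys[u], err = rsa.GenerateKey(rand.Reader, 2048); err != nil {
			return
		}
		s.UserPub[u] = &keys[u].PublicKey
	}
	if err = s.CreateTeam("engineering", "admin", keys["admin"]); err != nil {
		return
	}
	s.Pending = append(s.Pending, Assignment{"engineering", "alice"}) // all the IdP's SCIM request can do
	pendingAfterScim = len(s.Pending)
	_, sharedBeforeApprove = s.TeamKeys["engineering"]["alice"]
	if approved, err = s.Approve("admin", keys["admin"]); err != nil { // the admin logs in
		return
	}
	teamPriv, err := unwrapTeamPriv(s.TeamKeys["engineering"]["alice"], keys["alice"])
	if err != nil {
		return
	}
	memberHasTeamKey = teamPriv.PublicKey().Equal(s.TeamPub["engineering"])
	return
}

func main() { fmt.Println(Demo()) }
```

Demo returns the queue length after the SCIM push (1), whether the member already held the team key before any client approved it (false), the number of assignments completed by the admin's login (1) and whether the member's unwrapped private key matches the team's public key (true). The server never sees a private key at any point, which is why the queue can only be drained from an authenticated client. In this model Approve skips teams the approver holds no key for; that is the model's own rule, not a statement about which Keeper roles may approve.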
If you need to quickly clear out your pending team and team-user assignments, perform the following steps on a periodic basis:
Install the Keeper Commander CLI
Log in to Keeper Commander using:
keeper shell
Run the following commands:
SCIM Provisioning Errors
SCIM enforces reserved domains on every provisioning request. If SCIM provisioning returns an error such as "This domain cannot be used for SCIM provisioning" or "Use a different email domain", you need to request domain reservation for the email domain that is being provisioned.
Read more about domain reservation
Commander Scripting or Coding questions
Please see the Keeper Commander troubleshooting page.
Contact Us
If you need help, please open a support ticket in our ServiceNow system.
If you need to speak to our support team, simply make the request and we will schedule it during enterprise hours. Please be patient as we coordinate the call.
Emergency Support
If you're an enterprise customer having an emergency and need urgent support, use our ServiceNow support portal. On the support form, select the option "This is an emergency, outage, or other time-sensitive issue which requires immediate assistance".
Feature Requests
We love hearing from Enterprise customers. Send your feature requests to: [email protected].
Join our Slack Workspace
Join our Slack Workspace to post questions, feedback or receive new beta versions.