Instructions on SSO certificate renewal in July 2023
Please read this document, as it affects Enterprise customers who use Keeper SSO Connect Cloud with certain identity providers.
Note: Nothing needs to change on the Keeper side. Do NOT reconfigure your Keeper SSO settings. DO NOT delete anything. The only action you may need to take is updating Keeper's certificate on your identity provider.
On July 20, 2023 at 12:18 PST, Keeper's current Cloud SSO certificate used for signing SAML requests expires. This is the Service Provider (SP) certificate, not the IdP certificate.
We have published a new Service Provider Certificate which is live and available for you to download. The certificate is embedded in the XML metadata file and also available as a direct download "Export SP Cert" from the Keeper Admin Console.
Customers using a basic configuration in Azure, Okta or Google are NOT affected.
If you use Keeper Automator alongside SSO Cloud, you are NOT Affected and you do not need to update the certificate, as this is handled by the cert you added to Automator.
If you are using SSO On-Prem you are NOT Affected.
If you are using ADFS with Cloud SSO Connect (without Automator), you are affected.
If you are using Ping Identity (without Automator), you are affected. Read instructions below.
If you use Okta with SLO (Single Logout) activated, you are affected. Read instructions below.
If you use JumpCloud (without Automator), you are affected. Read instructions below.
If you are using service provider-initiated SLO (Single Logout) then you are affected.
If your identity provider is configured to encrypt the SAML assertion with our certificate, you will be affected if the identity provider refuses to encrypt with an expired cert.
Other identity providers may reject requests when the cert has expired.
If you don't know whether you are affected, please ensure you're available on July 20 to perform the update in case your identity provider rejects authentication.
You can simply update the "Service Provider Certificate" in your identity provider (by uploading Keeper's Service Provider metadata or Service Provider Certificate). This can be done right now.
The metadata and SP Cert are available from the Keeper Admin Console.
Important: Ensure that you have the ability to login to the Admin Console with an account and a Master Password that exists outside of the SSO node, in case your SSO is unavailable or affected by the expired certificate.
Updating the certificate only takes a few minutes.
To update the service provider certificate on ADFS, please follow the below steps:
Login to the Keeper Admin Console
Go to Admin > SSO Node > Provisioning and then view the SSO Cloud configuration.
Click on "Export SP Cert" and save the certificate file.
In the AD FS Management Console select the Keeper Cloud SSO Relying Party Trust properties.
On the "Encryption" tab, replace the old certificate with this new cert.
On the "Signature" tab, add the new SP cert or replace the old certificate with it.
Azure does not appear affected by the certificate expiration, but updating the metadata is simple.
Go to Azure Portal > Enterprise Applications > Keeper Password Manager > Single Sign-On
Click "Upload metadata file" at the top.
Select the metadata xml file that was downloaded from Keeper.
Click Save
Only if you have Single Logout enabled with Okta...
Login to the Keeper Admin Console
Go to Admin > SSO Node > Provisioning and then view the SSO Cloud configuration.
Click on "Export SP Cert" and save the certificate file.
Go to Okta Admin Portal > Applications > Keeper > Sign On tab
If you have "Enable Single Logout" enabled...
Click Edit and Upload the SP Cert from Keeper and click Save
If you don't have Single Logout enabled, there's nothing to do.
To update the service provider certificate on JumpCloud, please follow the below steps:
Login to the Keeper Admin Console
Go to Admin > SSO Node > Provisioning and then view the SSO Cloud configuration.
Click on "Export SP Cert" and save the certificate file.
Go to the JumpCloud Admin Portal and go to SSO
Open the Keeper Application > SSO Tab
Click on "Replace SP Certificate" and select the new SP Certificate file. (NOT the IdP Cert!)
To update the service provider certificate on Ping Identity, please follow the below steps:
Login to the Keeper Admin Console
Go to Admin > SSO Node > Provisioning and then view the SSO Cloud configuration.
Click on "Export SP Cert" and save the certificate file.
Login to your Ping Identity portal.
Their notification center will notify you which certificates are expiring.
In the Ping portal, open the Keeper application
Update the "Verification Certificate" and the "Encryption Certificate".
(Alternatively, just upload the new Keeper metadata)
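To update the service provider certificate on any other identity provider, please follow the below steps:
Login to the Keeper Admin Console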
Go to Admin > SSO Node > Provisioning and then view the SSO Cloud configuration.
Click on "Export SP Cert" and save the certificate file.
Click on "Export Metadata" and save the metadata file, which also contains the certificate.
Login to your Identity Provider portal and view the SSO configuration for Keeper.
Upload Keeper's SP certificate file (or metadata, if required) following their instructions to update the Service Provider certificate and Save.
If you can't login to the Admin Console, please open a support case and we'll assist you. Make sure to provide all the relevant information about your identity provider and your environment.
If you require assistance, please open a support ticket at the link below:
Q: Which certificate is updating?
A: Our SAML signing certificate for sso.keepersecurity.com has been renewed. The new certificate is now live and will be used for signing all requests until July 2024. This certificate is used for signing requests, sending Single Logout (SLO) requests and can be used to encrypt assertions from the Identity Provider (if configured that way).
Q: Are we affected?
A: In the document above, we identify which customers are affected. If you don't know, you should probably go ahead and update the certificate now, while the old cert is still valid. This is best practice.
Q: Is the key changing?
A: No, we are not re-keying the cert. The current certificate is simply being renewed. The public key does not change, only the expiration date of the cert.
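The renewal described above (same public key, later expiration, certificate also embedded in the metadata XML) can be checked before the new certificate is uploaded to an identity provider. This is an added example, not Keeper's code: it uses only the Python standard library with a minimal DER walk instead of a full X.509 parser, verifies no signatures, assumes the "Export SP Cert" file is PEM or DER, and its function names are hypothetical.

```python
# Added example (not Keeper's code). Assumes the exported SP cert is PEM or DER.
import base64, hashlib, re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

X509 = "{http://www.w3.org/2000/09/xmldsig#}X509Certificate"

def certs_from_metadata(xml_text):
    """DER certificates embedded in SAML metadata (ds:X509Certificate)."""
    return [base64.b64decode(el.text) for el in ET.fromstring(xml_text).iter(X509)]

def load_cert(data):
    """Accept the bytes of a PEM or DER certificate file; return DER."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", data, re.S)
    return base64.b64decode(m.group(1)) if m else data

def _tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, start = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, start = int.from_bytes(buf[start:start + n], "big"), start + n
    return tag, start, start + length

def cert_facts(der):
    """Return (notAfter, SHA-256 of SubjectPublicKeyInfo). No signature check."""
    p = _tlv(der, 0)[1]                        # enter Certificate
    p = _tlv(der, p)[1]                        # enter tbsCertificate
    for _ in range(4 if der[p] == 0xA0 else 3):
        p = _tlv(der, p)[2]                    # skip [version], serial, sigAlg, issuer
    _, v, p = _tlv(der, p)                     # validity; p now points at subject
    tag, s, e = _tlv(der, _tlv(der, v)[2])     # notAfter follows notBefore
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    not_after = datetime.strptime(der[s:e].decode(), fmt).replace(tzinfo=timezone.utc)
    p = _tlv(der, p)[2]                        # skip subject; p now at SPKI
    return not_after, hashlib.sha256(der[p:_tlv(der, p)[2]]).hexdigest()

def check_renewal(old_cert, new_cert, metadata_xml):
    """Return a list of problems; empty means the renewed SP cert checks out."""
    old_exp, old_key = cert_facts(load_cert(old_cert))
    new_der = load_cert(new_cert)
    new_exp, new_key = cert_facts(new_der)
    checks = [
        (new_key == old_key, "public key differs from the SP cert the IdP trusts now"),
        (new_exp > old_exp, "new cert does not expire later than the old one"),
        (new_der in certs_from_metadata(metadata_xml), "exported cert not found in metadata"),
    ]
    return [msg for ok, msg in checks if not ok]
```

Pass the bytes of the certificate your identity provider currently holds, the bytes of the new "Export SP Cert" file, and the text of the "Export Metadata" file. A key mismatch usually means the wrong certificate (for example the IdP certificate) was selected.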
Q: Why is this happening?
A: All certificates have to be renewed annually. Since 2020, public CAs have required that certificates must be renewed once per year (even if a multi-year certificate is purchased).
Q: Is SSO Connect On-Prem affected?
A: No, this only affects customers using SSO Connect Cloud.
Q: Why are we not affected if we use Automator?
A: When you set up Automator, the certificate used for signing comes from the Automator configuration, not from Keeper's certificate.
Q: How do we set up Automator?
A: The Keeper Automator service information is available here: https://docs.keeper.io/sso-connect-cloud/device-approvals/automator Keep in mind, Automator also requires a certificate that must be updated annually. It's just on a different time interval.