
Certificate Renewal

Keeper SSO Connect certificate renewal instructions


Last updated 8 months ago


Keeper SSO Connect Certificate Renewal Process

It is critical to ensure that your IdP SAML Signing Certificates are renewed and activated. Typically, this occurs once per year.

If you receive the error below when logging in to the Keeper vault, this usually indicates that the SAML Signing Certificate has expired.

"Sorry! There was an unexpected error logging you into Keeper via your company account. We are unable to parse the SAML Response from the IDP"

Resolution

To resolve this issue, please follow the basic steps below:

  1. Update the SAML signing certificate from your identity provider related to the Keeper application

  2. Download the new SAML signing certificate and/or IdP metadata file

  3. Update the IdP metadata in the Keeper Admin Console

Entra ID / Azure AD Instructions

Since Microsoft Azure is the most widely used identity provider, the step-by-step update guide is documented below. If Azure is not your provider, the process is very similar.

(1) Log in to the Azure Portal (https://portal.azure.com) and go to Enterprise Applications > Keeper > Set up Single sign on

(2) Under the SAML Certificates section, note that the certificate has expired. Click Edit.

(3) Click on New Certificate to generate a new cert.

(4) Click the overflow menu and then click "Make certificate active", then Save and apply the changes.

(5) From the SAML Certificates section, download the new Federation Metadata XML file. Save this to your computer.

(6) Update the SAML Metadata in the Keeper Admin Console

From the Keeper Admin Console, log in to the Keeper tenant and visit the SSO configuration.

Follow the links below to access the Keeper Admin Console:

  • US: https://keepersecurity.com/console

  • EU: https://keepersecurity.eu/console

  • AU: https://keepersecurity.com.au/console

  • CA: https://keepersecurity.ca/console

  • JP: https://keepersecurity.jp/console

  • US Gov: https://govcloud.keepersecurity.us/console

(Or open KeeperSecurity.com > Login > Admin Console)

  • Select the SSO node then select the "Provisioning" tab.

  • Click on "Single Sign-On with SSO Connect Cloud"

  • Click "Edit Configuration"

  • Clear out the existing SAML Metadata

  • Upload the new XML metadata file from your desktop

At this point, the SAML certificate should be updated successfully.

(7) Confirm that SSO is functioning properly

Now that the metadata XML file with the latest certificate is uploaded to Keeper, your users should be able to log in with SSO without error.

(8) Delete the metadata XML file from your local computer or store this in your Vault

(9) Make yourself a calendar reminder to update the SAML certificate next year prior to the expiration date.

Unable to Access the Keeper Admin Console?

If you are unable to log in to the Keeper Admin Console due to the SSO certificate issue, please select one of the following options to regain access:

Option 1: Use a service account that logs into the Admin Console with a Master Password

Option 2: Contact a secondary admin to log in and update the cert for you

If neither option is available, contact Keeper Business Support