Certificate Renewal

Keeper SSO Connect certificate renewal instructions

Keeper SSO Connect Certificate Renewal Process

It is critical to ensure that your IdP SAML Signing Certificates are renewed and activated. Typically, this occurs once per year.

If you receive the below error when logging into the Keeper vault, this usually indicates that the SAML Signing Certificate has expired.

"Sorry! There was an unexpected error logging you into Keeper via your company account. We are unable to parse the SAML Response from the IDP"

Resolution

To resolve this issue, please follow the basic steps below:

  1. Update the SAML signing certificate from your identity provider related to the Keeper application

  2. Download the new SAML signing certificate and/or IdP metadata file

  3. Update the IdP metadata in the Keeper Admin Console

Entra ID / Azure AD Instructions

Since Microsoft Azure is the most widely used identity provider, the step by step update guide is documented below. If Azure is not your provider, the process is very similar.

(1) Login to the Azure Portal (https://portal.azure.com) and go to Enterprise Applications > Keeper > Set up Single sign on

Set up single sign on

(2) Under the SAML Certificates section, note that the certificate has expired. Click Edit.

Edit SAML Certificates

(3) Click on New Certificate to generate a new cert.

Create a New Certificate

(4) Click the overflow menu and then click "Make certificate active" the Save and apply the changes.

Make certificate active

(5) From the SAML Certificates section, download the new Federation Metadata XML file. Save this to your computer.

Download Metadata XML

(6) Update the SAML Metadata in the Keeper Admin Console

From the Keeper Admin Console, login to the Keeper tenant and visit the SSO configuration.

Follow the links below to access the Keeper Admin Console: https://keepersecurity.com/console (US) https://keepersecurity.eu/console (EU) https://keepersecurity.com.au/console (AU) https://keepersecurity.ca/console (CA) https://keepersecurity.jp/console (JP) https://govcloud.keepersecurity.us/console (US Gov)

(Or open KeeperSecurity.com > Login > Admin Console)

  • Select the SSO node then select the "Provisioning" tab.

  • Click on "Single Sign-On with SSO Connect Cloud

  • Click "Edit Configuration"

  • Click out the existing SAML Metadata

  • Upload the new XML metadata file from your desktop

Edit Configuration
Clear out existing SAML Metadata
Drop in the new Metadata XML

At this point, the SAML certificate should be updated with success.

(7) Confirm that SSO is functioning properly

Now that the metadata XML file with the latest certificate is uploaded to Keeper, your users should be able to login with SSO without error.

(8) Delete the metadata XML file from your local computer or store this in your Vault

(9) Make yourself a calendar reminder to update the SAML certificate next year prior to the expiration date.

Unable to Access the Keeper Admin Console?

If you are unable to login to the Keeper Admin Console due to the SSO certificate issue, please select one of the following options to regain access:

Option 1: Use a service account that logs into the Admin Console with a Master Password

Option 2: Contact a secondary admin to login and update the cert for you

If neither option is available, contact Keeper Business Support

PreviousCLI ApprovalsNextLogout Configuration

Last updated

Was this helpful?