Entra ID (Azure AD)

How to configure Keeper SSO Connect Cloud with Microsoft Entra ID (formerly Azure AD) for seamless and secure SAML 2.0 authentication.

Please complete the steps in the Admin Console Configuration section first.

Overview

Keeper is compatible with all Microsoft Azure AD / Entra ID environments for SAML 2.0 authentication and automated provisioning.

  • Keeper applications (including Web Vault, Browser Extension, Desktop App and iOS/Android apps) are 100% compatible with conditional access policies.

  • Keeper supports both commercial (portal.azure.com) and Azure Government Cloud (portal.azure.us) environments.

Azure Setup

Watch the following video to learn more about setting up Azure with SSO Connect Cloud.

Setting Up Azure with SSO Connect Cloud

Please follow the below steps.

(1) Add the Keeper Enterprise Application

Go to your Azure Admin account at https://portal.azure.com and click on Azure Active Directory > Enterprise Applications. Note: If you already have a Keeper application set up for SCIM Provisioning, you can edit the existing application.

For US Public Sector entities, login to https://portal.azure.us and follow the same steps as outlined in this document.

(2) Click on "New Application" then search for Keeper and select "Keeper Password Manager & Digital Vault".

(3) Click "Create" to create the application.

(4) Click on the "Set up single sign on" then click "SAML"

(5) On the Keeper Admin Console, export the SAML Metadata file.

Go to View -> Export Metadata

(6) Upload the Metadata file into the Azure interface by selecting the "Upload metadata file" button.

and selecting the file just downloaded from the Keeper admin console and pressing the Add button.

(7) Azure will open up the SAML configuration screen.

The red error on the missing "Sign on URL" field is expected.

To fix the error, copy the URL from the "IDP Initiated Login Endpoint" from the Admin Console SSO Cloud instance "view" screen, and paste it into the "Sign on URL" field.


Single Logout Service Endpoint ("SLO")

This is the URL endpoint at Keeper to which your identity provider will send logout requests. Single Logout is optional and this is something you configure at your identity provider.

For control over Keeper-initiated Single Logout behavior with the identity provider, see this page.

By default, Keeper will force a logout session with Entra/Azure after logging out. If you would like to remove this behavior, edit the Azure metadata file before uploading to Keeper and remove the SingleLogoutService line. For security reasons, we recommend keeping this in place.

(8) Click on Save then close the window with the SAML configuration.

(9) After saving, you'll be asked to test the configuration. Don't do this. Wait a couple seconds then reload the Azure portal page on the web browser. Now, there should be a certificate section that shows up in the "SAML Signing Certificate" area.

Click on "Download" under the Federation Metadata XML section:

(10) Upload the Metadata file into the Keeper Admin Console

In the Admin Console, select Azure as the Identity Provider type and import the Federation Metadata file saved in the previous step the SAML Metadata section.

(11) Edit User Attributes & Claims

Under the User Attributes section, Azure will automatically create claims for User ID, First, Last and Email.

We recommend deleting the 4 claims in the "Additional Claims" section since they are not needed.

In your environment, if your user.userprincipalname (UPN) is not the same as the users actual email address, you can edit the Email claim and change it to user.mail as the value for the Email attribute.

ForceAuthn Setting

In the Keeper Admin Console, the option to enforce a new login session with the identity provider is available. When ForceAuthn="true" is set in the SAML request, the Service Provider (Keeper) is telling the IdP that even though the user is already authenticated, they need to force a new authenticated session. This may be a desired behavior depending on your security policies and end-user environment.

Certificate Renewal Reminder

Entra ID / Azure AD SAML signing certificates will expire after one year.

Ensure that you set yourself an annual calendar reminder to update the SAML certificate prior to expiration, or your Keeper users will not be able to login until it is updated.

For instructions on renewing the certificate, see the Certificate Renewal page.

User Provisioning

Users can be provisioned to the Keeper application through the Azure portal using manual or automated provisioning.

Manual

If only specific users or groups will be assigned to Keeper Password Manager the following setting will need to be changed. In your Azure console, navigate to Azure Active Directory > Enterprise Applications > Keeper Password Manager & Digital Vault and select Properties.

Change the User assignment required to Yes and then save. This will ensure only the user and groups assigned to the application will be able to use it.

On the Users and groups section select the users and/or groups that are to be provisioned to the Keeper application.

Automated provisioning with SCIM

Move existing users/initial admin to SSO authentication

Users created in the root node (top level) will need to be migrated to the sub node that the SSO integration was configured on. If users remain in the root node, they will be prompted for the master password when accessing the vault and/or admin console.

An admin cannot move themselves to the SSO enabled node. It requires another admin to perform this action.

Vault Login with Email

For any reserved domain that has just-in-time provisioning enabled, the user can simply type in their email address on the Vault login screen and they will be routed to the correct SSO provider. From here, the user can create their vault or login to an existing vault.

Vault Login with Enterprise Domain

If the domain is not reserved, the user can login into the Keeper vault initially by selecting the "Enterprise SSO" pull down and inputting in the Enterprise Domain configured on the SSO integration. The user may get prompted to confirm by entering in the master password if they were recently moved from a non-SSO node to the SSO node.

Once the user has authenticated with SSO, they only need to use their email address moving forward to initiate SSO authentication.

If typing in the email address and clicking Next does not route the user to the desired SSO, ensure that just-in-time provisioning is enabled in the Keeper SSO configuration and ensure that your email domain is reserved by Keeper. More information regarding routing and domain reservation can be found here.

IdP-Initiated Login

Keeper supports IdP-initiated login with Azure. Users can simply visit their Apps Dashboard at:

https://myapplications.microsoft.com/ This will load their assigned Keeper application and the user can click the icon.

Last updated