Okta
How to configure Keeper SSO Connect Cloud with Okta for seamless and secure SAML 2.0 authentication.
Last updated
How to configure Keeper SSO Connect Cloud with Okta for seamless and secure SAML 2.0 authentication.
Last updated
Please complete the steps in the Admin Console Configuration section first.
Login to the Admin section of the Okta portal.
Select the Applications menu item and click Browse App Catalog.
Search for “Keeper Password Manager”, and then select the Add button for the Keeper Password Manager and Digital Vault application.
On the General Settings page that comes up next, you need the "Entity ID" that comes from the Keeper Admin Console.
Example Server Base URL: https://keepersecurity.com/api/rest/sso/saml/XXXXXXXX
The value for XXXXXXXX represents the specific SSO Connect instance associated with your enterprise and can be found on the Admin Console SSO configuration as part of the Service Provider information, as seen below:
Paste the Entity ID into the Server Base URL field in the Okta screen.
Select the Sign On tab.
Scroll down to the SAML Signing Certificates configuration section, and select Actions > View IdP metadata.
Save the resulting XML file to your computer. In Chrome, Edge and Firefox, select File > Save Page As... and save the metadata.xml file.
In the Keeper Admin Console, Edit the SSO configuration then Select OKTA as the IDP Type and upload the metadata.xml file into the Keeper SSO Connect interface by browsing to or dragging and dropping the file into the Setup screen:
If you would like to enable the Single Logout feature in Okta, go to the Sign On tab and click Edit. Click the Enable Single Logout checkbox and then upload the SP Cert which comes from the Keeper Admin Console.
To first download the SP Cert, view the SSO configuration on Keeper and click the Export SP Cert button.
Upload the SP cert file and be sure to click Save to save the Sign On settings in Okta.
If you have changed the Single Logout Setting, you'll have to download the latest Okta metadata file once again, and upload the new metadata.xml file into Keeper on the SSO edit screen.
From the Actions menu, select View IdP metadata.
Save the resulting XML file to your computer. In Chrome, Edge and Firefox, select File > Save Page As... and save the metadata.xml file.
In the Keeper Admin Console, Edit the SSO configuration then upload the new metadata.xml file into the Keeper SSO Connect interface by browsing to or dragging and dropping the file into the Setup screen.
To enable Okta SCIM user and group provisioning please follow the instructions found within the Keeper Enterprise Guide: https://docs.keeper.io/enterprise-guide/user-and-team-provisioning/okta-integration-with-saml-and-scim
From Okta, you can now add users or groups on the Assignments page. If you have activated SCIM provisioning per the instructions here then the user will be instantly provisioned to Keeper.
Users created in the root node (top level) will need to be migrated to the sub node that the SSO integration was configured on. If users remain in the root node, they will be prompted for the master password when accessing the vault and/or admin console.
An admin cannot move themselves to the SSO enabled node. It requires another admin to perform this action.
After the user is moved to the SSO enabled node, they need to log into the Keeper vault initially by selecting the "Enterprise SSO" pull down and inputting in the Enterprise Domain configured on the SSO integration. The user may get prompted to confirm by entering in the master password.
Once the user has authenticated with SSO, they only need to use their email address moving forward to initiate SSO authentication.
If typing in the email address and clicking Next does not route the user to the desired SSO, ensure that just-in-time provisioning is enabled in the Keeper SSO configuration and ensure that your email domain is reserved by Keeper. More information regarding routing and domain reservation can be found here.
