Ping Identity (PingOne)

How to configure Keeper SSO Connect Cloud with Ping Identity for seamless and secure SAML 2.0 authentication.

Please complete the steps in the Admin Console Configuration section first.

Ping Identity Configuration

Login to the Ping Identity portal.

In your existing Environment click Manage Environment.

On the left, click Applications > Application Catalog > Search "Keeper" and select "Keeper Password Manager"

On the Application Details page, add the following data:

  • Keeper Security Domain: keepersecurity.com

  • Keeper Security Identifier: Can be found in the admin console under Entity ID https://keepersecurity.com/api/rest/sso/saml/<Identifier>

    • Log in to the Keeper Admin Console at https://keepersecurity.com/console/.

    • In the left panel, go to Admin and select a sub-node (not the root).

    • Navigate to Provisioning → Add Method → Single Sign-On with SSO Connect® Cloud.

    • Enter a configuration name, add your domain, and click Save.

    • After the SSO configuration is created, click the three-dot menu (⋮) next to it and select View to display the Entity ID.

  • Once that is complete we can save and move on to the next steps.

Next, we can add the Groups who will be accessing the Keeper Application and click Save.

Click Download Metadata as we will upload this to Keeper in the next step.

  • In attribute 1, type “First” in the Application Attribute column, select First Name in the Identity Bridge Attribute or Literal Value column, and check the Required button. Select the Add new attribute button.

  • In attribute 2, type "Last" in the Application Attribute column, select Last Name in the Identity Bridge Attribute or Literal Value column, and check the Required button. Select the Add new attribute button.

  • In attribute 3, type "Email" in the Application Attribute column, select Email in the Identity Bridge Attribute or Literal Value column, and check the Required button. Application Attributes: First, Last, Email must begin with a capital letter.

Application attribute names are case-sensitive. Ensure all attribute names use uppercase as shown in the examples. Using lowercase values may cause parsing errors during SSO setup.

On the Edit screen of the Keeper SSO Connect Cloud provisioning select "Generic" as the IDP Type and upload the saml2-metadata-idp xml file into the Keeper SSO Connect interface by browsing to or dragging and dropping the file into the Setup screen:

The Keeper Application should be added and enabled.

Your Keeper SSO Connect setup is now complete!

Move existing users/initial admin to SSO authentication

Users created in the root node (top level) will need to be migrated to the sub node that the SSO integration was configured on. If users remain in the root node, they will be prompted for the master password when accessing the vault and/or admin console.

An admin can not move themselves to the SSO enabled node. It requires another admin to perform this action.

After the user is moved to the SSO enabled node, they need to log into the Keeper vault initially by selecting the "Enterprise SSO" pull down and inputting in the Enterprise Domain configured on the SSO integration. The user may get prompted to confirm by entering in the master password.

Initially select 'Enterprise SSO Login'

Once the user has authenticated with SSO, they only need to use their email address moving forward to initiate SSO authentication.

They won't have to enter the Enterprise Domain. If typing in the email address and clicking Next does not route the user to the desired SSO, ensure that just-in-time provisioning is enabled in the Keeper SSO configuration and ensure that your email domain is reserved by Keeper. More information regarding routing and domain reservation can be found here.

PreviousOneLoginNextPingOne

Last updated

Was this helpful?