Shibboleth

How to configure Keeper SSO Connect Cloud with Shibboleth for seamless and secure SAML 2.0 authentication.

Please complete the steps in the Admin Console Configuration section first.

Step 1: Export and Save Keeper Metadata File

To obtain your Keeper Metadata file, locate your SSO Connect Cloud Provisioning method within the Keeper Admin Console, and select View. From there you have access to download and save the Keeper metadata file.

Step 2: Adding Keeper Metadata to Shibboleth Identity Provider

The Shibboleth IdP must know some basic information about the Keeper relying party, which is defined in SAML metadata. The easiest way to do is to add your Keeper Metadata file to IDP_HOME/metadata/ directory.

Step 3: Adding a New Relying Party Trust to Shibboleth Identity Provider

Instruct Shibboleth how to behave when talking to Keeper by defining a new RelyingParty element in IDP_HOME/conf/relying-party.xml. The following snippet should be added just after the DefaultRelyingParty element. Be sure to replace the provider attribute to include your "Entity ID" (use whatever provider is configured in the DefaultRelyingParty).

<RelyingParty id="keepersecurity.com"
        provider="https://keepersecurity.com/api/rest/sso/saml/264325172298110"
        defaultSigningCredentialRef="IdPCredential">
    <ProfileConfiguration xsi:type="saml:SAML2SSOProfile" encryptAssertions="never" encryptNameIds="never" />
</RelyingParty>

Still in the IDP_HOME/conf/relying-party.xml file, configure Shibboleth to use the keeper metadata file you added in Step 2. Add the following MetadataProvider element next to the existing configured provider (it should have an id value of “FSMD”), making sure to replace IDP_HOME with your actual installation path.

<!-- Keeper Metadata -->
<MetadataProvider id="KeeperMD" xsi:type="FilesystemMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
    metadataFile="IDP_HOME/metadata/keeper-metadata.xml" maintainExpiredMetadata="true" />

Step 4: Configure Attribute Resolver

Keeper requires that you map specific User Attributes to be sent during authentication. Default Keeper SSO Connect Cloud User Attributes are Email, First and Last, as outlined in the table below. Shibboleth’s attribute resolver must be configured to make this data available by modifying IDP_HOME/conf/attribute-resolver.xml.

Your IdP User Attributes

Keeper User Attributes

<Email Address>

Email

<First Name>

First

<Last Name>

Last

When Configuring Shibboleth Identity Provider SAML Attributes, Keeper Expects "NameIDFormat" coming in the form of "emailAddress". You can use / the suggested "NameIDFormat" or input correct value for your environment so long as it provides Keeper the users Email Address for the username login identifier.

Step 5: Configure Attribute FIlter

Finally, configure the Shibboleth attribute filtering engine to release the principal attribute (encoded as a NameID) to Google. Add the following XML snippet to IDP_HOME/conf/attribute-filter.xml alongside the existing policy elements.

<AttributeFilterPolicy>
    <PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="keepersecurity.com" />

    <AttributeRule attributeID="principal">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
</AttributeFilterPolicy>

Step 6: Obtain the Metadata XML File from Shibboleth

  1. Locate Shibboleth metadata found at "http://shibboleth.example.com/idp/shibboleth" or in the Shibboleth identity provider filesystem in <install_folder>/shibboleth-idp/metadata.

  2. Modify Shibboleth metadata manually and ensure all user endpoints are uncommented (e.g., SingleLogout).

  3. Save the XML file.

Step 7: Upload IdP Metadata to Keeper

Once you have your Shibboleth metadata file ready, head back to the Keeper Admin console, locate your SSO Connect Cloud Provisioning method and select Edit.

Scroll down to the Identity Provider section, set IDP Type to GENERIC, select Browse Files and select your Shibboleth Metadata file.

Still within the Keeper Admin Console, exit the Edit View and select View on your SSO Connect Cloud Provisioning method. Within the Identity Provider section you will find the metadata values for the Entity ID, Single Sign On Service and Single Logout Service Endpoint that are now populated.

Graphic Assets

If your Shibboleth instance requires an icon or logo file for the Keeper application, please see the Graphic Assets page.

Success! Your Keeper Security SSO Cloud setup is now complete! You may now try logging into Keeper with SSO.

If you find that SSO is not functional, please review your Shibboleth settings, review your metadata file and user attributes for any errors.

Once complete, repeat Step 4.

If you need assistance, please email enterprise.support@keepersecurity.com.

Move existing users/initial admin to SSO authentication

Users created in the root node (top level) will need to be migrated to the sub node that the SSO integration was configured on. If users remain in the root node, they will be prompted for the master password when accessing the vault and/or admin console.

An admin can not move themselves to the SSO enabled node. It requires another admin to perform this action.

After the user is moved to the SSO enabled node, they need to log into the Keeper vault initially by selecting the "Enterprise SSO" pull down and inputting in the Enterprise Domain configured on the SSO integration. The user may get prompted to confirm by entering in the master password.

Once the user has authenticated with SSO, they only need to use their email address moving forward to initiate SSO authentication.

They won't have to enter the Enterprise Domain. If typing in the email address and clicking Next does not route the user to the desired SSO, ensure that just-in-time provisioning is enabled in the Keeper SSO configuration and ensure that your email domain is reserved by Keeper. More information regarding routing and domain reservation can be found here.

Last updated