# Shibboleth

{% hint style="info" %}
Please complete the steps in the [Admin Console Configuration](/en/sso-connect-cloud/admin-console-configuration.md) section first.
{% endhint %}

<figure><img src="/files/dFYvAmOZWfyO5mkYCSMC" alt=""><figcaption></figcaption></figure>

### Step 1: Export and Save Keeper Metadata File

To obtain your Keeper metadata file, locate your SSO Connect Cloud provisioning method within the Keeper Admin Console and select **View**. From there you can download and save the Keeper metadata file; it contains Keeper's SAML Entity ID and Assertion Consumer Service endpoint, which the remaining steps refer to.

<figure><img src="/files/-MF6xOjnK9PJBqEBZBBp" alt=""><figcaption><p>Export Keeper Metadata File</p></figcaption></figure>

### Step 2: Adding Keeper Metadata to Shibboleth Identity Provider

The Shibboleth IdP must know some basic information about the Keeper relying party, which is defined in SAML metadata. The easiest way to provide it is to copy the Keeper metadata file you saved in Step 1 into the `IDP_HOME/metadata/` directory (the snippets below assume it is saved as `keeper-metadata.xml`).

### Step 3: Adding a New Relying Party Trust to Shibboleth Identity Provider

Instruct Shibboleth how to behave when talking to Keeper by defining a new `RelyingParty` element in `IDP_HOME/conf/relying-party.xml`. The following snippet should be added just after the `DefaultRelyingParty` element. In this file `id` is the entityID of the relying party and `provider` is the entityID your IdP presents to it, so set `id` to the Entity ID found in the Keeper metadata file (the value below is an example) and set `provider` to the same value as the `provider` attribute of `DefaultRelyingParty`, i.e. your IdP's own entityID. Assertions are still signed with the credential named by `defaultSigningCredentialRef`; the two `encrypt*` settings only turn off XML encryption of the assertion and NameID, which then rely on TLS for confidentiality in transit. The snippets on this page use the Shibboleth IdP v2 configuration syntax; IdP v3 and later moved metadata providers to `IDP_HOME/conf/metadata-providers.xml` and changed the `relying-party.xml` format, so adapt them if you run a newer release.

```markup
<!-- id: Keeper's Entity ID, exactly as it appears in the Keeper metadata file -->
<!-- provider: your IdP's own entityID, copied from DefaultRelyingParty -->
<RelyingParty id="https://keepersecurity.com/api/rest/sso/saml/264325172298110"
        provider="https://shibboleth.example.com/idp/shibboleth"
        defaultSigningCredentialRef="IdPCredential">
    <ProfileConfiguration xsi:type="saml:SAML2SSOProfile" encryptAssertions="never" encryptNameIds="never" />
</RelyingParty>
```

Still in the `IDP_HOME/conf/relying-party.xml` file, configure Shibboleth to use the Keeper metadata file you added in [Step 2](#step-2-adding-keeper-metadata-to-shibboleth-identity-provider). Add the following `MetadataProvider` element next to the existing configured provider (it should have an id value of “FSMD”), making sure to replace IDP\_HOME with your actual installation path and `keeper-metadata.xml` with the file name you used in Step 2. `maintainExpiredMetadata="true"` keeps the cached copy in use even past any `validUntil` date in the file, which is acceptable for a static file you manage yourself.

```markup
<!-- Keeper Metadata -->
<MetadataProvider id="KeeperMD" xsi:type="FilesystemMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
    metadataFile="IDP_HOME/metadata/keeper-metadata.xml" maintainExpiredMetadata="true" />
```

### Step 4: Configure Attribute Resolver

Keeper requires that you map specific **User Attributes** to be sent during authentication. Default Keeper SSO Connect Cloud User Attributes are **Email**, **First** and **Last**, as outlined in the table below. Shibboleth’s attribute resolver must be configured to make this data available by modifying `IDP_HOME/conf/attribute-resolver.xml`.

| Your IdP User Attributes | Keeper User Attributes |
| ------------------------ | :--------------------: |
| `<Email Address>`        |          Email         |
| `<First Name>`           |          First         |
| `<Last Name>`            |          Last          |

{% hint style="warning" %}
When configuring the SAML attributes released by the Shibboleth Identity Provider, Keeper expects the **NameID** in the **emailAddress** format (`urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`). You may use another NameID format if your environment requires it, as long as the NameID value Keeper receives is the user's email address, which is the username used for login.
{% endhint %}
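The attribute definitions below are an added example of the Step 4 resolver configuration, not code from Keeper's or Shibboleth's documentation. They use the Shibboleth IdP v2 syntax of the other snippets on this page and assume an existing data connector with `id="myLDAP"` that returns the LDAP attributes `mail`, `givenName` and `sn`; the attribute IDs `principal`, `Email`, `First` and `Last` are choices made here and must be unique within your resolver. They go inside the existing `<resolver:AttributeResolver>` root of `IDP_HOME/conf/attribute-resolver.xml`, which already declares the `resolver`, `ad` and `enc` prefixes in the v2 default file.

```xml
<!-- Added example, not part of the Keeper or Shibboleth documentation.
     Assumption: a data connector id="myLDAP" exposing mail, givenName and sn. -->

<!-- NameID: Keeper identifies the user by the NameID, which must be the email address -->
<resolver:AttributeDefinition id="principal" xsi:type="ad:Simple" sourceAttributeID="mail">
    <resolver:Dependency ref="myLDAP" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID"
        nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
</resolver:AttributeDefinition>

<!-- Email / First / Last: SAML 2 attributes carrying the names Keeper expects.
     The basic name format is used because these names are not URIs. -->
<resolver:AttributeDefinition id="Email" xsi:type="ad:Simple" sourceAttributeID="mail">
    <resolver:Dependency ref="myLDAP" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="Email" friendlyName="Email"
        nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" />
</resolver:AttributeDefinition>

<resolver:AttributeDefinition id="First" xsi:type="ad:Simple" sourceAttributeID="givenName">
    <resolver:Dependency ref="myLDAP" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="First" friendlyName="First"
        nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" />
</resolver:AttributeDefinition>

<resolver:AttributeDefinition id="Last" xsi:type="ad:Simple" sourceAttributeID="sn">
    <resolver:Dependency ref="myLDAP" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="Last" friendlyName="Last"
        nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" />
</resolver:AttributeDefinition>
```

Defining these attributes does not send them: nothing leaves the IdP until the attribute filter in Step 5 permits each attribute ID for the Keeper relying party, and the NameID is only built from a released attribute that carries a NameID encoder. If your directory's `mail` value is not the email address Keeper knows for the user, SSO login will fail even though the assertion is otherwise valid.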

### Step 5: Configure Attribute Filter

Finally, configure the Shibboleth attribute filtering engine to release the `principal` attribute (encoded as the NameID) and the attributes carrying Email, First and Last to Keeper. Add the following XML snippet to `IDP_HOME/conf/attribute-filter.xml` alongside the existing policy elements. The requester string must equal Keeper's Entity ID exactly as configured in Step 3, and each `attributeID` must match the attribute IDs you defined in Step 4.

```markup
<AttributeFilterPolicy id="releaseToKeeper">
    <!-- Match on Keeper's Entity ID (the RelyingParty id from Step 3), not a bare hostname -->
    <PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://keepersecurity.com/api/rest/sso/saml/264325172298110" />

    <!-- principal carries the NameID; Email, First and Last are the attribute IDs from Step 4 -->
    <AttributeRule attributeID="principal">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="Email"><PermitValueRule xsi:type="basic:ANY" /></AttributeRule>
    <AttributeRule attributeID="First"><PermitValueRule xsi:type="basic:ANY" /></AttributeRule>
    <AttributeRule attributeID="Last"><PermitValueRule xsi:type="basic:ANY" /></AttributeRule>
</AttributeFilterPolicy>
```

### Step 6: Obtain the Metadata XML File from Shibboleth

1. Locate the Shibboleth IdP metadata, which is served at `http://shibboleth.example.com/idp/shibboleth` (substitute your IdP host) or found on the IdP filesystem as `idp-metadata.xml` in `<install_folder>/shibboleth-idp/metadata`.
2. Edit the metadata and make sure the endpoints Keeper will use are not commented out (for example, the `SingleLogoutService` elements, which the generated file may ship inside an XML comment). Keeper reads the Entity ID, Single Sign-On Service and Single Logout Service endpoints from this file.
3. Save the XML file.

### Step 7: Upload IdP Metadata to Keeper

Once you have your Shibboleth metadata file ready, head back to the Keeper Admin console, locate your SSO Connect Cloud Provisioning method and select **Edit**.

![Edit SSO Provisioning Method](/files/-MGAv2zKx89VS_t-6ep9)

Scroll down to the **Identity Provider** section, set IDP Type to **GENERIC**, select **Browse Files** and select your Shibboleth Metadata file.

![Upload your Metadata File](/files/-MOc99l9ArqCoAvJFtBD)

Still within the Keeper Admin Console, exit the **Edit View** and select **View** on your SSO Connect Cloud provisioning method. Within the **Identity Provider** section you will find the **Entity ID**, **Single Sign On Service** and **Single Logout Service Endpoint** values read from your metadata, which are now populated. Check that they match the IdP's actual entityID and endpoints before testing a login.

![Your SSO Application's Metadata](/files/-MPCP04I4cfCmAMqN1a8)

### Graphic Assets

If your Shibboleth instance requires an icon or logo file for the Keeper application, please see the [Graphic Assets page](/en/sso-connect-cloud/graphic-assets.md).

{% hint style="success" %}
Success! Your **Keeper Security SSO Cloud** setup is now complete! You may now try logging into Keeper with SSO.
{% endhint %}

If you find that SSO is not functional, review your Shibboleth settings, your metadata file and the released user attributes for errors. The usual causes are a `RelyingParty` id or filter requester string that does not equal Keeper's Entity ID exactly, attributes defined in the resolver but not released by the filter, and a NameID that is not the user's email address.

Once corrected, repeat the affected step (**Step 4** for attribute problems; Steps 6 and 7 if the IdP metadata changed).

If you need assistance, please email <enterprise.support@keepersecurity.com>.

#### Move existing users/initial admin to SSO authentication

Users created in the root node (top level) will need to be migrated to the sub node that the SSO integration was configured on. If users remain in the root node, they will be prompted for the master password when accessing the vault and/or admin console.

{% hint style="warning" %}
An admin cannot move themselves to the SSO-enabled node. Another admin must perform this action.
{% endhint %}

After the user is moved to the SSO-enabled node, they need to log into the Keeper vault initially by selecting the "Enterprise SSO" pull-down and entering the Enterprise Domain configured on the SSO integration. The user may be prompted to confirm by entering the master password.

<figure><img src="/files/f9mh14DiYc7ZXa6OAWDt" alt=""><figcaption><p>Initially select 'Enterprise SSO Login'</p></figcaption></figure>

Once the user has authenticated with SSO, they only need to use their email address moving forward to initiate SSO authentication.

<figure><img src="/files/FVvma7g5o1WplEqLNvjX" alt=""><figcaption></figcaption></figure>

They won't have to enter the Enterprise Domain. If typing in the email address and clicking Next does not route the user to the desired SSO, ensure that just-in-time provisioning is enabled in the Keeper SSO configuration and ensure that your email domain is reserved by Keeper. More information regarding routing and domain reservation [can be found here](/en/enterprise-guide/domain-reservation.md).


