# Beyond Identity ### **Configure Keeper for Beyond Identity Integration** {% hint style="success" %} Please complete the steps in the [Admin Console Configuration](https://docs.keeper.io/en/sso-connect-cloud/admin-console-configuration) section first. {% endhint %} Visit the [Keeper Admin Console](https://keepersecurity.com/console) and login as the Keeper Administrator. (US / Global)\ (EU-hosted customers)\ (AU-hosted customers)\ (GovCloud customers) {% hint style="success" %} Note: Passwordless integration can only be applied to specific nodes (e.g. organizational units) within your Admin Console. {% endhint %} 1\) Click on the **Admin** tab and click **Add Node** 2\) Name the node and click **Add Node** ![Create a node for Beyond Identity in the Keeper Admin](https://2503956294-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MB_i6vKdtG6Z2n6zWgJ%2Fuploads%2FPyDzXKbgFqoXqJROmnLa%2FKeeper-BeyondIdentity-Add-Node.gif?alt=media\&token=0aee0c37-a851-44c4-9e96-d9b386b2eb30) 3\) From the **Provisioning** tab, click **Add Method** 4\) Select **Single Sign-On with SSO Connect™ Cloud** and click **Next** 5\) Enter your **Configuration Name** and **Enterprise Domain**, then click **Save**. Take note of the Enterprise Domain. This will be used later for Enterprise SSO login. ![Configure Beyond Identity for Single Sign-On with SSO Connect™ Cloud](https://2503956294-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MB_i6vKdtG6Z2n6zWgJ%2Fuploads%2Fx4MExyAATNICZMKOnvt8%2FKeeper-BeyondIdentity-Add-SSO.gif?alt=media\&token=a6925b34-6d9d-48f7-bf7f-c7d8bd3e05c0) 6\) The newly-created SAML 2.0 with Cloud SSO Connect provisioning method will be visible. Select **View** from the menu. {% hint style="info" %} These items will be used when configuring Beyond Identity later in the documentation. {% endhint %} ![View Beyond Identity Provisioning Settings](https://2503956294-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MB_i6vKdtG6Z2n6zWgJ%2Fuploads%2FRtkD2ypmKONiqvDiKaAY%2FKeeper-BeyondIdentity-Enter-View-SSO.png?alt=media\&token=c1a330c5-6f67-423a-82b8-d5156ec201ec) 7\) Note the **Entity ID, Assertion Consumer Service (ACS) Endpoint and Single Logout Service Endpoint** 8\) Click **Export SP Cert** ![Note the highlighted fields and Export SP Cert](https://2503956294-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MB_i6vKdtG6Z2n6zWgJ%2Fuploads%2FHMMiIN2lFpX98ir4V4ag%2FKeeper-BeyondIdentity-View-SSO.png?alt=media\&token=a0e49f26-5cdd-4928-95cb-e62b43f814f7) ### Configure **Beyond Identity** 1\) [Download the Beyond Identity Authenticator App ](https://app.byndid.com/downloads)for your device. 2\) Log into the Beyond Identity Admin Console at . {% hint style="info" %} Instructions for registering and using Beyond Identity can be found in [Beyond Identity's Documentation.](https://developer.beyondidentity.com/) {% endhint %} #### Create Keeper Integration in Beyond Identity 3\) From your Beyond Identity Admin Console, select **Integrations** from the left-hand navigation. 4\) Click the **SAML** tab. 5\) Click **Add SAML Connection**. 6\) In the **Edit SAML Connection** dialog, use the following table to determine values to enter: | Beyond Identity Field | Value to Use | | ---------------------------- | ------------------------------------------------------------------------- | | Name | Display Name for your SAML Connection | | SP Single Sign On URL | Assertion Consumer Service (ACS) Endpoint value from Keeper Admin Console | | SP Audience URI | Entity ID from Keeper Admin Console | | Name ID format | emailAddress | | Subject User Attribute | Email | | Request Binding | http post | | Authentication Context Class | X509 | | Signed Response | Signed toggled On | | X509 Signing Certificate | SP Cert exported from Keeper Admin Console | 7\) In the **Attribute Statements** section, add the following two attributes: | Name | Name Format | Value | | ----- | ----------- | --------------- | | Email | unspecified | {{Email}} | | First | unspecified | {{DisplayName}} | 8\) Click **Save Changes**. ![Configure SAML Settings for Beyond Identity Integration](https://2503956294-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MB_i6vKdtG6Z2n6zWgJ%2Fuploads%2FQOnfxmDolyU85XhPnet3%2FKeeper-BeyondIdentity-Beyond-SAML-Config%20\(1\).png?alt=media\&token=ef440583-3235-414c-858d-a15f11e9f521) 9\) Click the **Download Metadata** icon `` to download the XML metadata for use in the Keeper Admin Console. ![Download Beyond Identity Metadata](https://2503956294-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MB_i6vKdtG6Z2n6zWgJ%2Fuploads%2FojgJNfCcH1y7GfJpsWK6%2FKeeper-BeyondIdentity-Download-Metadata.png?alt=media\&token=1f2594d7-872e-498d-b718-e15d5892da24) 10\) Return to the Keeper Admin Console 11\) Click **Edit** on the Beyond Identity provisioning method to view the configuration settings. ![Click Edit to view the configuration screen](https://2503956294-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MB_i6vKdtG6Z2n6zWgJ%2Fuploads%2FnckRruJzShPhQ6nV2Zs8%2FKeeper-BeyondIdentity-Edit-Provisioning-Method.png?alt=media\&token=cec46484-ed9f-4b89-86a8-b291da2e98c6) 12\) Optionally enable **Just-In-Time Provisioning** to allow users to create accounts in the node by typing in the Enterprise Domain name when signing up. 13\) Under **SAML Metadata**, upload the metadata.xml file downloaded from the Beyond Identity Admin Console. ![Upload metadata and configure Just-In-Time Provisioning](https://2503956294-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MB_i6vKdtG6Z2n6zWgJ%2Fuploads%2F5iMNrP2oTrhwLsk4sZY5%2FKeeper-BeyondIdentity-Edit-Provisioning-Method-Details.png?alt=media\&token=0856049c-ba4e-44be-8a04-ffb9b00b7c37) ### **User Provisioning** Instructions on how to provision users with SSO Connect Cloud can be found [here](https://docs.keeper.io/en/sso-connect-cloud/end-user-login-flow). ### End User Login Users may login either using their enterprise domain or email address. #### **Login Using Email Address on desktop with Beyond Identity Authenticator installed** 1\) Navigate to the Keeper Vault 2\) Enter your email address and click **Next** 3\) You will now be logged in to your Keeper vault **Login Using Enterprise Domain on desktop with Beyond Identity Authenticator installed** 1\) Navigate to the Keeper Vault 2\) Click the **Enterprise SSO Login** dropdown and select **Enterprise Domain** 3\) Enter the Enterprise Domain name you specified in the Keeper portion of this walkthrough and click **Connect** 4\) You will now be logged in to your Keeper vault **Login Using Enterprise Domain with Beyond Identity installed for iOS or Android** 1\) Navigate to the Keeper Vault 2\) Tap **Use** **Enterprise SSO Login** dropdown 3\) Enter the Enterprise Domain you specified in the Keeper portion of this walkthrough and tap **Connect** 4\) Accept the push notification from the Beyond Identity App 5\) You will now be logged in to your Keeper vault **Login Using Email Address with Beyond Identity installed for iOS or Android** 1\) Open the Keeper App 2\) Enter your email address and click **Next** 3\) Accept the push notification from the Beyond Identity App 4\) You will now be logged in to your Keeper vault --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.keeper.io/en/sso-connect-cloud/passwordless-providers/beyond-identity.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.