Configuration of the Admin Console with Keeper SSO Connect Cloud™
Configuration of Keeper SSO Connect Cloud™ is very simple and should only take a few minutes if you've previously configured other service providers with your IdP. Please follow the general steps in this document.
Step 1. Visit the Keeper Admin Console for your region (US, EU, AU, CA, JP or US GovCloud) and log in as the Keeper Administrator.
Cloud SSO integration can only be applied to a node beneath the root node. Make sure to create a node for provisioning users and policies per the instructions below.
Step 2. After logging in, click on the Admin menu and select Add Node. This new node is where your SSO users will be provisioned.
Step 3. On the new node, select the Provisioning tab and click Add Method.
Step 4. Select Single Sign-On with SSO Connect Cloud™ and click Next.
Step 5. Enter the Configuration Name and Enterprise Domain. The Configuration Name will not be seen by your end users and allows you to manage multiple configurations. The Enterprise Domain will be used for logging in, therefore we recommend selecting a name that is unique and easy to remember.
Configuration Name: Internal use only, your users will not see this.
Enterprise Domain: Users will type in this name when authenticating in certain flows. It can be your domain name or any unique string.
Step 6. Click Save to proceed to the next step. Keeper will automatically open the "Edit Configuration" screen next.
Step 7. From the Edit Configuration screen, select your IdP (or "Generic"), upload the metadata file from your identity provider into Keeper and set up the 3 required attribute mappings. Note that Keeper works with any SAML 2.0 compatible identity provider.
There are a couple of additional options available here:
Enable IsPassive: We recommend leaving this off unless required by your IdP.
ForceAuthn: For customers who want to force a new SSO login session on every Keeper Vault login, turn this on.
Identity Provider: To assist you with the configuration of common identity providers, there is a drop-down "IDP Type" which allows you to select pre-defined setups. If your identity provider is not listed, please select "GENERIC".
SAML Metadata: Drag and drop the IdP Metadata file provided by your IdP into the Keeper configuration screen. This critical file provides Keeper with the URL endpoint and digital certificate to validate signed assertions.
Identity Provider Attribute Mappings: By default Keeper expects the first name, last name and email attributes to be named "First", "Last" and "Email"; the names can be changed here. Make sure your identity provider sends attributes with the names shown on this screen exactly as written (they are case sensitive).
Single Sign On Endpoint Preferences: This is advanced configuration and defaults to "Prefer HTTP post".
Step 8. At some point during your configuration of the IdP, you will need to enter a few parameters from Keeper such as "Entity ID" and "ACS URL". This information is available on the "View Configuration" screen: go back to the provisioning method and click "View".
Make note of the URLs provided on this screen; you may need to set them within your identity provider.
Entity ID: Also referred to as "SP Entity ID" or "Issuer". It is the unique identifier for the Keeper service provider and must be configured identically on both sides. Often the Entity ID is the same as the ACS URL endpoint.
Assertion Consumer Service Endpoint ("ACS URL"): This is the URL endpoint at Keeper to which your identity provider will send users after they authenticate. The data sent to Keeper will include a signed assertion that indicates if the user has successfully signed into the identity provider. The assertion is signed with the identity provider's private key. Keeper validates the signature with the identity provider's public key, which is provided in the IdP metadata file.
Single Logout Service Endpoint ("SLO"): This is the URL endpoint at Keeper to which your identity provider will send logout requests. Single Logout is optional and this is something you configure at your identity provider.
This information is also available in the Keeper XML metadata file which can be optionally downloaded by clicking "Export Metadata". Upload the metadata file to your identity provider if required.
If Just In Time provisioning is enabled, you can automatically route users to the identity provider when the user types in their email and clicks "Next" from the Vault login screen. This applies to all devices including Web Vault, Desktop App, Browser Extensions, iOS and Android apps.
Keeper maintains a list of "personal" domains, for example gmail.com and yahoo.com which cannot be reserved and allow the general public to create Keeper accounts with those domains, with a verified email.
If you would like to allow end-users to create personal or Enterprise accounts with your reserved domain outside of your enterprise tenant, please contact the Keeper support team and we can unlock this domain for you.
Identity Provider configuration for SSO Connect Cloud
The previous section of Admin Console Configuration applies to every SAML 2.0 compatible identity provider. To help with any IdP-specific configuration of common identity providers, we have added some helpful screens in this next section.
If your Identity Provider is not listed here, don't worry. Keeper is 100% compatible with all SAML 2.0 SSO identity providers and Passwordless authentication products. You can just follow the step by step instructions of a similar provider in the list above, and it will be generally the same setup flow.
(If you create a setup guide for your identity provider, please share it with us and we'll post it here!)
How to configure Keeper SSO Connect Cloud with Microsoft AD FS for seamless and secure SAML 2.0 authentication.
Please complete the steps in the Admin Console Configuration section first.
Inside the AD FS Management application, locate the Federation Metadata xml file. This can be found by clicking on AD FS > Service > Endpoints then locate the URL path in the "Metadata" section. The path is typically /FederationMetadata/2007-06/FederationMetadata.xml as seen below:
To download the metadata file, this can typically be found by loading the URL in the browser on the server. For example: https://localhost/FederationMetadata/2007-06/FederationMetadata.xml Download this file and save to the computer.
From the Keeper Admin Console SSO Cloud configuration screen, select "ADFS" as the IdP type and import the Federation Metadata file saved in the previous step.
Go back to the Provisioning screen and click on View.
Next, download the Keeper metadata file so it can be imported during the Relying Party Trust Wizard. Navigate to the view screen of the Keeper SSO Connect Cloud™ provisioning method.
Click the "Export Metadata" button to download the config.xml file. This will be used in a few steps ahead.
Important: Keeper's Cloud SSO SP Certificate is only valid for a year. On an annual basis, you will need to download the latest Keeper SP Cert from the Admin Console and upload this into the Relying Trust Party settings in AD FS.
Keeper notifies all affected customers when the certificate expiration is coming soon.
Create Keeper SSO Connect as a Relying Party Trust:
Import the Keeper Metadata file that was exported previously from Keeper SSO Connect Cloud view screen by completing the Relying Party Trust Wizard as seen in the steps below.
Select "Claims aware" in the Welcome screen and then select the metadata file saved from Keeper.
To prevent a logout error, change the SAML Logout Endpoints on the Relying Party Trust to: https://<YourADFSserverDomain>/adfs/ls/?wa=wsignout1.0
To map attributes between AD FS and Keeper, you need to create a Claim Issuance Policy with Send LDAP Attributes as Claims and map the LDAP attributes to Keeper Connect attributes.
Important: Ensure that 3 attributes ("First", "Last" and "Email") are configured with the exact spelling as seen above.
For Logout support we need to add two more Claim Issuance Policy rules:
To copy the syntax to add in the claims rule, copy the following text and paste it into the custom rule:
Incoming claim type: http://mycompany/internal/sessionid
Outgoing claim type: Name ID
Outgoing name ID format: Transient Identifier
a. Open Powershell as Administrator on the AD FS server. b. Identify your SSO Connect Relying Party Trust "Identifier" string which you can obtain by running:
c. Run the below command, replacing <Identifier> with the string found in step (b).
If you run Get-ADFSRelyingPartyTrust again, you'll see that the SamlResponseSignature section is set to "MessageAndAssertion".
From the services manager, restart AD FS service.
SAML assertion signing must be configured properly on your AD FS environment. If signing has not been configured, you will need to set this up, then exchange metadata again between AD FS and Keeper SSO Connect after the re-configuration.
If you need to disable certificate validation on the IdP for testing purposes or for internal PKI certificates, you can use the below Powershell commands. Replace <Identifier> with the string found in the "SAML Signing Configuration" instructions above.
Note: Any changes made to signing configuration may require exchange of XML metadata between IdP and SSO Connect.
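The cmdlets behind steps (b) and (c) above and the testing-only certificate validation change, as an added example rather than the page's own listing (the page's own command text did not survive extraction). It uses the standard AD FS module cmdlets; the display-name filter '*Keeper*' is an assumption (use whatever name you gave the relying party trust in the wizard), and the revocation-check change at the end is the relaxation the text describes for test or internal-PKI environments only.

```powershell
# Added example (not Keeper's own listing). Run in an elevated PowerShell on the AD FS server.
Import-Module ADFS

# (b) Find the Identifier of the Keeper relying party trust. Filtering on the display
#     name avoids reading through the full Get-AdfsRelyingPartyTrust output.
#     '*Keeper*' is an assumption: match the name you gave the trust in the wizard.
$rpt = Get-AdfsRelyingPartyTrust | Where-Object { $_.Name -like '*Keeper*' }
$rpt | Select-Object Name, Identifier, SamlResponseSignature, SigningCertificateRevocationCheck
$id = $rpt.Identifier | Select-Object -First 1      # this is the <Identifier> string

# (c) Sign both the SAML response message and the assertion. Keeper expects a signed
#     response; the AD FS default for a new trust is AssertionOnly.
Set-AdfsRelyingPartyTrust -TargetIdentifier $id -SamlResponseSignature MessageAndAssertion

# Verify the change, then restart the AD FS service so it takes effect.
(Get-AdfsRelyingPartyTrust -Identifier $id).SamlResponseSignature   # MessageAndAssertion
Restart-Service adfssrv

# Testing / internal PKI only: stop AD FS from checking revocation of Keeper's SP
# certificate. This disables CRL/OCSP checking for this trust; do not leave it in
# place in production, and re-exchange metadata if you change signing settings.
Set-AdfsRelyingPartyTrust -TargetIdentifier $id `
    -SigningCertificateRevocationCheck None `
    -EncryptionCertificateRevocationCheck None
```

If more than one trust matches the name filter, inspect the Select-Object output and set $id to the Keeper trust's Identifier by hand before running the Set-AdfsRelyingPartyTrust lines.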
Users created in the root node (top level) will need to be migrated to the sub node that the SSO integration was configured on. If users remain in the root node, they will be prompted for the master password when accessing the vault and/or admin console.
An admin cannot move themselves to the SSO-enabled node; another admin must perform this action.
After the user is moved to the SSO enabled node, they need to log into the Keeper vault initially by selecting the "Enterprise SSO" pull down and inputting in the Enterprise Domain configured on the SSO integration. The user may get prompted to confirm by entering in the master password.
Once the user has authenticated with SSO, they only need to use their email address moving forward to initiate SSO authentication.
How to configure Keeper SSO Connect Cloud with Amazon AWS SSO for seamless and secure SAML 2.0 authentication.
Please complete the steps in the Admin Console Configuration section first.
Log in to AWS and select AWS Single Sign-On.
On the SSO Dashboard, select Configure SSO access to your cloud applications.
On the Applications menu, select Add a new application.
Next, select Keeper Security and select Add.
Keeper is working with AWS to develop an Application Connector.
Fill in the Display name and Description (optional) in the application details section.
In the AWS SSO metadata section, select the download button to export the AWS SSO SAML metadata file. This file gets imported in the SSO Connect IdP Metadata section on the configuration screen.
Upload this file into the Keeper SSO Connect Cloud configuration screen in the Admin Console by either browsing to it or dragging and dropping it into the SAML Metadata area:
Next, download the Keeper metadata file and upload it as the application metadata in AWS SSO. Navigate to the view screen of the Keeper SSO Connect Cloud™ provisioning method.
Click the "Export Metadata" button to download the config.xml file.
Back on the AWS SSO application configuration, select the Select File button under the application metadata and choose the config.xml file downloaded in the step above.
After saving the changes, the message "Configuration for Keeper Password Manager has been saved" is displayed.
Note: The Keeper SSL certificate cannot be larger than 2048K, or AWS SSO rejects the metadata import with an error.
To work around this, either generate a smaller SSL certificate and re-export and import the metadata file, or manually set the ACS URL and Audience URL in the AWS SSO application configuration.
Next, select the Attribute mappings tab and confirm that the Keeper application attributes mapped from AWS SSO are correct (these should be set by default). The Subject maps to the AWS string value ${user:subject} with the format left blank or unspecified. The Keeper attributes are set as follows:
Note: If your AWS email is mapped to the AD UPN (which may not be the actual email address of your users) it can be re-mapped to the email address associated in the users AD profile.
To make this change, navigate to the Connected directory on the AWS SSO page.
Select the Edit attribute mappings button.
Change the AWS SSO email attribute from ${dir:windowsUpn} to ${dir:email} .
Select the Assigned users tab and then the Assign users button to select users or groups to assign to the application.
On the Assign Users window:
Select either Groups or Users
Type the name of a group or user
Select Search connected directory to initiate the search.
The results of the directory search will display under the search window.
Select the users/groups that are desired to have access to the application and then select the Assign users button.
Note: Keeper SSO Connect expects that the SAML response is signed. Ensure that your identity provider is configured to sign SAML responses.
Your Keeper SSO Connect setup is now complete!
Users created in the root node (top level) will need to be migrated to the sub node that the SSO integration was configured on. If users remain in the root node, they will be prompted for the master password when accessing the vault and/or admin console.
An admin cannot move themselves to the SSO-enabled node; another admin must perform this action.
After the user is moved to the SSO enabled node, they need to log into the Keeper vault initially by selecting the "Enterprise SSO" pull down and inputting in the Enterprise Domain configured on the SSO integration. The user may get prompted to confirm by entering in the master password.
Once the user has authenticated with SSO, they only need to use their email address moving forward to initiate SSO authentication.
They won't have to enter the Enterprise Domain. If typing in the email address and clicking Next does not route the user to the desired SSO, ensure that just-in-time provisioning is enabled in the Keeper SSO configuration and that your email domain is reserved by Keeper.
How to configure Keeper SSO Connect Cloud with Microsoft Entra ID (formerly Azure AD) for seamless and secure SAML 2.0 authentication.
Please complete the steps in the Admin Console Configuration section first.
Keeper is compatible with all Microsoft Azure AD / Entra ID environments for SAML 2.0 authentication and automated provisioning.
Keeper applications (including Web Vault, Browser Extension, Desktop App and iOS/Android apps) are 100% compatible with conditional access policies.
Keeper supports both commercial (portal.azure.com) and Azure Government Cloud (portal.azure.us) environments.
Please follow the below steps.
(1) Add the Keeper Enterprise Application
(2) Click on "New Application" then search for Keeper and select "Keeper Password Manager & Digital Vault".
(3) Click "Create" to create the application.
(4) Click on the "Set up single sign on" then click "SAML"
(5) On the Keeper Admin Console, export the SAML Metadata file.
Go to View -> Export Metadata
(6) Upload the metadata file into the Azure interface by selecting the "Upload metadata file" button, selecting the file just downloaded from the Keeper Admin Console and pressing the Add button.
(7) Azure will open up the SAML configuration screen.
The red error on the missing "Sign on URL" field is expected.
To fix the error, copy the URL from the "IDP Initiated Login Endpoint" from the Admin Console SSO Cloud instance "view" screen, and paste it into the "Sign on URL" field.
Single Logout Service Endpoint ("SLO")
This is the URL endpoint at Keeper to which your identity provider will send logout requests. Single Logout is optional and this is something you configure at your identity provider.
By default, Keeper will force a logout session with Entra/Azure after logging out. If you would like to remove this behavior, edit the Azure metadata file before uploading to Keeper and remove the SingleLogoutService line. For security reasons, we recommend keeping this in place.
(8) Click on Save then close the window with the SAML configuration.
(9) After saving, Azure will offer to test the configuration. Skip the test for now. Wait a couple of seconds, then reload the Azure portal page in the browser; a certificate should now appear in the "SAML Signing Certificate" section.
Click on "Download" under the Federation Metadata XML section:
(10) Upload the Metadata file into the Keeper Admin Console
In the Admin Console, select Azure as the Identity Provider type and import the Federation Metadata file saved in the previous step into the SAML Metadata section.
(11) Edit User Attributes & Claims
Under the User Attributes section, Azure will automatically create claims for User ID, First, Last and Email.
We recommend deleting the 4 claims in the "Additional Claims" section since they are not needed.
In your environment, if your user.userprincipalname (UPN) is not the same as the users actual email address, you can edit the Email claim and change it to user.mail as the value for the Email attribute.
In the Keeper Admin Console, the option to enforce a new login session with the identity provider is available. When ForceAuthn="true" is set in the SAML request, the Service Provider (Keeper) is telling the IdP that even though the user is already authenticated, they need to force a new authenticated session. This may be a desired behavior depending on your security policies and end-user environment.
Entra ID / Azure AD SAML signing certificates will expire after one year.
Ensure that you set yourself an annual calendar reminder to update the SAML certificate prior to expiration, or your Keeper users will not be able to login until it is updated.
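A check that covers both the metadata exchanged in the Entity ID / ACS / SLO steps of the Admin Console configuration and the annual certificate expiry warned about above (Keeper's SP certificate in the exported config.xml, the IdP's signing certificate in its federation metadata). This is an added example, not Keeper's or Microsoft's code: it parses a SAML 2.0 metadata file of either kind, lists the endpoints with their bindings, and reports how many days each embedded certificate has left. The sample metadata and the self-signed certificate it generates are constructed for the demo; the entity ID and URLs in it are placeholders.

```powershell
# Added example (not Keeper's or any IdP vendor's code). Works in Windows PowerShell 5.1
# on .NET Framework 4.7.2+ and in PowerShell 7.
function Get-SamlMetadataReport {
    param(
        [Parameter(Mandatory)][xml]$Metadata,
        [int]$WarnDays = 30          # flag certificates expiring within this many days
    )
    $ns = New-Object System.Xml.XmlNamespaceManager($Metadata.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

    $entity = $Metadata.SelectSingleNode('/md:EntityDescriptor', $ns)
    $report = [ordered]@{ EntityId = $entity.GetAttribute('entityID'); Endpoints = @(); Certs = @() }

    # Endpoints live under IDPSSODescriptor (IdP metadata) or SPSSODescriptor (Keeper's
    # exported config.xml); collect whichever are present together with their binding.
    $epXPath = '//md:SingleSignOnService | //md:AssertionConsumerService | //md:SingleLogoutService'
    foreach ($ep in $Metadata.SelectNodes($epXPath, $ns)) {
        $report.Endpoints += [pscustomobject]@{
            Type     = $ep.LocalName
            Binding  = ($ep.GetAttribute('Binding') -split ':')[-1]    # e.g. HTTP-POST
            Location = $ep.GetAttribute('Location')
        }
    }

    # Every KeyDescriptor carries an X.509 certificate; the one with use="signing" is what
    # the other side uses to validate signatures, so its expiry is the outage date.
    $now = [DateTime]::UtcNow
    foreach ($kd in $Metadata.SelectNodes('//md:KeyDescriptor', $ns)) {
        $use = $kd.GetAttribute('use'); if (-not $use) { $use = 'signing+encryption' }
        $b64  = ($kd.SelectSingleNode('.//ds:X509Certificate', $ns)).InnerText -replace '\s', ''
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($b64))
        $daysLeft = [int]($cert.NotAfter.ToUniversalTime() - $now).TotalDays
        $report.Certs += [pscustomobject]@{
            Use        = $use
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter.ToUniversalTime()
            DaysLeft   = $daysLeft
            Status     = if ($daysLeft -lt 0) { 'EXPIRED' } elseif ($daysLeft -le $WarnDays) { 'EXPIRING' } else { 'OK' }
        }
    }
    [pscustomobject]$report
}

# --- Constructed sample input (placeholder entity ID and URLs, not real Keeper or IdP data) ---
# A throw-away self-signed certificate with 20 days left, so the EXPIRING path is exercised.
# Nothing is written to the certificate store.
$rsa = [System.Security.Cryptography.RSA]::Create(2048)
$req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new('CN=idp.example.test', $rsa,
           [System.Security.Cryptography.HashAlgorithmName]::SHA256,
           [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$sampleCert = $req.CreateSelfSigned([DateTimeOffset]::UtcNow.AddDays(-345), [DateTimeOffset]::UtcNow.AddDays(20))
$b64 = [Convert]::ToBase64String($sampleCert.RawData)

[xml]$idpMetadata = @"
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>$b64</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.test/saml/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"@

$r = Get-SamlMetadataReport -Metadata $idpMetadata -WarnDays 30
"Entity ID: $($r.EntityId)"
$r.Endpoints | Format-Table -AutoSize
$r.Certs | Format-Table Use, NotAfter, DaysLeft, Status -AutoSize
```

To run it against real files, pass the downloaded metadata instead of the sample: Get-SamlMetadataReport -Metadata ([xml](Get-Content -Raw .\FederationMetadata.xml)) for the IdP side, or the exported config.xml for Keeper's SP certificate. Scheduling it to run monthly and alert on any EXPIRING or EXPIRED row is a cheap substitute for the calendar reminder the text recommends. Namespaces are matched by URI, so it does not matter which prefixes the IdP uses; AD FS federation metadata also contains WS-Federation RoleDescriptor certificates, which will appear in the report alongside the SAML ones.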
Users can be provisioned to the Keeper application through the Azure portal using manual or automated provisioning.
If only specific users or groups will be assigned to Keeper Password Manager the following setting will need to be changed. In your Azure console, navigate to Azure Active Directory > Enterprise Applications > Keeper Password Manager & Digital Vault and select Properties.
Change the User assignment required to Yes and then save. This will ensure only the user and groups assigned to the application will be able to use it.
On the Users and groups section select the users and/or groups that are to be provisioned to the Keeper application.
Users created in the root node (top level) will need to be migrated to the sub node that the SSO integration was configured on. If users remain in the root node, they will be prompted for the master password when accessing the vault and/or admin console.
An admin cannot move themselves to the SSO enabled node. It requires another admin to perform this action.
If the domain is not reserved, the user can login into the Keeper vault initially by selecting the "Enterprise SSO" pull down and inputting in the Enterprise Domain configured on the SSO integration. The user may get prompted to confirm by entering in the master password if they were recently moved from a non-SSO node to the SSO node.
Once the user has authenticated with SSO, they only need to use their email address moving forward to initiate SSO authentication.
Keeper supports IdP-initiated login with Azure. Users can simply visit their Microsoft Apps Dashboard and click the Keeper icon.
How to configure Keeper SSO Connect Cloud with DUO SSO for seamless and secure SAML 2.0 authentication.
Please complete the steps in the Admin Console Configuration section first.
These instructions assume Duo has already been successfully enabled and configured with an authentication source (Active Directory or IdP). To activate Duo SSO, visit your Duo Admin Panel and visit the "Single Sign-On" section.
Log in to the Duo Admin Panel and click Protect an Application. Search for Keeper and choose Keeper Security with type "2FA with SSO hosted by Duo (Single Sign-On)" in the applications list then click "Protect" (shown below as Configure).
The Download section is where you can download the SAML metadata file to upload into your SSO provisioning method.
Back on the Keeper Admin console, locate your DUO SSO Connect Cloud Provisioning method and select Edit.
Scroll down to the Identity Provider section, set IDP Type to DUO SSO, select Browse Files and select the DUO Metadata file previously downloaded.
Still within the Keeper Admin Console, exit Edit View and select View on your DUO SSO Connect Cloud Provisioning method. Within the Service Provider section you will find the metadata values for the Entity ID, IDP Initiated Login Endpoint and Assertion Consumer Service (ACS) Endpoint.
Single Logout Service (SLO) Endpoint is optional.
Return to the application page in your Duo Admin Panel and copy and paste the Entity ID, Login Endpoint and ACS Endpoint into the Service Provider section.
Within the SAML Response section, scroll down to Map attributes and map the following attributes.
Ensure that 3 attributes ("First", "Last" and "Email") are configured with the exact spelling as seen below.
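The attribute names "First", "Last" and "Email" must be spelled exactly, and Keeper expects the SAML response to be signed (the AD FS instructions set the trust to MessageAndAssertion for this reason). When a login fails after setup, the fastest way to see what the IdP actually sent is to capture the SAMLResponse from the browser with a SAML tracer extension and decode it. The following is an added example, not Keeper's or Duo's code: it decodes a base64 SAMLResponse, checks the attribute names case-sensitively, and reports whether the response message and the assertion each carry a signature element (presence only, not signature validity). The sample response is constructed to show a typical misconfiguration; its issuer and destination URLs are placeholders.

```powershell
# Added example (not Keeper's or any IdP vendor's code).
function Test-KeeperSamlResponse {
    param(
        [Parameter(Mandatory)][string]$Base64SamlResponse,
        [string[]]$RequiredAttributes = @('First', 'Last', 'Email')   # Keeper's default names
    )
    # HTTP-POST binding (Keeper's default) carries the plain XML base64-encoded.
    $xmlText = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($Base64SamlResponse))
    [xml]$doc = $xmlText
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol')
    $ns.AddNamespace('saml',  'urn:oasis:names:tc:SAML:2.0:assertion')
    $ns.AddNamespace('ds',    'http://www.w3.org/2000/09/xmldsig#')

    $findings = @()
    # Attribute names are compared with -ceq (case sensitive): "email" or "FirstName" do not count.
    $present = @($doc.SelectNodes('//saml:AttributeStatement/saml:Attribute', $ns) | ForEach-Object { $_.GetAttribute('Name') })
    foreach ($name in $RequiredAttributes) {
        if (-not ($present | Where-Object { $_ -ceq $name })) {
            $close = $present | Where-Object { $_ -ieq $name -or $_ -like "*$name*" }
            $findings += "missing attribute '$name'" + $(if ($close) { " (found '$($close -join "','")' instead; names are case sensitive)" })
        }
    }
    # Signature presence on the message and on the assertion (AD FS MessageAndAssertion signs both).
    $responseSigned  = $null -ne $doc.SelectSingleNode('/samlp:Response/ds:Signature', $ns)
    $assertionSigned = $null -ne $doc.SelectSingleNode('/samlp:Response/saml:Assertion/ds:Signature', $ns)
    if (-not $responseSigned)  { $findings += 'response message is not signed' }
    if (-not $assertionSigned) { $findings += 'assertion is not signed' }

    [pscustomobject]@{
        Destination     = $doc.DocumentElement.GetAttribute('Destination')  # should equal Keeper's ACS URL
        Attributes      = $present
        ResponseSigned  = $responseSigned
        AssertionSigned = $assertionSigned
        Findings        = $findings
        Ok              = ($findings.Count -eq 0)
    }
}

# --- Constructed sample (not a real IdP response): the IdP sends "FirstName", "LastName"
# and "email", and signs only the assertion. Issuer and Destination are placeholders. ---
$sampleXml = @'
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://keeper.example.test/acs">
  <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
    <ds:Signature><ds:SignatureValue>...</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="FirstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="LastName"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="email"><saml:AttributeValue>alice@example.test</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
'@
$encoded = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($sampleXml))
$result  = Test-KeeperSamlResponse -Base64SamlResponse $encoded
$result | Format-List Destination, ResponseSigned, AssertionSigned, Ok
$result.Findings
```

Paste the URL-decoded SAMLResponse value from the tracer into -Base64SamlResponse. The decode above is for the HTTP-POST binding, which is Keeper's default ("Prefer HTTP post"); a response sent over the HTTP-Redirect binding is DEFLATE-compressed before base64 and would need to be inflated first. The Destination field should match the ACS URL shown on Keeper's View Configuration screen.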
The Policy section defines when and how users will authenticate when accessing this application. Your global policy always applies, but you can override its rules with custom policies.
In the Global Policy section, review and verify the global policy with your Duo and/or Keeper administrator.
Success! Your Keeper Security EPM - Single Sign-On setup is now complete!
If you need assistance implementing the Keeper Security EPM - Single Sign-On application within your DUO environment, please contact the Keeper support team.
Users created in the root node (top level) in the Keeper Admin Console will need to be moved to the SSO node if you want the users to login with Duo. An admin cannot move themselves to the SSO enabled node, another admin must perform this action.
To onboard with the Enterprise Domain, the user can select the "Enterprise SSO" pull down and type in the Enterprise Domain configured in the Keeper Admin Console.
Once the user has authenticated with SSO for the first time, they only need to use their email address next time to initiate SSO authentication.
Enable Just-In-Time Provisioning: To allow users to self-onboard to your Keeper enterprise tenant, enable the Just-In-Time provisioning feature. It is enabled by default. Just-In-Time provisioning also routes new users with your domain name automatically to the SSO provider if the domain has been reserved with Keeper. If you plan to use the Keeper Bridge for provisioning users instead of Just-In-Time SSO provisioning, leave this option OFF.
After configuring Keeper SSO Connect Cloud on the Admin Console, the next step is to set up the application in the identity provider. See the Identity Provider configuration section.
Running the Get-ADFSRelyingPartyTrust command generates a long list of output; look for the SSO Connect section and its "Identifier" string, which will look something like:
Go to your Azure Admin account and click on Azure Active Directory > Enterprise Applications. Note: If you already have a Keeper application set up for SCIM provisioning, you can edit the existing application.
For US Public Sector entities, log in to the Azure Government portal (portal.azure.us) and follow the same steps as outlined in this document.
For any reserved domain that has just-in-time provisioning enabled, the user can simply type in their email address on the Vault login screen and they will be routed to the correct SSO provider. From there, the user can create their vault or log in to an existing vault.
This will load their assigned Keeper application and the user can click the icon.
After the user is moved to the SSO-enabled node, they can log in to the Keeper vault by simply typing their email address and clicking "Next". If this does not work, ensure that your email domain (e.g. company.com) has been reserved by Keeper and that Just-In-Time provisioning is enabled.