1 of 62

SSO Connect Cloud

Keeper SSO Connect Cloud

Enhance and Extend Your SSO and Passwordless Solution

Keeper SSO Connect is a Cloud-based SAML 2.0 service that seamlessly and quickly integrates with your existing Single Sign-On and Passwordless solution - enhancing and extending it with zero-knowledge password management and encryption. Keeper supports all popular SSO IdP platforms such as Microsoft Entra ID / Azure, Okta, Google Workspace, Centrify, Duo, OneLogin, Ping Identity, JumpCloud and many more.

Product Page

https://www.keepersecurity.com/keeper-sso-connect.html

IdP Compatibility

Keeper SSO Connect, included with Keeper Enterprise, seamlessly integrates with all popular SSO IdP platforms.

In addition to SSO providers, Keeper also seamlessly integrates with all popular Passwordless authentication platforms that support SAML 2.0 including Duo, HYPR, Trusona, Octopus, Traitware and Veridium.

Why Keeper SSO Connect

Pairing your SSO solution with Keeper's secure password manager solves several major functional and security gaps.

Use Case

Keeper Password Manager

SSO Identity Provider

Password-Based Apps

✅

Shared Passwords & Secrets

✅

Encrypted Data Storage

✅

Social Media Sites

✅

Native Apps

✅

Offline Access

✅

SSH Keys

✅

Encrypted Private Files

✅

Zero-Knowledge Encryption

✅

SAML-Based Apps

✅ [via SSO Connect Cloud]

Overview

High level overview of Keeper SSO Connect™ Cloud

End-to-End Password Protection Across Your Data Environment

Simply by authenticating through your existing IdP, your employees gain access to all of the capabilities of the top-rated Keeper password management platform, including:

Secure digital vault that can be accessed from any device, running any OS
Automatic password generation & autofill on all devices
Compatibility on any system, browser or app
Zero-knowledge encryption of vault data

This service does not require any on-premises or customer cloud-hosted services and there are no Master Passwords. Configuration is done directly between the IdP and Keeper's Admin Console.

To preserve Zero Knowledge, an Elliptic Curve public/private key pair is generated for each device. The private key on the device encrypts and decrypts the user's vault. Signing into a new device requires a key exchange that is processed by our Keeper Push feature or approved by a designated Admin. Automated admin approvals can be configured in several different ways.

Setup Steps

Important: SSO users and provisioning must exist in a dedicated node that you will create (not in the root node). Before completing these steps, create a new node as shown in the image below.

Keeper SSO Connect Cloud can be rolled out in 3 easy steps:

Create a SSO Connect Cloud instance on the Keeper Admin Console under Provisioning
Exchange metadata with your SAML identity provider
Set up automated provisioning and/or manually provision users to Keeper

Device Approvals

An Administrative Permission called "Approve Devices" allows an Administrator to perform device approvals. Admin Approvals can also be automated. See the Device Approval section for details.

A unique "device" includes physical devices as well as browsers and browser profiles.

Benefits

From an administrator's perspective, the cost, risk & labor saving benefits of Keeper SSO Connect Cloud are significant:

Easy setup, all in one place in Keeper’s existing Admin Console.
No hosted software to integrate with the IdP
No additional server costs
No patching software
Eliminates a potential single point of failure
Available 24/7/365 on Keeper’s high availability systems

Admin Console Configuration

Configuration of the Admin Console with Keeper SSO Connect Cloud™

Configuration of Keeper SSO Connect Cloud™ is very simple and should only take a few minutes if you've previously configured other service providers with your IdP. Please follow the general steps in this document.

Step 1. Visit the Keeper Admin Console and login as the Keeper Administrator. US: EU: AU: CA: JP: US GovCloud:

Cloud SSO integration can only be applied to a node beneath the root node. Make sure to create a node for provisioning users and policies per the instructions below.

Step 2. After logging in, click on the Admin menu and select Add Node. This new node is where your SSO users will be provisioned.

Step 3. On the new node, select the Provisioning tab and click Add Method

Step 4. Select Single Sign-On with SSO Connect Cloud™ and click Next

Step 5. Enter the Configuration Name and Enterprise Domain. The Configuration Name will not be seen by your end users and allows you to manage multiple configurations. The Enterprise Domain will be used for logging in, therefore we recommend selecting a name that is unique and easy to remember.

Configuration Name: Internal use only, your users will not see this.
Enterprise Domain: Users will type in this name when authenticating in certain flows. It can be your domain name or any unique string.
Enable Just-In-Time Provisioning: To allow users the ability to self-onboard to your Keeper enterprise tenant, enable the Just-in-Time provisioning feature. This is enabled by default. Just-In-Time Provisioning also allows new users with your domain name to automatically route to the SSO provider if the domain has been . If you are planning to use the Keeper Bridge for provisioning users instead of Just-In-Time SSO provisioning, please leave this option OFF.

Step 6. Click Save to proceed to the next step. Keeper will automatically open the "Edit Configuration" screen next.

Step 7. From the Edit Configuration screen, select your IdP (or "Generic"), upload the metadata file from your identity provider into Keeper and set up the 3 required attribute mappings. Note that Keeper works with any SAML 2.0 compatible identity provider.

There are a couple of additional options available here:

Enable IsPassive: We recommend leaving this off unless required by your IdP.
ForceAuthn: For customers who want to force a new SSO login session on every Keeper Vault login, turn this on.

Identity Provider: To assist you with the configuration of common identity providers, there is a drop-down "IDP Type" which allows you to select pre-defined setups. If your identity provider is not listed, please select "GENERIC".
SAML Metadata: Drag and drop the IdP Metadata file provided by your IdP into the Keeper configuration screen. This critical file provides Keeper with the URL endpoint and digital certificate to validate signed assertions.
Identity Provider Attribute Mappings: Keeper expects First Name, Last Name and Email to be called "First", "Last" and "Email" by default, but this can be changed. Make sure your identity provider is mapping to the field names on this screen exactly as written (case sensitive!).
Single Sign On Endpoint Preferences: This is advanced configuration and defaults to "Prefer HTTP post".

Step 8. At some point during your configuration with the IdP, you'll need to enter a few parameters from Keeper such as "Entity ID" and "ACS URL". This information is available on the "View Configuration" screen. You can get here by going back then clicking on "View".

Make note of the URLs that are provided on this screen that you may need to set within your identity provider.

Entity ID: This can be referred to as "SP Entity ID", or "Issuer". It's basically a unique identifier that must be known by both sides. Often times, the Entity ID is the same as the ACS URL endpoint.
Assertion Consumer Service Endpoint ("ACS URL"): This is the URL endpoint at Keeper to which your identity provider will send users after they authenticate. The data sent to Keeper will include a signed assertion that indicates if the user has successfully signed into the identity provider. The assertion is signed with the identity provider's private key. Keeper validates the signature with the identity provider's public key, which is provided in the IdP metadata file.
Single Logout Service Endpoint ("SLO"): This is the URL endpoint at Keeper to which your identity provider will send logout requests. Single Logout is optional and this is something you configure at your identity provider.

This information is also available in the Keeper XML metadata file which can be optionally downloaded by clicking "Export Metadata". Upload the metadata file to your identity provider if required.

Domain Reservation and Just-In-Time provisioning

If Just In Time provisioning is enabled, you can automatically route users to the identity provider when the user types in their email and clicks "Next" from the Vault login screen. This applies to all devices including Web Vault, Desktop App, Browser Extensions, iOS and Android apps.

Keeper maintains a list of "personal" domains, for example gmail.com and yahoo.com which cannot be reserved and allow the general public to create Keeper accounts with those domains, with a verified email.

If you would like to allow end-users to create personal or Enterprise accounts with your reserved domain outside of your enterprise tenant, please contact the Keeper support team and we can unlock this domain for you.

After configuring Keeper SSO Connect Cloud on the Admin Console the next step is to setup up the application in the Identity Provider. See the section.

SSO Identity Providers

Identity Provider configuration for SSO Connect Cloud

The previous section of Admin Console Configuration applies to every SAML 2.0 compatible identity provider. To help with any IdP-specific configuration of common identity providers, we have added some helpful screens in this next section.

If your Identity Provider is not listed here, don't worry. Keeper is 100% compatible with all SAML 2.0 SSO identity providers and Passwordless authentication products. You can just follow the step by step instructions of a similar provider in the list above, and it will be generally the same setup flow.

(If you create a setup guide for your identity provider, please share it with us and we'll post it here!)

Auth0

How to configure Keeper SSO Connect Cloud with Auth0 for seamless and secure SAML 2.0 authentication.

Please complete the steps in the Admin Console Configuration section first.

Auth0 SSO Configuration

Select the Applications tab and click Create Application. Choose Regular Web Applications.

Next, go to the Addons tab and click SAML2 WEB APP.

On the Settings page that comes up next, you will need the “Assertion Consumer Service (ACS) Endpoint” that comes from the Keeper Admin Console.

Example Assertion Consumer Service (ACS) Endpoint: https://keepersecurity.com/api/rest/sso/saml/XXXXXXXX

This value can be found under the SSO Connect Cloud configuration as part of the Service Provider information, as seen below:

Paste the Assertion Consumer Service (ACS) Endpoint into the Application Callback URL field in the Auth0 screen.

Next, remove the sample JSON in the SAML2 Web App editor window, and replace with the following:

{
  "audience": "https://keepersecurity.eu/api/rest/sso/saml/XXXXX",
  "mappings": {
    "email": "Email",
    "given_name": "First",
    "family_name": "Last"
  },
  "createUpnClaim": false,
  "passthroughClaimsWithNoMapping": false,
  "mapUnknownClaimsAsIs": false,
  "mapIdentities": false,
  "nameIdentifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
  "nameIdentifierProbes": [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
  ]
}

The value for “audience” is the Entity ID. This can also be found under the SSO Connect Cloud configuration as part of the Service Provider information:

Once you've added the Entity ID, you can click the Debug button to verify there are no formatting issues.

Next, scroll down to the bottom of the SAML2 Web App window and click Save.

Next, click on the Usage tab and download the Identity Provider Metadata file.

On the Keeper side, edit the SSO configuration and select GENERIC as the IDP Type. You can upload the metadata.xml file into the Keeper SSO Connect interface by browsing to or dragging and dropping the file into the Setup screen:

Move existing users/initial admin to SSO authentication

Users created in the root node (top level) will need to be migrated to the sub node that the SSO integration was configured on. If users remain in the root node, they will be prompted for the master password when accessing the vault and/or admin console.

An admin can not move themselves to the SSO enabled node. It requires another admin to perform this action.

After the user is moved to the SSO enabled node, they need to log into the Keeper vault initially by selecting the "Enterprise SSO" pull down and inputting in the Enterprise Domain configured on the SSO integration. The user may get prompted to confirm by entering in the master password.

Once the user has authenticated with SSO, they only need to use their email address moving forward to initiate SSO authentication. They won't have to enter the Enterprise Domain.

If typing in the email address and clicking Next does not route the user to the desired SSO, ensure that just-in-time provisioning is enabled in the Keeper SSO configuration and ensure that your email domain is reserved by Keeper. More information regarding routing and domain reservation can be found here.

DUO SSO

How to configure Keeper SSO Connect Cloud with DUO SSO for seamless and secure SAML 2.0 authentication.

Please complete the steps in the Admin Console Configuration section first.

Duo Setup

These instructions assume Duo has already been successfully enabled and configured with an authentication source (Active Directory or IdP). To activate Duo SSO, visit your Duo Admin Panel and visit the "Single Sign-On" section.

Step 1: DUO SSO Configuration

Log in to the Duo Admin Panel and click Protect an Application. Search for Keeper and choose Keeper Security with type "2FA with SSO hosted by Duo (Single Sign-On)" in the applications list then click "Protect" (shown below as Configure).

Step 2: Metadata

The Download section is where you can download the SAML metadata file to upload into your SSO provisioning method.

Back on the Keeper Admin console, locate your DUO SSO Connect Cloud Provisioning method and select Edit.

Scroll down to the Identity Provider section, set IDP Type to DUO SSO, select Browse Files and select the DUO Metadata file previously downloaded.

Still within the Keeper Admin Console, exit Edit View and select View on your DUO SSO Connect Cloud Provisioning method. Within the Service Provider section you will find the metadata values for the Entity ID, IDP Initiated Login Endpoint and Assertion Consumer Service (ACS) Endpoint.

Single Logout Service (SLO) Endpoint is optional.

Return to the application page in your Duo Admin Panel, copy and Paste the Entity ID, Login Endpoint and ACS Endpoint into the Service Provider section.

Step 3: Map User Attributes

Within the SAML Response section, scroll down to Map attributes and map the following attributes.

Ensure that 3 attributes ("First", "Last" and "Email") are configured with the exact spelling as seen below.

Step 4: Policy (optional)

Within the Policy section, defines when and how users will authenticate when accessing this application. Your global policy always applies, but you can override its rules with custom policies.

Step 5: Global Policy

Within the Global Policy section, Review / Edit / Verify any Global Policy as seen by your DUO and or Keeper administrator.

Success! Your Keeper Security EPM - Single Sign-On setup is now complete!

Troubleshooting

If you need assistance implementing the Keeper Security EPM - Single Sign-On application within your DUO environment, please contact the Keeper support team.

Moving Existing Users to Duo SSO

Users created in the root node (top level) in the Keeper Admin Console will need to be moved to the SSO node if you want the users to login with Duo. An admin cannot move themselves to the SSO enabled node, another admin must perform this action.

After the user is moved to the SSO enabled node, they can login to the Keeper vault by simply typing their email address and clicking "Next". If this does not work, please ensure that your email domain (e.g. company.com) has been reserved to your enterprise and ensure that Just-In-Time provisioning is enabled.

To onboard with the Enterprise Domain, the user can select the "Enterprise SSO" pull down and type in the Enterprise Domain configured in the Keeper Admin Console.

Once the user has authenticated with SSO for the first time, they only need to use their email address next time to initiate SSO authentication.

F5

How to configure Keeper SSO Connect Cloud with F5 BIG-IP APM for seamless and secure SAML 2.0 authentication.

Please complete the steps in the section first.

F5

On the F5 BIG-IP APM, configure a new SAML IdP service for your Keeper platform: Go to Access Policy -> SAML -> BIG-IP as IdP -> Local IdP services

Navigate to: Access Policy > SAML : BIG-IP as IdP - Local IdP Services. Select your applicable IdP connection point and "Export Metadata".

Import the Metadata file extracted from F5 BIG-IP APM into SSO Connect Cloud instance and select F5 as the IDP Type.

Select Save to save the configuration and verify all settings look correct. Export the Keeper SSO Connect Cloud Metadata file for configuration of F5 BIG-IP APM from the Export Metadata link.

Your Keeper SSO Connect setup is now complete!

HENNGE

How to configure Keeper SSO Connect Cloud with HENNGE for seamless and secure SAML 2.0 authentication.

Please complete the steps in the section first.

HENNGE SSO Configuration

(1) Log into the HENNGE Administrator console.

Click the Administration tile on the menu.

(2) Next, Select the Connected Services menu item and click Add Service.

On the "Add New Service" page, Click the Add Service Manually at "Add Service for SSO" menu.

(3) Set the Service name to “Keeper Password Manager and Digital Vault” or whatever you prefer, and Add the Attributes Email claim with the value "UsePrincipleName (UPN)", then Click the Submit button.

In your environment, if your user.userprincipalname (UPN) is not the same as the users actual email address, you can edit the Email claim and change it to user.mail as the value for the Email attribute.

Now you can see all values required for Keeper side configuration at Step (5). Click X at the right up and Leave this page for now.

On the Connected Services menu area, Click the Service Name you created and then click the "Upload Using Metadata" button.

The Keeper metadata is available on the admin console. Go to the provisioning instance -> View -> Export Metadata

(4) After the metadata has been uploaded, head back to the HENNGE Connected Service configuration page and input the Login URL as such https://keepersecurity.com/api/rest/sso/ext_login/<YourSSOIdHere>.

Your SSO ID can be found at the end of your SP Entity ID. Ex: https://keepersecurity.com/api/rest/sso/saml/3534758084794

Complete the configuration by scrolling to the bottom of the page and select the Save Changes button.

(5) Last step is to export the metadata from this connector to import it into the Keeper SSO Connect Cloud™.

Set the IDP Type to GENERIC and upload this file into the Keeper SSO Connect Cloud™ provisioning interface by dragging and dropping the file into the edit screen:

Assign Users

From HENNGE, you can now add users at Access Policy section on the User list page, or groups at Allowed services section on Access Policy Groups page.

Your Keeper SSO Connect setup is now complete!

Move existing users/initial admin to SSO authentication

An admin can not move themselves to the SSO enabled node. It requires another admin to perform this action.

Once the user has authenticated with SSO, they only need to use their email address moving forward to initiate SSO authentication.

They won't have to enter the Enterprise Domain. If typing in the email address and clicking Next does not route the user to the desired SSO, ensure that just-in-time provisioning is enabled in the Keeper SSO configuration and ensure that your email domain is reserved by Keeper. More information regarding routing and domain reservation .

JumpCloud

How to configure Keeper SSO Connect Cloud with JumpCloud for seamless and secure SAML 2.0 authentication.

Please complete the steps in the section first.

JumpCloud

(1) Log into the JumpCloud Administrator console.

Select the SSO tab on the side menu.

(2) Next, select the + icon in the upper left corner.

On the "Get Started with SSO Application page, search for Keeper in the search bar. Select Configure on the Keeper Application.

(3) Next, on Keeper Application connector page, General Info section set the Display Label: Keeper Security Password Manager

On the Single Sign-On Configuration area, click the "Upload Metadata" button.

The Keeper metadata is available on the admin console. Go to the provisioning instance -> View -> Export Metadata

(4) After the metadata has been uploaded, head back to the JumpCloud SSO configuration page and input the Login URL as such https://keepersecurity.com/api/rest/sso/ext_login/<YourSSOIdHere>.

Your SSO ID can be found at the end of your SP Entity ID. Ex: https://keepersecurity.com/api/rest/sso/saml/459561502469

Complete the configuration by scrolling to the bottom of the page and select the activate button.

(5) Last step is to export the metadata from this connector to import it into the Keeper SSO Connect Cloud™.

Set the IDP Type to GENERIC and upload this file into the Keeper SSO Connect Cloud™ provisioning interface by dragging and dropping the file into the edit screen:

Your Keeper SSO Connect setup is now complete!

User Provisioning SSO+SCIM

JumpCloud® supports Automated User and Team Provisioning with SCIM (System for Cross Domain Identity Management) which will update and deactivate Keeper user accounts as changes are made in JumpCloud®. Step-by-Step instructions can be found here,

Move existing users/initial admin to SSO authentication

An admin can not move themselves to the SSO enabled node. It requires another admin to perform this action.

Once the user has authenticated with SSO, they only need to use their email address moving forward to initiate SSO authentication.

Okta

How to configure Keeper SSO Connect Cloud with Okta for seamless and secure SAML 2.0 authentication.

Please complete the steps in the section first.

Okta SSO Configuration

Select the Applications menu item and click Browse App Catalog.

Search for “Keeper Password Manager”, and then select the Add button for the Keeper Password Manager and Digital Vault application.

On the General Settings page that comes up next, you need the "Entity ID" that comes from the Keeper Admin Console.

Example Server Base URL: https://keepersecurity.com/api/rest/sso/saml/XXXXXXXX

The value for XXXXXXXX represents the specific SSO Connect instance associated with your enterprise and can be found on the Admin Console SSO configuration as part of the Service Provider information, as seen below:

Paste the Entity ID into the Server Base URL field in the Okta screen.

Select the Sign On tab.

Scroll down to the SAML Signing Certificates configuration section, and select Actions > View IdP metadata.

Save the resulting XML file to your computer. In Chrome, Edge and Firefox, select File > Save Page As... and save the metadata.xml file.

In the Keeper Admin Console, Edit the SSO configuration then Select OKTA as the IDP Type and upload the metadata.xml file into the Keeper SSO Connect interface by browsing to or dragging and dropping the file into the Setup screen:

(Optional) Enable Single Logout

If you would like to enable the Single Logout feature in Okta, go to the Sign On tab and click Edit. Click the Enable Single Logout checkbox and then upload the SP Cert which comes from the Keeper Admin Console.

To first download the SP Cert, view the SSO configuration on Keeper and click the Export SP Cert button.

Upload the SP cert file and be sure to click Save to save the Sign On settings in Okta.

If you have changed the Single Logout Setting, you'll have to download the latest Okta metadata file once again, and upload the new metadata.xml file into Keeper on the SSO edit screen.

From the Actions menu, select View IdP metadata.

Save the resulting XML file to your computer. In Chrome, Edge and Firefox, select File > Save Page As... and save the metadata.xml file.

In the Keeper Admin Console, Edit the SSO configuration then upload the new metadata.xml file into the Keeper SSO Connect interface by browsing to or dragging and dropping the file into the Setup screen.

Okta SCIM Provisioning

To enable Okta SCIM user and group provisioning please follow the instructions found within the Keeper Enterprise Guide:

Assign Users

From Okta, you can now add users or groups on the Assignments page. If you have activated SCIM provisioning per the instructions then the user will be instantly provisioned to Keeper.

Move existing users/initial admin to SSO authentication

An admin cannot move themselves to the SSO enabled node. It requires another admin to perform this action.

Once the user has authenticated with SSO, they only need to use their email address moving forward to initiate SSO authentication.

OneLogin

How to configure Keeper SSO Connect Cloud with OneLogin for seamless and secure SAML 2.0 authentication and SCIM provisioning.

Please complete the steps in the Admin Console Configuration section first.

OneLogin Setup:

2. Select Administration to enter the admin section.

3. From the onelogin menu select Applications then Add App.

In the Search field, do a search for Keeper Password Manager and select it from the search result.

4. On the Add Keeper Manager screen click Save.

5. The next step is to download the SAML Metadata from OneLogin. Select the down arrow on the MORE ACTIONS button and select SAML Metadata.

Drag and drop or browse to this saved file on the SAML Metadata Section of the Single Sign-On with SSO Connect™ Cloud section on the Keeper Admin Console.

6. On the Keeper Admin Console, copy the Assertion Consumer Service (ACS) Endpoint field.

7. Back on the OneLogin Configuration tab, paste in the Keeper SSO Connect Assertion Consumer Service (ACS) Endpoint field and then click Save.

8. If SCIM is desired then go back on the Keeper Provisioning tab, click on "Add Method" and select SCIM. If not skip to step to step 12.

9. Click Generate then copy the URL and Token.

10. Paste the "URL" into the SCIM Base URL, and paste the "Token" into the SCIM Bearer Token.

11. On the Keeper Admin Console make sure to Save the SCIM token.

For more detailed configuration of SCIM visit the User and Team Provisioning section in the Enterprise Guide

12. Click Save and the integration is complete.

Move existing users/initial admin to SSO authentication

An admin can not move themselves to the SSO enabled node. It requires another admin to perform this action.

Once the user has authenticated with SSO, they only need to use their email address moving forward to initiate SSO authentication.

Ping Identity (PingOne)

How to configure Keeper SSO Connect Cloud with Ping Identity for seamless and secure SAML 2.0 authentication.

Please complete the steps in the Admin Console Configuration section first.

Ping Identity Configuration

In your existing Environment click Manage Environment.

On the left, click Applications > Application Catalog > Search "Keeper" and select "Keeper Password Manager"

On the Application Details page, add the following data:

Keeper Security Domain: keepersecurity.com
Keeper Security Identifier: Can be found in the admin console under Entity ID https://keepersecurity.com/api/rest/sso/saml/<Identifier>
- Log in to the Keeper Admin Console at https://keepersecurity.com/console/.
- In the left panel, go to Admin and select a sub-node (not the root).
- Navigate to Provisioning → Add Method → Single Sign-On with SSO Connect® Cloud.
- Enter a configuration name, add your domain, and click Save.
- After the SSO configuration is created, click the three-dot menu (⋮) next to it and select View to display the Entity ID.
Once that is complete we can save and move on to the next steps.

Next, we can add the Groups who will be accessing the Keeper Application and click Save.

Click Download Metadata as we will upload this to Keeper in the next step.

On the Edit screen of the Keeper SSO Connect Cloud provisioning select "Generic" as the IDP Type and upload the saml2-metadata-idp xml file into the Keeper SSO Connect interface by browsing to or dragging and dropping the file into the Setup screen:

The Keeper Application should be added and enabled.

Your Keeper SSO Connect setup is now complete!

Move existing users/initial admin to SSO authentication

An admin can not move themselves to the SSO enabled node. It requires another admin to perform this action.

Once the user has authenticated with SSO, they only need to use their email address moving forward to initiate SSO authentication.

PingOne

How to configure Keeper SSO Connect Cloud with PingOne for seamless and secure SAML 2.0 authentication.

Please complete the steps in the Admin Console Configuration section first. Legacy Ping Identity users who are not on PingOne should view our Ping Identity documentation.

PingOne

From the PingOne console menu, select Applications > Application Catalog

Search "Keeper" and click on the "Keeper Password Manager - Cloud SSO" link to add the Keeper Password Manager application

Click Setup to proceed to the next step

Click "Continue to Next Step"

From the Keeper Admin Console, view the PingOne SSO Connect Cloud entry and click Export Metadata and save it in a safe location for future use. Also click Export SP Cert and save it in a safe location for future use.

From the PingOne Admin Console, click Select File next to "Upload Metadata" and browse to the saved metadata file from the Keeper Admin Console. This should populate the "ACS URL" and "Entity ID" fields with the proper datapoints.

Click on Choose File next to "Primary Verification Certificate" and browse to the saved .crt file from the Keeper Admin Console. Click on the checkbox next to "Encrypt Assertion" and then click Choose File next to "Encryption Certificate". Browse to the same saved .crt file from the Keeper Admin Console.

Validate the certificate and click "Continue to Next Step".

Enter the appropriate values associated with each attribute (see below image) and click Continue to Next Step

Modify the Name to appropriately match the Configuration Name of the SSO node from the Keeper Admin Console. Click Continue to Next Step

You may choose to add PingOne user groups to your application. Click Add next to the group or groups you would like to add and click Continue to Next Step.

PingOne users will have access to Keeper Password Manager by default. Assigning groups to Keeper Password Manager restricts access to only those groups.

Click Download next to "SAML Metadata" and save the .xml file to a safe location.

Click Finish to complete the application setup wizard.

On the Edit Configuration screen of the Keeper SSO Connect Cloud provisioning in the Keeper Admin Console, select PingOne as the IDP Type.

Upload the SAML Metadata file downloaded in the previous step into the Keeper SSO Connect interface by browsing to or dragging and dropping the file into the SAML Metadata section.

The PingOne Keeper SSO Connect Cloud™ entry will now show as Active.

Your PingOne Keeper SSO Connect Cloud™ setup is complete!

Move existing users/initial admin to SSO authentication

An admin can not move themselves to the SSO enabled node. It requires another admin to perform this action.

Once the user has authenticated with SSO, they only need to use their email address moving forward to initiate SSO authentication.

Rippling

How to configure Keeper SSO Connect Cloud with Rippling for seamless and secure SAML 2.0 authentication and SCIM provisioning.

Please complete the steps in the Admin Console Configuration section first.

Rippling Setup

2. After logging in, on the left side hover over Home and click App Shop in the bottom left.

3. In the App Shop, search for Keeper in the upper left corner and select it from the search result.

4. After selecting clicking on the Keeper app, click Connect Account to get started with SSO.

5. Rippling has it's own SSO set up walkthrough, continue the walkthrough to set up SSO.

6. Once you have reached this page, the SSO setup is complete, however there is also an option for SCIM provisioning. If you would like SCIM provisioning, select Continue with API and follow the SCIM provisioning walkthrough. Otherwise, click Skip for now, visit app.

You can assign users to the application and designate who has access to keeper in your Rippling environment here.

For more detailed configuration of SCIM visit the User and Team Provisioning section in the Enterprise Guide

Move existing users/initial admin to SSO authentication

An admin can not move themselves to the SSO enabled node. It requires another admin to perform this action.

Once the user has authenticated with SSO, they only need to use their email address moving forward to initiate SSO authentication.

RSA SecurID Access

How to configure Keeper SSO Connect Cloud with RSA SecurID Access for seamless and secure SAML 2.0 authentication.

Please complete the steps in the Admin Console Configuration section first.

Keeper Security is RSA SecurID Access Certified.

RSA SecurID Access integrates RSA Authentication Manager and their Cloud Authentication Service. In this setup Cloud Authentication Service can be used as an identity provider in conjunction with Keeper SSO Connect. Detailed documentation is provided on the RSA website via the links below.

RSA SecurID Access Overview

Keeper Password Manager Integration Guides

SecureAuth

How to configure Keeper SSO Connect Cloud with SecureAuth for seamless and secure SAML 2.0 authentication.

Please complete the steps in the section first.

SecureAuth can be configured using the same instructions in the section. Please follow that guide in order to set up the SecureAuth environment.

For reference, use the SecureAuth guide located here:

A few additional important items to note regarding SecureAuth:

Ensure that "By Post" is selected in the Connection Type section:

Ensure to select "Sign SAML Assertion" and "Sign SAML Message".
Ensure the Entity ID of the IdP metadata matches the SAML response from SecureAuth.

Move existing users/initial admin to SSO authentication

An admin can not move themselves to the SSO enabled node. It requires another admin to perform this action.

Once the user has authenticated with SSO, they only need to use their email address moving forward to initiate SSO authentication.

Passwordless Providers

Passwordless configuration for SSO Connect Cloud

The previous section of Admin Console Configuration applies to every SAML 2.0 compatible passwordless provider. To help with configuration of common passwordless providers, we have added some helpful screens in this next section.

Keeper is compatible with all SAML 2.0 SSO passwordless authentication products. You can just follow the step by step instructions of a similar provider in the list above, and it will be generally the same setup flow.

(If you create a setup guide for your identity provider, please share it with us and we'll post it here!)

Veridium

How to configure Keeper SSO Connect Cloud with Veridium for Passwordless login to Keeper.

Please complete the steps in the section first.

(1) Add a new service provider

From the Veridium interface, click on Add Service Provider.

(2) Download Keeper metadata

On the Keeper Admin Console, export the SAML Metadata file.

Go to View -> Export Metadata

(3) Upload Metadata to Veridium

In the service provider name box enter “Keeper”, upload the metadata file from Keeper and select “Email” as the NameID format.

(4) Map Attributes

Map the firstname, lastname and mail attributes and click “Save”.

Integration is now complete. A video demo of the Veridium login flow can be seen below:

Device Approvals

SSO Cloud device approval system

Overview

Device Approvals are a required component of the SSO Connect Cloud platform. Approvals can be performed by users, admins, or automatically using the Keeper Automator service.

For customers who authenticate with Keeper SSO Connect Cloud, device approval performs a key transfer, in which the user's encrypted data key is delivered to the device, which is then decrypted locally using their elliptic curve private key.

Technical Details

Keeper SSO Connect Cloud provides Zero-Knowledge encryption while retaining a seamless login experience with any SAML 2.0 identity provider.

When a user attempts to login on a device that has never been used prior, an Elliptic Curve private/public key pair is generated on the new device. After the user authenticates successfully from their identity provider, a key exchange must take place in order for the user to decrypt the vault on their new device. We call this "Device Approval".

Using Guest, Private or Incognito mode browser modes will identify itself to keeper as a new device each time it is launched, and therefore will require a new device approval.

To preserve Zero Knowledge and ensure that Keeper's servers do not have access to any encryption keys, we developed a Push-based approval system that can be performed by the user or the designated Administrator. Keeper also allows customer to host a service which performs the device approvals and key exchange automatically, without any user interaction.

Approval Methods

Device approval methods include the following:

Keeper Push (using push notifications) to existing user devices
Admin Approval via the Keeper Admin Console
Automatic approval via Keeper Automator service (preferred)
Semi-automated Admin Approval via Commander CLI

Keeper Push

Keeper Push is a method of SSO device approval using existing devices

Overview

Users can approve their additional devices by using a previously approved device. For example, if you are logged into your web vault on your computer already, and logging into your phone app for the first time, you will get a device approval prompt on your web vault with the mobile device's information which you can approve or deny. Device Approvals perform an encryption key exchange that allow a user on a new device to decrypt their vault.

Keeper Push Method

Keeper Push is a method of approval that the user handles for themselves. Selecting "Keeper Push" will send a notification to the user's approved devices. For mobile and desktop apps, the push will show as a pop-up, and the user can simply accept the device approval.

Here's an example of Keeper Push approval using mobile as the approver device:

Steps to Using Keeper Push

(1) Select Keeper Push

(2) User waits for the push approval to appear on the device in which they are already logged in.

(3) User must be already logged into a different, previously approved device in order to receive the notification.

Admin Approval

Admins can approve end-user SSO Cloud devices

Admin Approval Method via Admin Console

Selecting "Admin Approval" will send the request to the Keeper Administrator with the "Approve Devices" permission. The Admin can perform the approval through the Admin Console "Approval Queue" screen or by being logged into the Admin Console at the time of the request.

(1) User selects "Admin Approval"

(2) User waits for approval or comes back later

(3) Administrator logs into the Admin Console and visits the Approval Queue

(4) Admin reviews the information and approves the device

Select the device to approve and then click "Approve". If the user is waiting, they will be instantly permitted to login. Otherwise, the user can login at a later time without any approval (as long as they don't clear out their web browser cache or reset the app).

Approve Devices Role Permission

A special role permission called "Approve Devices" provides a Keeper Administrator the ability to approve a device.

(1) Go to Roles within the root node or the SSO node

(2) Select the gear icon to control the Admin Permissions for the selected role.

(3) Assign "Approve Devices" permission

Now, any user added to this role is able to login to the Admin Console to perform device approvals.

As with any administrative permission, ensure least privilege

Keeper Automator Service

Automatic device approval service for SSO Connect Cloud environments

Overview

The Keeper Automator is a self-hosted service which performs cryptographic operations including device approvals, team approvals and team user assignments.

Once Automator is running, users can seamlessly access Keeper on a new (not previously approved) device after a successful authentication with your identity provider, without any further approval steps. Without the Automator service, users and admins can still perform manual device approvals through Push Approval methods.

Keeper Automator is a lightweight service that can be deployed in your cloud or on-prem environment.

Why is this needed?

Keeper SSO Connect provides seamless authentication into the Keeper vault using your identity provider. Normally a user must a approve their new device, or an Admin can approve a new device for a user. The Automator service is totally optional, created for Admins who want to remove any friction associated with device approvals.

To preserve Zero Knowledge and automate the transfer of the Encrypted Data Key (EDK) to the user's device, a service must be run which is operated by the Enterprise (instead of hosted by Keeper). The service can be run several different ways, either in the cloud or self-hosted.

An in-depth explanation of SSO Connect encryption model is

Installation Options

Depending on your environment, select from one of the following installation methods. The , , and Google are the best choices if you use one of these cloud services.

Installation Method: Azure Container App

Installation Method: Azure App Services

Installation Method: Azure App Gateway

Installation Method: AWS Elastic Container Service

Installation Method: AWS Elastic Container Service with KSM

Installation Method: Google Cloud with GCP Cloud Run

Installation Method: Standalone Java

Installation Method: Docker

Installation Method: Docker Compose

Installation Method: Kubernetes

Installation Method: Windows Service

Automator Security

Using the Automator service creates a frictionless experience for users, however it requires that you have fully secured your identity provider.

Please refer to our guide to securing your Keeper environment.

Version 17.0 Overview

Instructions for upgrading your Automator instance to v17.0

Overview

Version v17.0+ incorporated several new features:

Team Approvals (Team Creation)
Team User Approvals (Assigning Users to Teams)
All settings can be configured as environment variables
Support for simplified deployment
Support for simplified deployment
HSTS is enabled for improved HTTPS security
IP address filtering for device approval and team approval
Optional rate limiting for all APIs
Optional filtering by email domain
Optional binding to specific network IPs

Team User approvals

Teams and users who are provisioned through SCIM can be immediately processed by the Automator service (instead of waiting for the admin to login to the console).

To activate this new feature:

Update your Automator container or .zip file to the latest version
Use the automator edit command in Keeper Commander to instruct the service to perform device approvals and also perform Team User approvals:

Example:

With the skill enabled, automator is triggered to approve team users when the user logs into their vault

Team Approvals

When team creation is requested by the identity provider via SCIM messaging, the request is not fully processed until someone can generate an encryption key (to preserve Zero Knowledge). This is normally processed when an admin logs into the Keeper Admin Console.

When team approvals is activated on the Keeper Automator service, teams are now created automatically when any assigned user from the team logs in successfully to the Keeper Vault. Therefore, teams will not appear in the environment until at least one user from that team logs into their vault.

Teams will not appear in the environment until at least one user from that team logs into their vault.

All settings can be configured as environment variables

This makes configuration easier when installing Automator in Azure Containers or other Docker-like containers where access to the settings file is difficult.

In Docker, Azure Containers, or other environments that use the docker-compose.yml file, you can set environment variables in the docker compose file, for example:

After editing the docker-compose.yml file, you will need to rebuild the container if the environment variables have changed. Just restarting the container will not incorporate the changes.

Advanced Features

for all of the new and advanced features / settings for the Automator service.

Ingress Requirements

Ingres configuration for Keeper Automator

Keeper Automator can be deployed many different ways - on prem, cloud or serverless.

Data Flow Diagram

Network Firewall Setup

In your firewall inbound traffic rules, set one of following rulesets:

For US Data Center Customers:

Inbound TCP port 443 from 54.208.20.102/32
Inbound TCP port 443 from 34.203.159.189/32

US / GovCloud Data Center Customers:

Inbound TCP port 443 from 18.252.135.74/32
Inbound TCP port 443 from 18.253.212.59/32

For EU / Dublin Data Center Customers:

Inbound TCP port 443 from 52.210.163.45/32
Inbound TCP port 443 from 54.246.185.95/32

For AU / Sydney Data Center Customers:

Inbound TCP port 443 from 3.106.40.41/32
Inbound TCP port 443 from 54.206.208.132/32

For CA / Canada Data Center Customers:

Inbound TCP port 443 from 35.182.216.11/32
Inbound TCP port 443 from 15.223.136.134/32

For JP / Tokyo Data Center Customers:

Inbound TCP port 443 from 54.150.11.204/32
Inbound TCP port 443 from 52.68.53.105/32

In addition, you may want to allow traffic from your office network (for the purpose of testing and health checks).

Make sure to create a rule for each IP address listed based on your Keeper geographic data center region.

Multi-Tenant Mode

Setting up multiple tenants in a single Automator instance

Overview

Keeper Automator supports a multi-tenant configuration, so that a single deployment can perform automations for multiple Keeper Enterprise environments.

For MSP environments, a single Keeper Automator instance can be used to run multiple Managed Companies.
For Enterprise customers, a single instance can process approvals for any number of identity providers.

Once the server is running, you can use it for multiple SSO nodes, even in different enterprises.

MSP with Multiple Managed Companies

The steps for activating one Automator instance for multiple Managed Companies is below:

(1) Login to Commander as the MSP Admin

My Vault> login [email protected]

(2) Switch context to the Managed Company

My Vault> msp-info

MSP Plans and Licenses
-----------------------
  #  Plan Id           Available Licenses    Total Licenses    Stash
---  --------------  --------------------  ----------------  -------
  1  business                          83               100        0
  2  businessPlus                      50               100        0
  3  enterprise                        80               100        0
  4  enterprisePlus                    85               100        0

  #      ID  Name                     Plan              Allocated    Active
---  ------  -----------------------  --------------  -----------  --------
  1   81386  Demo Managed Co. LLC     enterprisePlus            5         0
  2   81344  Elite Auto Works         business                  5         4
  3  114391  John's Garage            enterprisePlus            5         0
  4  114392  John's Garages           enterprisePlus            5         0
  5   81345  Perfect Teeth Dental     businessPlus             50         4
  6  114281  Test                     business                 12         0
  7   81346  Troy Financial Services  enterprise               20         0

Find the MC you want to set up, select the ID and then type:

switch-to-mc <ID>

(3) Create an Automator instance

Use the common Automator URL in the "edit" step

For example:

My Vault> automator create --name="Tenant1" --node="SSO Node"
My Vault> automator edit --url=https://my.company.com:8089 --skill=team_for_user --skill=device <Automator ID>
My Vault> automator setup <Automator ID>
My Vault> automator init <Automator ID>
My Vault> automator enable <Automator ID>

(4) Switch back to MSP

Switch back to the MSP Admin context

My Vault> switch-to-msp

For each Managed Company, repeat the above 4 steps.

Multi-Tenant Enterprise

The steps for activating one Automator instance for multiple Nodes in the same Enterprise tenant is below:

(1) Login to Commander as Admin

My Vault> login [email protected]

(2) Create the Automator Instance

For each Node, use the same "edit" URL. For example:

My Vault> automator create --name="Tenant A" --node="<node_name>"
My Vault> automator edit --url=https://my.company.com:8089 --skill=team --skill=team_for_user --skill=device <Automator ID>
My Vault> automator setup <Automator ID>
My Vault> automator init <Automator ID>
My Vault> automator enable <Automator ID>

Then, simply set up another instance with the same URL endpoint:

My Vault> automator create --name="Tenant B" --node="Azure"
My Vault> automator edit --url=https://my.company.com:8089 --skill=team --skill=team_for_user --skill=device <Automator ID>
My Vault> automator setup <Automator ID>
My Vault> automator init <Automator ID>
My Vault> automator enable <Automator ID>

Note that they have different names and IDs and are assigned to different nodes but they use the same URL.

Repeat step (2) for every node to set up multiple tenants on the same Automator instance.

Advanced Settings

Configuration settings and features on Automator

Overview

The settings in this document control the features and security of the Automator service.

Setting: `automator_debug`

Env Variable: AUTOMATOR_DEBUG

Description: This is an easier way to turn on/off debug logging in Automator.

Setting: `automator_config_key`

Env Variable: AUTOMATOR_CONFIG_KEY

Default: Empty

Description: Base64-url-encoded 256-bit AES key. This is normally only used as an environment variable. (since v3.1.0). This setting is required to load the encrypted configuration from the Keeper cloud if there is no shared /usr/mybin/config file storage between container instances.

Setting: `automator_host`

Env Variable: AUTOMATOR_HOST

Default: localhost

Description: The hostname or IP address where the Automator service is listening locally. If SSL is enabled (ssl_mode parameter), the automator_host value needs to match the SSL certificate subject name. The setting disable_sni_check can be set to false if the subject name does not match.

If the service is running on a machine with multiple network IPs, this setting will bind the Automator service to the specified IP.

If you encounter binding errors in the service startup, it is recommended to use the local network IP address in the host setting instead of localhost.

Setting: `automator_port`

Env Variable: AUTOMATOR_PORT

Default: 8089

Description: The port where the Automator listens. If running in Docker, use the default 8089.

Setting: `disable_sni_check`

Env Variable: DISABLE_SNI_CHECK

Default: false

Description: Disable the SNI check against the certificate subject name, if SSL is being used.

Setting: `email_domains`

Env Variable: EMAIL_DOMAINS

Default: null

Description: A comma-separated list of user email domains for which Automator will approve devices or teams. Example: "example.com, test.com, mydomain.com". This depends on the filter_by_email_domains setting to be enabled as well.

Setting: `filter_by_email_domains`

Env Variable: FILTER_BY_EMAIL_DOMAINS

Description: If true, Keeper will consult the email_domains list. If false, the email_domains list will be ignored.

Setting: `enabled`

Env Variable: N/A

Default: false

Description: This determines if Automator is enabled or disabled.

Setting: `enable_rate_limits`

Env Variable: ENABLE_RATE_LIMITS

Default: false

Description: If true, Automator will rate limit incoming calls per the following schedule:

approve_device: 100 calls/minute with bursts to 200

approve_teams_for_user: 100 calls/minute with bursts to 200

full_reset: 4 per minute, with bursts to 6

health: 4 per minute

initialize: 4 per minute, with bursts to 6

setup: 4 per minute, with bursts to 6

status: 5 per minute

Setting: `ip_allow` and `ip_deny`

Env Variable: IP_ALLOW and IP_DENY

Default: ""

Description: This restriction allows users to be eligible for automatic approval. Users accepted by the IP restriction filter still need to be approved in the usual way by Automator. Users denied by the IP restriction filter will not be automatically approved.

If "ip_allow" is empty, all IP addresses are allowed except those listed in the "ip_deny" list. If used, devices at IP addresses outside the allowed range are not approved by Automator. The values are a comma-separated list of single IP addresses or IP ranges. The "ip_allow" list is checked first, then the "ip_deny" list is checked.

Example 1: ip_allow=

ip_deny=

Example 2:

ip_allow=10.10.1.1-10.10.1.255, 172.58.31.3, 175.200.1.10-175.200.1.20

ip_deny=10.10.1.25

Setting: `name`

Env Variable: N/A

Default: Automator-1

Description: The name of the Automator. It should be unique inside an Enterprise. An automator can be referenced by its name or by its ID.

Setting: `persist_state`

Env Variable: N/A

Default: true

Description: If true, the Automator state will be preserved across shutdowns. Leave this on.

Setting: `skill`

Env Variable: N/A

Default: device_approval

Description: “device_approval” means device approval. “team_for_user_approval” means team approvals. An Automator can have multiple skills. “device_approval” is the default.

Setting: `ssl_certificate`

Env Variable: SSL_CERTIFICATE

Default: null

Description: A Base64-encoded string containing the contents of the PFX file used for the SSL certificate. For example, on UNIX base64 -i my-certificate.pfx will produce the required value.

Using this environment variable will override the ssl_certificate_filename setting.

Setting: `ssl_certificate_file_password`

Env Variable: SSL_CERTIFICATE_PASSWORD

Default: ""

Description: The password on the SSL file. If used, the key password should be empty, or should be the same. The library we use does not allow different passwords.

Setting: `ssl_certificate_key_password`

Env Variable: SSL_CERTIFICATE_KEY_PASSWORD

Default: ""

Description: The password on the private key inside the SSL file. This should be empty or the same as the file password.

Setting: `ssl_mode`

Env Variable: SSL_MODE

Default: certificate

Description: The method of communication on the Automator service. This can be: certificate, self_signed, or none. If none, the Automator server will use HTTP instead of HTTPS. This may be acceptable when Automator is hosted under a load balancer that decrypts SSL traffic.

Setting: `url`

Env Variable: N/A

Default: ""

Description: The URL where the Automator can be contacted.

Troubleshooting

Common issues and troubleshooting for your Automator service

Unable to communicate with the Automator service

There are several reasons why Keeper Commander is unable to communicate with your Automator service:

Ensure that the automator service is open to Keeper’s IP addresses. The list of IPs that must be open are found at this Ingress Requirements page. We recommend also adding your own IP address so that you can troubleshoot the connection.
If you are using a custom SSL certificate, ensure that the SSL certificate is loaded. Check the Automator log files which will indicate if the certificate is loaded by the service restart. If the IP address is open to you, you can run a health check on the command line using curl, for example: curl https://automator.mycompany.com/health
Check that the subject name of the certificate matches the FQDN.
Check that your SSL certificate includes the CA intermediate certificate chain. This is the most common issue that causes a problem. Keeper will refuse to connect to Automator if the intermediate certificate chain is missing. You can do this using openssl like the following:

openssl s_client -showcerts -servername automator.company.com -connect automator.company.com

This command will clearly show you the number of certificates in the chain. If there's only a single cert, this means you did not load the full chain. To resolve this, see Step 4 of the Custom SSL Certificate step by step instructions page.

400 Error in Health Checks

This may occur if the healthcheck request URI does not match the SSL certificate domain. To allow the healthcheck to complete, you need to disable SNI checks on the service. This can be accomplished by setting the disable_sni_check=true in the Automator configuration or passing in the environmental variable DISABLE_SNI_CHECK with the value of "true".

CLI Approvals

Commander Approvals

Commander Method for Automated Approvals

Keeper Commander, our CLI and SDK platform is capable of performing Admin Device Approvals for automated approval without having to login to the Admin Console. Admin approvals can be configured on any computer that is able to run Keeper Commander (Mac, PC or Linux).

This method does not require inbound connections from the Keeper cloud, so it could be preferred for environments where ingress ports cannot be opened. This method uses a polling mechanism (outbound connections only).

Install Keeper Commander

Please see the Installation Instructions here: https://docs.keeper.io/secrets-manager/commander-cli/commander-installation-setup You can install the binary versions for Mac/PC/Linux or use pip3.

Use CLI for Device Approvals

Enter the Commander CLI using the "keeper shell" command. Or if you installed the Commander binary, just run it from your computer.

$ keeper shell
  _  __
 | |/ /___ ___ _ __  ___ _ _
 | ' </ -_) -_) '_ \/ -_) '_|
 |_|\_\___\___| .__/\___|_|
              |_|

 password manager & digital vault

Use the "login" command to login as the Keeper Admin with the permission to approve devices. Commander supports SSO, Master Password and 2FA. For the purpose of automation, we recommend creating a dedicated Keeper Admin service account that is specifically used for device approvals. This ensures that any changes made to the user account (such as policy enforcements) don't break the Commander process.

My Vault> login [email protected]
Password: *******

Type "device-approve" to list all devices:

My Vault> device-approve
Email               Device ID           Device Name       Client Version
------------------  ------------------  ----------------  ----------------
[email protected]  f68de375aacdff3846  Web Vault Chrome  w15.0.4
[email protected]  41sffcb44187222bcc  Web Vault Chrome  w15.0.4

To manually approve a specific device, use this command:

My Vault> device-approve --approve <device ID>

To approve all devices that come from IPs that are recognized as successfully logged in for the user previously, use this command:

My Vault> device-approve --approve --trusted-ip

To approve all devices regardless of IP address, use this command:

My Vault> device-approve --approve

To deny a specific device request, use the "deny" command:

My Vault> device-approve --deny <device ID>

To deny all approvals, remove the Device ID parameter:

My Vault> device-approve --deny

To reload the latest device approvals without having to exit the shell, use the "reload" command:

My Vault> device-approve --reload

Automatically Approving Devices every X seconds

Commander supports an automation mode that will run approvals every X number of seconds. To set this up, modify the config.json file that is auto-created. This file is located in the OS User's folder under the .keeper folder. For example: C:\Users\Administrator\.keeper\config.json on Windows or /home/user/.keeper/config.json on Mac/Linux.

Leave the existing data in the file and add the following lines :

"commands":["enterprise-down","device-approve --approve"],
"timedelay":30

JSON files need a comma after every line EXCEPT the last one.

Now when you open Commander (or run "keeper shell"), Commander will run the commands every time period specified. Example:

$ keeper shell
Executing [enterprise-down]...
Password: 
Logging in...
Syncing...

Executing [enterprise-down]...

Email               Device ID           Device Name       Client Version
------------------  ------------------  ----------------  ----------------
[email protected]  f68de375aacdff3846  Web Vault Chrome  w15.0.4

Executing [device-approve --approve]...
2020/09/20 21:59:47 Waiting for 30 seconds
Executing [enterprise-down]...
There are no pending devices to approve
.
.
.

Automatically Approving Teams and Users

Similar to the example above, Commander can automatically approve Team and User assignments that are created from SCIM providers such as Azure, Okta and JumpCloud.

To set this up, simply add one more command team-approve to the JSON config file. For example:

{
    "user": "[email protected]",
    "commands": [
        "enterprise-down",
        "device-approve --approve",
        "team-approve"
    ],
    "timedelay": 60
}

Persistent Sessions

Keeper Commander supports "persistent login" sessions which can run without having to login with a Master Password or hard-code the Master Password into the configuration file.

Commands to enable persistent login on a device for 30 days (max):

My Vault> this-device register
My Vault> this-device persistent-login on
My Vault> this-device ip-auto-approve on
My Vault> this-device timeout 30d
My Vault> quit

You can use seconds as the value (e.g. 60 for 60 seconds) or numbers and letters (e.g. 1m for one minute, 5h for 5 hours, and 7d for 7 days).

Also note that typing "logout" will invalidate the session. Just "quit" the Commander session to exit.

Once persistent login is set up on a device, the config.json in the local folder will look something like this:

{
    "private_key": "8n0OqFi9o80xGh06bPzxTV1yLeKa5BdWc7f7CffZRQ",
    "device_token": "R2O5wkajo5UjVmbTmvWnwzf7DK1g_Yf-zZ3dWIbKPOng",
    "clone_code": "retObD9F0-WDABaUUGhP0Q",
    "user": "[email protected]",
    "server": "keepersecurity.com"
}

Additional information about persistent login sessions and various options is available at this link.

There are many ways to customize, automate and process automated commands with Keeper Commander. To explore the full capabilities see the Commander documentation.

Certificate Renewal

Keeper SSO Connect certificate renewal instructions

Keeper SSO Connect Certificate Renewal Process

It is critical to ensure that your IdP SAML Signing Certificates are renewed and activated. Typically, this occurs once per year.

If you receive the below error when logging into the Keeper vault, this usually indicates that the SAML Signing Certificate has expired.

"Sorry! There was an unexpected error logging you into Keeper via your company account. We are unable to parse the SAML Response from the IDP"

Resolution

To resolve this issue, please follow the basic steps below:

Update the SAML signing certificate from your identity provider related to the Keeper application
Download the new SAML signing certificate and/or IdP metadata file
Update the IdP metadata in the Keeper Admin Console

Entra ID / Azure AD Instructions

Since Microsoft Azure is the most widely used identity provider, the step by step update guide is documented below. If Azure is not your provider, the process is very similar.

(1) Login to the Azure Portal () and go to Enterprise Applications > Keeper > Set up Single sign on

(2) Under the SAML Certificates section, note that the certificate has expired. Click Edit.

(3) Click on New Certificate to generate a new cert.

(4) Click the overflow menu and then click "Make certificate active" the Save and apply the changes.

(5) From the SAML Certificates section, download the new Federation Metadata XML file. Save this to your computer.

(6) Update the SAML Metadata in the Keeper Admin Console

From the Keeper Admin Console, login to the Keeper tenant and visit the SSO configuration.

Follow the links below to access the Keeper Admin Console: (US) (EU) (AU) (CA) (JP) (US Gov)

(Or open > Login > Admin Console)

Select the SSO node then select the "Provisioning" tab.
Click on "Single Sign-On with SSO Connect Cloud
Click "Edit Configuration"
Click out the existing SAML Metadata
Upload the new XML metadata file from your desktop

At this point, the SAML certificate should be updated with success.

(7) Confirm that SSO is functioning properly

Now that the metadata XML file with the latest certificate is uploaded to Keeper, your users should be able to login with SSO without error.

(8) Delete the metadata XML file from your local computer or store this in your Vault

(9) Make yourself a calendar reminder to update the SAML certificate next year prior to the expiration date.

Unable to Access the Keeper Admin Console?

If you are unable to login to the Keeper Admin Console due to the SSO certificate issue, please select one of the following options to regain access:

Option 1: Use a service account that logs into the Admin Console with a Master Password

Option 2: Contact a secondary admin to login and update the cert for you

If neither option is available, contact Keeper

Logout Configuration

Configuration options for Single Logout (SLO) between Keeper and IdP

Different customers may have different desired behavior when a user clicks on "Logout" from their Keeper vault. There are two choices:

Option 1: Don't logout from IdP

Clicking "Logout" from the Keeper Vault will just close the vault but stay logged into the Identity Provider.
Logging into the Keeper Vault again will defer to the Identity Provider's login logic. For example, Okta has configurable Sign-On rules which allow you to prompt the user for their MFA code before entering the application. See your identity provider sign-on logic to determine the best experience for your users.

Option 2: Logout from IdP

Clicking "Logout" from the Keeper Vault will also logout the user from the Identity Provider.
This may create some frustration with users because they will also logout from any IdP-connected services.
Users would need to be directed to simply close the vault and not click "Logout" if they don't like this behavior.

How to Enable Single Logout (SLO)

If your identity provider has a "Single Logout" option, then you can turn this feature ON from the identity provider configuration screen. For example, Okta has a "Single Logout" checkbox and they require that the "Keeper SP Certificate" is uploaded. After changing this setting, you will need to export the metadata from the IdP and import it back into the Keeper SSO configuration screen.

How to Disable Single Logout (SLO)

If your identity provider has a "Single Logout" option, then you can turn this feature OFF from the identity provider configuration screen and upload the new metadata file into Keeper.
If the IdP does not have a configuration screen on their user interface, you can just manually edit the IdP metadata file (screenshot below). In a text editor or vim, remove the lines highlighted below that represent the SLO values. Then save the file and upload the metadata into the Keeper SSO configuration screen.

User Provisioning

Instructions on how to provision users with SSO Connect Cloud

Onboarding Users

There are several options for onboarding users who inside an SSO-provisioned node:

Option 1: Using SCIM Automated Provisioning

If your identity provider supports Automated Provisioning (using the SCIM protocol), users will be automatically provisioned with a Keeper Vault.
Follow our guide for instructions on setting up SCIM with your identity provider, if you haven't done this.
Users who are provisioned through SCIM can simply type in their Email Address on the Vault Login screen and they will be automatically directed to the IdP login screen to complete the sign-in. Please makes sure that your email domain is reserved with Keeper so that we route your users to the IdP. to learn about domain reservation.
After authentication to the IdP, the user will instantly be logged into their Vault on their first device. Subsequent devices will require Device Approval.

Option 2: Using Just-In-Time (JIT) Provisioning

If Just-In-Time (JIT) provisioning is activated on your SSO configuration, there are a few ways that users can access their vault:

(1) Direct your users to the identity provider dashboard to click on the Keeper icon (IdP-initiated Login).

(2) Provide users with a hyperlink to the Keeper application within the identity provider (see your IdP Application configuration screen for the correct URL).

(3) Send users to the Keeper Vault to simply enter their email address and click "Next".

Ensure that your domain has been for automatic routing.

(4) If using the email address is not desired, users can also click on "Enterprise SSO Login" using the "Enterprise Domain" that you configured in the Admin Console for the SSO connection.

(5) Hyperlink users directly to the Enterprise Domain login screen on Keeper using the below format:

Replace <domain> with the endpoint of the data center where your Keeper tenant is hosted. This can be one of the following:
- keepersecurity.com
- keepersecurity.eu
- keepersecurity.com.au
- govcloud.keepersecurity.us
- keepersecurity.jp
- keepersecurity.ca
Replace <name> with the name of the Enterprise Domain that has been assigned in the Admin Console.

Option 3: Manually Inviting Users

If you prefer to manually invite users from the Admin Console instead of using Just-In-Time provisioning, follow these steps:

Login to the Keeper Admin Console
Open the node which is configured with your identity provider
Click on "Add Users" to invite the user manually
User can then simply type in their email from the Vault login screen to sign in

Note: Additional customization of the Email Invitation including graphics and content can be made by visiting the "Configuration" screen of the Admin Console.

Please make sure to test the configuration and onboarding process with non-admin test user accounts prior to deploying Keeper to real users in the organization.

Please don't use SSO with your Keeper Administrator account for testing. We recommend that the Keeper Administrator exists at the root node of the Admin Console and uses Master Password login. This ensures you can always have access to manage your users if the identity provider is unavailable (e.g. if Microsoft goes down).

Move existing users/initial admin to SSO authentication

An admin can not move themselves to the SSO enabled node. It requires a another admin to perform this action.

System Architecture

SSO Connect Cloud System Architecture

Migrate from OnPrem

How to migrate from Keeper SSO On-Prem to Cloud SSO

See the below instructions:

Graphic Assets

Keeper Password Manager graphic assets for IdP configuration

This page contains various graphic assets of Keeper icons and logos for use in your identity provider, if required.

Zip file with various sizes:

512x512 PNG Square Icon:

256x256 PNG Square Icon:

128x128 PNG Square Icon:

Keeper Logo - JPG white background:

Keeper Logo - PNG transparent background:

Keeper Logo - JPG White on black background:

Links & Resources

Google Workspace User and Group Provisioning with Cloud Function

Step by Step guide to automatically provisioning Users and Groups from Google Workspace using a Cloud Function

Overview

This document describes how to automatically provision users from Google Workspace to Keeper using a Google Cloud Function, which includes the provisioning of Users, Groups and user assignments. User and Team Provisioning provides several features for lifecycle management:

You can specify which Google Groups and/or users are provisioned to Keeper
Matching of Groups can be performed by Group name or Group email
Google Groups assigned to Keeper are created as Keeper Teams
Keeper Teams can be assigned to Shared Folders in the vault
New users added to the group are automatically invited to Keeper
Group and user assignments are applied every sync
When a user is de-provisioned, their Keeper account will be automatically locked
The process is fully cloud-based. No on-prem infrastructure or services are required.
Processing can be performed on your desired scheduler or on-demand

The setup steps in this section allow you to provision users and groups from your Google Workspace account. Setting up this method requires access to several resources:

Keeper Secrets Manager is used in this implementation to perform the most secure method of integration between Google and Keeper, ensuring least privilege. If you don't use Keeper Secrets Manager, please contact the Keeper customer success team.

STEP 1: Create a Google Cloud Project

Login to Google Cloud and create a project or chose an existing project. The project name can be "Keeper SCIM Push" or whatever you prefer.

STEP 2: Enable the Admin SDK API

In the APIs & Services click +ENABLE APIS AND SERVICES
In the Search for APIs & Services enter Admin SDK API
Click ENABLE

STEP 3: Create a Service Account

The service account created here will be used to access the Google Workspace user and group information.

In the IAM and Admin menu select Service accounts
Click +CREATE SERVICE ACCOUNT with suggested service account name: keeper-scim

For newly created service account click Actions/dots and select Manage Keys

Click ADD KEYS -> Create New Key. Choose JSON key type then CREATE

A JSON file with service account credentials will be downloaded to your computer

Rename this file to credentials.json and add this file as attachment to your Keeper configuration record that was created in the Setup Steps above.

STEP 4: Copy the Client ID

Navigate to your Service Account and select DETAILS tab > Advanced Settings

In the Domain-wide delegation section copy the Client ID. You will need to grant this Client ID access to the Google Workspace Directory in the next step.

STEP 5: Authorize Service Account on Google Workspace

In the Google Workspace Panel (https://admin.google.com):

Navigate to Security -> API controls
Under the Domain wide delegation click MANAGE DOMAIN WIDE DELEGATION
Click Add new in API Clients
Paste the Client ID (copied from previous step)

Paste the following text into OAuth scopes (comma-delimited)

https://www.googleapis.com/auth/admin.directory.group.readonly,https://www.googleapis.com/auth/admin.directory.group.member.readonly,https://www.googleapis.com/auth/admin.directory.user.readonly

Click AUTHORIZE - These scopes grant Service Account read-only access to Google Workspace Directory Users, Groups and Membership.

STEP 6: Retrieve the Primary Email

In Google Workspace (https://admin.google.com), navigate to Account -> Account settings
Copy the Primary admin email into the clipboard (upper right area) for use in the next step.

STEP 7: Create a Shared Folder in your Keeper Vault

In your Keeper Vault, create a new Shared Folder. This folder can be named anything, for example "Google SCIM Push". The user and record permissions for this folder can be set any way you prefer.

STEP 8: Create a Secrets Manager Application

Assuming that you have Keeper Secrets Manager enabled and activated for this vault, click on Secrets Manager from the left side and then select Create Application.

Call the Application name "Google SCIM Push" (or whatever you prefer) and click Generate Access Token. This token will be discarded and not used in this scenario.

Next, select the "Google SCIM Push" application from the list, and click on Edit then Add Device.

Select the base64 configuration and download it to your computer.

Save the file to your computer as config.base64.

STEP 9: Create a SCIM Provisioning Method

From the Keeper Admin Console, go to the Provisioning tab for the Google Workspace node and click "Add Method".

Select SCIM and click Next.

Click on "Create Provisioning Token"

The URL and Token displayed on the screen will be used in the next step. Save the URL and Token in a file somewhere temporarily and then click Save.

Make sure to save these two parameters (URL and Token) and then click Save. These parameters are used in the next step.

STEP 10: Create a Keeper Record in the Shared Folder

Inside the Shared Folder created in step 7, create a Keeper record that contains the following fields:

Field

Value

Login

Google Workspace admin email

Password

SCIM Token generated from Step 9 above

Website Address

SCIM URL generated from Step 9 above

credentials.json

File attachment from Step 3 with Google Service Account credentials

SCIM Group

Multi-line custom text field containing a list of all groups to be provisioned. The names can either be Group Email or Group Name.

All Groups and users within the specified Groups will be provisioned to Keeper.

You can specify either the Group Email address or the Group Name in the list of groups. Keeper will match either value and provision all associated users and groups.

The Group Name and Group Email is CASE SENSITIVE

At this point, the configuration on Keeper is complete. The remaining steps are performed back on the Google Cloud console by setting up a Cloud Function.

STEP 11: Create the Google Cloud Function

From the Google Cloud console, open Cloud Functions and then click CREATE FUNCTION.

Under Basics:

Select environment of "2nd gen"
Select Function name of keeper-scim-push
Select your preferred region and note this for later
Trigger is HTTPS
Authentication set to Require authentication

Under Advanced -> Runtime:

Memory allocated: 256MiB
CPU: 0.333
Timeout: 120 seconds
Concurrency: 1
Autoscaling min: 0
Autoscaling max: 1
Runtime service account: select
Under Runtime service account, select the Default compute service account

If the Default compute service account does not exist yet, select a different account temporarily then go back and edit the service account after saving.

Below is an example full configuration:

In the Runtime environment variables:

Create two variables:

Set Name 1 to KSM_CONFIG_BASE64 and Value 1 to the contents of the KSM configuration file generated in Step 8
Set Name 2 to KSM_RECORD_UID and Value 2 to the record UID created in the vault in Step 10.

You can find the Record UID by clicking on the (info) icon from the Keeper vault record. Click on the Record UID to copy the value.

Click on CONNECTIONS and select "Allow internal traffic only"

Scroll down and click NEXT to upload the Cloud Function source.

STEP 12: Upload the Cloud Function Source

Visit the Keeper Google SCIM Push release page: https://github.com/Keeper-Security/ksm-google-scim/releases
Download the source.zip file and save it to your computer

Select Runtime of Go 1.21
Select Source code of Zip Upload
Type Entry point of GcpScimSyncHttp
Zip upload destination bucket: Create a bucket with any name you choose, using the default bucket permissions (not public).
Zip file: upload the source.zip file saved from the above step

Click DEPLOY to create the Cloud Function. After a few minutes, the function will be created and published.

The function is private and requires authentication, so the next step is creating a Cloud Scheduler.

STEP 13: Copy the Cloud Function URL

From the Cloud Function screen, copy the URL as seen below:

STEP 14: Create the Cloud Scheduler

From the Google Cloud console, search for Cloud Scheduler and open it.

Click SCHEDULE A JOB

Define the schedule:

Set any description, such as "Keeper SCIM Push for Google Workspace"
Set the frequency, for example 0 * * * * for running once per hour
Set the Timezone according to your location
Set the Target type to HTTP
Set the URL to the Cloud Function URL copied from Step 13 above
Set the HTTP method to GET
Set the Auth Header to Add OIDC token
Set the Service account to Default compute service account
Click CONTINUE then CREATE

STEP 15: Test the Scheduler

On the Scheduler Jobs screen, the job will now be listed. To force execution, click on the overflow menu on the right side and select Force run.

This will execute the Cloud Function immediately.

If successful, the status of last execution will show success:

To ensure that Keeper received the sync information, login to the Keeper Admin Console. You will see a list of any pending / invited users, teams and team assignments.

Step 16: Delete Local Files

Once the process is working successfully, delete all local files and secrets created during this process.

IMPORTANT: Delete all local or temporary files on your computer, such as:

config.base64 file
credentials.json file
SCIM tokens
Any other screenshots or local files generated in this process

Destructive Operations

By default, "unmanaged" teams and team assignments in the Keeper Admin Console will not be deleted during the sync process. However, if your preferred method of syncing is to delete any unmanaged teams or team assignments, you can simply create a custom field in the Keeper record with a particular value.

"Destructive" Field Value

Description

-1

Nothing is deleted on the Keeper side during sync

0 (Default)

Only SCIM-controlled Groups and Membership can be deleted during sync. (Default Setting)

Any manually created or SCIM-controlled Groups and Memberships can be deleted during sync.

Debug Logging

The Keeper record can be modified to create verbose logs in the Google Cloud Function logs.

Verbose Field Value

Description

0 (Default)

No logging

Verbose logging enabled

Important Syncing Notes:

Keeper performs exact string matches on the Group Name or Group Email address when performing the Cloud Function provisioning. The group name and email is case sensitive.
Users in an invited state are not added to assigned teams until the user creates their vault and the Keeper administrator logs in to the Admin Console. Team membership can also be performed when another member of the team logs in to the vault. Clicking "Sync" from the Admin Console will also perform the additions.
Some operations such as the creation of Teams can only occur upon logging into the Keeper Admin Console, or when running the Keeper Automator service. This is because encryption keys need to be generated.
For large deployments, we recommend setting up the Keeper Automator service to automate and streamline the process of device approvals, user approvals and team approvals.
When you would like to add new Groups, simply add them to the list inside the Keeper vault record as described in Step 10. Keeper will search on either Group email or Group name when identifying the target.
Nested groups in Google Workspace will be flattened when syncing to Keeper. Users from the nested groups are added to the parent group on the Keeper side.

Updating the Cloud Function Source

When new versions of the Cloud Function are created, updating the code is very simple:

Download a new source.zip file from the Releases page of the ksm-google-scim Github repo
Navigate to the Cloud Functions area of Google Cloud
Click on the cloud function details and click EDIT
Click on Code
Under Source code select "ZIP Upload"
Select the source.zip file saved to your computer
Click DEPLOY
Wait a few minutes for the new function to deploy
Navigate to Cloud Scheduler
Click on Actions > Force Run

AWS Elastic Container Service

Running Keeper Automator with the AWS ECS (Fargate) service

Overview

This example demonstrates how to launch the Keeper Automator service in Amazon ECS in the most simple way, with as few dependencies as needed.

Requirements:

A managed SSL certificate via the AWS

(1) Create an Automator Config key

Generate a 256-bit AES key in URL-encoded format using one of the methods below, depending on your operating system:

Mac/Linux

openssl rand -base64 32

Windows

[Byte[]]$key = New-Object Byte[] 32; [System.Security.Cryptography.RNGCryptoServiceProvider]::Create().GetBytes($key); [System.Convert]::ToBase64String($key)

Save this value for the environmental variables set in the task definition.

(2) Create a VPC

If your VPC does not exist, a basic VPC with multiple subnets, a route table and internet gateway must be set up. In this example, there are 3 subnets in the VPC with an internet gateway as seen in the resource map below:

(3) Create CloudWatch Log Group

If you would like to capture logs (recommended), Go to CloudWatch > Create log group

Name the log group "automator-logs".

(4) Create an Execution IAM Role

Go to IAM > Create role

Select AWS service

Then search for Elastic Container Service and select it.

Select "Elastic Container Service Task" and click Next

Add the "AmazonECSTaskExecution" policy to the role and click Next

Assign the name "ECSTaskWritetoLogs" and then create the role.

Make note of the ARN for this Role, as it will be used in the next steps.

In this example, it is arn:aws:iam::373699066757:role/ECSTaskWritetoLogs

(5) Create a Security Group for ECS

Go to EC2 > Security Groups and click on "Create security group"

Depending on what region your Keeper tenant is hosted, you need to create inbound rules that allow https port 443 from the Keeper cloud. The list of IPs for each tenant location is located below. In the example below, this is the US data center.

We also recommend adding your workstation's external IP address for testing and troubleshooting.

Assign a name like "MyAutomatorService" and then click "Create".

Keeper Tenant Region

IP1

IP2

54.208.20.102/32

34.203.159.189/32

US GovCloud

18.252.135.74/32

18.253.212.59/32

52.210.163.45/32

54.246.185.95/32

3.106.40.41/32

54.206.208.132/32

35.182.216.11/32

15.223.136.134/32

54.150.11.204/32

52.68.53.105/32

Remember to add your own IP which you can find from this URL:

https://checkip.amazonaws.com

(6) Add the Security Group to the list of inbound rules

After saving the security group, edit the inbound rules again. This time, make the following additions:

Add HTTP port 8089 with the Source set to the security group. This allows traffic from the ALB to the container inside the network and for processing health checks.

(7) Create Elastic Container Service Cluster

Navigate to the Amazon Elastic Container Service.

Select "Create cluster" and assign the cluster name and VPC. In this example we are using the default "AWS Fargate (serverless)" infrastructure option.

The Default namespace can be called "automator"
The "Infrastructure" is set to AWS Fargate (serverless)
Click Create

(8) Create ECS Task Definition

In your favorite text editor, copy the below JSON task definition file and save it.

Important: Make the following changes to the JSON file:

Change the XXX (REPLACE THIS) XXX on line 24 to the secret key created in Step 1 above.
Replace lines 37-39 with the name and location of the log group from Step 3
Change the XXX on line 44 for the role ID as specific to your AWS role (from Step 4, e.g. 373699066757)

{
    "family": "automator",
    "containerDefinitions": [
        {
            "name": "automator",
            "image": "keeper/automator:latest",
            "cpu": 1024,
            "portMappings": [
                {
                    "containerPort": 8089,
                    "hostPort": 8089,
                    "protocol": "tcp",
                    "appProtocol": "http"
                }
            ],
            "essential": true,
            "environment": [
                {
                    "name": "SSL_MODE",
                    "value": "none"
                },
                {
                    "name": "AUTOMATOR_CONFIG_KEY",
                    "value": "XXX (REPLACE THIS) XXX"
                },
                {
                    "name": "AUTOMATOR_PORT",
                    "value": "8089"
                }
            ],
            "mountPoints": [],
            "volumesFrom": [],
            "readonlyRootFilesystem": false,
            "logConfiguration": {
                "logDriver": "awslogs",
                "options": {
                    "awslogs-group": "automator-logs",
                    "awslogs-region": "eu-west-1",
                    "awslogs-stream-prefix": "container-2"
                }
            }
        }
    ],
    "executionRoleArn": "arn:aws:iam::XXX:role/ecsTaskExecutionRole",
    "networkMode": "awsvpc",
    "requiresCompatibilities": [
        "FARGATE"
    ],
    "cpu": "1024",
    "memory": "3072",
    "runtimePlatform": {
        "cpuArchitecture": "X86_64",
        "operatingSystemFamily": "LINUX"
    }
}

Next, go to Elastic Container Service > Task definitions > Create Task from JSON

Remove the existing JSON and copy-paste the modified JSON file into the box, then click Create.

This task definition can be modified according to your instance CPU/Memory requirements.

(9) Upload SSL Cert to AWS Certificate Manager

In order for an application load balancer in AWS to serve requests for Automator, the SSL certificate must be managed by the AWS Certificate Manager. You can either import or create a certificate that is managed by AWS.

From AWS console, open the "Certificate Manager"
Click on Request
Request a public certificate and click Next
Enter the domain name for the automator service, e.g. automator.lurey.com
Select your preferred validation method and key algorithm
Click Request
Click on the certificate request from the list of certs

If you use Route53 to manage the domain, you can click on the certificate and then select "Create Records in Route53" to instantly validate the domain and create the certificate. If you use a different DNS provider, you need to create the CNAME record as indicated on the screen.

Once create the CNAME record, the domain will validate within a few minutes.

This certificate will be referenced in Step 11 when creating the application load balancer.

(10) Create a Target Group

Go to EC2 > Target Groups and click Create target group

Select "IP Addresses" as the target type
Enter the Target group name of "automatortargetgroup" or whatever you prefer
Select HTTP Protocol with Port 8089
Select the VPC which contains the ECS cluster
Select HTTP1
Under Health checks, select the Health check protocol "HTTP"
Type /health as the Health check path
Expand the "Advanced health check settings"
Select Override and then enter port 8089
Click Next
Don't select any targets yet, just click Create target group

(11) Create Application Load Balancer (ALB)

Go to EC2 > Load balancers > Create load balancer

Select Application Load Balancer > Create

Assign name such as "automatornalb" or whatever you prefer
Scheme is "Internet-facing"
IP address type: IPv4
In the Network Mapping section, select the VPC and the subnets which will host the ECS service.
In the Security groups, select "MyAutomatorService" as created in Step 4.
In the Listeners and routing section, select HTTPS port 443 and in the target group select the Target group as created in the prior step (automatortargetgroup).
In the Secure listener settings, select the SSL certificate "from ACM" that was uploaded to the AWS Certificate Manager in Step 9.
Click Create load balancer

(12) Create ECS Service

Go to Elastic Container Service > Task definitions > Select the task created in Step 8.

From this Task definition, click on Deploy > Create Service

Select Existing cluster of "automator"
Assign Service name of "automatorservice" or whatever name you prefer
For the number of Desired tasks, set this to 1 for now. After configuration is complete, you can increase to the number of tasks you would like to have running.
Under Networking, select the VPC, subnets and replace the existing security group with the ECS security group created in Step 4. In this case, it is called "MyAutomatorService".
For Public IP, turn this ON.
Under Load balancing, select Load balancer type "Application Load Balancer"
Use an existing load balancer and select "automatoralb" created in Step 11.
Use an existing listener, and select the 443:HTTPS listener
Use an existing target group, and select the Target Group from Step 10
Set the Health check path to "/health"
Set the Health check protocol to "HTTP"
Click Create

After a few minutes, the service should start up.

(13) Update DNS

Assuming that the DNS name is hosted and managed by Route53:

Go to Route53 > Create or Edit record

Create an A-record
Set as "Alias"
Route traffic to "Alias to Application and Classic Load Balancer"
Select AWS Region
Select the "automatoralb" Application Load Balancer
Select "Simple Routing"
Select "Save"

The next step is to configure Automator using Keeper Commander while only having one task running.

(14) Install Keeper Commander

At this point, the service is running but it is not able to communicate with Keeper yet.

On your workstation, server or any computer, install the Keeper Commander CLI. This is just used for initial setup. The installation instructions including binary installers are here: Installing Keeper Commander After Commander is installed, you can type keeper shell to open the session, then login using the login command. In order to set up Automator, you must login as a Keeper Administrator, or an Admin with the ability to manage the SSO node.

$ keeper shell

My Vault> login [email protected]
.
.
My Vault>

(15) Initialize with Commander

My Vault> automator create --name="My Automator" --node="Azure Cloud"

The Node Name (in this case "Azure Cloud") comes from the Admin Console UI as seen below.

The output of the command will display the Automator settings, including metadata from the identity provider.

                    Automator ID: 1477468749950
                            Name: My Automator
                             URL: 
                         Enabled: No
                     Initialized: No
                          Skills: Device Approval

Run the "automator edit" command as displayed below, which sets the URL and also sets up the skills (team, team_for_user and device).

automator edit --url https://<application URL> --skill=team --skill=team_for_user --skill=device "My Automator"

Next we exchange keys: The enterprise private key encrypted with the Automator public key is provided to Automator:

automator setup "My Automator"

Initialize the Automator with the new configuration

automator init "My Automator"

Enable the service

automator enable "My Automator"

At this point, the configuration is complete.

For automated health checks, you can use the below URL:

https://<server>/health

Example curl command:

$ curl https://automator.lurey.com/health
OK

In this example setup, the load balancer will be forwarding /health checks to the target instances over HTTP port 8089.

(16) Testing the User Experience

Now that Keeper Automator is deployed with a single task running, you can test the end-user experience. No prompts for approval will be required after the user authenticates with the SSO identity provider.

The easiest way to test is to open an incognito mode window to the Keeper Web Vault and login with SSO Cloud. You will not be prompted for device approval.

Assuming that the approval worked, you can now increase the number of tasks running.

(17) Update Task Definition (Optional)

The Keeper Automator service can run quite well on a single container without any issue due to the low number of requests that it processes. However if you would like to have multiple containers running, please follow the below steps:

Click on the "automatorservice" from the ECS services screen
Click on "Update service"
Select the checkbox on "Force new deployment"
Ensure that the latest task revision is selected
Set the Desired Tasks to the number of containers you would like running
Click "Update"
After a few minutes, the new containers will deploy. Wait until all containers are active.
Launch Keeper Commander (or it might still be open)

For every container, the automator setup, automator init and automator enable must be executed.

For example, if there are 3 containers running:

automator setup "My Automator"
automator setup "My Automator"
automator setup "My Automator"

automator init "My Automator"
automator init "My Automator"
automator init "My Automator"

automator enable "My Automator"
automator enable "My Automator"
automator enable "My Automator"

Logging and Monitoring

The Automator logs can be searched and monitored in the "Logs" tab of the ECS service, or in CloudWatch.

AWS Elastic Container Service with KSM (Advanced)

Running Keeper Automator with the AWS ECS (Fargate) service and Keeper Secrets Manager for secret storage

Overview

This example demonstrates how to launch the Keeper Automator service in Amazon ECS with Fargate, while also demonstrating the use of Keeper Secrets Manager for retrieving the secret configuration for the published Docker container.

Keeper Setup

Since this deployment requires the use of Keeper Secrets Manager, this section reviews the steps needed to set up your Keeper vault and the SSL certificate for publishing the Automator service.

(1) SSL Certificate

Create an SSL Certificate as described from this page

When this step is completed, you will have two files: ssl-certificate.pfx and ssl-certificate-password.txt

(2) Create Shared Folder

Create a Shared Folder in your vault. This folder will not be shared to anyone except the secrets manager application.

(3) Add File Attachments

Create a record in the Shared Folder, and make note of the Record UID. Upload the SSL certificate and SSL certificate password files to a Keeper record in the shared folder.

(4) Add Automator Property File

Upload a new file called keeper.properties which contains the following content:

ssl_mode=certificate
ssl_certificate_file=/config/ssl-certificate.pfx
ssl_certificate_file_password=
ssl_certificate_key_password=
automator_host=localhost
automator_port=443
disable_sni_check=true
persist_state=true

The notable line here is the disable_sni_check=true which is necessary when running the Automator service under a managed load balancer.

Your shared folder and record should look something like this:

(5) Create KSM Application

Create a Keeper Secrets Manager ("KSM") application in your vault. If you are not familiar with secrets manager, follow this guide. The name of this application is "Automator" but the name does not matter.

(6) Attach the KSM application to the shared folder

Edit the Shared Folder and add the Automator application to this folder.

(7) Create a KSM Device Configuration

Open the secrets manager application, click on "Devices" tab and click "Add Device". Select a base64 configuration. Download and save this configuration for use in the ECS task definition.

AWS Setup

(1) Create a VPC

(2) Create CloudWatch Log Group

Go to CloudWatch > Create log group

Name the log group "automator-logs".

(3) Create an Execution IAM Role

Go to IAM > Create role

Select AWS service

Then search for Elastic Container Service and select it.

Select "Elastic Container Service Task" and click Next

Add the "AmazonECSTaskExecution" policy to the role and click Next

Assign the name "ECSTaskWritetoLogs" and then create the role.

Make note of the ARN for this Role, as it will be used in the next steps.

In this example, it is arn:aws:iam::373699066757:role/ECSTaskWritetoLogs

(4) Create a Security Group for ECS

Go to EC2 > Security Groups and click on "Create security group"

Depending on what region your Keeper tenant is hosted, you need to create inbound rules that allow https port 443. The list of IPs for each tenant location is on this page. In the example below, this is the US data center.

We also recommend adding your workstation's external IP address for testing and troubleshooting.

Assign a name like "MyAutomatorService" and then click "Create".

After saving the security group, edit the inbound rules again. This time, add HTTPS port 443 and select the security group in the drop-down. This will allow the load balancer to monitor health status and distribute traffic.

(5) Create Security Group for EFS

We'll create another security group that controls NFS access to EFS from the cluster.

Go to EC2 > Security Groups and click on "Create security group"

Set a name such as "MyAutomatorEFS".

Select Type of "NFS" and then select Custom and then the security group that was created in the prior step for the ECS cluster. Click "Create security group".

Note the security group ID for the next step. In this case, it is sgr-089fea5e4738f3898

(6) Create two Elastic File System volumes

At present, the Automator service needs access to two different folders. In this example setup, we are creating one volume to store the SSL certificate and SSL passphrase files. The second volume stores the property file for the Automator service. These 3 files are in your Keeper record.

Go to AWS > Elastic File System and click Create file system

Call it "automator_config" and click Create

Again, go to Elastic File System and click Create file system. Call this one automator_settings and click Create.

Note the File system IDs displayed. These IDs (e.g. fs-xxx) will be used in the ECS task definition.

After a minute, the 2 filesystems will be available. Click on each one and then select the "Network" tab then click on "Manage".

Change the security group for each subnet to the one created in the above step (e.g. "MyAutomatorEFS") and click Save. Make this network change to both filesystems that were created.

(7) Create Elastic Container Service Cluster

Navigate to the Amazon Elastic Container Service.

Select "Create cluster" and assign the cluster name and VPC. In this example we are using the default "AWS Fargate (serverless)" infrastructure option.

The Default namespace can be called "automator"
The "Infrastructure" is set to AWS Fargate (serverless)
Click Create

(8) Create ECS Task Definition

In your favorite text editor, copy the below JSON task definition file and save it.

Make the following changes to the JSON file:

Change the XXXCONFIGXXX value to a base64 config from Keeper Secrets Manager created in the beginning of this guide
Change the 3 instances of "XXXXX" to the Record UID containing the SSL certificate, SSL certificate password and settings file in your vault shared folder which KSM is accessing.
Change the two File system IDs (fs-XXX) to yours from the above steps
Change the XXX for the role ID as specific to your AWS role
Change the eu-west-1 value in two spots to the region of your ECS service

{
    "family": "automator",
    "containerDefinitions": [
        {
            "name": "init",
            "image": "keeper/keeper-secrets-manager-writer:latest",
            "cpu": 1024,
            "memory": 1024,
            "portMappings": [],
            "essential": false,
            "environment": [
                {
                    "name": "KSM_CONFIG",
                    "value": "XXXCONFIGXXX"
                },
                {
                    "name": "SECRETS",
                    "value": "XXXXX/file/ssl-certificate.pfx > file:/usr/mybin/config/ssl-certificate.pfx\nXXXXX/file/ssl-certificate-password.txt > file:/usr/mybin/config/ssl-certificate-password.txt\nXXXXX/file/keeper.properties > file:/usr/mybin/settings/keeper.properties"
                }
            ],
            "mountPoints": [
                {
                    "sourceVolume": "automatorconfig",
                    "containerPath": "/usr/mybin/config"
                },
                {
                    "sourceVolume": "automatorsettings",
                    "containerPath": "/usr/mybin/settings"
                }
            ],
            "volumesFrom": [],
            "logConfiguration": {
                "logDriver": "awslogs",
                "options": {
                    "awslogs-group": "automator-logs",
                    "awslogs-region": "eu-west-1",
                    "awslogs-stream-prefix": "container-1"
                }
            }
        },
        {
            "name": "main",
            "image": "keeper/automator:latest",
            "cpu": 1024,
            "memory": 4096,
            "portMappings": [
                {
                    "containerPort": 443,
                    "hostPort": 443,
                    "protocol": "tcp"
                }
            ],
            "essential": true,
            "environment": [],
            "mountPoints": [
                {
                    "sourceVolume": "automatorconfig",
                    "containerPath": "/usr/mybin/config"
                },
                {
                    "sourceVolume": "automatorsettings",
                    "containerPath": "/usr/mybin/settings"
                }
            ],
            "volumesFrom": [],
            "dependsOn": [
                {
                    "containerName": "init",
                    "condition": "SUCCESS"
                }
            ],
            "logConfiguration": {
                "logDriver": "awslogs",
                "options": {
                    "awslogs-group": "automator-logs",
                    "awslogs-region": "eu-west-1",
                    "awslogs-stream-prefix": "container-2"
                }
            }
        }
    ],
    "executionRoleArn": "arn:aws:iam::XXX:role/ECSTaskWritetoLogs",
    "networkMode": "awsvpc",
    "volumes": [
        {
            "name": "automatorconfig",
            "efsVolumeConfiguration": {
                "fileSystemId": "fs-XXX",
                "rootDirectory": "/",
                "transitEncryption": "ENABLED"
            }
        },
        {
            "name": "automatorsettings",
            "efsVolumeConfiguration": {
                "fileSystemId": "fs-XXX",
                "rootDirectory": "/",
                "transitEncryption": "ENABLED"
            }
        }
    ],
    "requiresCompatibilities": [
        "FARGATE"
    ],
    "cpu": "2048",
    "memory": "5120"
}

Next, go to Elastic Container Service > Task definitions > Create Task from JSON

Remove the existing JSON and copy-paste the contents of the JSON file above into the box, then click Create.

This task definition can be modified according to your instance CPU/Memory requirements.

(9) Upload SSL Cert to AWS Certificate Manager

In order for an application load balancer in AWS to serve requests for Automator, the SSL certificate must be managed by the AWS Certificate Manager.

Go to AWS Certificate Manager and Click on Import

On your workstation, we need to convert the SSL certificate (.pfx) file to a PEM-encoded certificate body, PEM-encoded private key and PEM-encoded certificate chain.

Since you already have the .pfx file, this can be done using the below openssl commands:

Download the ssl-certificate.pfx file and the certificate password locally to your workstation and enter the below commands:

Generate the PEM-encoded certificate body

openssl pkcs12 -in ssl-certificate.pfx -out automator-certificate.pem -nodes
openssl x509 -in automator-certificate.pem -out certificate_body.crt

Generate the PEM-encoded private key

openssl pkey -in automator-certificate.pem -out private_key.key

Generate the PEM-encoded certificate chain

openssl crl2pkcs7 -nocrl -certfile automator-certificate.pem | openssl pkcs7 -print_certs -out certificate_chain.crt

Copy the contents of the 3 files into the screen, e.g.

cat certificate_body.crt | pbcopy
   (paste into Certificate body section)
   
cat private_key.key | pbcopy
   (paste into Certificate private key section)
   
cat certificate_chain.crt | pbcopy
   (paste into Certificate chain section)

(10) Create a Target Group

Go to EC2 > Target Groups and click Create target group

Select "IP Addresses" as the target type
Enter the Target group name of "automatortargetgroup" or whatever you prefer
Select HTTPS Protocol with Port 443
Select the VPC which contains the ECS cluster
Select HTTP1
Under Health checks, select the Health check protocol "HTTPS"
Type /health as the Health check path
Click Next
Don't select any targets yet, just click Create target group

(11) Create Application Load Balancer (ALB)

Go to EC2 > Load balancers > Create load balancer

Select Application Load Balancer > Create

Assign name such as "automatornalb" or whatever you prefer
Scheme is "Internet-facing"
IP address type: IPv4
In the Network Mapping section, select the VPC and the subnets which will host the ECS service.
In the Security groups, select "MyAutomatorService" as created in Step 4.
In the Listeners and routing section, select HTTPS port 443 and in the target group select the Target group as created in the prior step (automatortargetgroup).
In the Secure listener settings, select the SSL certificate "from ACM" that was uploaded to the AWS Certificate Manager in Step 9.
Click Create load balancer

(12) Create ECS Service

Go to Elastic Container Service > Task definitions > Select the task created in Step 8.

From this Task definition, click on Deploy > Create Service

Select Existing cluster of "automator"
Assign Service name of "automatorservice" or whatever name you prefer
Important: For the number of Desired tasks, set this to 1 for right now. After configuration, we will increase to the number of tasks you would like to have running.
Under Networking, select the VPC, subnets and replace the existing security group with the ECS security group created in Step 4. In this case, it is called "MyAutomatorService".
For Public IP, turn this ON.
Under Load balancing, select Load balancer type "Application Load Balancer"
Use an existing load balancer and select "automatoralb" created in Step 11.
Use an existing listener, and select the 443:HTTPS listener
Use an existing target group, and select the Target Group from Step 10
Click Create

After a few minutes, the service should start up.

(13) Update DNS

Assuming that the DNS name is hosted and managed by Route53:

Go to Route53 > Create or Edit record

Create an A-record
Set as "Alias"
Route traffic to "Alias to Application and Classic Load Balancer"
Select AWS Region
Select the "automatoralb" Application Load Balancer
Select "Simple Routing"
Select "Save"

The next step is to configure Automator using Keeper Commander while only having one task running.

(14) Install Keeper Commander

At this point, the service is running but it is not able to communicate with Keeper yet.

$ keeper shell

My Vault> login [email protected]
.
.
My Vault>

(15) Initialize with Commander

My Vault> automator create --name="My Automator" --node="Azure Cloud"

The Node Name (in this case "Azure Cloud") comes from the Admin Console UI as seen below.

The output of the command will display the Automator settings, including metadata from the identity provider.

                    Automator ID: 1477468749950
                            Name: My Automator
                             URL: 
                         Enabled: No
                     Initialized: No
                          Skills: Device Approval

Run the "automator edit" command as displayed below, which sets the URL and also sets up the skills (team, team_for_user and device).

automator edit --url https://<application URL> --skill=team --skill=team_for_user --skill=device "My Automator"

Next we exchange keys: The enterprise private key encrypted with the Automator public key is provided to Automator:

automator setup "My Automator"

Initialize the Automator with the new configuration

automator init "My Automator"

Enable the service

automator enable "My Automator"

At this point, the configuration is complete.

For automated health checks, you can use the below URL:

https://<server>/health

Example curl command:

$ curl https://automator.lurey.com/health
OK

In this example setup, the load balancer will be sending health checks to the target instances.

(16) Testing the User Experience

The easiest way to test is to open an incognito mode window to the Keeper Web Vault and login with SSO Cloud. You will not be prompted for device approval.

Assuming that the approval worked, you can now increase the number of tasks running.

(17) Update Task Definition

From the ECS screen, open the automator service and click "Update Service". Then set the number of tasks that you would like to have running.

Logging and Monitoring

The Automator logs can be searched and monitored in the "Logs" tab of the ECS service, or in CloudWatch.