Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
How to configure Keeper SSO Connect Cloud with Auth0 for seamless and secure SAML 2.0 authentication.
Please complete the steps in the Admin Console Configuration section first.
Login to the Admin section of the Auth0 portal.
Select the Applications tab and click Create Application. Choose Regular Web Applications.
Next, go to the Addons tab and click SAML2 WEB APP.
On the Settings page that comes up next, you will need the “Assertion Consumer Service (ACS) Endpoint” that comes from the Keeper Admin Console.
Example Assertion Consumer Service (ACS) Endpoint: https://keepersecurity.com/api/rest/sso/saml/XXXXXXXX
This value can be found under the SSO Connect Cloud configuration as part of the Service Provider information, as seen below:
Paste the Assertion Consumer Service (ACS) Endpoint into the Application Callback URL field in the Auth0 screen.
Next, remove the sample JSON in the SAML2 Web App editor window, and replace with the following:
The value for “audience” is the Entity ID. This can also be found under the SSO Connect Cloud configuration as part of the Service Provider information:
Once you've added the Entity ID, you can click the Debug button to verify there are no formatting issues.
Next, scroll down to the bottom of the SAML2 Web App window and click Save.
Next, click on the Usage tab and download the Identity Provider Metadata file.
On the Keeper side, edit the SSO configuration and select GENERIC as the IDP Type. You can upload the metadata.xml file into the Keeper SSO Connect interface by browsing to or dragging and dropping the file into the Setup screen:
Users created in the root node (top level) will need to be migrated to the sub node that the SSO integration was configured on. If users remain in the root node, they will be prompted for the master password when accessing the vault and/or admin console.
An admin can not move themselves to the SSO enabled node. It requires another admin to perform this action.
After the user is moved to the SSO enabled node, they need to log into the Keeper vault initially by selecting the "Enterprise SSO" pull down and inputting in the Enterprise Domain configured on the SSO integration. The user may get prompted to confirm by entering in the master password.
Once the user has authenticated with SSO, they only need to use their email address moving forward to initiate SSO authentication. They won't have to enter the Enterprise Domain.
If typing in the email address and clicking Next does not route the user to the desired SSO, ensure that just-in-time provisioning is enabled in the Keeper SSO configuration and ensure that your email domain is reserved by Keeper. More information regarding routing and domain reservation can be found here.
High level overview of Keeper SSO Connect™ Cloud
Simply by authenticating through your existing IdP, your employees gain access to all of the capabilities of the top-rated Keeper password management platform, including:
Secure digital vault that can be accessed from any device, running any OS
Automatic password generation & autofill on all devices
Compatibility on any system, browser or app
Zero-knowledge encryption of vault data
This service does not require any on-premises or customer cloud-hosted services and there are no Master Passwords. Configuration is done directly between the IdP and Keeper's Admin Console.
To preserve Zero Knowledge, an Elliptic Curve public/private key pair is generated for each device. The private key on the device encrypts and decrypts the user's vault. Signing into a new device requires a key exchange that is processed by our Keeper Push feature or approved by a designated Admin. Automated admin approvals can be configured in several different ways.
Important: SSO users and provisioning must exist in a dedicated node that you will create (not in the root node). Before completing these steps, create a new node as shown in the image below.
Keeper SSO Connect Cloud can be rolled out in 3 easy steps:
Create a SSO Connect Cloud instance on the Keeper Admin Console under Provisioning
Exchange metadata with your SAML identity provider
Set up automated provisioning and/or manually provision users to Keeper
A unique "device" includes physical devices as well as browsers and browser profiles.
From an administrator's perspective, the cost, risk & labor saving benefits of Keeper SSO Connect Cloud are significant:
Easy setup, all in one place in Keeper’s existing Admin Console.
No hosted software to integrate with the IdP
No additional server costs
No patching software
Eliminates a potential single point of failure
Available 24/7/365 on Keeper’s high availability systems
An Administrative Permission called "Approve Devices" allows an Administrator to perform device approvals. Admin Approvals can also be automated. See the section for details.