
SSO Identity Providers

Identity Provider configuration for SSO Connect Cloud

The Admin Console Configuration section applies to every SAML 2.0 compatible identity provider. This section adds IdP-specific walkthroughs, with screenshots, for the common identity providers listed below.

  • Microsoft ADFS

  • Amazon AWS

  • Auth0

  • Entra ID (Azure AD)

  • Centrify

  • Duo SSO

  • F5

  • Google Workspace

  • JumpCloud

  • Okta

  • OneLogin

  • Ping Identity

  • PingOne

  • Rippling

  • RSA SecurID Access

  • SecureAuth

  • Shibboleth

  • HENNGE

  • CloudGate UNO

  • Other SAML 2.0 Providers

If your Identity Provider is not listed here, don't worry. Keeper works with any SAML 2.0 compliant identity provider, including passwordless authentication products. Follow the step-by-step instructions for a similar provider in the list above; the setup flow is essentially the same for all of them: exchange metadata between the IdP and Keeper, map the Email, First and Last attributes, and configure the IdP to sign the SAML response.

(If you create a setup guide for your identity provider, please share it with us and we'll post it here!)

Amazon AWS

How to configure Keeper SSO Connect Cloud with Amazon AWS SSO for seamless and secure SAML 2.0 authentication.

Please complete the steps in the Admin Console Configuration section first.

AWS SSO

Log into AWS and select AWS Single Sign-On.

On the SSO Dashboard, select Configure SSO access to your cloud applications.

On the Applications menu, select Add a new application.

Next, select Keeper Security and click Add.

Keeper is working with AWS to develop an Application Connector.

Fill in the Display name and Description (optional) in the application details section.

In the AWS SSO metadata section, select the download button to export the AWS SSO SAML metadata file. This file is imported into the IdP Metadata section of the Keeper SSO Connect Cloud configuration screen: upload it by browsing to it, or by dragging and dropping it into the SAML Metadata area of the Configuration screen:

Next, export the Keeper metadata file and upload it to the AWS application's metadata section. In the Keeper Admin Console, open the View screen of the Keeper SSO Connect Cloud™ provisioning method.

Enter View Screen

Click the "Export Metadata" button to download the config.xml file.

Export Keeper Metadata

Back in the AWS SSO application configuration, under Application metadata, click the Select File button and choose the config.xml file downloaded in the step above.

After saving, the message "Configuration for Keeper Password Manager has been saved" is displayed.

Note: The Keeper SSL certificate cannot be larger than 2048K, or AWS SSO rejects the metadata upload with an error.

  • Either generate a smaller SSL certificate and re-export and import the metadata file, or manually set the ACS URL and Audience URL in the AWS SSO application configuration.

Next, ensure the Keeper application attributes mapped to AWS SSO are correct (they should be set by default). Select the Attribute mappings tab. The Subject attribute maps to the AWS string value ${user:subject}, with the format left blank or set to unspecified. The Keeper attributes are set as follows:

Keeper Attribute    AWS SSO String Value    Format
Email               ${user:email}           unspecified
First               ${user:givenName}       unspecified
Last                ${user:familyName}      unspecified

Note: If the AWS email attribute is mapped to the AD UPN (which may not be the actual email address of your users), it can be re-mapped to the email address in the user's AD profile.

To make this change, navigate to the Connect Directory on the AWS SSO page.

Select the Edit attribute mappings button.

Change the AWS SSO email attribute from ${dir:windowsUpn} to ${dir:email}.

Select the Assigned users tab and then the Assign users button to choose the users or groups to assign to the application.

On the Assign Users window:

  • Select either Groups or Users

  • Type the name of a group or user

  • Select Search connect directory to run the search.

The results of the directory search will display under the search window.

Select the users/groups that are desired to have access to the application and then select the Assign users button.

Note: Keeper SSO Connect expects the SAML Response itself to be signed, not only the Assertion inside it. Ensure that your identity provider is configured to sign SAML responses; Keeper cannot verify an unsigned response.
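When a login fails after setup, the first thing to check is whether the IdP signed the Response element or only the Assertion. The following is an added example (not Keeper's code and not any IdP's): it decodes the SAMLResponse form parameter captured from the browser and reports where the ds:Signature elements sit. It checks placement only; verifying the signature needs an XML-DSig library and the IdP certificate. The sample responses, the Destination URL and the issuer are constructed for the demo, and the Signature elements in them are placeholders.

```python
"""Report where the XML signature sits in a captured SAML Response.

Added example, not code from Keeper or any identity provider. Keeper SSO
Connect expects the samlp:Response itself to be signed, while many IdPs
default to signing only the saml:Assertion inside it. Placement only;
signature verification needs an XML-DSig library and the IdP certificate.
The sample responses below are constructed; their Signature elements are
placeholders, not real signatures.
"""
import base64
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"


def signature_placement(saml_response_b64: str) -> dict:
    """Decode a SAMLResponse POST parameter and locate ds:Signature elements."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError(f"not a samlp:Response: {root.tag}")
    assertions = root.findall(f"{{{SAML}}}Assertion")
    response_signed = root.find(f"{{{DS}}}Signature") is not None
    return {
        "response_signed": response_signed,
        "assertions": len(assertions),
        "assertions_signed": [a.find(f"{{{DS}}}Signature") is not None for a in assertions],
        "encrypted_assertion": root.find(f"{{{SAML}}}EncryptedAssertion") is not None,
        # Keeper needs the Response signature; an assertion-only signature leaves
        # the Response envelope (Destination, Status) unprotected.
        "meets_keeper_requirement": response_signed,
    }


def sample_response(sign_response: bool, sign_assertion: bool) -> str:
    """Constructed sample SAMLResponse parameter (trimmed; not a real IdP message)."""
    sig = (f'<ds:Signature xmlns:ds="{DS}">'
           '<ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>')
    xml = (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" '
        'Version="2.0" Destination="https://keepersecurity.com/api/rest/sso/saml/XXXXXXXX">'
        '<saml:Issuer>https://idp.example.test/metadata</saml:Issuer>'
        f'{sig if sign_response else ""}'
        '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
        '<saml:Assertion ID="_a1" Version="2.0">'
        f'{sig if sign_assertion else ""}'
        '<saml:Subject><saml:NameID>user@example.test</saml:NameID></saml:Subject>'
        '</saml:Assertion></samlp:Response>'
    )
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    print("response signed:", signature_placement(sample_response(True, False)))
    print("assertion only: ", signature_placement(sample_response(False, True)))
```

To use it on a real login, copy the SAMLResponse value from the POST to the ACS endpoint (browser developer tools, Network tab) and pass it to signature_placement(). If response_signed is False, change the IdP's signing option (for example "Signed Response" in Google Workspace, or setSignatureType("Response") in Centrify) rather than loosening anything on the Keeper side.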

Your Keeper SSO Connect setup is now complete!

Move existing users/initial admin to SSO authentication

Users created in the root node (top level) will need to be migrated to the sub node that the SSO integration was configured on. If users remain in the root node, they will be prompted for the master password when accessing the vault and/or admin console.

An admin cannot move themselves to the SSO enabled node; another admin must perform this action.

After the user is moved to the SSO enabled node, they log into the Keeper vault initially by selecting the "Enterprise SSO" pull down and entering the Enterprise Domain configured on the SSO integration. The user may be prompted to confirm by entering the master password.

Initially select 'Enterprise SSO Login'

Once the user has authenticated with SSO, they only need to use their email address moving forward to initiate SSO authentication.

They won't have to enter the Enterprise Domain. If typing in the email address and clicking Next does not route the user to the desired SSO, ensure that just-in-time provisioning is enabled in the Keeper SSO configuration and ensure that your email domain is reserved by Keeper. More information regarding routing and domain reservation can be found here.

Auth0

How to configure Keeper SSO Connect Cloud with Auth0 for seamless and secure SAML 2.0 authentication.

Please complete the steps in the Admin Console Configuration section first.

Auth0 SSO Configuration

Login to the Admin section of the Auth0 portal.

Select the Applications tab and click Create Application. Choose Regular Web Applications.

Applications > Create Application > Regular Web Applications

Next, go to the Addons tab and click SAML2 WEB APP.

Addons > SAML2 WEB APP

On the Settings page that comes up next, you will need the “Assertion Consumer Service (ACS) Endpoint” that comes from the Keeper Admin Console.

Example Assertion Consumer Service (ACS) Endpoint: https://keepersecurity.com/api/rest/sso/saml/XXXXXXXX (the hostname depends on your Keeper data center region, e.g. keepersecurity.com for US or keepersecurity.eu for EU; always use the value shown in your own Admin Console)

This value can be found under the SSO Connect Cloud configuration as part of the Service Provider information, as seen below:

View Configuration
Copy the Assertion Consumer Service (ACS) Endpoint

Paste the Assertion Consumer Service (ACS) Endpoint into the Application Callback URL field in the Auth0 screen.

Next, remove the sample JSON in the SAML2 Web App editor window, and replace with the following:

{
  "audience": "https://keepersecurity.eu/api/rest/sso/saml/XXXXX",
  "mappings": {
    "email": "Email",
    "given_name": "First",
    "family_name": "Last"
  },
  "createUpnClaim": false,
  "passthroughClaimsWithNoMapping": false,
  "mapUnknownClaimsAsIs": false,
  "mapIdentities": false,
  "nameIdentifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
  "nameIdentifierProbes": [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
  ]
}

The value for "audience" is the Entity ID. It can also be found under the SSO Connect Cloud configuration as part of the Service Provider information; paste it exactly as shown there, since it carries your region hostname and SSO ID:

Copy the Entity ID

Once you've added the Entity ID, you can click the Debug button to verify there are no formatting issues.

Next, scroll down to the bottom of the SAML2 Web App window and click Save.

Save changes made to the SAML2 Web App settings

Next, click on the Usage tab and download the Identity Provider Metadata file.

Download IdP metadata

On the Keeper side, edit the SSO configuration and select GENERIC as the IDP Type. You can upload the metadata.xml file into the Keeper SSO Connect interface by browsing to or dragging and dropping the file into the Setup screen:

Edit the SSO Configuration
Drag and Drop the Metadata File you downloaded from Auth0 into Keeper

Move existing users/initial admin to SSO authentication

Users created in the root node (top level) will need to be migrated to the sub node that the SSO integration was configured on. If users remain in the root node, they will be prompted for the master password when accessing the vault and/or admin console.

An admin cannot move themselves to the SSO enabled node; another admin must perform this action.

After the user is moved to the SSO enabled node, they log into the Keeper vault initially by selecting the "Enterprise SSO" pull down and entering the Enterprise Domain configured on the SSO integration. The user may be prompted to confirm by entering the master password.

Initially select 'Enterprise SSO Login'

Once the user has authenticated with SSO, they only need to use their email address moving forward to initiate SSO authentication. They won't have to enter the Enterprise Domain.

If typing in the email address and clicking Next does not route the user to the desired SSO, ensure that just-in-time provisioning is enabled in the Keeper SSO configuration and ensure that your email domain is reserved by Keeper. More information regarding routing and domain reservation can be found here.

Centrify

How to configure Keeper SSO Connect Cloud with Centrify for seamless and secure SAML 2.0 authentication.

Please complete the steps in the Admin Console Configuration section first.

Centrify

Login to the Centrify Admin portal via the cloud login.

Switch to the Admin Portal from the pull down menu.

Close the Quick Start Wizard if it pops up. Select Apps from the menu then Add Web Apps.

On the Add Web Apps window, select the Custom tab and then scroll down and choose Add for SAML.

Select Yes to “Do you want to add this application?”.

Close the Add Web Apps Window.

The next step is to upload Keeper's SSO metadata to Centrify. On the Keeper Admin Console, export the SAML metadata file:

Go to View -> Export Metadata

In the SAML Application Settings section in Centrify, select Upload SP Metadata.

Select Upload SP Metadata from a file and browse for the KeeperSSOMetadata.xml file. Select Ok.

Download the Identity Provider SAML Metadata. This will be uploaded to Keeper SSO Connect.

On the Description section enter Keeper SSO Connect in the Application Name field and select Security in the Category field.

Download the Keeper logo. Select Select Logo and upload the Keeper logo (keeper60x60.png).

On the User Access section select the roles that can access the Keeper App:

Under the Account Mapping section, select "Use the following..." and input mail.

On the Advanced section, append the following lines to the script:

// Emit the three attributes Keeper expects, with these exact names.
setAttribute("Email", LoginUser.Get("mail"));   // user's mail attribute
setAttribute("First", LoginUser.FirstName);     // first string of DisplayName
setAttribute("Last", LoginUser.LastName);       // second string of DisplayName
// Sign the SAML Response itself (not only the Assertion); Keeper requires a signed response.
setSignatureType("Response");

  • The script reads the display name from the User Account section: the FirstName attribute is parsed from the first string of DisplayName and the LastName attribute from the second string.

Select Save to finish the setup.

Upload the Identity Provider SAML Metadata file into the Keeper SSO Connect Cloud instance interface by dragging and dropping the file into the edit screen:

When the upload is complete, go back one screen. The SSO integration is ready to test.

CloudGate UNO

How to configure Keeper SSO Connect Cloud with CloudGate for seamless and secure SAML 2.0 authentication.

Please complete the steps in the Admin Console Configuration section first.

CloudGate SSO Configuration

(1) Log into the CloudGate Administrator console.

Click the Administration tile on the menu.

(2) Next, Select the Service Provider menu item and click Add Service Provider.

On the "Add Service Provider" page, search for Keeper in the search bar. Select and click the "Keeper SSO Connect Cloud" icon.

(3) On the General Settings tab, set the Display name to "Keeper_SSO_Cloud_Connect" or whatever you prefer.

(4) Next, on the SSO Settings tab, you need the Entity ID and the other Service Provider values (ACS endpoint, etc.) shown in the Keeper Admin Console.

Copy and paste the Entity ID and the other Service Provider values into the SSO Settings page in the CloudGate screen.

Your SSO ID can be found at the end of your SP Entity ID. Ex: https://keepersecurity.com/api/rest/sso/saml/3534758084794

(5) Click Add the Additional Attributes, and set Field Name to "Email" and the Value to "${MAIL_ADDRESS}". Now you can save the configuration.

(Optional) Enable Single Logout

If you would like to enable the Single Logout feature in CloudGate, go to the SSO Settings tab and enter Logout URL and then upload the SP Cert which comes from the Keeper Admin Console.

To first download the SP Cert, view the SSO configuration on Keeper and click the Export SP Cert button.

Next, Copy and Paste the SLO Endpoint information into the SSO Settings page in the CloudGate screen.

(6) The last step is to export the metadata from "IDP Information for SAML2.0" on the SSO Settings tab and import it into Keeper SSO Connect Cloud™.

Export CloudGate Metadata

Set the IDP Type to GENERIC and upload this file into the Keeper SSO Connect Cloud™ provisioning interface by dragging and dropping the file into the edit screen:

Assign Users

From CloudGate, you can now add users at User Settings tab on User Management page.

Assign Users

Make sure each user has an "Email address" value on the User Settings tab of the User Management page.

Assign Groups

Click "Save" to complete the configuration of Keeper SSO Connect Cloud with CloudGate.

Your Keeper SSO Connect setup is now complete!

CloudGate SCIM Provisioning

To enable CloudGate SCIM user and group provisioning, follow the instructions on this page within the Keeper Enterprise Guides.

Move existing users/initial admin to SSO authentication

Users created in the root node (top level) will need to be migrated to the sub node that the SSO integration was configured on. If users remain in the root node, they will be prompted for the master password when accessing the vault and/or admin console.

An admin cannot move themselves to the SSO enabled node; another admin must perform this action.

After the user is moved to the SSO enabled node, they log into the Keeper vault initially by selecting the "Enterprise SSO" pull down and entering the Enterprise Domain configured on the SSO integration. The user may be prompted to confirm by entering the master password.

Initially select 'Enterprise SSO Login'

Once the user has authenticated with SSO, they only need to use their email address moving forward to initiate SSO authentication.

They won't have to enter the Enterprise Domain. If typing in the email address and clicking Next does not route the user to the desired SSO, ensure that just-in-time provisioning is enabled in the Keeper SSO configuration and ensure that your email domain is reserved by Keeper. More information regarding routing and domain reservation can be found here.

DUO SSO

How to configure Keeper SSO Connect Cloud with DUO SSO for seamless and secure SAML 2.0 authentication.

Please complete the steps in the Admin Console Configuration section first.

Duo Setup

These instructions assume Duo has already been enabled and configured with an authentication source (Active Directory or an IdP). To activate Duo SSO, open the "Single Sign-On" section of your Duo Admin Panel.

Step 1: DUO SSO Configuration

Log in to the Duo Admin Panel and click Protect an Application. Search for Keeper and choose Keeper Security with type "2FA with SSO hosted by Duo (Single Sign-On)" in the applications list then click "Protect" (shown below as Configure).

Protect Keeper Security SSO Type

Step 2: Metadata

The Download section is where you can download the SAML metadata file to upload into your SSO provisioning method.

Download DUO Metadata file

Back on the Keeper Admin console, locate your DUO SSO Connect Cloud Provisioning method and select Edit.

Edit DUO SSO Provisioning Method

Scroll down to the Identity Provider section, set IDP Type to DUO SSO, select Browse Files and select the DUO Metadata file previously downloaded.

Still within the Keeper Admin Console, exit Edit View and select View on your DUO SSO Connect Cloud Provisioning method. Within the Service Provider section you will find the metadata values for the Entity ID, IDP Initiated Login Endpoint and Assertion Consumer Service (ACS) Endpoint.

Single Logout Service (SLO) Endpoint is optional.

View DUO SSO Provisioning Method

Return to the application page in your Duo Admin Panel and paste the Entity ID, Login Endpoint and ACS Endpoint into the Service Provider section.

Keeper Metadata Info

Step 3: Map User Attributes

Within the SAML Response section, scroll down to Map attributes and map the following attributes.

Ensure that 3 attributes ("First", "Last" and "Email") are configured with the exact spelling as seen below.

User Attributes

Step 4: Policy (optional)

The Policy section defines when and how users authenticate when accessing this application. Your global policy always applies, but you can override its rules with custom policies.

User or Group Policy

Step 5: Global Policy

Within the Global Policy section, review, edit and verify the Global Policy as required by your Duo and/or Keeper administrators.

Success! Your Keeper Security EPM - Single Sign-On setup is now complete!

Troubleshooting

If you need assistance implementing the Keeper Security EPM - Single Sign-On application within your DUO environment, please contact the Keeper support team.

Moving Existing Users to Duo SSO

Users created in the root node (top level) in the Keeper Admin Console will need to be moved to the SSO node if you want the users to login with Duo. An admin cannot move themselves to the SSO enabled node, another admin must perform this action.

After the user is moved to the SSO enabled node, they can login to the Keeper vault by simply typing their email address and clicking "Next". If this does not work, please ensure that your email domain (e.g. company.com) has been reserved to your enterprise and ensure that Just-In-Time provisioning is enabled.

To onboard with the Enterprise Domain, the user can select the "Enterprise SSO" pull down and type in the Enterprise Domain configured in the Keeper Admin Console.

Initially select 'Enterprise SSO Login'

Once the user has authenticated with SSO for the first time, they only need to use their email address next time to initiate SSO authentication.

If typing in the email address and clicking Next does not route the user to the desired SSO, ensure that just-in-time provisioning is enabled in the Keeper SSO configuration and ensure that your email domain is reserved by Keeper. More information regarding routing and domain reservation can be found here.

Entra ID (Azure AD)

How to configure Keeper SSO Connect Cloud with Microsoft Entra ID (formerly Azure AD) for seamless and secure SAML 2.0 authentication.

Please complete the steps in the Admin Console Configuration section first.

Overview

Keeper is compatible with all Microsoft Azure AD / Entra ID environments for SAML 2.0 authentication and automated provisioning.

  • Keeper applications (including Web Vault, Browser Extension, Desktop App and iOS/Android apps) are 100% compatible with conditional access policies.

  • Keeper supports both commercial (portal.azure.com) and Azure Government Cloud (portal.azure.us) environments.

Azure Setup

Watch the following video to learn more about setting up Azure with SSO Connect Cloud.

Setting Up Azure with SSO Connect Cloud

Please follow the below steps.

(1) Add the Keeper Enterprise Application

Go to your Azure Admin account at https://portal.azure.com and click on Azure Active Directory > Enterprise Applications. Note: If you already have a Keeper application set up for SCIM Provisioning, you can edit the existing application.

For US Public Sector entities, login to https://portal.azure.us and follow the same steps as outlined in this document.

Enterprise Applications

(2) Click on "New Application" then search for Keeper and select "Keeper Password Manager & Digital Vault".

(3) Click "Create" to create the application.

(4) Click on "Set up single sign on", then click "SAML".

(5) Export the Keeper SAML metadata. The SSO provisioning method MUST be configured on the target node before the metadata is exported:

  1. Open the Keeper Admin Console and navigate to the "Admin" screen.

  2. Select the target node and click on the "Provisioning" tab.

  3. Choose "SSO Connect Cloud" and click Next.

  4. Input the required configuration information and click Next.

  5. The Metadata Export button will then appear; download the file.

(6) Upload the metadata file into the Azure interface by selecting the "Upload metadata file" button, choosing the file just downloaded from the Keeper Admin Console and pressing the Add button.

(7) Azure will open up the SAML configuration screen.

The red error on the missing "Sign on URL" field is expected.

To fix the error, copy the URL from the "IDP Initiated Login Endpoint" from the Admin Console SSO Cloud instance "view" screen, and paste it into the "Sign on URL" field.

Copy-paste the "IdP Initiated Login Endpoint" to "Sign on URL"

Single Logout Service Endpoint ("SLO")

This is the URL endpoint at Keeper to which your identity provider will send logout requests. Single Logout is optional and this is something you configure at your identity provider.

Logout Url

For control over Keeper-initiated Single Logout behavior with the identity provider, see this page.

By default, Keeper will force a logout session with Entra/Azure after logging out. If you would like to remove this behavior, edit the Azure metadata file before uploading it to Keeper and remove the SingleLogoutService line. For security reasons, we recommend keeping this in place: with Single Logout, logging out of Keeper also ends the Entra ID session, so a still-valid IdP session is not left behind on a shared or unattended device.

SingleLogoutService

(8) Click on Save then close the window with the SAML configuration.

(9) After saving, you'll be asked to test the configuration. Don't do this. Wait a couple seconds then reload the Azure portal page on the web browser. Now, there should be a certificate section that shows up in the "SAML Signing Certificate" area.

Click on "Download" under the Federation Metadata XML section:

Download Metadata file

(10) Upload the Metadata file into the Keeper Admin Console

In the Admin Console, select Azure as the Identity Provider type and import the Federation Metadata file saved in the previous step into the SAML Metadata section.

Upload SAML Metadata into Keeper

(11) Edit User Attributes & Claims

Under the User Attributes section, Azure will automatically create claims for User ID, First, Last and Email.

We recommend deleting the 4 claims in the "Additional Claims" section since they are not needed.

Delete Additional Claims

In your environment, if user.userprincipalname (UPN) is not the same as the user's actual email address, edit the Email claim and change its value to user.mail, so that the Email attribute Keeper receives matches the address the user logs in with.

ForceAuthn Setting

In the Keeper Admin Console, there is an option to enforce a new login session with the identity provider. When ForceAuthn="true" is set in the SAML request, the Service Provider (Keeper) tells the IdP to authenticate the user again even if they already hold a valid IdP session. This may be the desired behavior depending on your security policies and end-user environment.

Optional ForceAuthn Setting
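The ForceAuthn setting changes one attribute on the AuthnRequest Keeper sends. The following is an added example (not Keeper's code) that builds a minimal SP-initiated AuthnRequest with and without the flag, encodes it the way the HTTP-Redirect binding does (raw DEFLATE, base64, URL-encode), and then decodes a redirect URL back to show the fields an admin checks when debugging. Use the decoder on the SAMLRequest parameter in the browser's address bar to confirm what Keeper actually sent. The SP Entity ID, ACS URL and IdP endpoint are placeholders, not values from the page.

```python
"""Build and inspect a SAML AuthnRequest carrying ForceAuthn (HTTP-Redirect binding).

Added example, not Keeper's code. Entity IDs and endpoints are placeholders.
"""
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Placeholders: take the real values from the SSO Connect Cloud "View" screen.
SP_ENTITY_ID = "https://keepersecurity.com/api/rest/sso/saml/XXXXXXXX"
ACS_URL = "https://keepersecurity.com/api/rest/sso/saml/XXXXXXXX"
IDP_SSO_URL = "https://login.microsoftonline.com/TENANT-ID/saml2"


def build_authn_request(sp_entity_id: str, acs_url: str, idp_sso_url: str, force_authn: bool) -> str:
    """Minimal SP-initiated AuthnRequest; ForceAuthn is only emitted when requested."""
    force = ' ForceAuthn="true"' if force_authn else ""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        'ID="_demo123" Version="2.0" IssueInstant="2025-01-01T00:00:00Z" '
        f'Destination="{idp_sso_url}" AssertionConsumerServiceURL="{acs_url}" '
        f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"{force}>'
        f'<saml:Issuer>{sp_entity_id}</saml:Issuer>'
        '</samlp:AuthnRequest>'
    )


def to_redirect_url(idp_sso_url: str, authn_request_xml: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode as SAMLRequest."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)      # -15: raw deflate, no zlib header
    deflated = comp.compress(authn_request_xml.encode()) + comp.flush()
    param = base64.b64encode(deflated).decode()
    return idp_sso_url + "?" + urllib.parse.urlencode({"SAMLRequest": param})


def inspect_redirect_url(url: str) -> dict:
    """Reverse the binding and report the fields an admin checks when debugging."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    raw = zlib.decompress(base64.b64decode(query["SAMLRequest"][0]), -15)
    req = ET.fromstring(raw)
    if req.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError(f"unexpected root element {req.tag}")
    issuer = req.find(f"{{{SAML}}}Issuer")
    return {
        "issuer": issuer.text if issuer is not None else None,
        "destination": req.get("Destination"),
        "acs_url": req.get("AssertionConsumerServiceURL"),
        # An absent ForceAuthn means false: the IdP may silently reuse its session.
        "force_authn": req.get("ForceAuthn", "false").lower() == "true",
    }


if __name__ == "__main__":
    for flag in (False, True):
        xml = build_authn_request(SP_ENTITY_ID, ACS_URL, IDP_SSO_URL, flag)
        print(inspect_redirect_url(to_redirect_url(IDP_SSO_URL, xml)))
```

The inspector also shows the Destination and AssertionConsumerServiceURL, which is useful when the IdP complains about an audience or reply-URL mismatch: the values must equal what was configured in the IdP application, down to the region hostname.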

Certificate Renewal Reminder

Entra ID / Azure AD SAML signing certificates expire after a fixed term (this guide assumes one year; confirm the actual expiration date shown in the "SAML Signing Certificate" section of the enterprise application).

Ensure that you set yourself a calendar reminder to update the SAML certificate before it expires, or your Keeper users will not be able to log in until it is updated.

For instructions on renewing the certificate, see the Certificate Renewal page.

User Provisioning

Users can be provisioned to the Keeper application through the Azure portal using manual or automated provisioning.

Manual

If only specific users or groups will be assigned to Keeper Password Manager the following setting will need to be changed. In your Azure console, navigate to Azure Active Directory > Enterprise Applications > Keeper Password Manager & Digital Vault and select Properties.

Properties

Change the User assignment required to Yes and then save. This will ensure only the user and groups assigned to the application will be able to use it.

User Assignment Settings

On the Users and groups section select the users and/or groups that are to be provisioned to the Keeper application.

Assign Users and Groups

Automated provisioning with SCIM

For Step-By-Step instructions, please refer to this URL: https://docs.keeper.io/enterprise-guide/user-and-team-provisioning/azure-ad-provisioning-scim

Move existing users/initial admin to SSO authentication

Users created in the root node (top level) will need to be migrated to the sub node that the SSO integration was configured on. If users remain in the root node, they will be prompted for the master password when accessing the vault and/or admin console.

An admin cannot move themselves to the SSO enabled node. It requires another admin to perform this action.

Vault Login with Email

For any reserved domain that has just-in-time provisioning enabled, the user can simply type in their email address on the Vault login screen and they will be routed to the correct SSO provider. From here, the user can create their vault or login to an existing vault.

Vault Login with Email

Vault Login with Enterprise Domain

If the domain is not reserved, the user can log into the Keeper vault initially by selecting the "Enterprise SSO" pull down and entering the Enterprise Domain configured on the SSO integration. The user may be prompted to confirm by entering the master password if they were recently moved from a non-SSO node to the SSO node.

Initially select 'Enterprise SSO Login'

Once the user has authenticated with SSO, they only need to use their email address moving forward to initiate SSO authentication.

If typing in the email address and clicking Next does not route the user to the desired SSO, ensure that just-in-time provisioning is enabled in the Keeper SSO configuration and ensure that your email domain is reserved by Keeper. More information regarding routing and domain reservation can be found here.

IdP-Initiated Login

Keeper supports IdP-initiated login with Azure. Users can simply visit their Apps Dashboard at:

https://myapplications.microsoft.com/ This will load their assigned Keeper application and the user can click the icon.

Azure IdP-initiated Login from the Microsoft Apps Dashboard

F5

How to configure Keeper SSO Connect Cloud with F5 BIG-IP APM for seamless and secure SAML 2.0 authentication.

Please complete the steps in the Admin Console Configuration section first.

F5

On the F5 BIG-IP APM, configure a new SAML IdP service for Keeper: go to Access Policy > SAML > BIG-IP as IdP > Local IdP Services. Select the applicable IdP service and click "Export Metadata".

Import the Metadata file extracted from F5 BIG-IP APM into SSO Connect Cloud instance and select F5 as the IDP Type.

Select Save to save the configuration and verify all settings look correct. Export the Keeper SSO Connect Cloud Metadata file for configuration of F5 BIG-IP APM from the Export Metadata link.

Your Keeper SSO Connect setup is now complete!

Google Workspace

How to configure Keeper SSO Connect Cloud with Google Workspace for seamless and secure SAML 2.0 authentication, user provisioning and group provisioning.

Please complete the steps in the Admin Console Configuration section first.

Google Workspace supports the following integration with Keeper:

  • SSO authentication with SAML 2.0

  • Automatic Provisioning with Google Cloud APIs and SCIM (Users and Groups)

  • Automatic Provisioning with SCIM (Users only)

You can configure with SSO, SSO+Provisioning or Provisioning by itself.

Google Workspace SAML Configuration

To access Google Workspace Admin Console, login to https://admin.google.com/

Visit the Apps > Web and Mobile Apps screen.

Web and mobile apps

Then select "Add App" and select "Search for apps".

Add new Keeper SAML App

In the "Enter app name" search area, search for "Keeper" and select the "Keeper Web (SAML)" app.

Select Keeper Web (SAML) app

Setup Keeper App

Use Option 1 to Download IdP metadata and then select Continue.

Download Google Metadata

Service Provider Details

On the Service Provider Details screen, there are a few fields to fill out. You will replace the ACS URL and the Entity ID with the values that you'll be using from your SSO Connect Cloud instance.

Keeper SP Details

To obtain the ACS URL and Entity ID, locate your SSO Connect Cloud Provisioning method, within the Keeper Admin Console, and select View.

SSO Connect Cloud Info

Within the Service Provider section you will find the values for the ACS URL and Entity ID.

ACS URL and Entity ID

Copy and paste the ACS URL and Entity ID into the Service Provider Details, select "Signed Response" (Keeper requires the SAML response to be signed) and select CONTINUE.

Keeper SP Details Filled

Attribute Mapping

In the Attributes screen, ensure that there are 3 mappings exactly as they appear below. Set the mappings field to "First Name", "Last Name" and "Primary Email", as displayed below, and select Finish. You have completed your Google Workspace SAML integration into Keeper.

If you have selected / created a Custom SAML App, you'll need to click on "Add New Mapping" to create the 3 fields: First, Last and Email. The spelling needs to be exact.

Google Attributes

Keeper SAML App Details

Once complete, you will be taken to the Keeper SAML App Details page, which gives a quick overview of the SAML connection and service. Click the area that reads "OFF for everyone" to enable SSO for your users.

Enable SSO Connect on Everyone

To enable Keeper SSO Connect, for your users, select ON for everyone and select SAVE.

Enable SSO Connect on Groups

To enable Keeper SSO Connect for specific groups, select Groups to the left of the Service status, search for and select the group you want associated with the Keeper SSO Connect app, tick "ON", then select SAVE.

Note: Google does not currently support Group provisioning to Keeper teams.

Import Google Workspace Metadata

Back on the Keeper Admin console, locate your SSO Connect Cloud Provisioning method and select Edit.

Edit SSO Connect Cloud

Select Browse Files and select the Google Metadata file previously downloaded.

Upload Google Metadata File

You will know this was successful when your metadata file reflects within your provisioning method. You may now exit the provisioning configuration.

Note about Single Logout (SLO) Settings with Google Workspace

As of 2022, Google's default configuration does not enable Single Logout, so logging out of Keeper does not also log the user out of Google.

SSO Setup Complete!

Your Keeper SSO Connect setup with Google Workspace is now complete! Users can now login into Keeper using their Google account by following the below steps:

  1. Open the Keeper vault and click on "Enterprise SSO Login".

  2. Type in the Enterprise Domain that was provided to the Keeper Admin Console when setting up SSO. On the SSO Connect status screen it is called "SSO Connect Domain".

  3. Click "Connect" and login with your Google Workspace credentials.

For the end-user experience (Keeper-initiated Login Flow) see the guide below: https://docs.keeper.io/user-guides/enterprise-end-user-setup-sso#keeper-initiated-login-flow

End-user Video Tour for SSO Users is here: https://vimeo.com/329680541

User and Team Provisioning

Next, we'll show how to configure User and Team Provisioning from Google Workspace. There are two methods of integrating with Google Workspace.

Option 1 (Recommended): Provisioning Users and Groups

Since Google Workspace doesn't natively support SCIM Groups, Keeper has developed a Google Cloud Function that integrates with Google Workspace for automated user and group provisioning. Step by step instructions for setting up this service are documented below:

Google Workspace User and Team Provisioning with Cloud Service

Option 2: Provisioning Users Only

To provision users directly from Google Workspace to Keeper using a direct SCIM integration, follow the guide below (this only provisions users, not groups):

Google Workspace User Provisioning with SCIM

Google Workspace User and Group Provisioning with Cloud Function

Step by Step guide to automatically provisioning Users and Groups from Google Workspace using a Cloud Function

Overview

This document describes how to automatically provision users from Google Workspace to Keeper using a Google Cloud Function, which includes the provisioning of Users, Groups and user assignments. User and Team Provisioning provides several features for lifecycle management:

  • You can specify which Google Groups and/or users are provisioned to Keeper

  • Matching of Groups can be performed by Group name or Group email

  • Google Groups assigned to Keeper are created as Keeper Teams

  • Keeper Teams can be assigned to Shared Folders in the vault

  • New users added to the group are automatically invited to Keeper

  • Group and user assignments are applied every sync

  • When a user is de-provisioned, their Keeper account will be automatically locked

  • The process is fully cloud-based. No on-prem infrastructure or services are required.

  • Processing can be performed on your desired scheduler or on-demand

The setup steps in this section allow you to provision users and groups from your Google Workspace account. Setting up this method requires access to several resources:

  • Google Cloud

  • Google Workspace

  • Keeper Admin Console

  • Keeper Vault

  • Keeper Secrets Manager

Keeper Secrets Manager is used in this implementation so that the Cloud Function retrieves the Google service account key and the SCIM token from a vault record at run time, rather than having them stored in the function itself; this keeps the integration between Google and Keeper at least privilege. If you don't use Keeper Secrets Manager, please contact the Keeper customer success team.

STEP 1: Create a Google Cloud Project

Log in to Google Cloud and create a project or choose an existing one. The project name can be "Keeper SCIM Push" or whatever you prefer.

Create a New Google Cloud Project

STEP 2: Enable the Admin SDK API

  • In the APIs & Services click +ENABLE APIS AND SERVICES

  • In the Search for APIs & Services enter Admin SDK API

  • Click ENABLE

Enable APIs and Services
Enable Admin SDK API

STEP 3: Create a Service Account

The service account created here will be used to access the Google Workspace user and group information.

  • In the IAM and Admin menu select Service accounts

  • Click +CREATE SERVICE ACCOUNT with suggested service account name: keeper-scim

Create Service Account

For newly created service account click Actions/dots and select Manage Keys

Create Keys and credentials.json

Click ADD KEYS -> Create New Key. Choose JSON key type then CREATE

A JSON file with service account credentials will be downloaded to your computer

Create new key
Select JSON format

Rename this file to credentials.json and keep it for Step 10, where it is added as a file attachment to the Keeper configuration record.

Save as credentials.json

STEP 4: Copy the Client ID

Navigate to your Service Account and select DETAILS tab > Advanced Settings

In the Domain-wide delegation section copy the Client ID. You will need to grant this Client ID access to the Google Workspace Directory in the next step.

Copy the Client ID

STEP 5: Authorize Service Account on Google Workspace

In the Google Workspace Panel (https://admin.google.com):

  • Navigate to Security -> API controls

  • Under the Domain wide delegation click MANAGE DOMAIN WIDE DELEGATION

  • Click Add new in API Clients

  • Paste the Client ID (copied from previous step)

Paste the following text into OAuth scopes (comma-delimited)

https://www.googleapis.com/auth/admin.directory.group.readonly,https://www.googleapis.com/auth/admin.directory.group.member.readonly,https://www.googleapis.com/auth/admin.directory.user.readonly
Add a new client ID

Click AUTHORIZE. These scopes grant the service account read-only access to the Google Workspace Directory users, groups and group membership; no write scope is required.

STEP 6: Retrieve the Primary Email

  • In Google Workspace (https://admin.google.com), navigate to Account -> Account settings

  • Copy the Primary admin email (upper right area) to the clipboard; it is entered in the Login field of the Keeper record in Step 10.

Get the primary admin email

STEP 7: Create a Shared Folder in your Keeper Vault

In your Keeper Vault, create a new Shared Folder. This folder can be named anything, for example "Google SCIM Push". The user and record permissions for this folder can be set any way you prefer.

Create New Shared Folder

STEP 8: Create a Secrets Manager Application

Assuming that you have Keeper Secrets Manager enabled and activated for this vault, click on Secrets Manager from the left side and then select Create Application.

Create Application

Call the Application name "Google SCIM Push" (or whatever you prefer) and click Generate Access Token. This token will be discarded and not used in this scenario.

Generate Access Token

Next, select the "Google SCIM Push" application from the list, and click on Edit then Add Device.

Edit Application
Add Device

Select the base64 configuration and download it to your computer.

Save the file to your computer as config.base64.

Save config.base64

STEP 9: Create a SCIM Provisioning Method

From the Keeper Admin Console, go to the Provisioning tab for the Google Workspace node and click "Add Method".

Select SCIM and click Next.

SCIM Configuration in Keeper

Click on "Create Provisioning Token"

Create Provisioning Token

The URL and Token displayed on the screen are used in Step 10. Save both values in a file somewhere temporarily, then click Save.

Save SCIM URL and Token

Make sure both parameters (URL and Token) are saved before you click Save; the record created in Step 10 depends on them.

STEP 10: Create a Keeper Record in the Shared Folder

Inside the Shared Folder created in Step 7, create a Keeper record with the following fields:

  • Login: the Google Workspace admin email (the primary admin email copied in Step 6)

  • Password: the SCIM Token generated in Step 9

  • Website Address: the SCIM URL generated in Step 9

  • credentials.json: the file attachment from Step 3 containing the Google service account key

  • SCIM Group: a multi-line custom text field listing the groups to be provisioned, each given as the Group Email or the Group Name

All listed groups, and all users within them, will be provisioned to Keeper.

Keeper Vault Record

Each entry in the list may be the Group Email address or the Group Name; Keeper matches on either value and provisions the associated groups and users. The match is an exact string comparison, so Group Name and Group Email are CASE SENSITIVE.

At this point, the configuration on Keeper is complete. The remaining steps are performed back on the Google Cloud console by setting up a Cloud Function.

STEP 11: Create the Google Cloud Function

From the Google Cloud console, open Cloud Functions and then click CREATE FUNCTION.

Create Function

Under Basics:

  • Select environment of "2nd gen"

  • Select Function name of keeper-scim-push

  • Select your preferred region and note this for later

  • Trigger is HTTPS

  • Authentication set to Require authentication

Under Advanced -> Runtime:

  • Memory allocated: 256MiB

  • CPU: 0.333

  • Timeout: 120 seconds

  • Concurrency: 1

  • Autoscaling min: 0

  • Autoscaling max: 1

  • Runtime service account: select the Default compute service account

If the Default compute service account does not exist yet, select a different account temporarily then go back and edit the service account after saving.

Below is an example full configuration:

Runtime Settings

In the Runtime environment variables:

Create two variables:

  • Set Name 1 to KSM_CONFIG_BASE64 and Value 1 to the contents of the KSM configuration file generated in Step 8

  • Set Name 2 to KSM_RECORD_UID and Value 2 to the record UID created in the vault in Step 10.

You can find the Record UID by clicking on the (info) icon from the Keeper vault record. Click on the Record UID to copy the value.

Runtime environment variables

Click on CONNECTIONS and select "Allow internal traffic only"

Allow internal traffic only

Scroll down and click NEXT to upload the Cloud Function source.

Click NEXT

STEP 12: Upload the Cloud Function Source

  • Visit the Keeper Google SCIM Push release page: https://github.com/Keeper-Security/ksm-google-scim/releases

  • Download the source.zip file and save it to your computer

Cloud Function Code Source
  • Select Runtime of Go 1.21

  • Select Source code of Zip Upload

  • Type Entry point of GcpScimSyncHttp

  • Zip upload destination bucket: Create a bucket with any name you choose, using the default bucket permissions (not public).

  • Zip file: upload the source.zip file saved from the above step

Click DEPLOY to create the Cloud Function. After a few minutes, the function will be created and published.

The function is private and requires authentication, so the next step is to create a Cloud Scheduler job that invokes it with an OIDC token.

STEP 13: Copy the Cloud Function URL

From the Cloud Function screen, copy the URL as seen below:

Copy Cloud Function URL

STEP 14: Create the Cloud Scheduler

From the Google Cloud console, search for Cloud Scheduler and open it.

Cloud Scheduler
  • Click SCHEDULE A JOB

Define the schedule:

  • Set any description, such as "Keeper SCIM Push for Google Workspace"

  • Set the frequency, for example 0 * * * * for running once per hour

  • Set the Timezone according to your location

  • Set the Target type to HTTP

  • Set the URL to the Cloud Function URL copied from Step 13 above

  • Set the HTTP method to GET

  • Set the Auth Header to Add OIDC token

  • Set the Service account to Default compute service account

  • Click CONTINUE then CREATE

STEP 15: Test the Scheduler

On the Scheduler Jobs screen, the job will now be listed. To force execution, click on the overflow menu on the right side and select Force run.

This will execute the Cloud Function immediately.

If successful, the status of last execution will show success:

Scheduler Success

To ensure that Keeper received the sync information, login to the Keeper Admin Console. You will see a list of any pending / invited users, teams and team assignments.

Step 16: Delete Local Files

Once the process is working successfully, delete all local files and secrets created during this process.

IMPORTANT: Delete all local or temporary files on your computer, such as:

  • config.base64 file

  • credentials.json file

  • SCIM tokens

  • Any other screenshots or local files generated in this process

Destructive Operations

By default, "unmanaged" teams and team assignments in the Keeper Admin Console are not deleted during the sync process. If you prefer the sync to delete unmanaged teams or team assignments, add a custom field named "Destructive" to the Keeper record with one of the following values:

  • -1: nothing is deleted on the Keeper side during sync

  • 0 (default): only SCIM-controlled Groups and Memberships can be deleted during sync

  • 1: any manually created or SCIM-controlled Groups and Memberships can be deleted during sync

Debug Logging

Add a custom field named "Verbose" to the Keeper record to produce verbose output in the Google Cloud Function logs:

  • 0 (default): no logging

  • 1: verbose logging enabled

Example of Verbose and Destructive Settings in Keeper Record

Important Syncing Notes:

  • Keeper performs exact string matches on the Group Name or Group Email address when provisioning with the Cloud Function; both values are case sensitive.

  • Users in an invited state are not added to their assigned teams until the user has created their vault and the Keeper administrator logs in to the Admin Console. Team membership is also applied when another member of the team logs in to the vault, or when the administrator clicks "Sync" in the Admin Console.

  • Some operations such as the creation of Teams can only occur upon logging into the Keeper Admin Console, or when running the Keeper Automator service. This is because encryption keys need to be generated.

  • For large deployments, we recommend setting up the Keeper Automator service to automate and streamline the process of device approvals, user approvals and team approvals.

  • When you would like to add new Groups, simply add them to the list inside the Keeper vault record as described in Step 10. Keeper will search on either Group email or Group name when identifying the target.

  • Nested groups in Google Workspace will be flattened when syncing to Keeper. Users from the nested groups are added to the parent group on the Keeper side.
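To make the "Destructive" values and the matching rules above concrete, here is an added example that models them in Python on constructed sample data. It is not the ksm-google-scim Cloud Function and not Keeper's code; it calls neither Google nor Keeper. The directory of three Google groups, the two existing Keeper teams and the "SCIM Group" list (one name, one email, and one wrong-case entry) are invented for the demonstration. One assumption is mine rather than stated in the guide: a membership counts as SCIM-controlled when the team it belongs to was created by the sync.

```python
"""Illustrative model of the team sync rules described in this guide (not Keeper's code).

Rules modelled:
  * an entry in the SCIM Group list matches a Google group by exact, case-sensitive
    Group Name OR Group Email
  * nested Google groups are flattened into the parent team on the Keeper side
  * Destructive -1: nothing removed; 0 (default): only SCIM-controlled teams and their
    memberships may be removed; 1: manually created teams/memberships may be removed too
Assumption (not in the guide): a membership is SCIM-controlled when its team was created by the sync.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class GoogleGroup:
    name: str
    email: str
    members: set[str] = field(default_factory=set)  # user emails
    nested: set[str] = field(default_factory=set)   # emails of member groups


@dataclass
class KeeperTeam:
    name: str
    members: set[str]
    scim_controlled: bool  # True when an earlier sync created the team


def select_groups(wanted, directory):
    """Google groups whose name OR email appears verbatim in the SCIM Group list."""
    return [g for g in directory.values() if g.name in wanted or g.email in wanted]


def flatten(group, directory, seen=None):
    """All user emails in the group, including nested groups (cycle-safe)."""
    seen = set() if seen is None else seen
    if group.email in seen:
        return set()
    seen.add(group.email)
    users = set(group.members)
    for sub in group.nested:
        if sub in directory:
            users |= flatten(directory[sub], directory, seen)
    return users


def plan_sync(wanted, directory, keeper_teams, destructive=0):
    """Actions one sync would apply to Keeper, as (op, team[, user]) tuples."""
    desired = {g.name: flatten(g, directory) for g in select_groups(wanted, directory)}

    def may_remove(team):  # the "Destructive" field decides what may be torn down
        return destructive == 1 or (destructive == 0 and team.scim_controlled)

    actions = []
    for name, users in desired.items():
        team = keeper_teams.get(name)
        if team is None:                                   # new team: create and fill it
            actions.append(("create_team", name))
            actions += [("add_member", name, u) for u in sorted(users)]
            continue
        actions += [("add_member", name, u) for u in sorted(users - team.members)]
        if may_remove(team):
            actions += [("remove_member", name, u) for u in sorted(team.members - users)]
    for name, team in keeper_teams.items():                # teams no longer in the list
        if name not in desired and may_remove(team):
            actions.append(("delete_team", name))
    return actions


# Constructed sample data (no real tenant).
DIRECTORY = {
    "eng@example.com": GoogleGroup("Engineering", "eng@example.com",
                                   {"alice@example.com"}, {"sre@example.com"}),
    "sre@example.com": GoogleGroup("SRE", "sre@example.com", {"bob@example.com"}),
    "sales@example.com": GoogleGroup("Sales", "sales@example.com", {"carol@example.com"}),
}
KEEPER_TEAMS = {
    "Engineering": KeeperTeam("Engineering", {"alice@example.com", "dave@example.com"}, True),
    "Legacy": KeeperTeam("Legacy", {"erin@example.com"}, False),
}
# Contents of the "SCIM Group" field: a name, an email, and a wrong-case entry
# ("sre" instead of "SRE") that therefore matches nothing.
WANTED = ["Engineering", "sales@example.com", "sre"]


def demo(destructive=0):
    return plan_sync(WANTED, DIRECTORY, KEEPER_TEAMS, destructive)


if __name__ == "__main__":
    for mode in (-1, 0, 1):
        print(f"Destructive={mode}:")
        for action in demo(mode):
            print("  ", action)
```

Running it shows that with Destructive=0 the user dropped from the Google group (dave) is removed from the SCIM-controlled Engineering team while the manually created Legacy team is left alone; Destructive=1 also deletes Legacy, and -1 removes nothing. The nested SRE group's member (bob) lands in Engineering, and the lowercase "sre" entry matches nothing because the comparison is exact.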

Updating the Cloud Function Source

When new versions of the Cloud Function are created, updating the code is very simple:

  • Download a new source.zip file from the Releases page of the ksm-google-scim Github repo

  • Navigate to the Cloud Functions area of Google Cloud

  • Click on the cloud function details and click EDIT

  • Click on Code

  • Under Source code select "ZIP Upload"

  • Select the source.zip file saved to your computer

  • Click DEPLOY

  • Wait a few minutes for the new function to deploy

  • Navigate to Cloud Scheduler

  • Click on Actions > Force Run

Google Workspace User Provisioning with SCIM

Directly integrating SCIM into Google Workspace for User provisioning

This document provides instructions for provisioning users from Google Workspace to Keeper using a direct SCIM integration. This method does not support pushing Groups and Group assignments. If you require group push and group assignments, use the Google Workspace User and Team Provisioning with Cloud Function guide instead.

Overview

User Provisioning provides several features for lifecycle management:

  • New users added to Google Workspace will get an email invitation to set up their Keeper vault

  • Users can be assigned to Keeper on a user or team basis

  • When a user is de-provisioned, their Keeper account will be automatically locked

From the Keeper Admin Console, go to the Provisioning tab for the Google Workspace node and click "Add Method".

Select SCIM and click Next.

Click on "Create Provisioning Token"

The URL and Token displayed on the next screen will be provided to Google in the Google Workspace Admin Console. Save the URL and Token in a file somewhere temporarily and then click Save.

Make sure to save these two parameters (URL and Token) and then click Save or else provisioning will fail.

Back on the Google Workspace admin console, go to Home > Apps > SAML Apps and click on the "Provisioning Available" text of the Keeper app you set up.

Select Configure auto-provisioning towards the bottom of the page.

SCIM Provisioning

STEP 1: App authorization

Paste the Access Token previously saved when you created your SCIM Provisioning Method in the Keeper Admin Console and select CONTINUE.

STEP 2: Endpoint URL

Paste the Endpoint URL previously saved when you created your SCIM Provisioning Method in the Keeper Admin Console and select CONTINUE.

STEP 3: Default Attribute Mappings

Leave the default Attribute mappings as they are and click CONTINUE.

Default Attribute Mappings

STEP 4: Provisioning Scope

If you will be provisioning all users assigned to the Keeper SSO Connect app, you can simply select CONTINUE.

SCIM all Users

STEP 5: Deprovisioning

At the Deprovisioning Screen, you can simply select FINISH to automate the deprovisioning of your users.

Activate Auto-provisioning

Once Auto-provisioning setup is finished, you will be taken back to the details screen of the Keeper App. You will find the Auto-Provisioning is inactive. Toggle this to Active

Inactive Auto-Provisioning

Once toggled, a Pop-Out window will appear Confirming that you are ready to turn on Auto-Provisioning. Select TURN ON.

You will be taken back to the details screen of the Keeper App. You now see Auto-Provisioning is Active.

Active Auto-Provisioning

Auto-provisioning is complete. From now on, users in Google Workspace who are assigned the Keeper app and fall within the provisioning scope will receive an invitation to set up their Keeper Vault, and their lifecycle will be managed from Google Workspace.

User Provisioning / SCIM without SSO

If you would like to provision users to Keeper via Google Workspace SCIM provisioning, but you do NOT want to authenticate users via SSO, please follow the below instructions:

  1. Follow the same steps as above to set up SSO, but on the Service Provider Details screen replace the ACS URL and the Entity ID with values on a domain you control that does not resolve or serve anything, so that no SAML login can complete. Ex: Entity ID=https://null.yourdomain.com/sso-connect ACS URL=https://null.yourdomain.com/sso-connect/saml/sso

  2. Once Keeper application is set up in Google Workspace, turn on the automated provisioning method as described, above, in this document.

Note: Google does not currently support Group provisioning to Keeper teams.

Troubleshooting

If you receive the error "not_a_saml_app" please ensure that you have turned "Auto-provisioning" to "ON" in the SAML application.

Google Certificate Updates

Google's IdP X.509 certificates used to sign SAML assertions are issued with a 5-year validity. In the Google Workspace "Manage Certificates" section, note the expiration date and set a calendar reminder well ahead of it to prevent an outage.

When the certificate is expiring soon, or if the certificate has expired, you can follow the instructions below.

  1. Login to Google Workspace Admin Console: https://admin.Google.com

  2. Click on Apps then select Web and Mobile Apps.

  3. Select Keeper app

  4. Expand service provider

  5. Click “Manage Certificates”

  6. Click “ADD CERTIFICATE”

  7. Click “DOWNLOAD METADATA”

  8. Save the metadata file. This is the IdP metadata.

  9. Login to the Keeper Admin Console

  10. Navigate to Admin > SSO Node > Provisioning > Edit SSO Cloud provisioning method

  11. Upload the Google IdP metadata into Keeper

For more information on this topic, see Google's support page:

https://support.google.com/a/answer/7394709

Move existing users/initial admin to SSO authentication

Users created in the root node (top level) will need to be migrated to the sub node that the SSO integration was configured on. If users remain in the root node, they will be prompted for the master password when accessing the vault and/or admin console.

An admin cannot move themselves to the SSO enabled node. It requires another admin to perform this action.

After the user is moved to the SSO enabled node, they need to log into the Keeper vault initially by selecting the "Enterprise SSO" pull down and entering the Enterprise Domain configured on the SSO integration. The user may be prompted to confirm by entering their master password.

Initially select 'Enterprise SSO Login'

Once the user has authenticated with SSO, they only need to use their email address moving forward to initiate SSO authentication.

If typing in the email address and clicking Next does not route the user to the desired SSO, ensure that just-in-time provisioning is enabled in the Keeper SSO configuration and ensure that your email domain is reserved by Keeper. More information regarding routing and domain reservation can be found here.

HENNGE

How to configure Keeper SSO Connect Cloud with HENNGE for seamless and secure SAML 2.0 authentication.

Please complete the steps in the Admin Console Configuration section first.

HENNGE SSO Configuration

(1) Log into the HENNGE Administrator console.

Click the Administration tile on the menu.

(2) Next, Select the Connected Services menu item and click Add Service.

On the "Add New Service" page, Click the Add Service Manually at "Add Service for SSO" menu.

(3) Set the Service name to "Keeper Password Manager and Digital Vault" or whatever you prefer, add the Email attribute claim with the value "UserPrincipalName (UPN)", then click the Submit button.

In your environment, if user.userprincipalname (UPN) is not the same as the user's actual email address, edit the Email claim and set user.mail as the value for the Email attribute instead.

You can now see all the values required for the Keeper-side configuration in Step (5). Click the X at the upper right and leave this page for now.

On the Connected Services menu area, Click the Service Name you created and then click the "Upload Using Metadata" button.

The Keeper metadata is available on the admin console. Go to the provisioning instance -> View -> Export Metadata

(4) After the metadata has been uploaded, head back to the HENNGE Connected Service configuration page and input the Login URL as such https://keepersecurity.com/api/rest/sso/ext_login/<YourSSOIdHere>.

Your SSO ID can be found at the end of your SP Entity ID. Ex: https://keepersecurity.com/api/rest/sso/saml/3534758084794

Complete the configuration by scrolling to the bottom of the page and select the Save Changes button.

Activate Keeper on HENNGE

(5) Last step is to export the metadata from this connector to import it into the Keeper SSO Connect Cloud™.

Export HENNGE Metadata

Set the IDP Type to GENERIC and upload this file into the Keeper SSO Connect Cloud™ provisioning interface by dragging and dropping the file into the edit screen:

Assign Users

From HENNGE, you can now assign users in the Access Policy section of the User list page, or assign groups in the Allowed services section of the Access Policy Groups page.

Assign Users
Assign Groups

Your Keeper SSO Connect setup is now complete!

Move existing users/initial admin to SSO authentication

Users created in the root node (top level) will need to be migrated to the sub node that the SSO integration was configured on. If users remain in the root node, they will be prompted for the master password when accessing the vault and/or admin console.

An admin cannot move themselves to the SSO enabled node. It requires another admin to perform this action.

After the user is moved to the SSO enabled node, they need to log into the Keeper vault initially by selecting the "Enterprise SSO" pull down and entering the Enterprise Domain configured on the SSO integration. The user may be prompted to confirm by entering their master password.

Initially select 'Enterprise SSO Login'

Once the user has authenticated with SSO, they only need to use their email address moving forward to initiate SSO authentication.

They won't have to enter the Enterprise Domain. If typing in the email address and clicking Next does not route the user to the desired SSO, ensure that just-in-time provisioning is enabled in the Keeper SSO configuration and ensure that your email domain is reserved by Keeper. More information regarding routing and domain reservation can be found here.

Imprivata

How to configure Keeper SSO Connect Cloud with Imprivata OneSign for seamless and secure SAML 2.0 authentication.


Please complete the steps in the Admin Console Configuration section first.

Step 1: Configure Imprivata

You'll need to provide some information about Keeper SSO Connect Cloud to your Identity Provider application such as:

  • Entity ID

  • IDP Initiated Login

  • Assertion Consumer Service (ACS) Endpoint

  • Single Logout Service (SLO) Endpoint

  • SP Metadata file or the Keeper SP Certificate file.

To obtain this information, locate your SSO Connect Cloud Provisioning method within the Keeper Admin Console and select View. From there you can download the Keeper metadata file and the service provider (SP) certificate file, and read the direct URLs and configuration values (for identity provider applications that do not support uploading a metadata file).

View Keeper SSO Connect Cloud Provisioning Method
Keeper SSO Connect Cloud Configuration Information

Refer to your identity provider application configuration guide for instructions on how to upload service provider metadata and or manually inputting the required SAML response configuration fields.

Step 2: Obtain your IdP Metadata

To import your IdP Metadata into Keeper, you will need to have a properly formatted metadata file. If your SSO Identity Provider Application has the ability to export its metadata file, this would be the most expedient and preferred method to import your metadata into your Keeper SSO Connect Cloud Provisioning method.

If you do not have the ability to export / download your metadata file from your identity provider, please create a properly formatted metadata file. Refer to your SSO application's configuration guide for instructions.

Below is an example / template of what a minimal identity provider metadata.xml file for Keeper SSO Connect Cloud should look like. If you use it as a starting point, copy and paste it into your preferred .xml or .txt editor, modify the values to match your IdP, and add any other fields your IdP requires.

Please DO NOT remove any fields as this example contains the minimum required fields to connect your SSO application to Keeper.

<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor entityID="MySSOApp" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" WantAuthnRequestsSigned="true">
        <md:KeyDescriptor use="signing">
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:X509Data>
                    <ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAW2r5jDoMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG
                        A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU
                        MBIGA1UECwwLU1NPUHJvdmlkZXIxEzARBgNVBAMMCmRldi0zODk2MDgxHDAaBgkqhkiG9w0BCQEW
                        DWluZm9Ab2t0YS5jb20wHhcNMTkxMDA4MTUwMzEyWhcNMjkxMDA4MTUwNDEyWjCBkjELMAkGA1UE
                        BhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiqGcmFuY2lzY28xDTALBgNV
                        BAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRMwEQYDVQQDDApkZXYtMzg5NjA4MRwwGgYJ
                        KoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
                        hr4wSYmTB2MNFuXmbJkUy4wH3vs8b8MyDwPF0vCcjGLl57etUBA16oNnDUyHpsY+qrS7ekI5aVtv
                        a9BbUTeGv/G+AHyDdg2kNjZ8ThDjVQcqnJ/aQAI+TB1t8bTMfROj7sEbLRM6SRsB0XkV72Ijp3/s
                        laMDlY1TIruOK7+kHz3Zs+luIlbxYHcwooLrM8abN+utEYSY5fz/CXIVqYKAb5ZK9TuDWie8YNnt
                        7SxjDSL9/CPcj+5/kNWSeG7is8sxiJjXiU+vWhVdBhzkWo83M9n1/NRNTEeuMIAjuSHi5hsKag5t
                        TswbBrjIqV6H3eT0Sgtfi5qtP6zpMI6rxWna0QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBr4tMc
                        hJIFN2wn21oTiGiJfaxaSZq1/KLu2j4Utla9zLwXK5SR4049LMKOv9vibEtSo3dAZFAgd2+UgD3L
                        C4+oud/ljpsM66ZQtILUlKWmRJSTJ7lN61Fjghu9Hp+atVofhcGwQ/Tbr//rWkC35V3aoQRS6ed/
                        QKmy5Dnx8lc++cL+goLjFVr85PbDEt5bznfhnIqgoPpdGO1gpABs4p9PXgCHhvkZSJWo5LobYGMV
                        TMJ6/sHPkjZ+T4ex0njzwqqZphiD9jlVcMR39HPGZF+Y4TMbH1wsTxkAKOAvXt/Kp77jdj+slgGF
                        gRfaY7OsPTLYCyZpEOoVtAyd5i6x4z0c</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </md:KeyDescriptor>
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
        <md:SingleSignOnService Location="https://sso.mycompany.com/saml2/keepersecurity"
            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
        <md:SingleSignOnService Location="https://sso.mycompany.com/saml2/keepersecurity"
            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
    </md:IDPSSODescriptor>
</md:EntityDescriptor>
The elements and what they mean:

  • EntityDescriptor entityID: the Entity ID, sometimes referred to as the "Issuer"; the unique name of your IdP application.

  • X509Certificate: the X.509 certificate Keeper uses to validate the signature on the SAML response sent by your identity provider.

  • NameIDFormat: the name identifier format used when logging into Keeper. Keeper supports urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress and urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.

  • SingleSignOnService with the HTTP-POST binding: the endpoint at your identity provider to which Keeper sends its authentication request (AuthnRequest) using the POST binding.

  • SingleSignOnService with the HTTP-Redirect binding: the same endpoint for the Redirect binding.
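Before uploading a hand-built metadata file, or when checking whether a Google signing certificate is approaching the 5-year expiry described in the Google Certificate Updates section above, a quick pre-flight check saves an outage. The following is an added example in Python and is not Keeper's tooling: it parses the metadata with the standard library, confirms the fields the template treats as the minimum (an entityID, a signing certificate, a supported NameIDFormat, both SingleSignOnService bindings) and reads the certificate's notBefore/notAfter with a minimal DER walk so it can warn about an upcoming expiry. The sample metadata and the certificate inside it are constructed here: the "certificate" is an unsigned, certificate-shaped blob that only carries dates, and the entityID and Location values simply echo the template.

```python
"""Pre-flight check of an IdP metadata.xml before it is uploaded to Keeper.

Added example, not Keeper's tooling; standard library only. Certificate validity is read
with a minimal DER walk (Certificate -> tbsCertificate -> validity), not a full X.509 parser.
The sample metadata and certificate below are CONSTRUCTED; the "certificate" is unsigned.
"""
import base64
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUPPORTED_NAMEID = {"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"}
REQUIRED_BINDINGS = {"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"}

def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _asn1_time(tag, raw):
    s = raw.decode("ascii")
    if tag == 0x17:                                     # UTCTime YYMMDD...: RFC 5280 century rule
        s = f"{(1900 if int(s[:2]) >= 50 else 2000) + int(s[:2])}{s[2:]}"
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def cert_validity(der):
    """(notBefore, notAfter) of a DER certificate; nothing else is parsed or verified."""
    _, cert, _ = _read_tlv(der, 0)                      # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)                      # tbsCertificate ::= SEQUENCE
    tag, _, pos = _read_tlv(tbs, 0)                     # version [0] is optional (absent in v1)
    pos = pos if tag == 0xA0 else 0
    for _ in range(3):                                  # serialNumber, signature, issuer
        _, _, pos = _read_tlv(tbs, pos)
    _, validity, _ = _read_tlv(tbs, pos)                # validity ::= SEQUENCE { notBefore, notAfter }
    t1, nb, pos = _read_tlv(validity, 0)
    t2, na, _ = _read_tlv(validity, pos)
    return _asn1_time(t1, nb), _asn1_time(t2, na)

def check_idp_metadata(xml_text, now=None, warn_days=90):
    """Return the values Keeper needs plus a list of findings; ok means no findings."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    findings, entity_id = [], root.get("entityID")
    if root.tag != f"{{{NS['md']}}}EntityDescriptor" or not entity_id:
        findings.append("root must be md:EntityDescriptor with an entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return {"entity_id": entity_id, "findings": findings + ["no md:IDPSSODescriptor"], "ok": False}
    nameids = {e.text.strip() for e in idp.findall("md:NameIDFormat", NS) if e.text}
    if not nameids & SUPPORTED_NAMEID:
        findings.append("NameIDFormat must be emailAddress or unspecified")
    bindings = {e.get("Binding") for e in idp.findall("md:SingleSignOnService", NS)}
    findings += [f"missing SingleSignOnService binding {b}" for b in sorted(REQUIRED_BINDINGS - bindings)]
    # A KeyDescriptor with no use= attribute is valid for signing as well as encryption.
    certs = [c for kd in idp.findall("md:KeyDescriptor", NS) if kd.get("use") != "encryption"
             for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    if not certs:
        findings.append("no signing certificate")
    not_after = None
    for c in certs:
        nb, na = cert_validity(base64.b64decode("".join(c.text.split())))   # tolerate line wraps
        not_after = na if not_after is None else min(not_after, na)
        if now < nb:
            findings.append("signing certificate is not yet valid")
        elif na <= now:
            findings.append("signing certificate has EXPIRED")
        elif (na - now).days < warn_days:
            findings.append(f"signing certificate expires in {(na - now).days} days")
    return {"entity_id": entity_id, "nameid_formats": sorted(nameids), "cert_not_after": not_after,
            "bindings": sorted(b for b in bindings if b), "findings": findings, "ok": not findings}

# --- constructed sample input (no real IdP) -------------------------------------------
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def make_test_cert(not_before, not_after):
    """Unsigned, certificate-shaped DER (base64) that carries only the given validity window."""
    utc = lambda d: _tlv(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2A864886F70D01010B")))      # sha256WithRSAEncryption
    name, validity = _tlv(0x30, b""), _tlv(0x30, utc(not_before) + utc(not_after))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg + name
               + validity + name + _tlv(0x30, alg + _tlv(0x03, b"\x00")))
    return base64.b64encode(_tlv(0x30, tbs + alg + _tlv(0x03, b"\x00"))).decode()

def sample_metadata(cert_b64, nameid_format):
    sso = '<md:SingleSignOnService Location="https://sso.mycompany.com/saml2/keepersecurity" Binding="{}"/>'
    return (f'<md:EntityDescriptor entityID="MySSOApp" xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}">'
            '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            f'<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>\n  {cert_b64}\n'
            '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>'
            f'<md:NameIDFormat>{nameid_format}</md:NameIDFormat>'
            + "".join(sso.format(b) for b in sorted(REQUIRED_BINDINGS))
            + "</md:IDPSSODescriptor></md:EntityDescriptor>")

def demo(now=datetime(2024, 6, 1, tzinfo=timezone.utc)):
    """A healthy sample vs. one with a certificate 19 days from expiry and an unsupported NameIDFormat."""
    at = lambda *ymd: datetime(*ymd, tzinfo=timezone.utc)
    good = sample_metadata(make_test_cert(at(2024, 1, 1), at(2029, 1, 1)), "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress")
    bad = sample_metadata(make_test_cert(at(2019, 6, 1), at(2024, 6, 20)), "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent")
    return {"good": check_idp_metadata(good, now), "bad": check_idp_metadata(bad, now)}

if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result["cert_not_after"], result["findings"] or "OK")
```

For a real file, pass open(path).read() to check_idp_metadata with the default now. The base64 in real metadata is usually line-wrapped, exactly as in the template above, which is why the check strips whitespace before decoding; a pinned now is used in demo only so its output is stable.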

Step 3: Map User Attributes

Keeper requires specific user attributes to be sent during authentication. The default Keeper SSO Connect Cloud user attributes are Email, First and Last, as outlined below. Ensure your identity provider's user attributes are mapped to Keeper's attributes; refer to your identity provider's configuration guide for instructions.

Your IdP User Attribute -> Keeper User Attribute

  • <Email Address> -> Email

  • <First Name> -> First

  • <Last Name> -> Last

Step 4: Upload IdP Metadata to Keeper

Once you have completed creating your identity provider metadata file, or if you have downloaded the identity provider metadata file, head back to the Keeper Admin console, locate your SSO Connect Cloud Provisioning method and select Edit.

Edit SSO Provisioning Method

Scroll down to the Identity Provider section, set IDP Type to GENERIC, select Browse Files and select the Metadata file you created.

Upload your Metadata File

Still within the Keeper Admin Console, exit the Edit View and select View on your SSO Connect Cloud Provisioning method. Within the Identity Provider section you will find the metadata values for the Entity ID, Single Sign On Service and Single Logout Service Endpoint that are now populated.

Your SSO Application's Metadata

Graphic Assets

If your identity provider requires an icon or logo file for the application, please see the Graphic Assets page.

Success! Your Keeper Security SSO Cloud setup is now complete! You may now try logging into Keeper with SSO.

If you find that your application is not functional, please review your identity provider application settings and review your metadata file and user attributes for any errors.

Once complete, repeat Step 4.

If you need assistance, please email enterprise.support@keepersecurity.com.

Move existing users/initial admin to SSO authentication

Users created in the root node (top level) will need to be migrated to the sub node that the SSO integration was configured on. If users remain in the root node, they will be prompted for the master password when accessing the vault and/or admin console.

An admin cannot move themselves to the SSO enabled node. It requires another admin to perform this action.

After the user is moved to the SSO enabled node, they need to log into the Keeper vault initially by selecting the "Enterprise SSO" pull down and entering the Enterprise Domain configured on the SSO integration. The user may be prompted to confirm by entering their master password.

Initially select 'Enterprise SSO Login'

Once the user has authenticated with SSO, they only need to use their email address moving forward to initiate SSO authentication.

They won't have to enter the Enterprise Domain. If typing in the email address and clicking Next does not route the user to the desired SSO, ensure that just-in-time provisioning is enabled in the Keeper SSO configuration and ensure that your email domain is reserved by Keeper. More information regarding routing and domain reservation can be found here.

JumpCloud

How to configure Keeper SSO Connect Cloud with JumpCloud for seamless and secure SAML 2.0 authentication.

Please complete the steps in the Admin Console Configuration section first.

JumpCloud

(1) Log into the JumpCloud Administrator console.

Select the SSO tab on the side menu.

(2) Next, select the + icon in the upper left corner.

On the "Get Started with SSO Application" page, search for Keeper in the search bar. Select Configure on the Keeper Application.

(3) Next, on the Keeper Application connector page, in the General Info section, set the Display Label to: Keeper Security Password Manager

JumpCloud General Info

On the Single Sign-On Configuration area, click the "Upload Metadata" button.

The Keeper metadata is available on the admin console. Go to the provisioning instance -> View -> Export Metadata

(4) After the metadata has been uploaded, head back to the JumpCloud SSO configuration page and enter the Login URL in the form https://keepersecurity.com/api/rest/sso/ext_login/<YourSSOIdHere>.

Your SSO ID is the number at the end of your SP Entity ID. For example: https://keepersecurity.com/api/rest/sso/saml/459561502469

Complete the configuration by scrolling to the bottom of the page and select the activate button.

Activate Keeper on Jumpcloud

(5) The last step is to export the metadata from this connector and import it into Keeper SSO Connect Cloud™.

Export JumpCloud Metadata

Set the IDP Type to GENERIC and upload this file into the Keeper SSO Connect Cloud™ provisioning interface by dragging and dropping the file into the edit screen:

Your Keeper SSO Connect setup is now complete!

User Provisioning SSO+SCIM

JumpCloud® supports Automated User and Team Provisioning with SCIM (System for Cross-Domain Identity Management), which will update and deactivate Keeper user accounts as changes are made in JumpCloud®. Step-by-step instructions can be found here: https://docs.keeper.io/enterprise-guide/user-and-team-provisioning/jumpcloud-provisioning-with-scim

Move existing users/initial admin to SSO authentication

Users created in the root node (top level) will need to be migrated to the sub node that the SSO integration was configured on. If users remain in the root node, they will be prompted for the master password when accessing the vault and/or admin console.

An admin cannot move themselves to the SSO enabled node. It requires another admin to perform this action.

After the user is moved to the SSO enabled node, they need to log into the Keeper vault initially by selecting the "Enterprise SSO" pull down and entering the Enterprise Domain configured on the SSO integration. The user may get prompted to confirm by entering the master password.

Initially select 'Enterprise SSO Login'

Once the user has authenticated with SSO, they only need to use their email address moving forward to initiate SSO authentication.

They won't have to enter the Enterprise Domain. If typing in the email address and clicking Next does not route the user to the desired SSO, ensure that just-in-time provisioning is enabled in the Keeper SSO configuration and ensure that your email domain is reserved by Keeper. More information regarding routing and domain reservation can be found here.

Microsoft AD FS

How to configure Keeper SSO Connect Cloud with Microsoft AD FS for seamless and secure SAML 2.0 authentication.

Please complete the steps in the Admin Console Configuration section first.

Microsoft AD FS

Obtain Federation Metadata XML

Inside the AD FS Management application, locate the Federation Metadata xml file. This can be found by clicking on AD FS > Service > Endpoints then locate the URL path in the "Metadata" section. The path is typically /FederationMetadata/2007-06/FederationMetadata.xml as seen below:

Locate the Federation Metadata XML File
Metadata Path

Download the Metadata

The metadata file can typically be downloaded by loading the URL in a browser on the server, for example: https://localhost/FederationMetadata/2007-06/FederationMetadata.xml. Download this file and save it to the computer.

Download the Metadata XML File

Import Federation Metadata

From the Keeper Admin Console SSO Cloud configuration screen, select "ADFS" as the IdP type and import the Federation Metadata file saved in the previous step.

Select IDP Type and Upload SAML Metadata

Export Keeper Metadata

Go back to the Provisioning screen and click on View.

View Settings

Next, download the Keeper metadata file so it can be imported during the Relying Party Trust Wizard. Navigate to the view screen of the Keeper SSO Connect Cloud™ provisioning.

Click the "Export Metadata" button to download the config.xml file. This will be used in a few steps ahead.

Export Metadata

Finish AD FS Configuration

Important: Keeper's Cloud SSO SP Certificate is only valid for a year. On an annual basis, you will need to download the latest Keeper SP Cert from the Admin Console and upload it into the Relying Party Trust settings in AD FS.

Keeper notifies all affected customers when the certificate expiration is coming soon.

Create Relying Party Trust

Create Keeper SSO Connect as a Relying Party Trust:

Add Relying Party Trust

Import Keeper Metadata

Import the Keeper Metadata file that was exported previously from the Keeper SSO Connect Cloud view screen by completing the Relying Party Trust Wizard as seen in the steps below.

Select "Claims aware" in the Welcome screen and then select the metadata file saved from Keeper.

Import Keeper Metadata
Enter a Display Name: Keeper SSO Connect Cloud
Choose an access control policy
SAML Logout Endpoints

To prevent a logout error, change the SAML Logout Endpoints on the Relying Party Trust to: https://<YourADFSserverDomain>/adfs/ls/?wa=wsignout1.0

Configure Claims issuance policy
Relying Party Trusts

Create Claim Issuance Policy Rules

To map attributes between AD FS and Keeper, you need to create a Claim Issuance Policy with Send LDAP Attributes as Claims and map the LDAP attributes to Keeper Connect attributes.

Edit Claim Issuance Policy
Add Rule...
Choose Rule Type
Claim Rule Name - Mapping

Important: Ensure that 3 attributes ("First", "Last" and "Email") are configured with the exact spelling as seen above.

Issuance Transform Rules

For Logout support we need to add two more Claim Issuance Policy rules:

Send Claims Using a Custom Rule
Create Opaque Persistent ID

To copy the syntax to add in the claims rule, copy the following text and paste it into the custom rule:

c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 && c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant"]
 => add(store = "_OpaqueIdStore", types = ("http://mycompany/internal/sessionid"), query = "{0};{1};{2};{3};{4}", param = "useEntropy", param = c1.Value, param = c1.OriginalIssuer, param = "", param = c2.Value);

Transform an Incoming Claim
Create Persistent Name Identifier

Incoming claim type: http://mycompany/internal/sessionid
Outgoing claim type: Name ID
Outgoing name ID format: Transient Identifier

Set Outgoing Claim and Name ID Format

SAML Signing Configuration

a. Open PowerShell as Administrator on the AD FS server.

b. Identify your SSO Connect Relying Party Trust "Identifier" string, which you can obtain by running:

Get-ADFSRelyingPartyTrust

Running this command will generate a long list of output; you are looking for the SSO Connect section and its "Identifier" string. This string will look something like: https://keepersecurity.com/api/rest/sso/saml/459561502484

c. Run the below command, replacing <Identifier> with the string found in step (b).

Set-ADFSRelyingPartyTrust -TargetIdentifier <Identifier> -samlResponseSignature MessageAndAssertion

If you run Get-ADFSRelyingPartyTrust again, you'll see that the SamlResponseSignature section is set to "MessageAndAssertion".

Restart AD FS services

From the services manager, restart AD FS service.

SAML assertion signing must be configured properly on your AD FS environment. If signing has not been configured, you will need to set this up, then exchange metadata again between AD FS and Keeper SSO Connect after the re-configuration.

Troubleshooting

If you need to disable certificate revocation checking on the IdP for testing purposes or for internal PKI certificates, you can use the PowerShell commands below. Replace <Identifier> with the string found in the "SAML Signing Configuration" instructions above.

Set-ADFSRelyingPartyTrust -TargetIdentifier <Identifier> -EncryptionCertificateRevocationCheck None
Set-ADFSRelyingPartyTrust -TargetIdentifier <Identifier> -SigningCertificateRevocationCheck None

Note: Any changes made to signing configuration may require exchange of XML metadata between IdP and SSO Connect.

Move existing users/initial admin to SSO authentication

Users created in the root node (top level) will need to be migrated to the sub node that the SSO integration was configured on. If users remain in the root node, they will be prompted for the master password when accessing the vault and/or admin console.

An admin cannot move themselves to the SSO enabled node. It requires another admin to perform this action.

After the user is moved to the SSO enabled node, they need to log into the Keeper vault initially by selecting the "Enterprise SSO" pull down and entering the Enterprise Domain configured on the SSO integration. The user may get prompted to confirm by entering the master password.

Initially select 'Enterprise SSO Login'

Once the user has authenticated with SSO, they only need to use their email address moving forward to initiate SSO authentication.

They won't have to enter the Enterprise Domain. If typing in the email address and clicking Next does not route the user to the desired SSO, ensure that just-in-time provisioning is enabled in the Keeper SSO configuration and ensure that your email domain is reserved by Keeper. More information regarding routing and domain reservation can be found here.

Okta

How to configure Keeper SSO Connect Cloud with Okta for seamless and secure SAML 2.0 authentication.

Please complete the steps in the Admin Console Configuration section first.

Okta SSO Configuration

Login to the Admin section of the Okta portal.

Login as Okta Admin

Select the Applications menu item and click Browse App Catalog.

Applications > Browse App Catalog

Search for “Keeper Password Manager”, and then select the Add button for the Keeper Password Manager and Digital Vault application.

Search for Keeper
Add Application

On the General Settings page that comes up next, you need the "Entity ID" that comes from the Keeper Admin Console.

Example Server Base URL: https://keepersecurity.com/api/rest/sso/saml/XXXXXXXX

The value for XXXXXXXX represents the specific SSO Connect instance associated with your enterprise and can be found on the Admin Console SSO configuration as part of the Service Provider information, as seen below:

View Configuration
Copy the Entity ID

Paste the Entity ID into the Server Base URL field in the Okta screen.

Select the Sign On tab.

Sign On tab

Scroll down to the SAML Signing Certificates configuration section, and select Actions > View IdP metadata.

View IdP metadata

Save the resulting XML file to your computer. In Chrome, Edge and Firefox, select File > Save Page As... and save the metadata.xml file.

Save metadata.xml

In the Keeper Admin Console, edit the SSO configuration, then select OKTA as the IDP Type and upload the metadata.xml file into the Keeper SSO Connect interface by browsing to or dragging and dropping the file into the Setup screen:

Edit the SSO Configuration

Drag and Drop the Metadata File from Okta into Keeper

(Optional) Enable Single Logout

If you would like to enable the Single Logout feature in Okta, go to the Sign On tab and click Edit. Click the Enable Single Logout checkbox and then upload the SP Cert which comes from the Keeper Admin Console.

To first download the SP Cert, view the SSO configuration on Keeper and click the Export SP Cert button.

Export SP Cert from Keeper

Upload the SP cert file and be sure to click Save to save the Sign On settings in Okta.

Upload Certificate

If you have changed the Single Logout Setting, you'll have to download the latest Okta metadata file once again, and upload the new metadata.xml file into Keeper on the SSO edit screen.

From the Actions menu, select View IdP metadata.

View IdP metadata

Save the resulting XML file to your computer. In Chrome, Edge and Firefox, select File > Save Page As... and save the metadata.xml file.

In the Keeper Admin Console, edit the SSO configuration, then upload the new metadata.xml file into the Keeper SSO Connect interface by browsing to or dragging and dropping the file into the Setup screen.

Upload the new Metadata file with Single Logout config settings

Okta SCIM Provisioning

To enable Okta SCIM user and group provisioning please follow the instructions found within the Keeper Enterprise Guide: https://docs.keeper.io/enterprise-guide/user-and-team-provisioning/okta-integration-with-saml-and-scim

Assign Users

From Okta, you can now add users or groups on the Assignments page. If you have activated SCIM provisioning per the instructions here then the user will be instantly provisioned to Keeper.

Assign Users and Groups

Move existing users/initial admin to SSO authentication

Users created in the root node (top level) will need to be migrated to the sub node that the SSO integration was configured on. If users remain in the root node, they will be prompted for the master password when accessing the vault and/or admin console.

An admin cannot move themselves to the SSO enabled node. It requires another admin to perform this action.

After the user is moved to the SSO enabled node, they need to log into the Keeper vault initially by selecting the "Enterprise SSO" pull down and entering the Enterprise Domain configured on the SSO integration. The user may get prompted to confirm by entering the master password.

Initially select 'Enterprise SSO Login'

Once the user has authenticated with SSO, they only need to use their email address moving forward to initiate SSO authentication.

If typing in the email address and clicking Next does not route the user to the desired SSO, ensure that just-in-time provisioning is enabled in the Keeper SSO configuration and ensure that your email domain is reserved by Keeper. More information regarding routing and domain reservation can be found here.

OneLogin

How to configure Keeper SSO Connect Cloud with OneLogin for seamless and secure SAML 2.0 authentication and SCIM provisioning.

Please complete the steps in the Admin Console Configuration section first.

OneLogin Setup:

1. Log into the OneLogin portal.

Log into OneLogin.

2. Select Administration to enter the admin section.

3. From the OneLogin menu select Applications then Add App.

In the Search field, do a search for Keeper Password Manager and select it from the search result.

Add Keeper Password Manager

4. On the Add Keeper Manager screen click Save.

5. The next step is to download the SAML Metadata from OneLogin. Select the down arrow on the MORE ACTIONS button and select SAML Metadata.

Save SAML Metadata

Drag and drop or browse to this saved file on the SAML Metadata Section of the Single Sign-On with SSO Connect™ Cloud section on the Keeper Admin Console.

Upload Metadata

6. On the Keeper Admin Console, copy the Assertion Consumer Service (ACS) Endpoint field.

7. Back on the OneLogin Configuration tab, paste in the Keeper SSO Connect Assertion Consumer Service (ACS) Endpoint field and then click Save.

Paste Assertion Consumer Service Endpoint

8. If SCIM is desired, go back to the Keeper Provisioning tab, click on "Add Method" and select SCIM. If not, skip to step 12.

Add SCIM Method

9. Click Generate then copy the URL and Token.

Click Generate

10. Paste the "URL" into the SCIM Base URL, and paste the "Token" into the SCIM Bearer Token.

11. On the Keeper Admin Console make sure to Save the SCIM token.

For more detailed configuration of SCIM, visit the User and Team Provisioning section in the Enterprise Guide.

12. Click Save and the integration is complete.

Move existing users/initial admin to SSO authentication

Users created in the root node (top level) will need to be migrated to the sub node that the SSO integration was configured on. If users remain in the root node, they will be prompted for the master password when accessing the vault and/or admin console.

An admin cannot move themselves to the SSO enabled node. It requires another admin to perform this action.

After the user is moved to the SSO enabled node, they need to log into the Keeper vault initially by selecting the "Enterprise SSO" pull down and entering the Enterprise Domain configured on the SSO integration. The user may get prompted to confirm by entering the master password.

Initially select 'Enterprise SSO Login'

Once the user has authenticated with SSO, they only need to use their email address moving forward to initiate SSO authentication.

They won't have to enter the Enterprise Domain. If typing in the email address and clicking Next does not route the user to the desired SSO, ensure that just-in-time provisioning is enabled in the Keeper SSO configuration and ensure that your email domain is reserved by Keeper. More information regarding routing and domain reservation can be found here.

Ping Identity

How to configure Keeper SSO Connect Cloud with Ping Identity for seamless and secure SAML 2.0 authentication.

Please complete the steps in the Admin Console Configuration section first.

Ping Identity Configuration

Login to the Ping Identity portal.

From the Ping Identity menu select Applications.

Then select Add Application and select New SAML Application.

On the Application Details page, add the following data:

  • Application Name: Keeper Password Manager

  • Application Detail: Password Manager and Digital Vault

  • Category: Compliance (or other)

  • Graphic: Upload the Keeper graphic from https://s3.amazonaws.com/keeper-email-images/common/keeper256x256.png

Then select Continue to Next Step.

The next step is to download the SAML Metadata from Ping Identity. Select the Download link next to SAML Metadata.

The saml2-metadata-idp.xml file will download to the local computer. On the Edit screen of the Keeper SSO Connect Cloud™ provisioning, select Generic as the IDP Type and upload the saml2-metadata-idp.xml file into the Keeper SSO Connect interface by browsing to or dragging and dropping the file into the Setup screen:

Next download the Keeper metadata file and upload it to the Ping Application configuration. Navigate to the view screen of the Keeper SSO Connect Cloud™ provisioning.

Enter View Screen

Click the "Export Metadata" button to download the config.xml file.

Export Keeper Metadata

Back on the Ping Identity application configuration, select the Select File button and choose the config.xml file downloaded in the above step.

Upload Keeper Metadata

Select Continue to Next Step.

The next step is to map the attributes. Select the Add new attribute button.

  • In attribute 1, type “First” in the Application Attribute column, select First Name in the Identity Bridge Attribute or Literal Value column, and check the Required button. Select the Add new attribute button.

  • In attribute 2, type "Last" in the Application Attribute column, select Last Name in the Identity Bridge Attribute or Literal Value column, and check the Required button. Select the Add new attribute button.

  • In attribute 3, type "Email" in the Application Attribute column, select Email in the Identity Bridge Attribute or Literal Value column, and check the Required button. The Application Attributes First, Last and Email must begin with a capital letter.

Select the group(s) that should have access to the Keeper Application. When complete, click "Continue to Next Step". Review the setup and then select the Finish button.

Important Note: In the Application Configuration section of your Ping Identity setup, ensure that the "Signing" section has "Sign Response" selected with "RSA_SHA256" as the Signing Algorithm.

The Keeper Application should be added and enabled.

Keeper Application on Ping Identity

Your Keeper SSO Connect setup is now complete!

Move existing users/initial admin to SSO authentication

Users created in the root node (top level) will need to be migrated to the sub node that the SSO integration was configured on. If users remain in the root node, they will be prompted for the master password when accessing the vault and/or admin console.

An admin cannot move themselves to the SSO enabled node. It requires another admin to perform this action.

After the user is moved to the SSO enabled node, they need to log into the Keeper vault initially by selecting the "Enterprise SSO" pull down and entering the Enterprise Domain configured on the SSO integration. The user may get prompted to confirm by entering the master password.

Initially select 'Enterprise SSO Login'

Once the user has authenticated with SSO, they only need to use their email address moving forward to initiate SSO authentication.

They won't have to enter the Enterprise Domain. If typing in the email address and clicking Next does not route the user to the desired SSO, ensure that just-in-time provisioning is enabled in the Keeper SSO configuration and ensure that your email domain is reserved by Keeper. More information regarding routing and domain reservation can be found here.

PingOne

How to configure Keeper SSO Connect Cloud with PingOne for seamless and secure SAML 2.0 authentication.

Please complete the steps in the Admin Console Configuration section first. Legacy Ping Identity users who are not on PingOne should view our Ping Identity documentation.

PingOne

Login to the PingOne portal at https://admin.pingone.com/.

Login to PingOne

From the PingOne console menu, select Applications > Application Catalog.

Search "Keeper" and click on the "Keeper Password Manager - Cloud SSO" link to add the Keeper Password Manager application.

Click Setup to proceed to the next step.

Click "Continue to Next Step"

From the Keeper Admin Console, view the PingOne SSO Connect Cloud entry and click Export Metadata and save it in a safe location for future use. Also click Export SP Cert and save it in a safe location for future use.

From the PingOne Admin Console, click Select File next to "Upload Metadata" and browse to the saved metadata file from the Keeper Admin Console. This should populate the "ACS URL" and "Entity ID" fields with the proper datapoints.

Click on Choose File next to "Primary Verification Certificate" and browse to the saved .crt file from the Keeper Admin Console. Click on the checkbox next to "Encrypt Assertion" and then click Choose File next to "Encryption Certificate". Browse to the same saved .crt file from the Keeper Admin Console.

Validate the certificate and click "Continue to Next Step".

Enter the appropriate values associated with each attribute (see the image below) and click Continue to Next Step.

Modify the Name to match the Configuration Name of the SSO node from the Keeper Admin Console. Click Continue to Next Step.

You may choose to add PingOne user groups to your application. Click Add next to the group or groups you would like to add and click Continue to Next Step.

PingOne users will have access to Keeper Password Manager by default. Assigning groups to Keeper Password Manager restricts access to only those groups.

Click Download next to "SAML Metadata" and save the .xml file to a safe location.

Click Finish to complete the application setup wizard.

On the Edit Configuration screen of the Keeper SSO Connect Cloud provisioning in the Keeper Admin Console, select PingOne as the IDP Type.

Upload the SAML Metadata file downloaded in the previous step into the Keeper SSO Connect interface by browsing to or dragging and dropping the file into the SAML Metadata section.

Upload PingOne Metadata to Keeper

The PingOne Keeper SSO Connect Cloud™ entry will now show as Active.

View Active Keeper SSO Connect Entry

Your PingOne Keeper SSO Connect Cloud™ setup is complete!

Move existing users/initial admin to SSO authentication

Users created in the root node (top level) will need to be migrated to the sub node that the SSO integration was configured on. If users remain in the root node, they will be prompted for the master password when accessing the vault and/or admin console.

An admin cannot move themselves to the SSO enabled node. It requires another admin to perform this action.

After the user is moved to the SSO enabled node, they need to log into the Keeper vault initially by selecting the "Enterprise SSO" pull down and entering the Enterprise Domain configured on the SSO integration. The user may get prompted to confirm by entering the master password.

Initially select 'Enterprise SSO Login'

Once the user has authenticated with SSO, they only need to use their email address moving forward to initiate SSO authentication.

They won't have to enter the Enterprise Domain. If typing in the email address and clicking Next does not route the user to the desired SSO, ensure that just-in-time provisioning is enabled in the Keeper SSO configuration and ensure that your email domain is reserved by Keeper. More information regarding routing and domain reservation can be found here.

Rippling

How to configure Keeper SSO Connect Cloud with Rippling for seamless and secure SAML 2.0 authentication and SCIM provisioning.

Please complete the steps in the Admin Console Configuration section first.

Rippling Setup

1. Log into the Rippling admin account.

2. After logging in, on the left side hover over Home and click App Shop in the bottom left.

3. In the App Shop, search for Keeper in the upper left corner and select it from the search result.

4. After clicking on the Keeper app, click Connect Account to get started with SSO.

5. Rippling has its own SSO setup walkthrough; continue the walkthrough to set up SSO.

Save SAML Metadata

6. Once you have reached this page, the SSO setup is complete, however there is also an option for SCIM provisioning. If you would like SCIM provisioning, select Continue with API and follow the SCIM provisioning walkthrough. Otherwise, click Skip for now, visit app.

You can assign users to the application and designate who has access to Keeper in your Rippling environment here.

For more detailed configuration of SCIM, visit the User and Team Provisioning section in the Enterprise Guide.

Move existing users/initial admin to SSO authentication

Users created in the root node (top level) will need to be migrated to the sub node that the SSO integration was configured on. If users remain in the root node, they will be prompted for the master password when accessing the vault and/or admin console.

An admin cannot move themselves to the SSO enabled node. It requires another admin to perform this action.

After the user is moved to the SSO enabled node, they need to log into the Keeper vault initially by selecting the "Enterprise SSO" pull down and entering the Enterprise Domain configured on the SSO integration. The user may get prompted to confirm by entering the master password.

Initially select 'Enterprise SSO Login'

Once the user has authenticated with SSO, they only need to use their email address moving forward to initiate SSO authentication.

They won't have to enter the Enterprise Domain. If typing in the email address and clicking Next does not route the user to the desired SSO, ensure that just-in-time provisioning is enabled in the Keeper SSO configuration and ensure that your email domain is reserved by Keeper. More information regarding routing and domain reservation can be found here.

RSA SecurID Access

How to configure Keeper SSO Connect Cloud with RSA SecurID Access for seamless and secure SAML 2.0 authentication.

Please complete the steps in the Admin Console Configuration section first.

Keeper Security is RSA SecurID Access Certified.

RSA SecurID Access integrates RSA Authentication Manager and their Cloud Authentication Service. In this setup Cloud Authentication Service can be used as an identity provider in conjunction with Keeper SSO Connect. Detailed documentation is provided on the RSA website via the links below.

RSA SecurID Access Overview

https://www.rsa.com/en-us/products/rsa-securid-suite/rsa-securid-access/identity-packaging

Keeper Password Manager Integration Guides

Authentication Agent Configuration - Keeper Password Manager 14.4 - RSA Ready SecurID Access Implementation Guide (RSA Link)

SAML 2.0 Integration Guide (RSA Community)

SecureAuth

How to configure Keeper SSO Connect Cloud with SecureAuth for seamless and secure SAML 2.0 authentication.

Please complete the steps in the Admin Console Configuration section first.

SecureAuth can be configured using the same instructions in the Other SAML 2.0 Providers section. Please follow that guide in order to set up the SecureAuth environment.

For reference, use the SecureAuth guide located here:

SecureAuth SAML application integration

A few additional important items to note regarding SecureAuth:

  • Ensure that "By Post" is selected in the Connection Type section:

Connection Type
  • Ensure to select "Sign SAML Assertion" and "Sign SAML Message".

  • Ensure the Entity ID of the IdP metadata matches the SAML response from SecureAuth.

Move existing users/initial admin to SSO authentication

Users created in the root node (top level) will need to be migrated to the sub node that the SSO integration was configured on. If users remain in the root node, they will be prompted for the master password when accessing the vault and/or admin console.

An admin cannot move themselves to the SSO enabled node. It requires another admin to perform this action.

After the user is moved to the SSO enabled node, they need to log into the Keeper vault initially by selecting the "Enterprise SSO" pull down and entering the Enterprise Domain configured on the SSO integration. The user may get prompted to confirm by entering the master password.

Initially select 'Enterprise SSO Login'

Once the user has authenticated with SSO, they only need to use their email address moving forward to initiate SSO authentication.

If typing in the email address and clicking Next does not route the user to the desired SSO, ensure that just-in-time provisioning is enabled in the Keeper SSO configuration and ensure that your email domain is reserved by Keeper. More information regarding routing and domain reservation can be found here.

Shibboleth

How to configure Keeper SSO Connect Cloud with Shibboleth for seamless and secure SAML 2.0 authentication.

Please complete the steps in the Admin Console Configuration section first.

Step 1: Export and Save Keeper Metadata File

To obtain your Keeper Metadata file, locate your SSO Connect Cloud Provisioning method within the Keeper Admin Console, and select View. From there you have access to download and save the Keeper metadata file.

Export Keeper Metadata File

Step 2: Adding Keeper Metadata to Shibboleth Identity Provider

The Shibboleth IdP must know some basic information about the Keeper relying party, which is defined in SAML metadata. The easiest way to do this is to copy your Keeper metadata file into the IDP_HOME/metadata/ directory.

Step 3: Adding a New Relying Party Trust to Shibboleth Identity Provider

Instruct Shibboleth how to behave when talking to Keeper by defining a new RelyingParty element in IDP_HOME/conf/relying-party.xml. Add the following snippet just after the DefaultRelyingParty element. Be sure to replace the provider attribute so that it includes your "Entity ID" (use whatever provider value is configured in the DefaultRelyingParty).

<RelyingParty id="keepersecurity.com"
        provider="https://keepersecurity.com/api/rest/sso/saml/264325172298110"
        defaultSigningCredentialRef="IdPCredential">
    <ProfileConfiguration xsi:type="saml:SAML2SSOProfile" encryptAssertions="never" encryptNameIds="never" />
</RelyingParty>

Still in the IDP_HOME/conf/relying-party.xml file, configure Shibboleth to use the Keeper metadata file you added in Step 2. Add the following MetadataProvider element next to the existing configured provider (it should have an id value of "FSMD"), making sure to replace IDP_HOME with your actual installation path.

<!-- Keeper Metadata -->
<MetadataProvider id="KeeperMD" xsi:type="FilesystemMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
    metadataFile="IDP_HOME/metadata/keeper-metadata.xml" maintainExpiredMetadata="true" />

Step 4: Configure Attribute Resolver

Keeper requires that you map specific user attributes to be sent during authentication. The default Keeper SSO Connect Cloud user attributes are Email, First and Last, as outlined in the table below. Shibboleth's attribute resolver must be configured to make this data available by modifying IDP_HOME/conf/attribute-resolver.xml.

Your IdP User Attributes    Keeper User Attributes
<Email Address>             Email
<First Name>                First
<Last Name>                 Last

When configuring the Shibboleth Identity Provider SAML attributes, Keeper expects the "NameIDFormat" to be "emailAddress". You can use the suggested "NameIDFormat" or enter the correct value for your environment, as long as it provides Keeper with the user's email address as the username login identifier.

Step 5: Configure Attribute Filter

Finally, configure the Shibboleth attribute filtering engine to release the principal attribute (encoded as a NameID) to Keeper. Add the following XML snippet to IDP_HOME/conf/attribute-filter.xml alongside the existing policy elements.

<AttributeFilterPolicy>
    <PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="keepersecurity.com" />

    <AttributeRule attributeID="principal">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
</AttributeFilterPolicy>

Step 6: Obtain the Metadata XML File from Shibboleth

  1. Locate Shibboleth metadata found at "http://shibboleth.example.com/idp/shibboleth" or in the Shibboleth identity provider filesystem in <install_folder>/shibboleth-idp/metadata.

  2. Modify Shibboleth metadata manually and ensure all user endpoints are uncommented (e.g., SingleLogout).

  3. Save the XML file.

Step 7: Upload IdP Metadata to Keeper

Once you have your Shibboleth metadata file ready, head back to the Keeper Admin Console, locate your SSO Connect Cloud Provisioning method and select Edit.

Edit SSO Provisioning Method

Scroll down to the Identity Provider section, set IDP Type to GENERIC, select Browse Files and select your Shibboleth Metadata file.

Upload your Metadata File

Still within the Keeper Admin Console, exit the Edit View and select View on your SSO Connect Cloud Provisioning method. Within the Identity Provider section you will find the metadata values for the Entity ID, Single Sign On Service and Single Logout Service Endpoint that are now populated.

Your SSO Application's Metadata

Graphic Assets

If your Shibboleth instance requires an icon or logo file for the Keeper application, please see the Graphic Assets page.

Success! Your Keeper Security SSO Cloud setup is now complete! You may now try logging into Keeper with SSO.

If you find that SSO is not functional, please review your Shibboleth settings, your metadata file and your user attributes for any errors.

Once complete, repeat Step 4.

If you need assistance, please email enterprise.support@keepersecurity.com.

Move existing users/initial admin to SSO authentication

Users created in the root node (top level) will need to be migrated to the sub-node on which the SSO integration was configured. If users remain in the root node, they will be prompted for the master password when accessing the vault and/or Admin Console.

An admin cannot move themselves to the SSO-enabled node. Another admin must perform this action.

After the user is moved to the SSO-enabled node, they need to log into the Keeper vault initially by selecting the "Enterprise SSO" pull-down and entering the Enterprise Domain configured on the SSO integration. The user may be prompted to confirm by entering the master password.

Initially select 'Enterprise SSO Login'

Once the user has authenticated with SSO, they only need to enter their email address going forward to initiate SSO authentication.

They won't have to enter the Enterprise Domain. If typing in the email address and clicking Next does not route the user to the desired SSO, ensure that just-in-time provisioning is enabled in the Keeper SSO configuration and that your email domain is reserved by Keeper. More information regarding routing and domain reservation can be found here.

Other SAML 2.0 Providers

How to configure Keeper SSO Connect Cloud with your SSO Identity Provider for seamless and secure SAML 2.0 authentication.

Please complete the steps in the Admin Console Configuration section first.

Keeper is compatible with any SAML 2.0 SSO Identity Provider (IdP). If your identity provider is not in our list, you can follow the steps in this guide to complete the configuration. Keeper is a Service Provider (SP) in this configuration.

Step 1: Configure your Identity Provider

You'll need to provide some information about Keeper SSO Connect Cloud to your Identity Provider application such as:

  • Entity ID

  • IDP Initiated Login

  • Assertion Consumer Service (ACS) Endpoint

  • Single Logout Service (SLO) Endpoint

  • SP Metadata file or the Keeper SP Certificate file.

To obtain this information, locate your SSO Connect Cloud Provisioning method within the Keeper Admin Console and select View. From there you can download the Keeper metadata file and the service provider (SP) certificate file, as well as read the direct URLs and configuration information (needed if your identity provider application does not support uploading the metadata file).

View Keeper SSO Connect Cloud Provisioning Method
Keeper SSO Connect Cloud Configuration Information

Refer to your identity provider application's configuration guide for instructions on how to upload service provider metadata and/or manually enter the required SAML response configuration fields.

Step 2: Obtain your IdP Metadata

To import your IdP metadata into Keeper, you will need a properly formatted metadata file. If your SSO identity provider application can export its metadata file, this is the quickest and preferred way to import your metadata into your Keeper SSO Connect Cloud Provisioning method.

If you do not have the ability to export / download your metadata file from your identity provider, please create a properly formatted metadata file. Refer to your SSO application's configuration guide for instructions.

Below is an example / template of what a simple identity provider metadata.xml file for Keeper SSO Connect Cloud should look like. If you use this example / template to get started, copy and paste it into your preferred XML or text editor, modify it, and add any other fields required by your IdP.

Please DO NOT remove any fields as this example contains the minimum required fields to connect your SSO application to Keeper.

<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor entityID="MySSOApp" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" WantAuthnRequestsSigned="true">
        <md:KeyDescriptor use="signing">
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:X509Data>
                    <ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAW2r5jDoMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG
                        A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU
                        MBIGA1UECwwLU1NPUHJvdmlkZXIxEzARBgNVBAMMCmRldi0zODk2MDgxHDAaBgkqhkiG9w0BCQEW
                        DWluZm9Ab2t0YS5jb20wHhcNMTkxMDA4MTUwMzEyWhcNMjkxMDA4MTUwNDEyWjCBkjELMAkGA1UE
                        BhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiqGcmFuY2lzY28xDTALBgNV
                        BAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRMwEQYDVQQDDApkZXYtMzg5NjA4MRwwGgYJ
                        KoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
                        hr4wSYmTB2MNFuXmbJkUy4wH3vs8b8MyDwPF0vCcjGLl57etUBA16oNnDUyHpsY+qrS7ekI5aVtv
                        a9BbUTeGv/G+AHyDdg2kNjZ8ThDjVQcqnJ/aQAI+TB1t8bTMfROj7sEbLRM6SRsB0XkV72Ijp3/s
                        laMDlY1TIruOK7+kHz3Zs+luIlbxYHcwooLrM8abN+utEYSY5fz/CXIVqYKAb5ZK9TuDWie8YNnt
                        7SxjDSL9/CPcj+5/kNWSeG7is8sxiJjXiU+vWhVdBhzkWo83M9n1/NRNTEeuMIAjuSHi5hsKag5t
                        TswbBrjIqV6H3eT0Sgtfi5qtP6zpMI6rxWna0QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBr4tMc
                        hJIFN2wn21oTiGiJfaxaSZq1/KLu2j4Utla9zLwXK5SR4049LMKOv9vibEtSo3dAZFAgd2+UgD3L
                        C4+oud/ljpsM66ZQtILUlKWmRJSTJ7lN61Fjghu9Hp+atVofhcGwQ/Tbr//rWkC35V3aoQRS6ed/
                        QKmy5Dnx8lc++cL+goLjFVr85PbDEt5bznfhnIqgoPpdGO1gpABs4p9PXgCHhvkZSJWo5LobYGMV
                        TMJ6/sHPkjZ+T4ex0njzwqqZphiD9jlVcMR39HPGZF+Y4TMbH1wsTxkAKOAvXt/Kp77jdj+slgGF
                        gRfaY7OsPTLYCyZpEOoVtAyd5i6x4z0c</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </md:KeyDescriptor>
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
        <md:SingleSignOnService Location="https://sso.mycompany.com/saml2/keepersecurity"
            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
        <md:SingleSignOnService Location="https://sso.mycompany.com/saml2/keepersecurity"
            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
    </md:IDPSSODescriptor>
</md:EntityDescriptor>

Name and description of each field:

EntityDescriptor
    This is the Entity ID (the entityID attribute), sometimes referred to as "Issuer", and the unique name for your IdP application.

X509Certificate
    This is the X509 certificate used by Keeper to validate the signature on the SAML response sent by your identity provider.

NameIDFormat
    This defines the name identifier format used when logging into Keeper. Keeper supports the following identifiers:
    urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
    or
    urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

SingleSignOnService "POST"
    This is your identity provider's "POST" binding used as a response to a request from Keeper.

SingleSignOnService "Redirect"
    This is your identity provider's "Redirect" binding used as a response to a request from Keeper.
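Two steps on this page are manual checks that are easy to get wrong: a hand-written metadata file must keep every field in the template above (Step 2 of this guide), and Shibboleth metadata must have its endpoints uncommented before upload (Step 6 of the Shibboleth guide). The following Python script is an added example, not Keeper's or any IdP vendor's tooling. It checks an IdP metadata file for the minimum fields listed above (entityID, a signing certificate, a NameIDFormat Keeper supports, and both HTTP-POST and HTTP-Redirect SingleSignOnService bindings), flags endpoints that are still inside XML comments, and additionally warns when an endpoint is not served over https. The sample metadata it builds is constructed for the example; sso.example.com and the certificate bytes are placeholders.

```python
"""Sanity-check a SAML 2.0 IdP metadata file before uploading it to Keeper.
Added example (not Keeper tooling); standard library only."""
import base64
import re
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
SAML2P = "urn:oasis:names:tc:SAML:2.0:protocol"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# The two NameID formats the page lists as supported by Keeper.
SUPPORTED_NAMEID = {EMAIL_FORMAT, "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"}


def _signing_certs(idp):
    """Base64 text of every X509Certificate usable for signing (whitespace stripped)."""
    certs = []
    for kd in idp.findall(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use", "signing") != "signing":  # no 'use' means signing and encryption
            continue
        for cert in kd.iter(f"{{{DS}}}X509Certificate"):
            certs.append(re.sub(r"\s+", "", cert.text or ""))
    return certs


def check_idp_metadata(xml_text):
    """Return a list of problems found; an empty list means the file passes."""
    problems = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != f"{{{MD}}}EntityDescriptor":
        return ["root element must be md:EntityDescriptor"]
    if not root.get("entityID"):
        problems.append("EntityDescriptor has no entityID (the Issuer)")
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        return problems + ["missing md:IDPSSODescriptor"]
    if SAML2P not in (idp.get("protocolSupportEnumeration") or "").split():
        problems.append("IDPSSODescriptor does not declare SAML 2.0 protocol support")

    certs = _signing_certs(idp)
    if not certs:
        problems.append("no signing X509Certificate: Keeper cannot verify response signatures")
    for b64 in certs:
        try:
            der = base64.b64decode(b64, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append("X509Certificate is not valid base64")
            continue
        if not der or der[0] != 0x30:  # a DER certificate starts with a SEQUENCE tag
            problems.append("X509Certificate does not decode to a DER certificate")

    formats = [(f.text or "").strip() for f in idp.findall(f"{{{MD}}}NameIDFormat")]
    if not formats:
        problems.append("no NameIDFormat declared")
    elif not SUPPORTED_NAMEID.intersection(formats):
        problems.append("NameIDFormat must be emailAddress or unspecified")

    locations = {s.get("Binding"): s.get("Location", "")
                 for s in idp.findall(f"{{{MD}}}SingleSignOnService")}
    for name, uri in (("HTTP-POST", POST), ("HTTP-Redirect", REDIRECT)):
        if uri not in locations:
            problems.append(f"missing SingleSignOnService with the {name} binding")
        elif not locations[uri].startswith("https://"):
            problems.append(f"{name} SingleSignOnService Location is not https")

    # The XML parser drops comments, so a commented-out endpoint silently vanishes;
    # scan the raw text for them (the Shibboleth guide's Step 6 check).
    for comment in re.findall(r"<!--(.*?)-->", xml_text, flags=re.S):
        for endpoint in ("SingleSignOnService", "SingleLogoutService"):
            if endpoint in comment:
                problems.append(f"{endpoint} endpoint is commented out; uncomment it before uploading")
    return problems


# Constructed placeholder: DER-like bytes, NOT a real certificate.
SAMPLE_CERT = base64.b64encode(b"\x30\x82\x01\x00" + b"\x00" * 256).decode()


def sample_metadata(name_id=EMAIL_FORMAT, scheme="https", comment_out_slo=False):
    """Constructed metadata mirroring the page's template; sso.example.com is a placeholder."""
    slo = (f'<md:SingleLogoutService Location="{scheme}://sso.example.com/saml2/slo" '
           f'Binding="{REDIRECT}"/>')
    if comment_out_slo:
        slo = f"<!-- {slo} -->"
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor entityID="MySSOApp" xmlns:md="{MD}">
  <md:IDPSSODescriptor protocolSupportEnumeration="{SAML2P}" WantAuthnRequestsSigned="true">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="{DS}"><ds:X509Data>
        <ds:X509Certificate>{SAMPLE_CERT}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>{name_id}</md:NameIDFormat>
    <md:SingleSignOnService Location="{scheme}://sso.example.com/saml2/keepersecurity" Binding="{POST}"/>
    <md:SingleSignOnService Location="{scheme}://sso.example.com/saml2/keepersecurity" Binding="{REDIRECT}"/>
    {slo}
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


if __name__ == "__main__":
    for label, xml in (("template", sample_metadata()),
                       ("commented SLO", sample_metadata(comment_out_slo=True))):
        print(label, "->", check_idp_metadata(xml) or "OK")
```

To check a real file, read it with `open(path).read()` and pass the text to `check_idp_metadata`; the script only validates structure, so a clean result still needs the certificate and endpoints to be the ones your IdP actually uses.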

Step 3: Map User Attributes

Keeper requires that you map specific user attributes to be sent during authentication. The default Keeper SSO Connect Cloud user attributes are Email, First and Last, as outlined in the table below. Ensure your identity provider's user attributes are aligned with Keeper's attributes. Refer to your identity provider's configuration guide for instructions.

Your IdP User Attributes    Keeper User Attributes
<Email Address>             Email
<First Name>                First
<Last Name>                 Last

Step 4: Upload IdP Metadata to Keeper

Once you have finished creating your identity provider metadata file, or have downloaded it from your identity provider, head back to the Keeper Admin Console, locate your SSO Connect Cloud Provisioning method and select Edit.

Edit SSO Provisioning Method

Scroll down to the Identity Provider section, set IDP Type to GENERIC, select Browse Files and select the Metadata file you created.

Upload your Metadata File

Still within the Keeper Admin Console, exit the Edit View and select View on your SSO Connect Cloud Provisioning method. Within the Identity Provider section you will find the metadata values for the Entity ID, Single Sign On Service and Single Logout Service Endpoint that are now populated.

Your SSO Application's Metadata

Graphic Assets

If your identity provider requires an icon or logo file for the application, please see the Graphic Assets page.

Success! Your Keeper Security SSO Cloud setup is now complete! You may now try logging into Keeper with SSO.

If you find that your application is not functional, please review your identity provider application settings, your metadata file and your user attributes for any errors.

Once complete, repeat Step 4.

If you need assistance, please email enterprise.support@keepersecurity.com.

Move existing users/initial admin to SSO authentication

Users created in the root node (top level) will need to be migrated to the sub-node on which the SSO integration was configured. If users remain in the root node, they will be prompted for the master password when accessing the vault and/or Admin Console.

An admin cannot move themselves to the SSO-enabled node. Another admin must perform this action.

After the user is moved to the SSO-enabled node, they need to log into the Keeper vault initially by selecting the "Enterprise SSO" pull-down and entering the Enterprise Domain configured on the SSO integration. The user may be prompted to confirm by entering the master password.

Initially select 'Enterprise SSO Login'

Once the user has authenticated with SSO, they only need to enter their email address going forward to initiate SSO authentication.

They won't have to enter the Enterprise Domain. If typing in the email address and clicking Next does not route the user to the desired SSO, ensure that just-in-time provisioning is enabled in the Keeper SSO configuration and that your email domain is reserved by Keeper. More information regarding routing and domain reservation can be found here.