Identity Provider configuration for SSO Connect Cloud
The previous section of Admin Console Configuration applies to every SAML 2.0 compatible identity provider. To help with any IdP-specific configuration of common identity providers, we have added some helpful screens in this next section.
If your Identity Provider is not listed here, don't worry. Keeper is 100% compatible with all SAML 2.0 SSO identity providers and Passwordless authentication products. You can just follow the step by step instructions of a similar provider in the list above, and it will be generally the same setup flow.
(If you create a setup guide for your identity provider, please share it with us and we'll post it here!)
How to configure Keeper SSO Connect Cloud with Amazon AWS SSO for seamless and secure SAML 2.0 authentication.
Please complete the steps in the Admin Console Configuration section first.
Log into AWS and select on AWS Single Sign-On.
On the SSO Dashboard, select Configure SSO access to your cloud applications.
On the Applications menu, select Add a new application.
Next, select Keeper Security and select Add.
Keeper is working with AWS to develop an Application Connector.
Fill in the Display name and Description (optional) in the application details section.
In the AWS SSO metadata section, select the download button to export the AWS SSO SAML metadata file. This file gets imported in the SSO Connect IdP Metadata section on the configuration screen.
Copy this file to the Keeper SSO Connect server and upload it into the Keeper SSO Connect interface by either browsing to or dragging and dropping the file into the Configuration screen's SAML Metadata area:
Next, download the Keeper metadata file and upload it as the AWS Application metadata file. Navigate to the view screen of the Keeper SSO Connect Cloud™ provisioning method.
Click the "Export Metadata" button to download the config.xml file.
Back on the Ping Identity application configuration, select the Select File button and choose the config.xml file downloaded in the above step.
After saving changes, the "Configuration for Keeper Password Manager has been saved" success message will be displayed.
Note: The Keeper SSL certificate cannot be larger than 2048K or the below error will be received.
Either generate a smaller SSL certificate and re-export and import the metadata file, or manually set the ACS URL and Audience URL in the AWS SSO application configuration.
Next, select the Attribute mappings tab and ensure that the Keeper application attributes mapped to AWS SSO are correct (these should be set by default). The AWS SSO string value for the subject mapping is ${user:subject}, with the format blank or unspecified. The Keeper attributes are set as follows:
Keeper Attribute    AWS SSO String Value    Format
Email               ${user:email}           unspecified
First               ${user:givenName}       unspecified
Last                ${user:familyName}      unspecified
Note: If your AWS email is mapped to the AD UPN (which may not be the actual email address of your users), it can be re-mapped to the email address associated with the user's AD profile.
To make this change, navigate to the Connect Directory on the AWS SSO page.
Select the Edit attribute mappings button.
Change the AWS SSO email attribute from ${dir:windowsUpn} to ${dir:email}.
Select the Assigned users tab and then the Assign users button to select the users or groups to assign to the application.
On the Assign Users window:
Select either Groups or Users
Type the name of a group or user
Select Search connect directory to initiate the search.
The results of the directory search will display under the search window.
Select the users/groups that are desired to have access to the application and then select the Assign users button.
Note: Keeper SSO Connect expects that the SAML response is signed. Ensure that your identity provider is configured to sign SAML responses.
Your Keeper SSO Connect setup is now complete!
Users created in the root node (top level) will need to be migrated to the sub node that the SSO integration was configured on. If users remain in the root node, they will be prompted for the master password when accessing the vault and/or admin console.
An admin cannot move themselves to the SSO enabled node. It requires another admin to perform this action.
After the user is moved to the SSO enabled node, they need to log into the Keeper vault initially by selecting the "Enterprise SSO" pull down and entering the Enterprise Domain configured on the SSO integration. The user may get prompted to confirm by entering the master password.
Once the user has authenticated with SSO, they only need to use their email address moving forward to initiate SSO authentication.
They won't have to enter the Enterprise Domain. If typing in the email address and clicking Next does not route the user to the desired SSO, ensure that just-in-time provisioning is enabled in the Keeper SSO configuration and ensure that your email domain is reserved by Keeper. More information regarding routing and domain reservation can be found here.
How to configure Keeper SSO Connect Cloud with Auth0 for seamless and secure SAML 2.0 authentication.
Please complete the steps in the Admin Console Configuration section first.
Log in to the Admin section of the Auth0 portal.
Select the Applications tab and click Create Application. Choose Regular Web Applications.
Next, go to the Addons tab and click SAML2 WEB APP.
On the Settings page that comes up next, you will need the “Assertion Consumer Service (ACS) Endpoint” that comes from the Keeper Admin Console.
Example Assertion Consumer Service (ACS) Endpoint: https://keepersecurity.com/api/rest/sso/saml/XXXXXXXX
This value can be found under the SSO Connect Cloud configuration as part of the Service Provider information, as seen below:
Paste the Assertion Consumer Service (ACS) Endpoint into the Application Callback URL field in the Auth0 screen.
Next, remove the sample JSON in the SAML2 Web App editor window and replace it with the following:
The value for “audience” is the Entity ID. This can also be found under the SSO Connect Cloud configuration as part of the Service Provider information:
Once you've added the Entity ID, you can click the Debug button to verify there are no formatting issues.
Next, scroll down to the bottom of the SAML2 Web App window and click Save.
Next, click on the Usage tab and download the Identity Provider Metadata file.
On the Keeper side, edit the SSO configuration and select GENERIC as the IDP Type. You can upload the metadata.xml file into the Keeper SSO Connect interface by browsing to or dragging and dropping the file into the Setup screen:
Users created in the root node (top level) will need to be migrated to the sub node that the SSO integration was configured on. If users remain in the root node, they will be prompted for the master password when accessing the vault and/or admin console.
An admin cannot move themselves to the SSO enabled node. It requires another admin to perform this action.
After the user is moved to the SSO enabled node, they need to log into the Keeper vault initially by selecting the "Enterprise SSO" pull down and entering the Enterprise Domain configured on the SSO integration. The user may get prompted to confirm by entering the master password.
Once the user has authenticated with SSO, they only need to use their email address moving forward to initiate SSO authentication. They won't have to enter the Enterprise Domain.
If typing in the email address and clicking Next does not route the user to the desired SSO, ensure that just-in-time provisioning is enabled in the Keeper SSO configuration and ensure that your email domain is reserved by Keeper. More information regarding routing and domain reservation can be found here.
How to configure Keeper SSO Connect Cloud with Centrify for seamless and secure SAML 2.0 authentication.
Please complete the steps in the Admin Console Configuration section first.
Log in to the Centrify Admin portal via the cloud login.
Switch to the Admin Portal from the pull down menu.
Close the Quick Start Wizard if it pops up. Select Apps from the menu then Add Web Apps.
On the Add Web Apps window, select the Custom tab and then scroll down and choose Add for SAML.
Select Yes to “Do you want to add this application?”.
Close the Add Web Apps Window.
The next step is to upload Keeper's SSO Metadata to Centrify. On the Keeper Admin Console, export the SAML Metadata file:
Go to View -> Export Metadata
In the SAML Application Settings section in Centrify, select Upload SP Metadata.
Select Upload SP Metadata from a file and browse for the KeeperSSOMetadata.xml file. Select Ok.
Download the Identity Provider SAML Metadata. This will be uploaded to Keeper SSO Connect.
On the Description section enter Keeper SSO Connect in the Application Name field and select Security in the Category field.
Download the Keeper logo. Select Select Logo and upload the Keeper logo (keeper60x60.png).
On the User Access section select the roles that can access the Keeper App:
Under the Account Mapping section, select "Use the following..." and input mail.
On the Advanced section, append the script to include the following lines of code:
The above script reads the display name from the User Account section. The FirstName attribute is parsed from the first string of DisplayName and the LastName attribute is parsed from the second string of DisplayName.
Select Save to finish the setup.
Upload the Identity Provider SAML Metadata file into the Keeper SSO Connect Cloud instance interface by dragging and dropping the file into the edit screen:
When the upload is complete, go back one screen. The SSO integration is ready to test.
How to configure Keeper SSO Connect Cloud with CloudGate for seamless and secure SAML 2.0 authentication.
Please complete the steps in the Admin Console Configuration section first.
(1) Log into the CloudGate Administrator console.
Click the Administration tile on the menu.
(2) Next, Select the Service Provider menu item and click Add Service Provider.
On the "Add Service Provider" page, search for Keeper in the search bar. Select and click the "Keeper SSO Connect Cloud" icon.
(3) On the General Settings tab, set the Display name to "Keeper_SSO_Cloud_Connect" or whatever you prefer.
(4) Next, on the SSO Settings tab, you need the "Entity ID" and the other Service Provider information that comes from the Keeper Admin Console.
Copy and paste the Entity ID and the other information into the SSO Settings page in the CloudGate screen.
Your SSO ID can be found at the end of your SP Entity ID. Ex: https://keepersecurity.com/api/rest/sso/saml/3534758084794
(5) Click Add the Additional Attributes, and set Field Name to "Email" and the Value to "${MAIL_ADDRESS}". Now you can save the configuration.
If you would like to enable the Single Logout feature in CloudGate, go to the SSO Settings tab and enter Logout URL and then upload the SP Cert which comes from the Keeper Admin Console.
To first download the SP Cert, view the SSO configuration on Keeper and click the Export SP Cert button.
Next, Copy and Paste the SLO Endpoint information into the SSO Settings page in the CloudGate screen.
(6) The last step is to export the metadata from "IDP Information for SAML2.0" on the SSO Settings tab and import it into Keeper SSO Connect Cloud™.
Set the IDP Type to GENERIC and upload this file into the Keeper SSO Connect Cloud™ provisioning interface by dragging and dropping the file into the edit screen:
From CloudGate, you can now add users on the User Settings tab of the User Management page.
Make sure each user has an "Email address" value on the User Settings tab of the User Management page.
Click "Save" to complete the configuration of Keeper SSO Connect Cloud with CloudGate.
Your Keeper SSO Connect setup is now complete!
To enable CloudGate SCIM user and group provisioning please follow the instructions found in this page within the Keeper Enterprise Guides.
Users created in the root node (top level) will need to be migrated to the sub node that the SSO integration was configured on. If users remain in the root node, they will be prompted for the master password when accessing the vault and/or admin console.
An admin cannot move themselves to the SSO enabled node. It requires another admin to perform this action.
After the user is moved to the SSO enabled node, they need to log into the Keeper vault initially by selecting the "Enterprise SSO" pull down and entering the Enterprise Domain configured on the SSO integration. The user may get prompted to confirm by entering the master password.
Once the user has authenticated with SSO, they only need to use their email address moving forward to initiate SSO authentication.
They won't have to enter the Enterprise Domain. If typing in the email address and clicking Next does not route the user to the desired SSO, ensure that just-in-time provisioning is enabled in the Keeper SSO configuration and ensure that your email domain is reserved by Keeper. More information regarding routing and domain reservation can be found here.
How to configure Keeper SSO Connect Cloud with DUO SSO for seamless and secure SAML 2.0 authentication.
Please complete the steps in the Admin Console Configuration section first.
These instructions assume Duo has already been successfully enabled and configured with an authentication source (Active Directory or IdP). To activate Duo SSO, visit your Duo Admin Panel and visit the "Single Sign-On" section.
Log in to the Duo Admin Panel and click Protect an Application. Search for Keeper and choose Keeper Security with type "2FA with SSO hosted by Duo (Single Sign-On)" in the applications list then click "Protect" (shown below as Configure).
The Download section is where you can download the SAML metadata file to upload into your SSO provisioning method.
Back on the Keeper Admin console, locate your DUO SSO Connect Cloud Provisioning method and select Edit.
Scroll down to the Identity Provider section, set IDP Type to DUO SSO, select Browse Files and select the DUO Metadata file previously downloaded.
Still within the Keeper Admin Console, exit Edit View and select View on your DUO SSO Connect Cloud Provisioning method. Within the Service Provider section you will find the metadata values for the Entity ID, IDP Initiated Login Endpoint and Assertion Consumer Service (ACS) Endpoint.
Single Logout Service (SLO) Endpoint is optional.
Return to the application page in your Duo Admin Panel, then copy and paste the Entity ID, Login Endpoint and ACS Endpoint into the Service Provider section.
Within the SAML Response section, scroll down to Map attributes and map the following attributes.
Ensure that 3 attributes ("First", "Last" and "Email") are configured with the exact spelling as seen below.
The Policy section defines when and how users will authenticate when accessing this application. Your global policy always applies, but you can override its rules with custom policies.
In the Global Policy section, review, edit and verify any Global Policy as seen by your Duo and/or Keeper administrator.
Success! Your Keeper Security EPM - Single Sign-On setup is now complete!
If you need assistance implementing the Keeper Security EPM - Single Sign-On application within your DUO environment, please contact the Keeper support team.
Users created in the root node (top level) in the Keeper Admin Console will need to be moved to the SSO node if you want the users to login with Duo. An admin cannot move themselves to the SSO enabled node, another admin must perform this action.
After the user is moved to the SSO enabled node, they can login to the Keeper vault by simply typing their email address and clicking "Next". If this does not work, please ensure that your email domain (e.g. company.com) has been reserved to your enterprise and ensure that Just-In-Time provisioning is enabled.
To onboard with the Enterprise Domain, the user can select the "Enterprise SSO" pull down and type in the Enterprise Domain configured in the Keeper Admin Console.
Once the user has authenticated with SSO for the first time, they only need to use their email address next time to initiate SSO authentication.
If typing in the email address and clicking Next does not route the user to the desired SSO, ensure that just-in-time provisioning is enabled in the Keeper SSO configuration and ensure that your email domain is reserved by Keeper. More information regarding routing and domain reservation can be found here.
How to configure Keeper SSO Connect Cloud with Microsoft Entra ID (formerly Azure AD) for seamless and secure SAML 2.0 authentication.
Please complete the steps in the Admin Console Configuration section first.
Keeper is compatible with all Microsoft Azure AD / Entra ID environments for SAML 2.0 authentication and automated provisioning.
Keeper applications (including Web Vault, Browser Extension, Desktop App and iOS/Android apps) are 100% compatible with conditional access policies.
Keeper supports both commercial (portal.azure.com) and Azure Government Cloud (portal.azure.us) environments.
Watch the following video to learn more about setting up Azure with SSO Connect Cloud.
Please follow the below steps.
(1) Add the Keeper Enterprise Application
Go to your Azure Admin account at https://portal.azure.com and click on Azure Active Directory > Enterprise Applications. Note: If you already have a Keeper application set up for SCIM Provisioning, you can edit the existing application.
For US Public Sector entities, login to https://portal.azure.us and follow the same steps as outlined in this document.
(2) Click on "New Application" then search for Keeper and select "Keeper Password Manager & Digital Vault".
(3) Click "Create" to create the application.
(4) Click on the "Set up single sign on" then click "SAML"
(5) On the Keeper Admin Console, export the SAML Metadata file.
Go to View -> Export Metadata
(6) Upload the Metadata file into the Azure interface by selecting the "Upload metadata file" button, selecting the file just downloaded from the Keeper admin console and pressing the Add button.
(7) Azure will open up the SAML configuration screen.
The red error on the missing "Sign on URL" field is expected.
To fix the error, copy the URL from the "IDP Initiated Login Endpoint" from the Admin Console SSO Cloud instance "view" screen, and paste it into the "Sign on URL" field.
Single Logout Service Endpoint ("SLO")
This is the URL endpoint at Keeper to which your identity provider will send logout requests. Single Logout is optional and this is something you configure at your identity provider.
For control over Keeper-initiated Single Logout behavior with the identity provider, see this page.
By default, Keeper will force a logout session with Entra/Azure after logging out. If you would like to remove this behavior, edit the Azure metadata file before uploading to Keeper and remove the SingleLogoutService line. For security reasons, we recommend keeping this in place.
(8) Click on Save then close the window with the SAML configuration.
(9) After saving, you'll be asked to test the configuration. Don't do this. Wait a couple seconds then reload the Azure portal page on the web browser. Now, there should be a certificate section that shows up in the "SAML Signing Certificate" area.
Click on "Download" under the Federation Metadata XML section:
(10) Upload the Metadata file into the Keeper Admin Console
In the Admin Console, select Azure as the Identity Provider type and import the Federation Metadata file saved in the previous step into the SAML Metadata section.
(11) Edit User Attributes & Claims
Under the User Attributes section, Azure will automatically create claims for User ID, First, Last and Email.
We recommend deleting the 4 claims in the "Additional Claims" section since they are not needed.
In your environment, if your user.userprincipalname (UPN) is not the same as the user's actual email address, you can edit the Email claim and change its value to user.mail.
In the Keeper Admin Console, the option to enforce a new login session with the identity provider is available. When ForceAuthn="true" is set in the SAML request, the Service Provider (Keeper) is telling the IdP that even though the user is already authenticated, they need to force a new authenticated session. This may be a desired behavior depending on your security policies and end-user environment.
Entra ID / Azure AD SAML signing certificates will expire after one year.
Ensure that you set yourself an annual calendar reminder to update the SAML certificate prior to expiration, or your Keeper users will not be able to login until it is updated.
For instructions on renewing the certificate, see the Certificate Renewal page.
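The two metadata points above (the SingleLogoutService line that Keeper honours by default, and the one-year lifetime of the Entra ID / Azure AD signing certificate) can both be checked from the Federation Metadata XML itself. The following Python script is an added example, not code from Keeper or Microsoft: it lists the SingleLogoutService endpoints the metadata advertises and reports how many days each signing certificate has left, so the annual renewal reminder is backed by a check you can schedule. It uses only the standard library plus the openssl command-line tool for reading the certificate date; the metadata document in it is constructed, its tenant id is a placeholder, and its certificate values are placeholder strings rather than real certificates.

```python
"""Inspect an IdP federation metadata file (e.g. exported from Entra ID).

Added example, not Keeper's or Microsoft's code. SAMPLE_METADATA is a
constructed document with placeholder certificate values; report() needs real
certificates because it asks the openssl CLI for the notAfter date."""
import re
import subprocess
import textwrap
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Optional

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def extract_signing_certs(metadata_xml: str) -> list[str]:
    """Base64 DER of every IdP certificate usable for signing.

    A KeyDescriptor with no "use" attribute may serve both signing and
    encryption, so it is included; use="encryption" is skipped."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            certs.append(re.sub(r"\s+", "", cert.text or ""))
    return certs


def single_logout_endpoints(metadata_xml: str) -> list[str]:
    """Location of each SingleLogoutService the IdP advertises (empty = no SLO)."""
    root = ET.fromstring(metadata_xml)
    return [e.get("Location", "")
            for e in root.iterfind(".//md:IDPSSODescriptor/md:SingleLogoutService", NS)]


def to_pem(b64: str) -> str:
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(b64, 64))
            + "\n-----END CERTIFICATE-----\n")


def not_after(pem: str) -> datetime:
    """Ask the openssl CLI for the certificate's notAfter, as an aware UTC datetime."""
    out = subprocess.run(["openssl", "x509", "-noout", "-enddate"],
                         input=pem, capture_output=True, text=True, check=True).stdout
    value = out.strip().split("=", 1)[1]  # e.g. "Jan  2 15:04:05 2025 GMT"
    return datetime.strptime(value, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def days_until_expiry(expiry: datetime, now: datetime) -> int:
    return (expiry - now).days


def classify(days_left: int, warn_days: int = 30) -> str:
    """expired / expiring (within warn_days) / ok."""
    if days_left < 0:
        return "expired"
    if days_left <= warn_days:
        return "expiring"
    return "ok"


def report(metadata_xml: str, now: Optional[datetime] = None,
           warn_days: int = 30) -> list[tuple[str, int]]:
    """(status, days_left) for each signing certificate in the metadata."""
    now = now or datetime.now(timezone.utc)
    results = []
    for b64 in extract_signing_certs(metadata_xml):
        days = days_until_expiry(not_after(to_pem(b64)), now)
        results.append((classify(days, warn_days), days))
    return results


# Constructed metadata: shape follows the SAML 2.0 metadata schema, values are placeholders.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        SIGNINGCERT
        PLACEHOLDER
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>ENCRYPTIONCERTPLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

if __name__ == "__main__":
    print("signing certs:", extract_signing_certs(SAMPLE_METADATA))
    print("single logout:", single_logout_endpoints(SAMPLE_METADATA))
    # With a real exported file: report(open("FederationMetadata.xml").read())
```

Run it against the real exported file by passing the file contents to report(); a non-empty result from single_logout_endpoints() means Keeper will send a logout to the IdP after the user logs out, which is the behaviour the guide recommends keeping.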
Users can be provisioned to the Keeper application through the Azure portal using manual or automated provisioning.
If only specific users or groups will be assigned to Keeper Password Manager, the following setting will need to be changed. In your Azure console, navigate to Azure Active Directory > Enterprise Applications > Keeper Password Manager & Digital Vault and select Properties.
Change the User assignment required to Yes and then save. This will ensure only the user and groups assigned to the application will be able to use it.
On the Users and groups section select the users and/or groups that are to be provisioned to the Keeper application.
For Step-By-Step instructions, please refer to this URL: https://docs.keeper.io/enterprise-guide/user-and-team-provisioning/azure-ad-provisioning-scim
Users created in the root node (top level) will need to be migrated to the sub node that the SSO integration was configured on. If users remain in the root node, they will be prompted for the master password when accessing the vault and/or admin console.
An admin cannot move themselves to the SSO enabled node. It requires another admin to perform this action.
For any reserved domain that has just-in-time provisioning enabled, the user can simply type in their email address on the Vault login screen and they will be routed to the correct SSO provider. From here, the user can create their vault or login to an existing vault.
If the domain is not reserved, the user can log into the Keeper vault initially by selecting the "Enterprise SSO" pull down and entering the Enterprise Domain configured on the SSO integration. The user may get prompted to confirm by entering the master password if they were recently moved from a non-SSO node to the SSO node.
Once the user has authenticated with SSO, they only need to use their email address moving forward to initiate SSO authentication.
If typing in the email address and clicking Next does not route the user to the desired SSO, ensure that just-in-time provisioning is enabled in the Keeper SSO configuration and ensure that your email domain is reserved by Keeper. More information regarding routing and domain reservation can be found here.
Keeper supports IdP-initiated login with Azure. Users can simply visit their Apps Dashboard at https://myapplications.microsoft.com/. This will load their assigned Keeper application and the user can click the icon.
How to configure Keeper SSO Connect Cloud with F5 BIG-IP APM for seamless and secure SAML 2.0 authentication.
Please complete the steps in the Admin Console Configuration section first.
On the F5 BIG-IP APM, configure a new SAML IdP service for your Keeper platform: Go to Access Policy -> SAML -> BIG-IP as IdP -> Local IdP services
Navigate to: Access Policy > SAML : BIG-IP as IdP - Local IdP Services. Select your applicable IdP connection point and "Export Metadata".
Import the Metadata file extracted from F5 BIG-IP APM into SSO Connect Cloud instance and select F5 as the IDP Type.
Select Save to save the configuration and verify all settings look correct. Export the Keeper SSO Connect Cloud Metadata file for configuration of F5 BIG-IP APM from the Export Metadata link.
Your Keeper SSO Connect setup is now complete!
How to configure Keeper SSO Connect Cloud with Google Workspace for seamless and secure SAML 2.0 authentication, user provisioning and group provisioning.
Please complete the steps in the Admin Console Configuration section first.
Google Workspace supports the following integration with Keeper:
SSO authentication with SAML 2.0
Automatic Provisioning with Google Cloud APIs and SCIM (Users and Groups)
Automatic Provisioning with SCIM (Users only)
You can configure with SSO, SSO+Provisioning or Provisioning by itself.
To access Google Workspace Admin Console, login to https://admin.google.com/
Visit the Apps > Web and Mobile Apps screen.
Then select "Add App" and select "Search for apps".
In the "Enter app name" search area, search for "Keeper" and select the "Keeper Web (SAML)" app.
Use Option 1 to Download IdP metadata and then select Continue.
On the Service Provider Details screen, there are a few fields to fill out. You will replace the ACS URL and the Entity ID with the values that you'll be using from your SSO Connect Cloud instance.
To obtain the ACS URL and Entity ID, locate your SSO Connect Cloud Provisioning method, within the Keeper Admin Console, and select View.
Within the Service Provider section you will find the values for the ACS URL and Entity ID.
Copy and paste the ACS URL and Entity ID into the Service Provider Details, select "Signed Response" and select CONTINUE.
In the Attributes screen, ensure that there are 3 mappings exactly as they appear below. Set the mappings field to "First Name", "Last Name" and "Primary Email", as displayed below, and select Finish. You have completed your Google Workspace SAML integration into Keeper.
If you have selected / created a Custom SAML App, you'll need to click on "Add New Mapping" to create the 3 fields: First, Last and Email. The spelling needs to be exact.
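The AWS SSO section above notes that Keeper expects the SAML response to be signed, and the Duo and Google Workspace sections both require the three attributes to be spelled exactly First, Last and Email. Both can be checked before a user ever tries to log in. The following Python script is an added example and not code from Keeper or from any identity provider on this page; it assumes you have a SAML Response captured from your IdP (the two documents embedded in it are constructed samples, not captures), and it checks only that a ds:Signature element is present, not that the signature verifies, which needs an XML-DSig library such as python3-saml/xmlsec.

```python
"""Pre-flight check of a SAML Response before it is sent to Keeper SSO Connect Cloud.

Added example, not Keeper's or any IdP's code. Checks that the Response (and
Assertion) carry a Signature element and that the attributes are named exactly
"First", "Last" and "Email". Signature presence only; no cryptographic verification."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Attribute names Keeper expects, spelled exactly as the guides show them.
REQUIRED_ATTRIBUTES = ("First", "Last", "Email")


def check_saml_response(xml_text: str) -> dict:
    """Return findings for one samlp:Response document."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("document root is not samlp:Response")
    findings = {
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_signed": False,
        "missing": [],      # required attribute names not present at all
        "misspelled": {},   # required name -> near-miss that is present instead
    }
    assertion = root.find("saml:Assertion", NS)
    if assertion is not None:
        findings["assertion_signed"] = assertion.find("ds:Signature", NS) is not None
    present = [a.get("Name", "")
               for a in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS)]
    for required in REQUIRED_ATTRIBUTES:
        if required in present:
            continue
        findings["missing"].append(required)
        # Flag case or suffix mismatches such as "email" or "FirstName": the
        # usual reason a mapping looks right in the IdP UI but is not accepted.
        for name in present:
            if name.lower() == required.lower() or name.lower().startswith(required.lower()):
                findings["misspelled"][required] = name
                break
    return findings


def problems(xml_text: str) -> list[str]:
    """Human-readable list of things to fix; an empty list means the response passes."""
    f = check_saml_response(xml_text)
    out = []
    if not f["response_signed"]:
        out.append("Response is not signed; enable response signing at the IdP")
    for name in f["missing"]:
        hint = f' (found "{f["misspelled"][name]}" instead)' if name in f["misspelled"] else ""
        out.append(f'attribute "{name}" is missing{hint}')
    return out


# Constructed sample: signed, attributes spelled exactly.
GOOD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>AAA=</ds:SignatureValue></ds:Signature>
  <saml:Assertion ID="_a1" Version="2.0">
    <ds:Signature><ds:SignedInfo/><ds:SignatureValue>BBB=</ds:SignatureValue></ds:Signature>
    <saml:AttributeStatement>
      <saml:Attribute Name="First"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Last"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Email"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: unsigned, and two of the three attribute names are wrong.
BAD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r2" Version="2.0">
  <saml:Assertion ID="_a2" Version="2.0">
    <saml:AttributeStatement>
      <saml:Attribute Name="FirstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Last"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="email"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    for label, doc in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        print(label, problems(doc) or "OK")
```

To use it on a real response, take the base64 SAMLResponse form field from the browser's developer tools, decode it, and pass the XML to problems(). A Response signature and an Assertion signature are separate settings at most IdPs; the guides ask for the Response to be signed, and the assertion_signed finding simply shows which of the two your IdP is currently doing.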
Once complete, you will be taken to the Keeper SAML App Details page, which provides a quick overview of the SAML connection and service. Click within the area that states "OFF for everyone" to enable SSO for your users.
To enable Keeper SSO Connect for your users, select "ON for everyone" and select SAVE.
To enable Keeper SSO Connect for specific groups, select Groups to the left of the Service status, search for and select the group you want associated with the Keeper SSO Connect App, tick "ON", then select SAVE.
Note: Google does not currently support Group provisioning to Keeper teams.
Back on the Keeper Admin console, locate your SSO Connect Cloud Provisioning method and select Edit.
Select Browse Files and select the Google Metadata file previously downloaded.
You will know this was successful when your metadata file reflects within your provisioning method. You may now exit the provisioning configuration.
As of 2022, Google defaults the configuration to not enable Single Logout. This means logging out of Keeper does not initiate a full logout of Google.
Your Keeper SSO Connect setup with Google Workspace is now complete! Users can now log into Keeper using their Google account by following the below steps:
Open the Keeper vault and click on "Enterprise SSO Login".
Type in the Enterprise Domain that was provided to the Keeper Admin Console when setting up SSO. On the SSO Connect status screen it is called "SSO Connect Domain".
Click "Connect" and login with your Google Workspace credentials.
For the end-user experience (Keeper-initiated Login Flow) see the guide below: https://docs.keeper.io/user-guides/enterprise-end-user-setup-sso#keeper-initiated-login-flow
End-user Video Tour for SSO Users is here: https://vimeo.com/329680541
Next, we'll show how to configure User and Team Provisioning from Google Workspace. There are two methods of integrating with Google Workspace.
Since Google Workspace doesn't natively support SCIM Groups, Keeper has developed a Google Cloud Function that integrates with Google Workspace for automated user and group provisioning. Step by step instructions for setting up this service are documented below:
Google Workspace User and Team Provisioning with Cloud Service
To provision users directly from Google Workspace to Keeper using a direct SCIM integration, follow the guide below (this only provisions users, not groups):
Google Workspace User Provisioning with SCIM
Step by Step guide to automatically provisioning Users and Groups from Google Workspace using a Cloud Function
This document describes how to automatically provision users from Google Workspace to Keeper using a Google Cloud Function, which includes the provisioning of Users, Groups and user assignments. User and Team Provisioning provides several features for lifecycle management:
You can specify which Google Groups and/or users are provisioned to Keeper
Matching of Groups can be performed by Group name or Group email
Google Groups assigned to Keeper are created as Keeper Teams
Keeper Teams can be assigned to Shared Folders in the vault
New users added to the group are automatically invited to Keeper
Group and user assignments are applied every sync
When a user is de-provisioned, their Keeper account will be automatically locked
The process is fully cloud-based. No on-prem infrastructure or services are required.
Processing can be performed on your desired scheduler or on-demand
The setup steps in this section allow you to provision users and groups from your Google Workspace account. Setting up this method requires access to several resources:
Keeper Secrets Manager is used in this implementation to perform the most secure method of integration between Google and Keeper, ensuring least privilege. If you don't use Keeper Secrets Manager, please contact the Keeper customer success team.
Log in to Google Cloud and create a project or choose an existing project. The project name can be "Keeper SCIM Push" or whatever you prefer.
In APIs & Services, click +ENABLE APIS AND SERVICES.
In Search for APIs & Services, enter Admin SDK API and click ENABLE.
The service account created here will be used to access the Google Workspace user and group information.
In the IAM and Admin menu, select Service accounts.
Click +CREATE SERVICE ACCOUNT, with the suggested service account name keeper-scim.
For the newly created service account, click Actions (the three dots) and select Manage Keys.
Click ADD KEYS -> Create New Key.
Choose the JSON key type, then CREATE.
A JSON file with the service account credentials will be downloaded to your computer. Rename this file to credentials.json and add it as an attachment to the Keeper configuration record that was created in the Setup Steps above.
Navigate to your Service Account and select the DETAILS tab > Advanced Settings.
In the Domain-wide delegation section, copy the Client ID. You will need to grant this Client ID access to the Google Workspace Directory in the next step.
In the Google Workspace Panel (https://admin.google.com):
Navigate to Security -> API controls.
Under Domain wide delegation, click MANAGE DOMAIN WIDE DELEGATION.
Click Add new in API Clients.
Paste the Client ID (copied from the previous step).
Paste the following text into OAuth scopes (comma-delimited)
Click AUTHORIZE.
These scopes grant the Service Account read-only access to Google Workspace Directory Users, Groups and Membership.
In Google Workspace (https://admin.google.com), navigate to Account -> Account settings.
Copy the Primary admin email into the clipboard (upper right area) for use in the next step.
In your Keeper Vault, create a new Shared Folder. This folder can be named anything, for example "Google SCIM Push". The user and record permissions for this folder can be set any way you prefer.
Assuming that you have Keeper Secrets Manager enabled and activated for this vault, click on Secrets Manager from the left side and then select Create Application.
Call the Application name "Google SCIM Push" (or whatever you prefer) and click Generate Access Token. This token will be discarded and not used in this scenario.
Next, select the "Google SCIM Push" application from the list, click on Edit, then Add Device.
Select the base64 configuration and download it to your computer. Save the file to your computer as config.base64.
From the Keeper Admin Console, go to the Provisioning tab for the Google Workspace node and click "Add Method".
Select SCIM and click Next.
Click "Create Provisioning Token".
The URL and Token displayed on the screen are used in the next step. Save both values in a temporary file, then click Save; the provisioning method is only created once you do.
Inside the Shared Folder created in step 7, create a Keeper record with the following fields:
Login: the Google Workspace admin email
Password: the SCIM Token generated in Step 9 above
Website Address: the SCIM URL generated in Step 9 above
credentials.json: file attachment from Step 3 with the Google service account credentials
SCIM Group: multi-line custom text field listing every group to be provisioned, one per line, by Group Email or Group Name
All groups in the list, and the users within them, are provisioned to Keeper. Keeper matches either the Group Email address or the Group Name; both are CASE SENSITIVE and must match exactly.
At this point, the configuration on the Keeper side is complete. The remaining steps are performed in the Google Cloud console, where a Cloud Function is created.
From the Google Cloud console, open Cloud Functions and click CREATE FUNCTION.
Environment: 2nd gen
Function name: keeper-scim-push
Region: your preferred region (note it for later)
Trigger: HTTPS
Authentication: Require authentication
Memory allocated: 256MiB
CPU: 0.333
Timeout: 120 seconds
Concurrency: 1
Autoscaling min: 0
Autoscaling max: 1
Runtime service account: Default compute service account. If the Default compute service account does not exist yet, select a different account temporarily, then edit the function after saving. The default compute service account often carries broad project roles; a dedicated service account holding only what this function needs is the least-privilege choice.
Below is an example full configuration:
Create two runtime environment variables:
Name 1: KSM_CONFIG_BASE64, Value 1: the contents of the KSM configuration file generated in Step 8
Name 2: KSM_RECORD_UID, Value 2: the record UID of the vault record created in Step 10
You can find the Record UID by clicking the (info) icon on the Keeper vault record; click the Record UID to copy it.
KSM_CONFIG_BASE64 is a credential: anyone who can view the function's configuration can read it, so restrict who holds that permission on the project.
Click CONNECTIONS and select "Allow internal traffic only".
Scroll down and click NEXT to upload the Cloud Function source.
Visit the Keeper Google SCIM Push release page: https://github.com/Keeper-Security/ksm-google-scim/releases
Download the source.zip file and save it to your computer.
Runtime: Go 1.21
Source code: ZIP Upload
Entry point: GcpScimSyncHttp
ZIP upload destination bucket: create a bucket with any name you choose, using the default bucket permissions (not public).
Zip file: upload the source.zip file saved above.
Click DEPLOY to create the Cloud Function. After a few minutes, the function is created and published.
The function is private and requires authentication, so the next step is to create a Cloud Scheduler job that calls it with an identity token.
From the Cloud Function screen, copy the URL as seen below:
From the Google Cloud console, search for Cloud Scheduler and open it.
Click SCHEDULE A JOB.
Description: any text, such as "Keeper SCIM Push for Google Workspace"
Frequency: for example 0 * * * * to run once per hour
Timezone: according to your location
Target type: HTTP
URL: the Cloud Function URL copied in Step 13 above
HTTP method: GET
Auth header: Add OIDC token
Service account: Default compute service account
Click CONTINUE, then CREATE.
On the Scheduler Jobs screen the job is now listed. To force execution, click the overflow menu on the right side and select Force run. This executes the Cloud Function immediately.
If successful, the status of the last execution shows success:
To confirm that Keeper received the sync, log in to the Keeper Admin Console. You will see the pending / invited users, teams and team assignments.
Once the process is working, delete all local files and secrets created during this process.
IMPORTANT: Delete all local or temporary files on your computer, such as:
the config.base64 file
the credentials.json file
SCIM tokens
any screenshots or other local files generated in this process
By default, "unmanaged" teams and team assignments in the Keeper Admin Console are not deleted during the sync. If you prefer the sync to delete unmanaged teams or team assignments, create a custom field in the Keeper record with one of the following values:
-1: Nothing is deleted on the Keeper side during sync.
0 (default): Only SCIM-controlled groups and memberships can be deleted during sync.
1: Any manually created or SCIM-controlled groups and memberships can be deleted during sync.
The Keeper record can also be modified to produce verbose logs in the Google Cloud Function logs:
0 (default): No logging.
1: Verbose logging enabled.
Keeper performs exact string matches on the Group Name or Group Email address during Cloud Function provisioning; both are case sensitive.
Users in an invited state are not added to their assigned teams until the user creates their vault and the Keeper administrator logs in to the Admin Console. Team membership is also applied when another member of the team logs in to the vault, or when an administrator clicks "Sync" in the Admin Console.
Some operations, such as the creation of teams, can only occur when an administrator logs in to the Keeper Admin Console or when the Keeper Automator service is running, because team encryption keys need to be generated.
For large deployments, we recommend setting up the Keeper Automator service to automate device approvals, user approvals and team approvals.
To add new groups, add them to the list in the Keeper vault record as described in Step 10. Keeper searches on either Group Email or Group Name when identifying the target.
Nested groups in Google Workspace are flattened when syncing to Keeper: users from the nested groups are added to the parent group on the Keeper side.
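The following is an added illustration, not the ksm-google-scim Cloud Function and not Keeper's code. It models the three rules stated above so they can be sanity-checked before the real sync runs: a listed group is matched only by exact, case-sensitive Group Email or Group Name; nested groups are flattened into the parent group's membership; and the deletion mode (-1, 0, 1) decides which existing Keeper teams may be removed. The directory contents, group names and user addresses are constructed sample data, and the field name holding the deletion mode is not assumed (the mode is passed in as a parameter).

```python
"""Model of the documented Keeper Google SCIM Push group rules (added example, not Keeper's code)."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class GoogleGroup:
    email: str
    name: str
    members: set[str] = field(default_factory=set)    # user e-mail addresses
    subgroups: set[str] = field(default_factory=set)  # e-mails of nested groups


# Constructed sample directory; not real tenant data.
DIRECTORY: dict[str, GoogleGroup] = {
    "sales@example.com": GoogleGroup("sales@example.com", "Sales",
                                     {"alice@example.com"}, {"sales-emea@example.com"}),
    "sales-emea@example.com": GoogleGroup("sales-emea@example.com", "Sales EMEA",
                                          {"bob@example.com"}),
    "eng@example.com": GoogleGroup("eng@example.com", "Engineering",
                                   {"carol@example.com", "alice@example.com"}),
}


def resolve_groups(scim_group_field: str, directory: dict[str, GoogleGroup] = DIRECTORY):
    """Resolve the multi-line SCIM Group field.

    Returns (matched groups keyed by email, unmatched entries). Matching is an
    exact, case-sensitive comparison against Group Email or Group Name, so a
    line reading "sales" does not match the group named "Sales".
    """
    matched: dict[str, GoogleGroup] = {}
    unmatched: list[str] = []
    for raw in scim_group_field.splitlines():
        entry = raw.strip()
        if not entry:
            continue
        hit = next((g for g in directory.values() if entry in (g.email, g.name)), None)
        if hit is None:
            unmatched.append(entry)
        else:
            matched[hit.email] = hit
    return matched, unmatched


def flatten_members(group_email: str, directory: dict[str, GoogleGroup] = DIRECTORY,
                    _seen: set[str] | None = None) -> set[str]:
    """Users of a group plus the users of every nested group, cycle-safe."""
    seen = _seen if _seen is not None else set()
    if group_email in seen or group_email not in directory:
        return set()
    seen.add(group_email)
    group = directory[group_email]
    users = set(group.members)
    for sub in group.subgroups:
        users |= flatten_members(sub, directory, seen)
    return users


def teams_to_delete(mode: int, keeper_teams: dict[str, bool], desired: set[str]) -> set[str]:
    """Apply the documented deletion mode.

    keeper_teams maps team name -> True if the team is SCIM-controlled, False if
    it was created manually. desired is the set of team names the sync wants.
    """
    if mode == -1:
        return set()                       # nothing is ever deleted
    stale = {t for t in keeper_teams if t not in desired}
    if mode == 0:
        return {t for t in stale if keeper_teams[t]}  # only SCIM-controlled teams
    if mode == 1:
        return stale                       # manual and SCIM-controlled alike
    raise ValueError(f"unknown deletion mode {mode!r}")


if __name__ == "__main__":
    groups, missing = resolve_groups("Sales\neng@example.com\nsales\n")
    print("matched:", sorted(groups), "unmatched:", missing)
    print("flattened Sales:", sorted(flatten_members("sales@example.com")))
```

Running the model with the list above reports "sales" as unmatched and shows bob@example.com, who belongs only to the nested Sales EMEA group, landing in the Sales team. A real pre-flight check would replace DIRECTORY with the output of the Directory API calls the service account is authorized for.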
When a new version of the Cloud Function is released, updating the code is simple:
Download the new source.zip file from the Releases page of the ksm-google-scim GitHub repo.
Navigate to the Cloud Functions area of Google Cloud.
Open the Cloud Function details and click EDIT.
Click Code.
Under Source code, select "ZIP Upload".
Select the source.zip file saved to your computer.
Click DEPLOY and wait a few minutes for the new function to deploy.
Navigate to Cloud Scheduler and click Actions > Force run.
Directly integrating SCIM into Google Workspace for User provisioning
This guide describes provisioning users from Google Workspace to Keeper with a direct SCIM integration. This method does not support pushing Groups and Group assignments; if you require group push and group assignments, see the next guide: Google Workspace User and Team Provisioning with Cloud Service.
User provisioning provides several lifecycle management features:
New users added to Google Workspace receive an email invitation to set up their Keeper vault.
Users can be assigned to Keeper individually or by team.
When a user is de-provisioned, their Keeper account is automatically locked.
From the Keeper Admin Console, go to the Provisioning tab for the Google Workspace node and click "Add Method".
Select SCIM and click Next.
Click "Create Provisioning Token".
The URL and Token displayed on the next screen are entered into the Google Workspace Admin Console. Save both values in a temporary file, then click Save. If you do not click Save, the provisioning method is not created and provisioning will fail.
Back in the Google Workspace Admin console, go to Home > Apps > SAML Apps and click the "Provisioning Available" text of the Keeper app you set up.
Select Configure auto-provisioning towards the bottom of the page.
Paste the Access Token you saved when creating the SCIM provisioning method in the Keeper Admin Console and select CONTINUE.
Paste the Endpoint URL saved in the same step and select CONTINUE.
Leave the default attribute mappings as they are and click CONTINUE.
If you will be provisioning all users assigned to the Keeper SSO Connect app, simply select CONTINUE.
At the Deprovisioning screen, select FINISH to automate deprovisioning of your users.
Once auto-provisioning setup is finished, you are taken back to the details screen of the Keeper app, where Auto-provisioning shows as inactive. Toggle it to Active.
A pop-up window asks you to confirm that you are ready to turn on auto-provisioning. Select TURN ON.
Back on the details screen of the Keeper app, Auto-provisioning now shows as Active.
Auto-provisioning is complete. From now on, new Google Workspace users who are assigned to the Keeper app and fall within the provisioning scope receive an invitation to use the Keeper Vault, and their account lifecycle is controlled by Google Workspace.
If you would like to provision users to Keeper via Google Workspace SCIM provisioning but do NOT want to authenticate users via SSO, follow the instructions below:
Follow the same SSO setup steps as above, but on the Service Provider Details screen replace the ACS URL and Entity ID with values on a hostname under a domain you control that serves nothing, so that no SAML response can ever be delivered there. Example: Entity ID=https://null.yourdomain.com/sso-connect ACS URL=https://null.yourdomain.com/sso-connect/saml/sso. Keeping the hostname within your own domain prevents a third party from registering it and receiving assertions.
Once the Keeper application is set up in Google Workspace, turn on automated provisioning as described above in this document.
Note: Google does not currently support Group provisioning to Keeper teams.
If you receive the error "not_a_saml_app", ensure that "Auto-provisioning" is turned "ON" in the SAML application.
Google's IdP X.509 certificates for signing SAML assertions expire after 5 years. In the Google Workspace "Manage Certificates" section, note the expiration date and set a calendar alert well ahead of it to prevent an outage.
When the certificate is expiring soon, or has already expired, follow these instructions:
Log in to the Google Workspace Admin Console: https://admin.google.com
Click Apps, then select Web and Mobile Apps.
Select the Keeper app.
Expand Service provider.
Click "Manage Certificates".
Click "ADD CERTIFICATE".
Click "DOWNLOAD METADATA" and save the metadata file. This is the IdP metadata, and it now carries the new certificate.
Log in to the Keeper Admin Console.
Navigate to Admin > SSO Node > Provisioning > Edit SSO Cloud provisioning method.
Upload the Google IdP metadata into Keeper.
For more information on this topic, see Google's support page: https://support.google.com/a/answer/7394709
Users created in the root node (top level) need to be migrated to the sub node on which the SSO integration was configured. If users remain in the root node, they are prompted for the master password when accessing the vault and/or Admin Console.
An admin cannot move themselves to the SSO-enabled node; another admin must perform this action.
After a user is moved to the SSO-enabled node, they must log in to the Keeper vault once by selecting the "Enterprise SSO" pull-down and entering the Enterprise Domain configured on the SSO integration. The user may be prompted to confirm by entering their master password.
Once the user has authenticated with SSO, they only need their email address to initiate SSO authentication from then on; they do not have to enter the Enterprise Domain. If typing the email address and clicking Next does not route the user to the desired SSO, ensure that just-in-time provisioning is enabled in the Keeper SSO configuration and that your email domain is reserved by Keeper. More information on routing and domain reservation can be found here.
How to configure Keeper SSO Connect Cloud with HENNGE for seamless and secure SAML 2.0 authentication.
Please complete the steps in the Admin Console Configuration section first.
(1) Log into the HENNGE Administrator console and click the Administration tile on the menu.
(2) Select the Connected Services menu item and click Add Service. On the "Add New Service" page, click Add Service Manually in the "Add Service for SSO" menu.
(3) Set the Service name to "Keeper Password Manager and Digital Vault" (or whatever you prefer), add the Email attribute claim with the value UserPrincipalName (UPN), then click Submit.
If in your environment the user's UPN is not the same as their actual email address, edit the Email claim and use user.mail as the value instead.
All values required for the Keeper-side configuration in Step (5) are now visible. Click the X in the upper right and leave this page for now.
In the Connected Services menu area, click the Service Name you created, then click the "Upload Using Metadata" button. The Keeper metadata is available in the Admin Console: go to the provisioning instance -> View -> Export Metadata.
(4) After the metadata has been uploaded, return to the HENNGE Connected Service configuration page and enter the Login URL in the form https://keepersecurity.com/api/rest/sso/ext_login/<YourSSOIdHere>.
Your SSO ID is the number at the end of your SP Entity ID; for example, the Entity ID https://keepersecurity.com/api/rest/sso/saml/3534758084794 has the SSO ID 3534758084794.
Complete the configuration by scrolling to the bottom of the page and selecting Save Changes.
(5) The last step is to export the metadata from this connector and import it into Keeper SSO Connect Cloud™.
Set the IDP Type to GENERIC and upload the file into the Keeper SSO Connect Cloud™ provisioning interface by dragging and dropping it onto the edit screen:
From HENNGE, you can now add users in the Access Policy section of the User list page, or groups in the Allowed services section of the Access Policy Groups page.
Your Keeper SSO Connect setup is now complete!
How to configure Keeper SSO Connect Cloud with Imprivata OneSign for seamless and secure SAML 2.0 authentication.
Please complete the steps in the Admin Console Configuration section first.
You will need to provide some information about Keeper SSO Connect Cloud to your identity provider application, such as:
Entity ID
IdP Initiated Login
Assertion Consumer Service (ACS) Endpoint
Single Logout Service (SLO) Endpoint
SP Metadata file or the Keeper SP Certificate file
To obtain this information, locate your SSO Connect Cloud provisioning method in the Keeper Admin Console and select View. From there you can download the Keeper metadata file and the service provider (SP) certificate file, and read the direct URLs and configuration values (for identity provider applications that do not support uploading the metadata file).
Refer to your identity provider application's configuration guide for instructions on uploading service provider metadata or manually entering the required SAML response configuration fields.
To import your IdP metadata into Keeper, you need a properly formatted metadata file. If your SSO identity provider application can export its metadata file, that is the quickest and preferred way to import it into your Keeper SSO Connect Cloud provisioning method.
If you cannot export or download a metadata file from your identity provider, create a properly formatted metadata file by hand. Refer to your SSO application's configuration guide for the values.
Below is an example / template of a simple identity provider metadata.xml file for Keeper SSO Connect Cloud. If you use it as a starting point, copy, paste and modify it, adding any other fields your IdP requires, in your preferred .xml or .txt editor.
Please DO NOT remove any fields: this example contains the minimum required fields to connect your SSO application to Keeper.
EntityDescriptor (entityID): the Entity ID, sometimes referred to as the "Issuer", the unique name of your IdP application.
X509Certificate: the X.509 certificate Keeper uses to validate the signature on the SAML response sent by your identity provider. It must be the certificate the IdP actually signs with, and it must be replaced in Keeper whenever the IdP rotates its signing certificate.
NameIDFormat: defines the name identifier format used when logging in to Keeper. Keeper supports urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress or urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.
SingleSignOnService "POST": your identity provider's HTTP-POST binding endpoint, used to respond to a request from Keeper.
SingleSignOnService "Redirect": your identity provider's HTTP-Redirect binding endpoint, used to respond to a request from Keeper.
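A hand-built metadata file is easy to get subtly wrong (a missing Redirect binding, a pasted certificate with line breaks that do not decode, a NameIDFormat Keeper does not accept). The script below is an added pre-flight check, not Keeper's code and not a Keeper API; it parses an IdP metadata.xml with the standard library and reports which of the fields described above are missing or malformed. The embedded metadata is a constructed sample: idp.example.com and its endpoints are placeholders, and the X509Certificate body is a DER-shaped dummy blob rather than a real certificate.

```python
"""Pre-flight check of IdP metadata.xml for the GENERIC Keeper IdP type (added example)."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
SUPPORTED_NAMEID = {
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
}

# Dummy certificate body: a base64 ASN.1 SEQUENCE header plus padding, NOT a real certificate.
PLACEHOLDER_CERT = base64.b64encode(b"\x30\x82\x01\x00" + bytes(256)).decode()

# Constructed sample metadata with the minimum fields Keeper needs; hostnames are placeholders.
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.com/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{PLACEHOLDER_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="{POST}" Location="https://idp.example.com/saml/sso"/>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def validate_idp_metadata(xml_text: str) -> list:
    """Return a list of problems; an empty list means the minimum fields are present."""
    problems = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        problems.append("root element is not md:EntityDescriptor")
    if not root.get("entityID"):
        problems.append("EntityDescriptor is missing the entityID (Issuer)")

    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return problems + ["no md:IDPSSODescriptor element"]

    # Signing certificate: must exist and decode to DER (ASN.1 SEQUENCE, first byte 0x30).
    certs = [c.text or "" for c in idp.iterfind(".//ds:X509Certificate", NS)]
    if not certs:
        problems.append("no X509Certificate: Keeper cannot validate response signatures")
    for cert in certs:
        try:
            der = base64.b64decode("".join(cert.split()), validate=True)
        except ValueError:
            problems.append("X509Certificate is not valid base64")
            continue
        if not der.startswith(b"\x30"):
            problems.append("X509Certificate does not decode to a DER certificate")

    formats = {(f.text or "").strip() for f in idp.iterfind("md:NameIDFormat", NS)}
    if not formats & SUPPORTED_NAMEID:
        problems.append(f"NameIDFormat must be one of {sorted(SUPPORTED_NAMEID)}, got {sorted(formats)}")

    # Both SSO bindings Keeper lists must be present and use https.
    bindings = {s.get("Binding"): s.get("Location") for s in idp.iterfind("md:SingleSignOnService", NS)}
    for binding in (POST, REDIRECT):
        location = bindings.get(binding)
        if not location:
            problems.append(f"missing SingleSignOnService for {binding.rsplit(':', 1)[1]}")
        elif not location.startswith("https://"):
            problems.append(f"SingleSignOnService {location} is not https")
    return problems


if __name__ == "__main__":
    for problem in validate_idp_metadata(SAMPLE_METADATA) or ["metadata has the minimum required fields"]:
        print(problem)
```

To check a real file, read it into a string and pass it to validate_idp_metadata. The script deliberately stops at structural checks; it does not verify that the certificate is unexpired or that it matches the IdP's current signing key, which only a signed SAML response from the IdP can confirm.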
Keeper requires specific user attributes to be sent during authentication. The default Keeper SSO Connect Cloud user attributes are Email, First and Last, mapped as shown below. Ensure your identity provider's user attributes line up with Keeper's attribute names; refer to your identity provider's configuration guide for instructions.
<Email Address> -> Email
<First Name> -> First
<Last Name> -> Last
Once you have created your identity provider metadata file, or downloaded it from the identity provider, return to the Keeper Admin Console, locate your SSO Connect Cloud provisioning method and select Edit.
Scroll down to the Identity Provider section, set IDP Type to GENERIC, select Browse Files and choose the metadata file.
Still within the Keeper Admin Console, exit the Edit view and select View on your SSO Connect Cloud provisioning method. In the Identity Provider section you will find the Entity ID, Single Sign On Service and Single Logout Service endpoint values populated from the metadata.
If your identity provider requires an icon or logo file for the application, see the Graphic Assets page.
Success! Your Keeper Security SSO Cloud setup is now complete. You may now try logging in to Keeper with SSO.
If the application is not functional, review your identity provider application settings, your metadata file and your user attribute mappings for errors.
Once complete, repeat Step 4.
If you need assistance, please email enterprise.support@keepersecurity.com.
How to configure Keeper SSO Connect Cloud with JumpCloud for seamless and secure SAML 2.0 authentication.
Please complete the steps in the Admin Console Configuration section first.
(1) Log into the JumpCloud Administrator console and select the SSO tab on the side menu.
(2) Select the + icon in the upper left corner. On the "Get Started with SSO Applications" page, search for Keeper in the search bar and select Configure on the Keeper application.
(3) On the Keeper application connector page, in the General Info section, set the Display Label to Keeper Security Password Manager.
In the Single Sign-On Configuration area, click the "Upload Metadata" button. The Keeper metadata is available in the Admin Console: go to the provisioning instance -> View -> Export Metadata.
(4) After the metadata has been uploaded, return to the JumpCloud SSO configuration page and enter the Login URL in the form https://keepersecurity.com/api/rest/sso/ext_login/<YourSSOIdHere>.
Your SSO ID is the number at the end of your SP Entity ID; for example, the Entity ID https://keepersecurity.com/api/rest/sso/saml/459561502469 has the SSO ID 459561502469.
Complete the configuration by scrolling to the bottom of the page and selecting the activate button.
(5) The last step is to export the metadata from this connector and import it into Keeper SSO Connect Cloud™.
Set the IDP Type to GENERIC and upload the file into the Keeper SSO Connect Cloud™ provisioning interface by dragging and dropping it onto the edit screen:
Your Keeper SSO Connect setup is now complete!
JumpCloud® supports automated user and team provisioning with SCIM (System for Cross-domain Identity Management), which updates and deactivates Keeper user accounts as changes are made in JumpCloud®. Step-by-step instructions can be found at https://docs.keeper.io/enterprise-guide/user-and-team-provisioning/jumpcloud-provisioning-with-scim
How to configure Keeper SSO Connect Cloud with Microsoft AD FS for seamless and secure SAML 2.0 authentication.
Please complete the steps in the Admin Console Configuration section first.
Inside the AD FS Management application, locate the Federation Metadata XML file. Click AD FS > Service > Endpoints and find the URL path in the "Metadata" section. The path is typically /FederationMetadata/2007-06/FederationMetadata.xml, as seen below:
To download the metadata file, load the URL in a browser on the server, for example https://localhost/FederationMetadata/2007-06/FederationMetadata.xml, and save the file to the computer.
From the Keeper Admin Console SSO Cloud configuration screen, select "ADFS" as the IdP type and import the Federation Metadata file saved in the previous step.
Go back to the Provisioning screen and click View.
Next, download the Keeper metadata file so it can be imported during the Relying Party Trust Wizard. Navigate to the view screen of the Keeper SSO Connect Cloud™ provisioning.
Click the "Export Metadata" button to download the config.xml file. It is used a few steps ahead.
Important: Keeper's Cloud SSO SP certificate is only valid for one year. Annually, download the latest Keeper SP certificate from the Admin Console and upload it into the Relying Party Trust settings in AD FS; an expired SP certificate breaks signature validation on the AD FS side. Keeper notifies affected customers when the certificate expiration is approaching.
Create Keeper SSO Connect as a Relying Party Trust:
Import the Keeper metadata file exported earlier from the Keeper SSO Connect Cloud view screen by completing the Relying Party Trust Wizard as shown in the steps below.
Select "Claims aware" on the Welcome screen, then select the metadata file saved from Keeper.
To prevent a logout error, change the SAML Logout Endpoint on the Relying Party Trust to: https://<YourADFSserverDomain>/adfs/ls/?wa=wsignout1.0
To map attributes between AD FS and Keeper, create a Claim Issuance Policy rule of type Send LDAP Attributes as Claims and map the LDAP attributes to the Keeper SSO Connect attributes.
Important: Ensure that the 3 attributes ("First", "Last" and "Email") are configured with the exact spelling seen above.
For logout support, add two more Claim Issuance Policy rules:
For the first rule, copy the following text and paste it into the custom rule:
For the second rule, use Incoming claim type: http://mycompany/internal/sessionid, Outgoing claim type: Name ID, Outgoing name ID format: Transient Identifier.
a. Open PowerShell as Administrator on the AD FS server.
b. Identify the "Identifier" string of your SSO Connect Relying Party Trust by running Get-ADFSRelyingPartyTrust. The command produces a long list of output; look for the SSO Connect section and its "Identifier" string, which looks something like https://keepersecurity.com/api/rest/sso/saml/459561502484
c. Run the command below, replacing <Identifier> with the string found in step (b).
If you run Get-ADFSRelyingPartyTrust again, you will see that SamlResponseSignature is now set to "MessageAndAssertion".
From the Services manager, restart the AD FS service.
SAML assertion signing must be configured properly in your AD FS environment. If signing has not been configured, set it up, then exchange metadata again between AD FS and Keeper SSO Connect.
If you need to disable certificate validation on the IdP for testing, or for internal PKI certificates, use the PowerShell commands below, replacing <Identifier> with the string found in the "SAML Signing Configuration" instructions above. Disabling validation weakens the trust check on the relying party's certificate; re-enable it once testing is complete.
Note: Any change to the signing configuration may require a new exchange of XML metadata between the IdP and SSO Connect.
How to configure Keeper SSO Connect Cloud with Okta for seamless and secure SAML 2.0 authentication.
Please complete the steps in the Admin Console Configuration section first.
Log in to the Admin section of the Okta portal.
Select the Applications menu item and click Browse App Catalog.
Search for "Keeper Password Manager", then select the Add button for the Keeper Password Manager and Digital Vault application.
On the General Settings page that follows, you need the "Entity ID" from the Keeper Admin Console.
Example Server Base URL: https://keepersecurity.com/api/rest/sso/saml/XXXXXXXX
The value XXXXXXXX identifies the SSO Connect instance associated with your enterprise and can be found in the Admin Console SSO configuration as part of the Service Provider information, as seen below:
Paste the Entity ID into the Server Base URL field on the Okta screen.
Select the Sign On tab.
Scroll down to the SAML Signing Certificates configuration section, and select Actions > View IdP metadata.
Save the resulting XML file to your computer. In Chrome, Edge and Firefox, select File > Save Page As... and save the metadata.xml file.
In the Keeper Admin Console, edit the SSO configuration, select OKTA as the IDP Type and upload the metadata.xml file into the Keeper SSO Connect interface by browsing to or dragging and dropping the file onto the Setup screen:
If you would like to enable the Single Logout feature in Okta, go to the Sign On tab and click Edit. Check the Enable Single Logout checkbox and upload the SP certificate from the Keeper Admin Console.
To download the SP certificate, view the SSO configuration in Keeper and click the Export SP Cert button.
Upload the SP certificate file and be sure to click Save to save the Sign On settings in Okta.
If you have changed the Single Logout Setting, you'll have to download the latest Okta metadata file once again, and upload the new metadata.xml file into Keeper on the SSO edit screen.
From the Actions menu, select View IdP metadata.
Save the resulting XML file to your computer. In Chrome, Edge and Firefox, select File > Save Page As... and save the metadata.xml file.
In the Keeper Admin Console, Edit the SSO configuration then upload the new metadata.xml file into the Keeper SSO Connect interface by browsing to or dragging and dropping the file into the Setup screen.
To enable Okta SCIM user and group provisioning, follow the instructions in the Keeper Enterprise Guide: https://docs.keeper.io/enterprise-guide/user-and-team-provisioning/okta-integration-with-saml-and-scim
From Okta, you can now add users or groups on the Assignments page. If you have activated SCIM provisioning per those instructions, users are provisioned to Keeper immediately.
Users created in the root node (top level) will need to be migrated to the sub node that the SSO integration was configured on. If users remain in the root node, they will be prompted for the master password when accessing the vault and/or admin console.
An admin cannot move themselves to the SSO enabled node. It requires another admin to perform this action.
After the user is moved to the SSO enabled node, they need to log into the Keeper vault initially by selecting the "Enterprise SSO" pull down and entering the Enterprise Domain configured on the SSO integration. The user may get prompted to confirm by entering the master password.
Once the user has authenticated with SSO, they only need to use their email address moving forward to initiate SSO authentication.
If typing in the email address and clicking Next does not route the user to the desired SSO, ensure that just-in-time provisioning is enabled in the Keeper SSO configuration and ensure that your email domain is reserved by Keeper. More information regarding routing and domain reservation can be found here.
How to configure Keeper SSO Connect Cloud with OneLogin for seamless and secure SAML 2.0 authentication and SCIM provisioning.
Please complete the steps in the Admin Console Configuration section first.
1. Login to the OneLogin portal.
2. Select Administration to enter the admin section.
3. From the OneLogin menu select Applications then Add App.
In the Search field, search for Keeper Password Manager and select it from the search results.
4. On the Add Keeper Manager screen click Save.
5. The next step is to download the SAML Metadata from OneLogin. Select the down arrow on the MORE ACTIONS button and select SAML Metadata.
Drag and drop or browse to this saved file in the SAML Metadata section of the Single Sign-On with SSO Connect™ Cloud section on the Keeper Admin Console.
6. On the Keeper Admin Console, copy the Assertion Consumer Service (ACS) Endpoint field.
7. Back on the OneLogin Configuration tab, paste it into the Keeper SSO Connect Assertion Consumer Service (ACS) Endpoint field and then click Save.
8. If SCIM is desired, go back to the Keeper application's Provisioning tab, click "Add Method" and select SCIM. If not, skip to step 12.
9. Click Generate, then copy the URL and Token.
10. Paste the "URL" into the SCIM Base URL, and paste the "Token" into the SCIM Bearer Token.
11. On the Keeper Admin Console make sure to Save the SCIM token.
For more detailed configuration of SCIM, visit the User and Team Provisioning section in the Enterprise Guide.
12. Click Save and the integration is complete.
Users created in the root node (top level) will need to be migrated to the sub node that the SSO integration was configured on. If users remain in the root node, they will be prompted for the master password when accessing the vault and/or admin console.
An admin cannot move themselves to the SSO enabled node. It requires another admin to perform this action.
After the user is moved to the SSO enabled node, they need to log into the Keeper vault initially by selecting the "Enterprise SSO" pull down and entering the Enterprise Domain configured on the SSO integration. The user may get prompted to confirm by entering the master password.
Once the user has authenticated with SSO, they only need to use their email address moving forward to initiate SSO authentication.
They won't have to enter the Enterprise Domain. If typing in the email address and clicking Next does not route the user to the desired SSO, ensure that just-in-time provisioning is enabled in the Keeper SSO configuration and ensure that your email domain is reserved by Keeper. More information regarding routing and domain reservation can be found here.
How to configure Keeper SSO Connect Cloud with Ping Identity for seamless and secure SAML 2.0 authentication.
Please complete the steps in the Admin Console Configuration section first.
Login to the Ping Identity portal.
From the Ping Identity menu select Applications.
Then select Add Application and select New SAML Application.
On the Application Details page, add the following data:
Application Name: Keeper Password Manager
Application Detail: Password Manager and Digital Vault
Category: Compliance (or other)
Graphic: Upload the Keeper graphic from https://s3.amazonaws.com/keeper-email-images/common/keeper256x256.png
Then select Continue to Next Step.
The next step is to download the SAML Metadata from Ping Identity. Select the Download link next to SAML Metadata.
The saml2-metadata-idp.xml file will download to the local computer. On the Edit screen of the Keeper SSO Connect Cloud™ provisioning, select Generic as the IDP Type and upload the saml2-metadata-idp.xml file into the Keeper SSO Connect interface by browsing to or dragging and dropping the file into the Setup screen:
Next download the Keeper metadata file and upload it to the Ping Application configuration. Navigate to the view screen of the Keeper SSO Connect Cloud™ provisioning.
Click the "Export Metadata" button to download the config.xml file.
Back on the Ping Identity application configuration, select the Select File button and choose the config.xml file downloaded in the above step.
Select Continue to Next Step.
The next step is to map the attributes. Select the Add new attribute button.
In attribute 1, type "First" in the Application Attribute column, select First Name in the Identity Bridge Attribute or Literal Value column, and check the Required button. Select the Add new attribute button.
In attribute 2, type "Last" in the Application Attribute column, select Last Name in the Identity Bridge Attribute or Literal Value column, and check the Required button. Select the Add new attribute button.
In attribute 3, type "Email" in the Application Attribute column, select Email in the Identity Bridge Attribute or Literal Value column, and check the Required button. The Application Attributes First, Last and Email must begin with a capital letter.
Select the group(s) that should have access to the Keeper Application. When complete, click "Continue to Next Step". Review the setup and then select the Finish button.
Important Note: In the Application Configuration section of your Ping Identity setup, ensure that the "Signing" section has "Sign Response" selected with "RSA_SHA256" as the Signing Algorithm.
The Keeper Application should be added and enabled.
Your Keeper SSO Connect setup is now complete!
Users created in the root node (top level) will need to be migrated to the sub node that the SSO integration was configured on. If users remain in the root node, they will be prompted for the master password when accessing the vault and/or admin console.
An admin cannot move themselves to the SSO enabled node. It requires another admin to perform this action.
After the user is moved to the SSO enabled node, they need to log into the Keeper vault initially by selecting the "Enterprise SSO" pull down and entering the Enterprise Domain configured on the SSO integration. The user may get prompted to confirm by entering the master password.
Once the user has authenticated with SSO, they only need to use their email address moving forward to initiate SSO authentication.
They won't have to enter the Enterprise Domain. If typing in the email address and clicking Next does not route the user to the desired SSO, ensure that just-in-time provisioning is enabled in the Keeper SSO configuration and ensure that your email domain is reserved by Keeper. More information regarding routing and domain reservation can be found here.
How to configure Keeper SSO Connect Cloud with PingOne for seamless and secure SAML 2.0 authentication.
Please complete the steps in the Admin Console Configuration section first. Legacy Ping Identity users who are not on PingOne should view our Ping Identity documentation.
Login to the PingOne portal at https://admin.pingone.com/.
From the PingOne console menu, select Applications > Application Catalog
Search "Keeper" and click on the "Keeper Password Manager - Cloud SSO" link to add the Keeper Password Manager application
Click Setup to proceed to the next step
Click "Continue to Next Step"
From the Keeper Admin Console, view the PingOne SSO Connect Cloud entry and click Export Metadata and save it in a safe location for future use. Also click Export SP Cert and save it in a safe location for future use.
From the PingOne Admin Console, click Select File next to "Upload Metadata" and browse to the saved metadata file from the Keeper Admin Console. This should populate the "ACS URL" and "Entity ID" fields with the proper datapoints.
Click on Choose File next to "Primary Verification Certificate" and browse to the saved .crt file from the Keeper Admin Console. Click on the checkbox next to "Encrypt Assertion" and then click Choose File next to "Encryption Certificate". Browse to the same saved .crt file from the Keeper Admin Console.
Validate the certificate and click "Continue to Next Step".
Enter the appropriate values associated with each attribute (see below image) and click Continue to Next Step
Modify the Name to appropriately match the Configuration Name of the SSO node from the Keeper Admin Console. Click Continue to Next Step
You may choose to add PingOne user groups to your application. Click Add next to the group or groups you would like to add and click Continue to Next Step.
PingOne users will have access to Keeper Password Manager by default. Assigning groups to Keeper Password Manager restricts access to only those groups.
Click Download next to "SAML Metadata" and save the .xml file to a safe location.
Click Finish to complete the application setup wizard.
On the Edit Configuration screen of the Keeper SSO Connect Cloud provisioning in the Keeper Admin Console, select PingOne as the IDP Type.
Upload the SAML Metadata file downloaded in the previous step into the Keeper SSO Connect interface by browsing to or dragging and dropping the file into the SAML Metadata section.
The PingOne Keeper SSO Connect Cloud™ entry will now show as Active.
Your PingOne Keeper SSO Connect Cloud™ setup is complete!
Users created in the root node (top level) will need to be migrated to the sub node that the SSO integration was configured on. If users remain in the root node, they will be prompted for the master password when accessing the vault and/or admin console.
An admin cannot move themselves to the SSO enabled node. It requires another admin to perform this action.
After the user is moved to the SSO enabled node, they need to log into the Keeper vault initially by selecting the "Enterprise SSO" pull down and entering the Enterprise Domain configured on the SSO integration. The user may get prompted to confirm by entering the master password.
Once the user has authenticated with SSO, they only need to use their email address moving forward to initiate SSO authentication.
They won't have to enter the Enterprise Domain. If typing in the email address and clicking Next does not route the user to the desired SSO, ensure that just-in-time provisioning is enabled in the Keeper SSO configuration and ensure that your email domain is reserved by Keeper. More information regarding routing and domain reservation can be found here.
How to configure Keeper SSO Connect Cloud with Rippling for seamless and secure SAML 2.0 authentication and SCIM provisioning.
Please complete the steps in the Admin Console Configuration section first.
1. Login to the Rippling admin account.
2. After logging in, on the left side hover over Home and click App Shop in the bottom left.
3. In the App Shop, search for Keeper in the upper left corner and select it from the search results.
4. After clicking on the Keeper app, click Connect Account to get started with SSO.
5. Rippling has its own SSO setup walkthrough; continue the walkthrough to set up SSO.
6. Once you have reached this page, the SSO setup is complete; however, there is also an option for SCIM provisioning. If you would like SCIM provisioning, select Continue with API and follow the SCIM provisioning walkthrough. Otherwise, click Skip for now, visit app.
You can assign users to the application and designate who has access to Keeper in your Rippling environment here.
For more detailed configuration of SCIM visit the User and Team Provisioning section in the Enterprise Guide
Users created in the root node (top level) will need to be migrated to the sub node that the SSO integration was configured on. If users remain in the root node, they will be prompted for the master password when accessing the vault and/or admin console.
An admin cannot move themselves to the SSO enabled node. It requires another admin to perform this action.
After the user is moved to the SSO enabled node, they need to log into the Keeper vault initially by selecting the "Enterprise SSO" pull down and entering the Enterprise Domain configured on the SSO integration. The user may get prompted to confirm by entering the master password.
Once the user has authenticated with SSO, they only need to use their email address moving forward to initiate SSO authentication.
They won't have to enter the Enterprise Domain. If typing in the email address and clicking Next does not route the user to the desired SSO, ensure that just-in-time provisioning is enabled in the Keeper SSO configuration and ensure that your email domain is reserved by Keeper. More information regarding routing and domain reservation can be found here.
How to configure Keeper SSO Connect Cloud with RSA SecurID Access for seamless and secure SAML 2.0 authentication.
Please complete the steps in the Admin Console Configuration section first.
Keeper Security is RSA SecurID Access Certified.
RSA SecurID Access integrates RSA Authentication Manager and their Cloud Authentication Service. In this setup Cloud Authentication Service can be used as an identity provider in conjunction with Keeper SSO Connect. Detailed documentation is provided on the RSA website via the links below.
How to configure Keeper SSO Connect Cloud with SecureAuth for seamless and secure SAML 2.0 authentication.
Please complete the steps in the Admin Console Configuration section first.
SecureAuth can be configured using the same instructions in the Other SAML 2.0 Providers section. Please follow that guide in order to set up the SecureAuth environment.
For reference, use the SecureAuth guide located here:
A few additional important items to note regarding SecureAuth:
Ensure that "By Post" is selected in the Connection Type section:
Ensure to select "Sign SAML Assertion" and "Sign SAML Message".
Ensure the Entity ID of the IdP metadata matches the SAML response from SecureAuth.
Users created in the root node (top level) will need to be migrated to the sub node that the SSO integration was configured on. If users remain in the root node, they will be prompted for the master password when accessing the vault and/or admin console.
An admin cannot move themselves to the SSO enabled node. It requires another admin to perform this action.
After the user is moved to the SSO enabled node, they need to log into the Keeper vault initially by selecting the "Enterprise SSO" pull down and entering the Enterprise Domain configured on the SSO integration. The user may get prompted to confirm by entering the master password.
Once the user has authenticated with SSO, they only need to use their email address moving forward to initiate SSO authentication.
If typing in the email address and clicking Next does not route the user to the desired SSO, ensure that just-in-time provisioning is enabled in the Keeper SSO configuration and ensure that your email domain is reserved by Keeper. More information regarding routing and domain reservation can be found here.
How to configure Keeper SSO Connect Cloud with Shibboleth for seamless and secure SAML 2.0 authentication.
Please complete the steps in the Admin Console Configuration section first.
To obtain your Keeper Metadata file, locate your SSO Connect Cloud Provisioning method within the Keeper Admin Console, and select View. From there you have access to download and save the Keeper metadata file.
The Shibboleth IdP must know some basic information about the Keeper relying party, which is defined in SAML metadata. The easiest way to do this is to add your Keeper metadata file to the IDP_HOME/metadata/ directory.
Instruct Shibboleth how to behave when talking to Keeper by defining a new RelyingParty element in IDP_HOME/conf/relying-party.xml. The following snippet should be added just after the DefaultRelyingParty element. Be sure to replace the provider attribute to include your "Entity ID" (use whatever provider is configured in the DefaultRelyingParty).
Still in the IDP_HOME/conf/relying-party.xml file, configure Shibboleth to use the Keeper metadata file you added in Step 2. Add the following MetadataProvider element next to the existing configured provider (it should have an id value of "FSMD"), making sure to replace IDP_HOME with your actual installation path.
Keeper requires that you map specific User Attributes to be sent during authentication. The default Keeper SSO Connect Cloud User Attributes are Email, First and Last, as outlined in the table below. Shibboleth's attribute resolver must be configured to make this data available by modifying IDP_HOME/conf/attribute-resolver.xml.
Your IdP User Attributes    Keeper User Attributes
<Email Address>             Email
<First Name>                First
<Last Name>                 Last
When configuring Shibboleth Identity Provider SAML attributes, Keeper expects the "NameIDFormat" to arrive in the form of "emailAddress". You can use the suggested "NameIDFormat" or input the correct value for your environment, so long as it provides Keeper the user's email address as the username login identifier.
Finally, configure the Shibboleth attribute filtering engine to release the principal attribute (encoded as a NameID) to Keeper. Add the following XML snippet to IDP_HOME/conf/attribute-filter.xml alongside the existing policy elements.
Locate the Shibboleth metadata found at "http://shibboleth.example.com/idp/shibboleth" or in the Shibboleth identity provider filesystem in <install_folder>/shibboleth-idp/metadata.
Modify the Shibboleth metadata manually and ensure all user endpoints are uncommented (e.g., SingleLogout).
Save the XML file.
Once you have your Shibboleth metadata file ready, head back to the Keeper Admin console, locate your SSO Connect Cloud Provisioning method and select Edit.
Scroll down to the Identity Provider section, set IDP Type to GENERIC, select Browse Files and select your Shibboleth Metadata file.
Still within the Keeper Admin Console, exit the Edit View and select View on your SSO Connect Cloud Provisioning method. Within the Identity Provider section you will find the metadata values for the Entity ID, Single Sign On Service and Single Logout Service Endpoint that are now populated.
If your Shibboleth instance requires an icon or logo file for the Keeper application, please see the Graphic Assets page.
Success! Your Keeper Security SSO Cloud setup is now complete! You may now try logging into Keeper with SSO.
If you find that SSO is not functional, please review your Shibboleth settings, review your metadata file and user attributes for any errors.
Once complete, repeat Step 4.
If you need assistance, please email enterprise.support@keepersecurity.com.
Users created in the root node (top level) will need to be migrated to the sub node that the SSO integration was configured on. If users remain in the root node, they will be prompted for the master password when accessing the vault and/or admin console.
An admin cannot move themselves to the SSO enabled node. It requires another admin to perform this action.
After the user is moved to the SSO enabled node, they need to log into the Keeper vault initially by selecting the "Enterprise SSO" pull down and entering the Enterprise Domain configured on the SSO integration. The user may get prompted to confirm by entering the master password.
Once the user has authenticated with SSO, they only need to use their email address moving forward to initiate SSO authentication.
They won't have to enter the Enterprise Domain. If typing in the email address and clicking Next does not route the user to the desired SSO, ensure that just-in-time provisioning is enabled in the Keeper SSO configuration and ensure that your email domain is reserved by Keeper. More information regarding routing and domain reservation can be found here.
How to configure Keeper SSO Connect Cloud with your SSO Identity Provider for seamless and secure SAML 2.0 authentication.
Please complete the steps in the Admin Console Configuration section first.
Keeper is compatible with any SAML 2.0 SSO Identity Provider (IdP). If your identity provider is not in our list, you can follow the steps in this guide to complete the configuration. Keeper is a Service Provider (SP) in this configuration.
You'll need to provide some information about Keeper SSO Connect Cloud to your Identity Provider application such as:
Entity ID
IDP Initiated Login
Assertion Consumer Service (ACS) Endpoint
Single Logout Service (SLO) Endpoint
SP Metadata file or the Keeper SP Certificate file.
To obtain this information, locate your SSO Connect Cloud Provisioning method within the Keeper Admin Console, and select View. From there you have access to download the Keeper metadata file, service provider (SP) certificate file as well as the direct URLs and configuration information (if your identity provider application does not support uploading of the metadata file).
Refer to your identity provider application configuration guide for instructions on how to upload service provider metadata and or manually inputting the required SAML response configuration fields.
To import your IdP Metadata into Keeper, you will need to have a properly formatted metadata file. If your SSO Identity Provider Application has the ability to export its metadata file, this would be the most expedient and preferred method to import your metadata into your Keeper SSO Connect Cloud Provisioning method.
If you do not have the ability to export / download your metadata file from your identity provider, please create a properly formatted metadata file. Refer to your SSO application's configuration guide for instructions.
Below is an example / template of what a simple identity provider metadata.xml file for Keeper SSO Connect Cloud should look like. If you use this example / template to get started, copy, paste and modify it, adding any other fields your IdP requires, in your preferred .xml or .txt editor.
Please DO NOT remove any fields, as this example contains the minimum required fields to connect your SSO application to Keeper.
Name                            Description
EntityDescriptor                This is the Entity ID, sometimes referred to as "Issuer", and the unique name for your IdP application.
X509Certificate                 This is the X509 certificate used by Keeper to validate the signature on the SAML response sent by your identity provider.
NameIDFormat                    This defines the name identifier format used when logging into Keeper. Keeper supports the following identifiers: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress or urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
SingleSignOnService "POST"      This is your identity provider's "POST" binding used as a response to a request from Keeper.
SingleSignOnService "Redirect"  This is your identity provider's "Redirect" binding used as a response to a request from Keeper.
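The fields above are the ones this page calls mandatory. The following script, added here as an example and not part of Keeper's documentation or software, parses an IdP metadata.xml and reports whether each is present: the entityID, a usable signing certificate, a supported NameIDFormat and both SingleSignOnService bindings, with SingleLogoutService reported as optional. It also serves the Shibboleth step earlier of confirming that endpoints such as SingleLogout are uncommented in the exported metadata. The embedded metadata is constructed for the example (example.com hosts and a placeholder base64 blob standing in for a real certificate).

```python
"""Minimum-field check for an IdP metadata.xml destined for Keeper SSO Connect Cloud.
Added example; not Keeper's own code."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
# The two NameID formats the page lists as supported by Keeper.
SUPPORTED_NAMEID_FORMATS = {
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
}
REQUIRED_CHECKS = ("entity_id", "idp_descriptor", "signing_cert",
                   "nameid_format", "sso_post", "sso_redirect")


def _looks_like_der_certificate(b64_text: str) -> bool:
    """True if the text is valid base64 whose first byte is a DER SEQUENCE tag (0x30).
    A sanity check on the pasted blob, not certificate validation."""
    try:
        raw = base64.b64decode("".join(b64_text.split()), validate=True)
    except ValueError:
        return False
    return len(raw) > 0 and raw[0] == 0x30


def check_idp_metadata(xml_text: str) -> dict:
    """Return {check_name: (passed, detail)} for the fields the page calls mandatory."""
    root = ET.fromstring(xml_text)
    results = {}

    entity_id = root.get("entityID") if root.tag == f"{{{NS['md']}}}EntityDescriptor" else None
    results["entity_id"] = (bool(entity_id), entity_id or "EntityDescriptor/@entityID missing")

    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        results["idp_descriptor"] = (False, "no md:IDPSSODescriptor element")
        return results
    results["idp_descriptor"] = (True, "present")

    # A KeyDescriptor with no 'use' attribute covers both signing and encryption.
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            certs += [c.text or "" for c in kd.findall(".//ds:X509Certificate", NS)]
    good = [c for c in certs if _looks_like_der_certificate(c)]
    results["signing_cert"] = (bool(good), f"{len(good)} usable signing certificate(s) of {len(certs)}")

    formats = [(f.text or "").strip() for f in idp.findall("md:NameIDFormat", NS)]
    supported = [f for f in formats if f in SUPPORTED_NAMEID_FORMATS]
    results["nameid_format"] = (bool(supported),
                                supported[0] if supported else f"none of {formats} is supported")

    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    results["sso_post"] = (BINDING_POST in sso, sso.get(BINDING_POST, "HTTP-POST SingleSignOnService missing"))
    results["sso_redirect"] = (BINDING_REDIRECT in sso,
                               sso.get(BINDING_REDIRECT, "HTTP-Redirect SingleSignOnService missing"))

    # Single logout is optional for Keeper: reported, but never counted as a failure.
    slo = idp.findall("md:SingleLogoutService", NS)
    results["slo"] = (True, f"{len(slo)} SingleLogoutService endpoint(s) (optional)")
    return results


def missing_required(results: dict) -> list:
    """Names of mandatory checks that failed, in the order they were run."""
    return [name for name in REQUIRED_CHECKS if not results.get(name, (False, ""))[0]]


# Constructed sample: a placeholder DER blob (not a real certificate) and example.com hosts.
SAMPLE_CERT_B64 = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{SAMPLE_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/slo"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

if __name__ == "__main__":
    checks = check_idp_metadata(SAMPLE_METADATA)
    for name, (ok, detail) in checks.items():
        print(f"{'PASS' if ok else 'FAIL'} {name}: {detail}")
    print("missing required fields:", missing_required(checks))
```

Point the script at the file you intend to upload (read it and pass the text to check_idp_metadata) before importing it into Keeper; a missing Redirect binding or an unsupported NameIDFormat shows up here rather than as a failed login later.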
Keeper requires that you map specific User Attributes to be sent during authentication. Default Keeper SSO Connect Cloud User Attributes are Email, First and Last, as outlined in the table below. Ensure your identity provider's User Attributes are lined up with Keeper's attributes. Refer to your Identity Provider's configuration guide for instructions.
Your IdP User Attributes    Keeper User Attributes
<Email Address>             Email
<First Name>                First
<Last Name>                 Last
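To confirm that what the IdP actually sends matches the mapping above, the following script (an added example, not Keeper's code) inspects a decoded SAML Response: the Issuer against the metadata entityID (the SecureAuth note earlier), the presence of a Response signature using RSA_SHA256 (the Ping Identity note), the NameID format and value, and the exact, case-sensitive attribute names Email, First and Last (the Ping note that they must begin with a capital letter). It looks at the signature element only and does not cryptographically verify it. The sample Response is constructed for the example, with example.com hosts, a placeholder SignatureValue and a deliberately lowercase "last" attribute so the capitalisation check fires.

```python
"""Check a decoded SAML Response against what Keeper SSO Connect Cloud expects.
Added example; not Keeper's own code. Signature presence and algorithm are
inspected, but the signature is not cryptographically verified here."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Attribute names Keeper expects; case-sensitive, capitalised as on the page.
REQUIRED_ATTRIBUTES = ("Email", "First", "Last")
SUPPORTED_NAMEID_FORMATS = {
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"


def check_saml_response(xml_text: str, expected_issuer: str) -> list:
    """Return a list of human-readable findings; an empty list means all checks passed."""
    findings = []
    root = ET.fromstring(xml_text)

    # Issuer must equal the entityID from the IdP metadata loaded into Keeper.
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_issuer:
        findings.append(f"Issuer {issuer!r} does not match IdP metadata entityID {expected_issuer!r}")

    # The Response should be signed, and signed with RSA-SHA256.
    method = root.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    if method is None:
        findings.append("Response carries no ds:Signature (enable 'Sign Response' at the IdP)")
    elif method.get("Algorithm") != RSA_SHA256:
        findings.append(f"SignatureMethod is {method.get('Algorithm')!r}, expected RSA-SHA256")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        findings.append("no plaintext saml:Assertion found (encrypted assertions are not inspected)")
        return findings

    # NameID must be the user's e-mail address in one of the supported formats.
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        findings.append("Assertion has no Subject/NameID")
    else:
        fmt = name_id.get("Format", "")
        if fmt not in SUPPORTED_NAMEID_FORMATS:
            findings.append(f"NameID Format {fmt!r} is not emailAddress or unspecified")
        if "@" not in (name_id.text or ""):
            findings.append("NameID value is not an e-mail address")

    # Attribute names are matched exactly; a case-only mismatch gets a targeted hint.
    names = [a.get("Name", "") for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)]
    for required in REQUIRED_ATTRIBUTES:
        if required in names:
            continue
        near = [n for n in names if n.lower() == required.lower()]
        if near:
            findings.append(f"attribute {required!r} missing; found {near[0]!r} (names are case-sensitive)")
        else:
            findings.append(f"attribute {required!r} missing")
    return findings


# Constructed sample Response: example.com hosts, a placeholder SignatureValue and
# a deliberate mistake ('last' instead of 'Last') so the capitalisation check fires.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://sp.example.com/acs">
  <saml:Issuer>https://idp.example.com/saml/metadata</saml:Issuer>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    </ds:SignedInfo>
    <ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>
  </ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com/saml/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="Email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="First"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="last"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""

if __name__ == "__main__":
    for finding in check_saml_response(SAMPLE_RESPONSE, "https://idp.example.com/saml/metadata"):
        print("FINDING:", finding)
```

Feed it the base64-decoded SAMLResponse from a test login together with the entityID shown in the Keeper Admin Console's Identity Provider section; each finding maps directly to one of the IdP-side settings described in the provider sections above.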
Once you have completed creating your identity provider metadata file, or if you have downloaded the identity provider metadata file, head back to the Keeper Admin console, locate your SSO Connect Cloud Provisioning method and select Edit.
Scroll down to the Identity Provider section, set IDP Type to GENERIC, select Browse Files and select the Metadata file you created.
Still within the Keeper Admin Console, exit the Edit View and select View on your SSO Connect Cloud Provisioning method. Within the Identity Provider section you will find the metadata values for the Entity ID, Single Sign On Service and Single Logout Service Endpoint that are now populated.
If your identity provider requires an icon or logo file for the application, please see the Graphic Assets page.
Success! Your Keeper Security SSO Cloud setup is now complete! You may now try logging into Keeper with SSO.
If you find that your application is not functional, please review your identity provider application settings and review your metadata file and user attributes for any errors.
Once complete, repeat Step 4.
If you need assistance, please email enterprise.support@keepersecurity.com.
Users created in the root node (top level) will need to be migrated to the sub node that the SSO integration was configured on. If users remain in the root node, they will be prompted for the master password when accessing the vault and/or admin console.
An admin cannot move themselves to the SSO enabled node. It requires another admin to perform this action.
After the user is moved to the SSO enabled node, they need to log into the Keeper vault initially by selecting the "Enterprise SSO" pull down and entering the Enterprise Domain configured on the SSO integration. The user may get prompted to confirm by entering the master password.
Once the user has authenticated with SSO, they only need to use their email address moving forward to initiate SSO authentication.
They won't have to enter the Enterprise Domain. If typing in the email address and clicking Next does not route the user to the desired SSO, ensure that just-in-time provisioning is enabled in the Keeper SSO configuration and ensure that your email domain is reserved by Keeper. More information regarding routing and domain reservation can be found here.