
Passwordless Providers

Passwordless configuration for SSO Connect Cloud

The Admin Console Configuration steps in the previous section apply to every SAML 2.0 compatible passwordless provider. This section adds provider-specific setup steps for the following common providers:

  • Traitware

  • Trusona

  • Veridium

  • Beyond Identity

Keeper is compatible with all SAML 2.0 SSO passwordless authentication products. If your provider is not listed, follow the step-by-step instructions for a similar provider in the list above; the setup flow is generally the same.

(If you create a setup guide for your identity provider, please share it with us and we'll post it here!)

Traitware

How to configure Keeper SSO Connect Cloud with Traitware for Passwordless login to Keeper.

Configure Keeper for Traitware Integration

Visit the Keeper Admin Console and log in as the Keeper Administrator.

  • https://keepersecurity.com/console (US / Global)

  • https://keepersecurity.eu/console (EU-hosted customers)

  • https://keepersecurity.com.au/console (AU-hosted customers)

  • https://govcloud.keepersecurity.us/console (GovCloud customers)

Note: Passwordless integration can only be applied to specific nodes (e.g. organizational units) within your Admin Console.

Click on the Admin tab and click Add Node.

From the Provisioning tab, click Add Method

Select Single Sign-On with SSO Connect™ Cloud and click Next

Enter your Configuration Name and Enterprise Domain, then click Save. Take note of the Enterprise Domain. This will be used later for Enterprise SSO login.

The newly-created SAML 2.0 with Cloud SSO Connect provisioning method will be visible. Select View from the menu.

Note the Entity ID and Assertion Consumer Service (ACS) Endpoint. These values will be used when configuring TraitWare.

Configure TraitWare

Log into the TraitWare Admin Console (TCC) https://api.traitware.com/console/login

Generate Application Key

Select Signing Keys from the left menu. Click the Generate new Key Pair button. Enter the application name for the key pair. Select the desired Lifetime in Years, Product Key Type and Product Key Size. Click Generate Key.

Create Traitware Application

  1. Select Applications from the left menu and click Add Application.

  2. Select SAML 2.0.

  3. Click Use a Template and select Keeper

  4. Insert your Keeper Entity ID and Assertion Consumer Service (ACS) Endpoint noted previously in the walkthrough and click Submit.

Configure SAML 2.0 Integration

  1. From the Traitware Admin Console Applications tab, select Keeper

  2. Select the Provider Credentials tab and click the download icon for Traitware IdP SAML Metadata (XML)

  3. Click Save Application

  4. Return to the Keeper Admin Console

  5. Edit the SAML 2.0 with Cloud SSO Connect™ provisioning method

  6. Upload the file from step 2 to the SAML Metadata field

Create and Enable Users to Login to Keeper Vault through Traitware

  1. From the Traitware Admin Console Users tab, select Create User

  2. Complete the form and click Save Changes

  3. Click on the newly created user and select the Applications tab

  4. Toggle Application Access on for Keeper

Note: A user with the same email address must also exist within the Keeper Admin Console. For more information on creating Keeper users, see Manual Addition of Users in our enterprise documentation.

Enable All Traitware Users to Login to Keeper Vault through Traitware

  1. From the Traitware Admin Console Applications tab, select Keeper

  2. Click Enable All User Access

  3. Confirm the action and click Enable Access

End User Login

Users may login either using their enterprise domain or email address.

Login Using Email Address

  1. Navigate to the Keeper Vault

  2. Enter your email address and click Next

  3. From your Traitware app on your smart device, scan the QR code on your desktop browser

  4. You will now be logged in to your Keeper vault

Login Using Enterprise Domain

  1. Navigate to the Keeper Vault

  2. Click the Enterprise SSO Login dropdown and select Enterprise Domain

  3. Enter the Enterprise Domain name you specified in the Keeper portion of this walkthrough and click Connect

  4. From your Traitware app on your smart device, scan the QR code displayed on your desktop browser

  5. You will now be logged in to your Keeper vault

Trusona

How to configure Keeper SSO Connect Cloud with Trusona for Passwordless login to Keeper.

Configure Keeper for Trusona Integration

Please complete the steps in the Admin Console Configuration section first.

Visit the Keeper Admin Console and login as the Keeper Administrator.

  • https://keepersecurity.com/console (US / Global)

  • https://keepersecurity.eu/console (EU-hosted customers)

  • https://keepersecurity.com.au/console (AU-hosted customers)

  • https://govcloud.keepersecurity.us/console (GovCloud customers)

Note: Passwordless integration can only be applied to specific nodes (e.g. organizational units) within your Admin Console.

1) Click on the Admin tab and click Add Node

2) Name the node and click Add Node

Create a node for Trusona in the Keeper Admin

3) From the Provisioning tab, click Add Method

4) Select Single Sign-On with SSO Connect™ Cloud and click Next

5) Enter your Configuration Name and Enterprise Domain, then click Save. Take note of the Enterprise Domain. This will be used later for Enterprise SSO login.

Configure Trusona for Single Sign-On with SSO Connect™ Cloud

6) The newly-created SAML 2.0 with Cloud SSO Connect provisioning method will be visible. Select View from the menu.

These items will be used when configuring Trusona later in the documentation.

View Trusona Provisioning Settings

7) Note the Entity ID, Assertion Consumer Service (ACS) Endpoint and Single Logout Service Endpoint

8) Click Export SP Cert

Note the highlighted fields and Export SP Cert

Configure Trusona

1) Log into the Trusona Dashboard at https://dashboard.trusona.com/ by scanning the QR code from your mobile device using the Trusona app for iOS or Android.

Create Keeper Integration in Trusona

2) From your Trusona account dashboard, select Keeper from the left-hand navigation.

3) Click Create Keeper Integration.

4) Name the integration and click Save.

5) Click Download XML to download the XML metadata for use in the Keeper Admin Console.

6) Select Keeper on the left-hand navigation.

7) Click Edit from the Actions dropdown menu for your integration.

8) Paste the following values, noted earlier when creating the integration in the Keeper Admin Console, into the corresponding fields:

  • Assertion Consumer Service (ACS) Endpoint

  • IDP Initiated Login Endpoint

  • Single Logout Service (SLO) Endpoint

9) Under Certificate, upload the SP Cert exported from the Keeper Admin Console and click Save.

10) Return to the Keeper Admin Console

11) Optionally enable Just-In-Time Provisioning to allow users to create accounts in the node by typing in the Enterprise Domain name when signing up.

12) Under SAML Metadata, upload the metadata.xml file downloaded from the Trusona dashboard.

13) Under Identity Provider Attribute Mappings, enter the following:

  • First Name: given_name

  • Last Name: name

  • Email: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

User Provisioning

Instructions on how to provision users with SSO Connect Cloud can be found here.

End User Login

Users may login either using their enterprise domain or email address.

Login Using Email Address

  1. Navigate to the Keeper Vault

  2. Enter your email address and click Next

  3. From your Trusona app on your smart device, scan the QR code on your desktop browser

  4. You will now be logged in to your Keeper vault

Login Using Enterprise Domain

  1. Navigate to the Keeper Vault

  2. Click the Enterprise SSO Login dropdown and select Enterprise Domain

  3. Enter the Enterprise Domain name you specified in the Keeper portion of this walkthrough and click Connect

  4. From your Trusona app on your smart device, scan the QR code displayed on your desktop browser

  5. You will now be logged in to your Keeper vault

Veridium

How to configure Keeper SSO Connect Cloud with Veridium for Passwordless login to Keeper.

Please complete the steps in the Admin Console Configuration section first.

(1) Add a new service provider

From the Veridium interface, click on Add Service Provider.

Add New Service Provider

(2) Download Keeper metadata

On the Keeper Admin Console, export the SAML Metadata file.

Go to View -> Export Metadata

View Configuration
Export Metadata

(3) Upload Metadata to Veridium

In the service provider name box enter “Keeper”, upload the metadata file from Keeper and select “Email” as the NameID format.

Upload Metadata

(4) Map Attributes

Map the firstname, lastname and mail attributes and click “Save”.

Map Attributes

Integration is now complete. A video demo of the Veridium login flow can be seen below:

Veridium Login Demo

Beyond Identity

How to configure Keeper SSO Connect Cloud with Beyond Identity for Passwordless login to Keeper.

Configure Keeper for Beyond Identity Integration

Please complete the steps in the Admin Console Configuration section first.

Visit the Keeper Admin Console and login as the Keeper Administrator.

  • https://keepersecurity.com/console (US / Global)

  • https://keepersecurity.eu/console (EU-hosted customers)

  • https://keepersecurity.com.au/console (AU-hosted customers)

  • https://govcloud.keepersecurity.us/console (GovCloud customers)

Note: Passwordless integration can only be applied to specific nodes (e.g. organizational units) within your Admin Console.

1) Click on the Admin tab and click Add Node

2) Name the node and click Add Node

Create a node for Beyond Identity in the Keeper Admin

3) From the Provisioning tab, click Add Method

4) Select Single Sign-On with SSO Connect™ Cloud and click Next

5) Enter your Configuration Name and Enterprise Domain, then click Save. Take note of the Enterprise Domain. This will be used later for Enterprise SSO login.

Configure Beyond Identity for Single Sign-On with SSO Connect™ Cloud

6) The newly-created SAML 2.0 with Cloud SSO Connect provisioning method will be visible. Select View from the menu.

These items will be used when configuring Beyond Identity later in the documentation.

View Beyond Identity Provisioning Settings

7) Note the Entity ID, Assertion Consumer Service (ACS) Endpoint and Single Logout Service Endpoint

8) Click Export SP Cert

Note the highlighted fields and Export SP Cert

Configure Beyond Identity

1) Download the Beyond Identity Authenticator App for your device.

2) Log into the Beyond Identity Admin Console at https://admin.byndid.com/.

Instructions for registering and using Beyond Identity can be found in Beyond Identity's Documentation.

Create Keeper Integration in Beyond Identity

3) From your Beyond Identity Admin Console, select Integrations from the left-hand navigation.

4) Click the SAML tab.

5) Click Add SAML Connection.

6) In the Edit SAML Connection dialog, use the following table to determine values to enter:

Beyond Identity Field: Value to Use

  • Name: Display Name for your SAML Connection

  • SP Single Sign On URL: Assertion Consumer Service (ACS) Endpoint value from Keeper Admin Console

  • SP Audience URI: Entity ID from Keeper Admin Console

  • Name ID format: emailAddress

  • Subject User Attribute: Email

  • Request Binding: http post

  • Authentication Context Class: X509

  • Signed Response: Signed toggled On

  • X509 Signing Certificate: SP Cert exported from Keeper Admin Console

7) In the Attribute Statements section, add the following two attributes:

  • Name: Email, Name Format: unspecified, Value: {{Email}}

  • Name: First, Name Format: unspecified, Value: {{DisplayName}}

8) Click Save Changes.

Configure SAML Settings for Beyond Identity Integration

9) Click the Download Metadata icon </> to download the XML metadata for use in the Keeper Admin Console.

Download Beyond Identity Metadata

10) Return to the Keeper Admin Console

11) Click Edit on the Beyond Identity provisioning method to view the configuration settings.

Click Edit to view the configuration screen

12) Optionally enable Just-In-Time Provisioning to allow users to create accounts in the node by typing in the Enterprise Domain name when signing up.

13) Under SAML Metadata, upload the metadata.xml file downloaded from the Beyond Identity Admin Console.

Upload metadata and configure Just-In-Time Provisioning

User Provisioning

Instructions on how to provision users with SSO Connect Cloud can be found here.

End User Login

Users may login either using their enterprise domain or email address.

Login Using Email Address on desktop with Beyond Identity Authenticator installed

1) Navigate to the Keeper Vault

2) Enter your email address and click Next

3) You will now be logged in to your Keeper vault

Login Using Enterprise Domain on desktop with Beyond Identity Authenticator installed

1) Navigate to the Keeper Vault

2) Click the Enterprise SSO Login dropdown and select Enterprise Domain

3) Enter the Enterprise Domain name you specified in the Keeper portion of this walkthrough and click Connect

4) You will now be logged in to your Keeper vault

Login Using Enterprise Domain with Beyond Identity installed for iOS or Android

1) Navigate to the Keeper Vault

2) Tap the Use Enterprise SSO Login dropdown

3) Enter the Enterprise Domain you specified in the Keeper portion of this walkthrough and tap Connect

4) Accept the push notification from the Beyond Identity App

5) You will now be logged in to your Keeper vault

Login Using Email Address with Beyond Identity installed for iOS or Android

1) Open the Keeper App

2) Enter your email address and click Next

3) Accept the push notification from the Beyond Identity App

4) You will now be logged in to your Keeper vault