How to configure Keeper SSO Connect Cloud with Imprivata OneSign for seamless and secure SAML 2.0 authentication.
Please complete the steps in the Admin Console Configuration section first.
You'll need to provide some information about Keeper SSO Connect Cloud to your Identity Provider application such as:
Entity ID
IDP Initiated Login
Assertion Consumer Service (ACS) Endpoint
Single Logout Service (SLO) Endpoint
SP Metadata file or the Keeper SP Certificate file.
To obtain this information, locate your SSO Connect Cloud Provisioning method within the Keeper Admin Console and select View. From there you can download the Keeper metadata file and the service provider (SP) certificate file, as well as the direct URLs and configuration information (for identity provider applications that do not support uploading the metadata file).
Refer to your identity provider application's configuration guide for instructions on how to upload service provider metadata and/or manually input the required SAML response configuration fields.
To import your IdP metadata into Keeper, you will need a properly formatted metadata file. If your SSO identity provider application can export its metadata file, that is the most expedient and preferred way to import your metadata into your Keeper SSO Connect Cloud Provisioning method.
If you cannot export / download the metadata file from your identity provider, create a properly formatted metadata file yourself. Refer to your SSO application's configuration guide for instructions.
Below is an example / template of what a simple identity provider metadata.xml file for Keeper SSO Connect Cloud should look like. If you use this template to get started, copy it into your preferred .xml or .txt editor, modify it, and add any other fields required by your IdP.
Please DO NOT remove any fields: this example contains the minimum required fields to connect your SSO application to Keeper.
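The following added example (not Keeper's own template or code) builds a minimal identity provider metadata.xml of the shape described above and checks it for the fields Keeper requires before you upload it: an EntityDescriptor with an entityID, a signing X509Certificate, a NameIDFormat Keeper supports, and SingleSignOnService entries for both the HTTP-POST and HTTP-Redirect bindings. The entity ID, endpoint URLs and certificate value are constructed placeholders, not values from any real IdP.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

# SAML namespaces and binding URIs (standard values)
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
# NameID formats Keeper accepts, per the metadata field table on this page
SUPPORTED_NAMEID = {
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
}
# Constructed placeholder: valid base64, but NOT a real certificate
PLACEHOLDER_CERT = base64.b64encode(b"placeholder, not a real certificate").decode()


def sample_metadata(entity_id="https://idp.example.com/saml/metadata",
                    name_id_format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
                    bindings=(POST, REDIRECT),
                    cert_b64=PLACEHOLDER_CERT):
    """Return a minimal IdP metadata document (constructed example values)."""
    sso = "".join(
        f'    <md:SingleSignOnService Binding="{b}" Location="https://idp.example.com/saml/sso"/>\n'
        for b in bindings)
    return f'''<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" entityID="{entity_id}">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>{name_id_format}</md:NameIDFormat>
{sso}  </md:IDPSSODescriptor>
</md:EntityDescriptor>
'''


def check_idp_metadata(xml_text):
    """Return a list of problems; an empty list means the minimum fields are present."""
    problems = []
    try:
        # For files from untrusted sources, parse with defusedxml instead.
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != f"{{{MD}}}EntityDescriptor":
        return [f"root element is {root.tag}, expected md:EntityDescriptor"]
    if not (root.get("entityID") or "").strip():
        problems.append("EntityDescriptor has no non-empty entityID (the IdP Entity ID / Issuer)")
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        problems.append("no md:IDPSSODescriptor element")
        return problems
    # Keeper uses the certificate to verify the signature on the SAML response.
    certs = [(c.text or "").strip() for c in idp.iter(f"{{{DS}}}X509Certificate")]
    certs = [c for c in certs if c]
    if not certs:
        problems.append("no ds:X509Certificate with content")
    for cert in certs:
        try:
            base64.b64decode("".join(cert.split()), validate=True)
        except (binascii.Error, ValueError):
            problems.append("X509Certificate content is not valid base64")
    formats = [(n.text or "").strip() for n in idp.findall(f"{{{MD}}}NameIDFormat")]
    if not formats:
        problems.append("no md:NameIDFormat")
    elif not SUPPORTED_NAMEID.intersection(formats):
        problems.append(f"NameIDFormat {formats} not supported by Keeper; use emailAddress or unspecified")
    # Both the POST and Redirect bindings must be present, and should be HTTPS.
    sso = {s.get("Binding"): s.get("Location", "") for s in idp.findall(f"{{{MD}}}SingleSignOnService")}
    for binding, label in ((POST, "POST"), (REDIRECT, "Redirect")):
        location = sso.get(binding)
        if location is None:
            problems.append(f"missing SingleSignOnService with the HTTP-{label} binding")
        elif not location.startswith("https://"):
            problems.append(f"HTTP-{label} SingleSignOnService Location is not https: {location}")
    return problems


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else sample_metadata()
    for problem in check_idp_metadata(text) or ["OK: minimum required fields present"]:
        print(problem)
```

Run it with the path to your hand-built metadata.xml as the first argument; with no argument it checks the constructed sample. The checker only confirms the fields the page lists are present and well-formed; it does not validate that the certificate is the one your IdP actually signs with, so still compare the certificate against the one shown in your IdP's admin interface.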
Keeper requires that you map specific user attributes to be sent during authentication. The default Keeper SSO Connect Cloud user attributes are Email, First and Last, as outlined in the table below. Ensure your identity provider's user attributes line up with Keeper's attributes. Refer to your identity provider's configuration guide for instructions.
Once you have completed creating your identity provider metadata file, or if you have downloaded the identity provider metadata file, head back to the Keeper Admin console, locate your SSO Connect Cloud Provisioning method and select Edit.
Scroll down to the Identity Provider section, set IDP Type to GENERIC, select Browse Files and select the Metadata file you created.
Still within the Keeper Admin Console, exit the Edit View and select View on your SSO Connect Cloud Provisioning method. Within the Identity Provider section you will find the metadata values for the Entity ID, Single Sign On Service and Single Logout Service Endpoint that are now populated.
If your identity provider requires an icon or logo file for the application, please see the Graphic Assets page.
Success! Your Keeper Security SSO Cloud setup is now complete! You may now try logging into Keeper with SSO.
If you find that your application is not functional, review your identity provider application settings, your metadata file and your user attributes for errors.
Once complete, repeat Step 4.
If you need assistance, please email enterprise.support@keepersecurity.com.
Users created in the root node (top level) will need to be migrated to the sub node that the SSO integration was configured on. If users remain in the root node, they will be prompted for the master password when accessing the vault and/or admin console.
An admin cannot move themselves to the SSO-enabled node; another admin must perform this action.
After the user is moved to the SSO-enabled node, they initially need to log into the Keeper vault by selecting the "Enterprise SSO" pull-down and entering the Enterprise Domain configured on the SSO integration. The user may be prompted to confirm by entering the master password.
Once the user has authenticated with SSO, they only need to use their email address moving forward to initiate SSO authentication.
They won't have to enter the Enterprise Domain. If typing in the email address and clicking Next does not route the user to the desired SSO, ensure that just-in-time provisioning is enabled in the Keeper SSO configuration and ensure that your email domain is reserved by Keeper. More information regarding routing and domain reservation can be found here.
Name | Description
---|---
EntityDescriptor | This is the Entity ID, sometimes referred to as "Issuer", and the unique name for your IdP application.
X509Certificate | This is the X509 certificate used by Keeper to validate the signature on the SAML response sent by your identity provider.
NameIDFormat | This defines the name identifier format used when logging into Keeper. Keeper supports the following identifiers: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress or urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
SingleSignOnService "POST" | This is your identity provider's "POST" binding used as a response to a request from Keeper.
SingleSignOnService "Redirect" | This is your identity provider's "Redirect" binding used as a response to a request from Keeper.

Your IdP User Attributes | Keeper User Attributes
---|---
<Email Address> | Email
<First Name> | First
<Last Name> | Last
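As an added example (not Keeper's code and not a description of Keeper's internal processing), the script below reads the AttributeStatement of a SAML assertion and maps the identity provider's attribute names onto Keeper's Email, First and Last attributes, reporting any that are missing. The assertion is constructed, and the IdP-side attribute names "mail", "givenName" and "sn" are an assumption: substitute the names your identity provider actually emits.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
# Keeper's attribute names, as listed in the attribute table on this page
KEEPER_ATTRIBUTES = ("Email", "First", "Last")
# Assumed IdP attribute names -> Keeper attribute names (adjust for your IdP)
DEFAULT_MAPPING = {"mail": "Email", "givenName": "First", "sn": "Last"}

# Constructed assertion fragment: values and issuer are placeholders
SAMPLE_ASSERTION = f'''<saml:Assertion xmlns:saml="{SAML}" ID="_constructed" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/saml/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="sn"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
'''


def extract_keeper_attributes(assertion_xml, idp_to_keeper=DEFAULT_MAPPING):
    """Return (values keyed by Keeper attribute name, list of missing Keeper attributes)."""
    # For assertions from untrusted sources, parse with defusedxml instead.
    root = ET.fromstring(assertion_xml)
    values = {}
    for attr in root.iter(f"{{{SAML}}}Attribute"):
        keeper_name = idp_to_keeper.get(attr.get("Name"))
        if keeper_name is None:
            continue  # attribute the mapping does not use
        value = attr.find(f"{{{SAML}}}AttributeValue")
        text = (value.text or "").strip() if value is not None else ""
        if text:
            values[keeper_name] = text
    missing = [name for name in KEEPER_ATTRIBUTES if name not in values]
    return values, missing


def name_id(assertion_xml):
    """Return (NameID value, NameID Format) from the assertion's Subject, or (None, None)."""
    root = ET.fromstring(assertion_xml)
    node = root.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    if node is None:
        return None, None
    return (node.text or "").strip(), node.get("Format")


if __name__ == "__main__":
    found, absent = extract_keeper_attributes(SAMPLE_ASSERTION)
    print("NameID:", name_id(SAMPLE_ASSERTION))
    print("Mapped:", found)
    print("Missing Keeper attributes:", absent or "none")
```

If your IdP's attribute names differ from the assumed ones, pass your own mapping dictionary; any Keeper attribute that ends up in the missing list is one the identity provider is not sending under the expected name, which is the first thing to fix when SSO logins fail after setup.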