Keeper SSO Connect certificate renewal instructions
It is critical to ensure that your IdP SAML Signing Certificates are renewed and activated. Typically, this occurs once per year.
If you receive the below error when logging into the Keeper vault, this usually indicates that the SAML Signing Certificate has expired.
"Sorry! There was an unexpected error logging you into Keeper via your company account. We are unable to parse the SAML Response from the IDP"
To resolve this issue, please follow the basic steps below:
Update the SAML signing certificate from your identity provider related to the Keeper application
Download the new SAML signing certificate and/or IdP metadata file
Update the IdP metadata in the Keeper Admin Console
Since Microsoft Azure is the most widely used identity provider, the step-by-step update guide is documented below. If Azure is not your provider, the process is very similar.
(1) Log in to the Azure Portal (https://portal.azure.com) and go to Enterprise Applications > Keeper > Set up Single sign on
(2) Under the SAML Certificates section, note that the certificate has expired. Click Edit.
(3) Click on New Certificate to generate a new cert.
(4) Click the overflow menu and then click "Make certificate active", then Save and apply the changes.
(5) From the SAML Certificates section, download the new Federation Metadata XML file. Save this to your computer.
(6) Update the SAML Metadata in the Keeper Admin Console
From the Keeper Admin Console, log in to the Keeper tenant and visit the SSO configuration.
Follow the links below to access the Keeper Admin Console:
https://keepersecurity.com/console (US)
https://keepersecurity.eu/console (EU)
https://keepersecurity.com.au/console (AU)
https://keepersecurity.ca/console (CA)
https://keepersecurity.jp/console (JP)
https://govcloud.keepersecurity.us/console (US Gov)
(Or open KeeperSecurity.com > Login > Admin Console)
Select the SSO node then select the "Provisioning" tab.
Click on "Single Sign-On with SSO Connect Cloud"
Click "Edit Configuration"
Clear out the existing SAML Metadata
Upload the new XML metadata file from your desktop
At this point, the SAML certificate should be updated successfully.
(7) Confirm that SSO is functioning properly
Now that the metadata XML file with the latest certificate is uploaded to Keeper, your users should be able to log in with SSO without error.
(8) Delete the metadata XML file from your local computer or store this in your Vault
(9) Make yourself a calendar reminder to update the SAML certificate next year prior to the expiration date.
If you are unable to log in to the Keeper Admin Console due to the SSO certificate issue, please select one of the following options to regain access:
Option 1: Use a service account that logs into the Admin Console with a Master Password
Option 2: Contact a secondary admin to log in and update the cert for you
If neither option is available, contact Keeper Business Support.