# Entra ID/Azure AD Configuration

{% hint style="info" %}
For a 100% cloud-based integration with Azure, see [Keeper SSO Connect Cloud](https://docs.keeper.io/sso-connect-cloud)
{% endhint %}

### Azure

Sign in to the Azure portal at <https://portal.azure.com> with an administrator account and go to **Microsoft Entra ID** (still labelled **Azure Active Directory** in older portals) **> Enterprise Applications**.

If you already have a Keeper application set up for SCIM provisioning, edit that existing application rather than creating a new one.

If you have not set up Keeper in Azure yet, click **New Application**, search for Keeper and select **Keeper Password Manager & Digital Vault**. On the right side click **Add** to add the application.

![](https://2635959690-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LTyMp7XGU8wh-hRPBiB%2F-LlEQ-CIjV1sfTOwqRnA%2F-LlEQjlXi-huO7BEDJY6%2FAdd_Application.png?alt=media\&token=ac00491f-f161-49ec-85fa-9db5aeadb62e)

After adding the application, open the **Single sign-on** section and select **SAML**:

![Single sign-on Configuration](https://2635959690-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LTyMp7XGU8wh-hRPBiB%2F-Le-23j56JkaQaD01HW8%2F-Le-75FyIENK_xqUGEZB%2FScreen%20Shot%202019-05-03%20at%204.55.38%20PM.png?alt=media\&token=82962618-e893-4095-9f92-3225e7b21bf3)

### Edit Basic SAML Configuration

Click the pencil icon to edit the "Basic SAML Configuration".

![Edit Basic SAML Configuration](https://2635959690-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LTyMp7XGU8wh-hRPBiB%2F-Le-23j56JkaQaD01HW8%2F-Le-9ZBHkRepQ2S4OAP6%2FScreen%20Shot%202019-05-03%20at%205.06.18%20PM.png?alt=media\&token=ffe3f9be-0839-4a42-9af4-8af95b57fb08)

Enter the **Identifier**, **Reply URL** and **Sign on URL** that match your Keeper SSO Connect installation (the hostname and port SSO Connect is served on). Ignore the "Patterns" text. These values must match SSO Connect exactly: Entra ID will only post SAML responses to the Reply URL registered here, and a mismatch in scheme, host, port or path makes Entra ID reject the sign-in request.

![SAML Configuration URLs](https://2635959690-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LTyMp7XGU8wh-hRPBiB%2F-Le-23j56JkaQaD01HW8%2F-Le-9oMfeE23SrN_yDCX%2FScreen%20Shot%202019-05-03%20at%205.00.55%20PM.png?alt=media\&token=a9a4f112-414a-4d9c-b11b-8211ec2faa28)

**Example Settings:**\
Identifier = `https://xyz.domain.com:8443/sso-connect`\
Reply URL = `https://xyz.domain.com:8443/sso-connect/saml/sso`\
Sign on URL = `https://xyz.domain.com:8443/sso-connect/saml/login`

*(replace the domain and port according to your SSO Connect configuration)*

Save the settings.

### Edit User Attributes & Claims

![User Attributes & Claims](https://2635959690-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LTyMp7XGU8wh-hRPBiB%2F-Le-23j56JkaQaD01HW8%2F-Le-ARiotZH8Bga4qFw7%2FScreen%20Shot%202019-05-03%20at%205.10.21%20PM.png?alt=media\&token=d7cf8b0f-df7b-47bf-9a2d-a3c87f68c24b)

Under the **User Attributes & Claims** section, Azure automatically creates the claims Keeper needs: User ID (the Name ID), First, Last and Email.

We recommend deleting the 4 claims in the "Additional Claims" section since they are not needed: attributes that the service provider never consumes only add user data to every assertion that is sent.

![Delete Additional Claims](https://2635959690-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LTyMp7XGU8wh-hRPBiB%2F-MMwj5AWYMrB-zipNfyh%2F-MMwj9Ro37LGVR7G62MK%2FScreenshot%202020-11-24%20at%2016.02.04.png?alt=media\&token=d792ad82-5568-4a50-bbc0-91a56282b297)

{% hint style="info" %}
In your environment, if the **user.userprincipalname** (UPN) is not the same as the user's actual email address, edit the Email claim and set its value to **user.mail** instead, so that the Email claim carries the address the user is known by in Keeper.
{% endhint %}

### Edit SAML Signing Certificate

Under the **SAML Signing Certificate** section, click **Edit**.

![](https://2635959690-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LTyMp7XGU8wh-hRPBiB%2F-LvbGWw3sV_TCsLzdoGn%2F-LvbJkvzsZPL9Y92RXyU%2FScreen%20Shot%202019-12-08%20at%2012.54.34%20PM.png?alt=media\&token=800a174b-bfc1-42d4-96fb-fbcb0e27eff5)

Select **Create new certificate**, enter the expiration date and save.

![Create New SAML Signing Certificate](https://2635959690-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LTyMp7XGU8wh-hRPBiB%2F-LeEBQ8YlQ-P1aFEPqt9%2F-LeEFvbV4-K1D0QvZkFv%2FScreen%20Shot%202019-05-06%20at%203.27.54%20PM.png?alt=media\&token=bd1ee83c-8c86-4ebb-a511-03a9954a129c)

After creating the certificate, select **Make new certificate active**. Activating a certificate changes the key Entra ID signs with, so whenever you do this again later (for example when rotating an expiring certificate), download the Federation Metadata XML again and re-import it into SSO Connect; until you do, SSO Connect still trusts only the old certificate and will fail to validate responses signed with the new one.

![Make Certificate Active](https://2635959690-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LTyMp7XGU8wh-hRPBiB%2F-LeEBQ8YlQ-P1aFEPqt9%2F-LeEG1N_2yJkKmYTTTAd%2FScreen%20Shot%202019-05-06%20at%203.28.31%20PM.png?alt=media\&token=a503bbd6-dac7-4bcc-8184-d9491927707c)

Under **Signing Option** select **Sign SAML response and assertion**, and set the **Signing Algorithm** to **SHA-256**. Signing both the response and the assertion protects the outer message as well as the assertion inside it; do not select SHA-1, which is deprecated for XML signatures.

![Set Signing Options](https://2635959690-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LTyMp7XGU8wh-hRPBiB%2F-LvbGWw3sV_TCsLzdoGn%2F-LvbK4vc6r1e-9cX-cPY%2FScreen%20Shot%202019-12-08%20at%2012.55.25%20PM.png?alt=media\&token=a87aeb83-d598-49c2-baaf-e06b5b932bb9)

### Obtain Metadata XML

To complete the integration between Microsoft Azure and Keeper SSO Connect, you must download the Federation Metadata XML file and import it into the Keeper SSO Connect screen. Click the **Federation Metadata XML** link:

![Download Metadata XML](https://2635959690-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LTyMp7XGU8wh-hRPBiB%2F-LeEBQ8YlQ-P1aFEPqt9%2F-LeEGGtpcHflcfebZQFV%2FScreen%20Shot%202019-05-06%20at%203.30.07%20PM.png?alt=media\&token=8aeb7721-af82-415a-8e01-2b0da836c12b)

This downloads a file named **Keeper Password Manager & Digital Vault.xml** to your computer. The file contains your tenant's entity ID, its sign-on endpoints and the public signing certificate that SSO Connect will use to verify every SAML response, so treat it as the trust anchor for this integration: transfer it to the server running Keeper SSO Connect for the next step over a channel you trust, and confirm the copy arrived unmodified (for example by comparing a file hash) before importing it.

![](https://2635959690-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LTyMp7XGU8wh-hRPBiB%2F-LU26kDHv1YW5s6Eptju%2F-LU2E7RvJBds_Paypu9b%2Fsso-step-68b.png?alt=media\&token=331b5b54-eb7b-4abb-b449-722f42f3194e)
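Before moving the downloaded file to the SSO Connect server it is worth checking that it really is IdP metadata for your tenant and that the signing certificate you just created is in it and currently valid. The script below is an added example, not Keeper's or Microsoft's tooling. It uses only the Python standard library, so it runs on the server without extra packages, and it walks just enough DER to read the certificate's validity window. The entityID pattern `https://sts.windows.net/<tenant-id>/` it expects is what Entra tenants emit (an assumption stated in the code); the sample metadata and sample certificate it falls back to when no file is given are constructed skeletons, not real Entra output. It inspects structure and dates only and does not verify the XML Signature on the metadata document itself.

```python
"""Added example: sanity-check an Entra 'Federation Metadata XML' file before importing it into Keeper SSO Connect (stdlib only)."""
import base64, hashlib, re, sys
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

def _tlv(buf, pos):
    """Decode one DER TLV at buf[pos]: (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                    # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    pos = 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        yield tag, val

def _asn1_time(tag, value):                              # UTCTime / GeneralizedTime
    fmt = {0x17: "%y%m%d%H%M%SZ", 0x18: "%Y%m%d%H%M%SZ"}[tag]
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def cert_validity(der):
    """(notBefore, notAfter) of a DER X.509 certificate; walks only the TBS prefix."""
    _, cert, _ = _tlv(der, 0)                            # Certificate SEQUENCE
    fields = list(_children(next(_children(cert))[1]))   # tbsCertificate fields
    if fields[0][0] == 0xA0:                             # optional explicit [0] version
        fields = fields[1:]
    return tuple(_asn1_time(t, v) for t, v in _children(fields[3][1]))  # serial, sigAlg, issuer, validity

def check_metadata(xml_data, now=None):
    """Extract what SSO Connect relies on: IdP entityID, SSO endpoints, signing certs."""
    root, now = ET.fromstring(xml_data), now or datetime.now(timezone.utc)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor" or idp is None:
        raise ValueError("not SAML IdP metadata: EntityDescriptor/IDPSSODescriptor missing")
    certs = []
    # Entra always sets use="signing"; a KeyDescriptor with no 'use' attribute would also qualify
    for c in idp.findall("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
        der = base64.b64decode("".join(c.text.split()))
        not_before, not_after = cert_validity(der)
        certs.append({"thumbprint": hashlib.sha1(der).hexdigest().upper(),  # as the portal shows it
                      "not_after": not_after, "days_left": (not_after - now).days,
                      "valid_now": not_before <= now <= not_after})
    sso = {s.get("Binding").rsplit(":", 1)[-1]: s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    return {"entity_id": root.get("entityID", ""), "signing_certs": certs, "sso": sso}

def problems(report, min_days=30):
    """Findings that should stop the import (entityID pattern = what Entra tenants emit; assumption)."""
    issues = []
    if not re.fullmatch(r"https://sts\.windows\.net/[0-9a-f-]{36}/", report["entity_id"]):
        issues.append(f"unexpected entityID {report['entity_id']!r}")
    if not report["signing_certs"]:
        issues.append("no signing certificate: assertions could not be verified")
    for c in report["signing_certs"]:
        if not c["valid_now"]:
            issues.append(f"signing cert {c['thumbprint']} is not currently valid")
        elif c["days_left"] < min_days:
            issues.append(f"signing cert {c['thumbprint']} expires in {c['days_left']} days")
    if not {"HTTP-Redirect", "HTTP-POST"} & set(report["sso"]):
        issues.append("no HTTP-Redirect/HTTP-POST SingleSignOnService endpoint")
    return issues

def _der(tag, payload):
    """Minimal DER TLV encoder, used only to build the constructed sample certificate."""
    if len(payload) < 0x80:
        return bytes([tag, len(payload)]) + payload
    lb = len(payload).to_bytes((len(payload).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def sample_cert_der(not_before="240101000000Z", not_after="340101000000Z"):
    """CONSTRUCTED: structurally valid, unsigned X.509 skeleton (no real key or signature)."""
    sha256_rsa = _der(0x30, bytes.fromhex("06092a864886f70d01010b") + b"\x05\x00")
    name = _der(0x30, _der(0x31, _der(0x30, bytes.fromhex("0603550403") + _der(0x0C, b"Entra SSO"))))  # CN=
    validity = _der(0x30, _der(0x17, not_before.encode()) + _der(0x17, not_after.encode()))
    spki = _der(0x30, _der(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00") + _der(0x03, b"\x00" * 9))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + sha256_rsa
               + name + validity + name + spki)
    return _der(0x30, tbs + sha256_rsa + _der(0x03, b"\x00" * 9))

def sample_metadata(cert_der, tenant="11111111-2222-3333-4444-555555555555"):
    """CONSTRUCTED skeleton of the Entra download (real files also carry Signature, NameIDFormat, SLO)."""
    b64 = base64.b64encode(cert_der).decode()
    return f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sts.windows.net/{tenant}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
      <X509Certificate>{b64}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.microsoftonline.com/{tenant}/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://login.microsoftonline.com/{tenant}/saml2"/>
  </IDPSSODescriptor></EntityDescriptor>"""

if __name__ == "__main__":                               # python check_metadata.py <downloaded .xml>
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_metadata(sample_cert_der())
    found = problems(check_metadata(data))
    sys.exit("\n".join(found) if found else print("OK: metadata looks sane"))
```

Run it once against the download on your workstation and again against the copy on the SSO Connect server; both runs should report no problems, and a thumbprint that matches the one shown in the portal's SAML Signing Certificate panel confirms the file carries the certificate you just activated. The thumbprint is SHA-1 only because that is what the portal displays; here it is an identifier for comparison, not a security control. A `min_days` warning means the certificate you created will expire soon and the rotation described in the signing-certificate step (activate, re-download, re-import) is already due.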

### Import the Azure Metadata

Import the file saved in the previous step into Keeper SSO Connect’s configuration screen by dragging and dropping the file into the **SAML Metadata** section.

![Import XML Metadata to SSO Connect](https://2635959690-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LTyMp7XGU8wh-hRPBiB%2F-LeEIEvqohDb1Qn-DLQh%2F-LeEIO0p4FtvpTWWDa9h%2FScreen%20Shot%202019-05-06%20at%203.38.51%20PM.png?alt=media\&token=438afe6a-2209-4b58-b46a-fb61fb0da262)

{% hint style="info" %}
Don’t forget to select **Azure** as the Identity Provider Type.
{% endhint %}

### User Provisioning

If only specific users or groups should be able to sign in to Keeper Password Manager, change the following setting. In the Azure portal, navigate to **Microsoft Entra ID > Enterprise Applications > Keeper Password Manager & Digital Vault** and select **Properties**.

![Properties](https://2635959690-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LTyMp7XGU8wh-hRPBiB%2F-LeEBQ8YlQ-P1aFEPqt9%2F-LeEHVldGeNahKekJen5%2FScreen%20Shot%202019-05-06%20at%203.35.37%20PM.png?alt=media\&token=69009344-92ac-41da-8d2b-4527af4c454f)

Change **User assignment required** to **Yes** and save. This ensures that only the users and groups assigned to the application can use it; while the setting is left at **No**, any user in the tenant can complete an SSO login to the application.

![User Assignment Settings](https://2635959690-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LTyMp7XGU8wh-hRPBiB%2F-LeEBQ8YlQ-P1aFEPqt9%2F-LeEHgg0cHhqKuRc5W4w%2FScreen%20Shot%202019-05-06%20at%203.36.28%20PM.png?alt=media\&token=de0d8885-c7d1-49fd-82b9-3169fbf8d184)

In the **Users and groups** section, select the users and/or groups that should have access to the Keeper application.

![Assign Users and Groups](https://2635959690-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LTyMp7XGU8wh-hRPBiB%2F-LeEBQ8YlQ-P1aFEPqt9%2F-LeEHrzGR-II-dY2pPsh%2FScreen%20Shot%202019-05-06%20at%203.37.03%20PM.png?alt=media\&token=f548ea52-a55c-4b15-81c7-3d1b9a025f47)

Your Keeper SSO Connect setup is now complete!

