Entra ID/Azure AD Configuration

How to configure Keeper SSO Connect On-Prem with Microsoft Entra ID / Azure AD for seamless and secure SAML 2.0 authentication.


Last updated 1 year ago


For a 100% cloud-based integration with Azure, see Keeper SSO Connect Cloud.

Azure

Go to your Azure Admin account at https://portal.azure.com and click on Azure Active Directory > Enterprise Applications.

If you already have a Keeper application set up for SCIM Provisioning, you can edit the existing application and should not create a new one.

If you have not set up Keeper in Azure yet, click on "New Application" then search for Keeper and select "Keeper Password Manager & Digital Vault". On the right side click "Add" to add the application.

After adding the application, click on the "Single Sign On" section and select the "SAML" option:

Edit Basic SAML Configuration

Click the pencil icon to edit the "Basic SAML Configuration".

Type in the Identifier, Reply URL and Sign on URL that apply to the URLs in your Keeper SSO Connect installation. Ignore the "Patterns" text.

Example Settings:

Identifier = https://xyz.domain.com:8443/sso-connect
Reply URL = https://xyz.domain.com:8443/sso-connect/saml/sso
Sign on URL = https://xyz.domain.com:8443/sso-connect/saml/login

(replace the domain and port according to your SSO Connect configuration)

Save the settings.

Edit User Attributes & Claims

Under the User Attributes section, Azure will automatically create claims for User ID, First, Last and Email.

We recommend deleting the 4 claims in the "Additional Claims" section since they are not needed.

In your environment, if your user.userprincipalname (UPN) is not the same as the user's actual email address, you can edit the Email claim and change it to user.mail as the value for the Email attribute.

Edit SAML Signing Certificate

Under the SAML Signing Certificate section click Edit.

Select Create new certificate. Enter the expiration date and save.

After creating the certificate select Make new certificate active.

Select signing option "Sign SAML response and assertion" with SHA-256 signing method.
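
To confirm that this signing option took effect, a SAML response captured during a test login and base64-decoded can be checked for an enveloped signature on both the Response and the Assertion. This is an added example, not part of Keeper's documentation; the function names and the sample XML are constructed for illustration, and the check is structural only (it does not validate signature values).

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

def _own_signature_alg(elem):
    """Algorithm of the enveloped signature covering `elem` itself, else None."""
    sig = elem.find("ds:Signature", NS) if elem is not None else None
    if sig is None or not elem.get("ID"):
        return None
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    alg = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
    # The Reference must point at this element's own ID, not at another node.
    if ref is None or alg is None or ref.get("URI") != "#" + elem.get("ID"):
        return None
    return alg.get("Algorithm")

def signature_layout(response_xml):
    """Structural check of a decoded SAML Response. It does not verify the
    signature values; that remains the service provider's job."""
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    found = {"response": _own_signature_alg(root),
             "assertion": _own_signature_alg(root.find("saml:Assertion", NS))}
    found["response_and_assertion_sha256"] = (
        found["response"] == RSA_SHA256 and found["assertion"] == RSA_SHA256)
    return found

# Constructed sample: digests and signature values omitted, IDs are made up.
SIG = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>'
       '<ds:SignatureMethod Algorithm="%s"/><ds:Reference URI="#%s"/>'
       '</ds:SignedInfo></ds:Signature>')

def sample_response(sign_response=True, alg=RSA_SHA256):
    return ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1">%s'
            '<saml:Assertion ID="_a1">%s</saml:Assertion></samlp:Response>'
            % (NS["samlp"], NS["saml"], SIG % (alg, "_r1") if sign_response else "",
               SIG % (alg, "_a1")))

if __name__ == "__main__":
    print(signature_layout(sample_response()))
    print(signature_layout(sample_response(sign_response=False)))
```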

Obtain Metadata XML

To complete the integration between Microsoft Azure and Keeper SSO Connect, you must retrieve the Metadata XML file and import this file into the Keeper SSO Connect screen. Select the Federation Metadata XML link.

This will download a file named "Keeper Password Manager & Digital Vault.xml" to your computer. This file will need to be transferred to the server running Keeper SSO Connect for the next step.

Import the Azure Metadata

Import the file saved in the previous step into Keeper SSO Connect’s configuration screen by dragging and dropping the file into the SAML Metadata section.

Don’t forget to select Azure as the Identity Provider Type.

User Provisioning

If only specific users or groups will be assigned to Keeper Password Manager, the following setting will need to be changed. In your Azure console, navigate to Azure Active Directory > Enterprise Applications > Keeper Password Manager & Digital Vault and select Properties.

Change the User assignment required setting to Yes and then save. This will ensure only the users and groups assigned to the application will be able to use it.

On the Users and groups section select the users and/or groups that are to be provisioned to the Keeper application.

Your Keeper SSO Connect setup is now complete!
