# Installation - Windows

### Java Runtime

As described in the [System Requirements](/en/sso-connect-on-prem/system-requirements.md#java-dependencies) page, the Java runtime is required to run Keeper SSO Connect. It can be installed by the admin or it can be optionally included in the Keeper installer. Make sure to install a compatible version of the Java runtime.

### SSL Certificate

Keeper SSO Connect requires a valid SSL certificate that has been signed by a public certificate authority. Self-signed certificates may work for testing; however, most client applications will fail to connect.

You can obtain an SSL certificate from your web hosting company, or you can utilize one of the no-cost options available such as [ZeroSSL](https://zerossl.com/). You can also have more control over the steps by using OpenSSL.

OpenSSL for Windows - <https://slproweb.com/products/Win32OpenSSL.html>

You can use the latest "Win32 OpenSSL Light" version.

### Download SSO Connect

To get the download link, open the Keeper Admin Console and, under provisioning in your SSO node, add the method "SSO Connect On-Prem".

After adding the provisioning, you will see a button to download Keeper SSO Connect.

Copy the downloaded file to the SSO Connect server.

![Download SSO Connect](https://2635959690-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LTyMp7XGU8wh-hRPBiB%2Fuploads%2Fe5fSV3SJ4G9YXnTFdvSf%2Fchrome_4b7Za1Sc9S.png?alt=media\&token=d6507ace-b49f-4e80-b6a0-acbbed9cd049)

### Download Metadata Files and SSL Certificate

Installation of SSO Connect requires the creation of an SSL certificate file that is utilized for the endpoint. Generate the SSL certificate and download the SSL certificate file (`.pfx`, `.p12`, or `.jks`) and your IDP's SAML XML metadata file to the server.

## Installation - Windows

Extract the Keeper SSO Connect installer file.

Run KeeperSSOConnect **as Administrator**.

<figure><img src="https://2635959690-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LTyMp7XGU8wh-hRPBiB%2Fuploads%2FecmFGQ9hXdBkVJYoRaQr%2FScreenshot%202024-07-23%20at%201.45.12%E2%80%AFPM.png?alt=media&#x26;token=674c10e4-b001-421f-aef6-0016ea88e201" alt=""><figcaption></figcaption></figure>

![](https://2635959690-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LTyMp7XGU8wh-hRPBiB%2F-LlE7J_RlTriwBoFyXYc%2F-LlE87gFRFlAz6-uPgjk%2FWizzard4.PNG?alt=media\&token=1922a7ac-57f6-4078-a6be-90a83c22d4d4)

The new desktop icon "Keeper SSO Connect" will launch a browser for configuration (we recommend using Google Chrome to perform the initial setup).

![](https://2635959690-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LTyMp7XGU8wh-hRPBiB%2F-LlE7J_RlTriwBoFyXYc%2F-LlE91Qu2xgtIpAyKMFZ%2FAlias.PNG?alt=media\&token=b92d1273-61c8-467d-ac9b-acfee8320a5c)

If you receive an error connecting to the Keeper SSO Connect service, you need to **reboot the server.** Also, you need to ensure that your web browser is able to connect to keepersecurity.com over **port 443**. Keeper SSO Connect does not support the use of proxy servers or firewalls that perform SSL packet inspection.
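
The two network conditions above can be checked from the SSO Connect server itself. The script below is an added example, not part of Keeper's tooling; `$InspectionCaPattern` is a placeholder regex that you replace with the name of your organization's inspection CA, if one exists.

```powershell
# Added example: confirm outbound TCP 443 to keepersecurity.com and show which
# certificate chain this server actually receives. Save as a .ps1 script and run it.
param(
    [string]$Target              = 'keepersecurity.com',      # host named on this page
    [string]$InspectionCaPattern = 'YourCorp|Proxy|Firewall'  # placeholder: your inspection CA's name
)

$tcp = [System.Net.Sockets.TcpClient]::new()
try {
    $tcp.Connect($Target, 443)                        # throws if port 443 is blocked
    $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream())
    $ssl.AuthenticateAsClient($Target)                # default validation against this machine's trust store
    $leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)

    # Rebuild the chain locally so every issuer up to the root is visible.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    [void]$chain.Build($leaf)
    $subjects = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })

    [pscustomobject]@{
        Target            = $Target
        TlsProtocol       = $ssl.SslProtocol
        LeafIssuer        = $leaf.Issuer
        Chain             = $subjects -join '  <-  '
        LooksIntercepted  = [bool]($subjects | Where-Object { $_ -match $InspectionCaPattern })
    } | Format-List
}
catch [System.Net.Sockets.SocketException] {
    Write-Warning "TCP 443 to $Target failed: $($_.Exception.Message)"
}
catch [System.Security.Authentication.AuthenticationException] {
    # An untrusted chain here often means something between the server and Keeper re-signed the traffic.
    Write-Warning "TLS handshake with $Target failed validation: $($_.Exception.Message)"
}
finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Dispose()
}
```

If `LooksIntercepted` is true, or the chain ends at an internal root rather than a public certificate authority, traffic to Keeper is being inspected and needs an exemption on the proxy or firewall.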

## SSO Connect Web UI Configuration

Log in to the SSO Connect Web UI with a Keeper Administrator Master Password account by navigating to **<http://127.0.0.1:8080/config>** or by using the Keeper SSO Connect desktop icon.

{% hint style="info" %}
**To log in to the SSO Connect Web UI successfully, you must use a Keeper Administrator account that meets several requirements:**

1. The account MUST be a Master Password Authentication account.
2. The account cannot live within the SSO provisioning node.
3. The account must be in an Administrative Role that has Manage Bridge/SSO permissions over the node.
   {% endhint %}

![](https://2635959690-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LTyMp7XGU8wh-hRPBiB%2F-LlEFuQasFEIvcjdvy0M%2F-LlEAIeaf9TU-piXT0Ll%2FLogin_B.PNG?alt=media\&token=75f17d64-d30e-43cc-bf90-428edefc80c5)

Enter a Two Factor Authentication code if prompted.

![](https://2635959690-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LTyMp7XGU8wh-hRPBiB%2F-LlEFuQasFEIvcjdvy0M%2F-LlEF36LVjbKQBYSDZrC%2FLogin_C.PNG?alt=media\&token=038a7368-2105-45c9-89e0-9e5ed540a047)

Select the SSO Connection (Enterprise Domain).

![](https://2635959690-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LTyMp7XGU8wh-hRPBiB%2F-LlEFuQasFEIvcjdvy0M%2F-LlEFmr6cCK6SFt1pHOU%2FLogin_D.png?alt=media\&token=c78ab2ae-239c-46a6-92c6-b8fdc045d423)

Once you successfully authenticate Keeper SSO Connect to your Admin Console you will see the status tab:

![](https://2635959690-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LTyMp7XGU8wh-hRPBiB%2F-LlEGa_bRaQ8Pykmh8Yl%2F-LlEGdUGzHqER5qbh05X%2FConfig_1_B.png?alt=media\&token=53d37c64-079a-41d0-abad-10340cc5e681)

Select the Configuration link to begin the setup.

![SSO Connect Configuration](https://2635959690-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LTyMp7XGU8wh-hRPBiB%2F-LlEGa_bRaQ8Pykmh8Yl%2F-LlEIVJ1Gk7jwcklM7X5%2FConfig_2.PNG?alt=media\&token=c4f9828d-9eac-4d5c-be64-da0b5d25c491)

![](https://2635959690-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LTyMp7XGU8wh-hRPBiB%2F-LU1ZJ05cdnFYgau3q_f%2F-LU1ZnCK1BjYHNe4ysud%2Fsso-step-21b.png?alt=media\&token=33c03ba0-f44f-4644-9bc9-1c8689225cd4)

Enter the Advertised Hostname or IP Address. This address is what the Keeper client applications navigate to in order to initiate the SSO authentication process. If installing Keeper SSO Connect in an [HA (High Availability) configuration](/en/sso-connect-on-prem/high-availability-configuration.md), this is the address that points to the load balancer. This address can be either an IP or a hostname.

Bound IP Address. This is the physical IP address of the NIC on the server. If a hostname is not used and if there is only one address associated with the server this entry will be the same as the Hostname or IP Address field.

In the example above, "sso-1.test-keeper.com" is the Advertised Hostname that gets routed to the local address 10.1.0.4. The Keeper SSO Connect service binds to the Private IP address.

{% hint style="info" %}
The IP/Hostname must be accessible by users who will be accessing Keeper. You may need to update your firewall to allow access over the IP and port.
{% endhint %}

### SSO Connect SSL Key and Certificate

The Keeper SSO Connect service requires an SSL Certificate. It is recommended to use a proper SSL Certificate signed by a Certificate Authority (CA). The SSL cert can be one generated specifically for the SSO Connect server (hostname or IP address) or a wildcard certificate that matches your domain (\*.yourcompany.com).

{% hint style="danger" %}
Self-signed certificates will generate security errors for your users on most browsers and mobile devices.
{% endhint %}

The certificate file type must be `.pfx` or `.p12` for a PKCS 12 certificate or `.jks` for a Java Key Store certificate. Most Certificate Authorities have instructions on their sites on how to convert to these file types if they did not initially issue these specific formats.

For assistance in generating an SSL certificate, please refer to the section on [Creating a Certificate](/en/sso-connect-on-prem/appendix.md).

{% hint style="info" %}
**Note: SSL Certificates may expire annually or quarterly. Please set a reminder to renew your certificate prior to the expiration date to prevent unexpected outages.**
{% endhint %}

![PKCS 12 Passphrase](https://2635959690-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LTyMp7XGU8wh-hRPBiB%2F-LU1_X9CuKpUBZZytSG9%2F-LU1hkKbb4_js8704JFS%2Fsso-step-22b.png?alt=media\&token=d2008484-d13a-43f5-9420-3f02f13f06bd)

{% hint style="info" %}
For SSO Connect versions prior to 14.1.0, please enter the password in both fields.
{% endhint %}

Select your specific IDP. If your IDP is not in the pull-down menu, select **Default.**

![](https://2635959690-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LTyMp7XGU8wh-hRPBiB%2F-LU1_X9CuKpUBZZytSG9%2F-LU1i2LkbvoXXdHjnx1y%2Fsso-step-23b.png?alt=media\&token=f54074c8-40c4-4ce4-8605-86e36a52314f)

### IdP Metadata

Select your IdP Provider. If your provider is not listed select **Default**.

The next step is to upload the IdP SAML metadata file. This file can be downloaded from your IdP.

![](https://2635959690-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LTyMp7XGU8wh-hRPBiB%2F-LU1iXwbAyDupbgAsr7X%2F-LU1kgKyzPodT7Fo9Xgd%2Fsso-step-25b.png?alt=media\&token=6ed64952-70b9-46c5-a151-a057b3d7035a)

### Identity Provider Attribute Mappings

Attribute Mappings do not require any changes. Select **Save**.

![](https://2635959690-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LTyMp7XGU8wh-hRPBiB%2F-LU1iXwbAyDupbgAsr7X%2F-LU1kwmhMrFRNuC-hvSD%2Fsso-step-26b.png?alt=media\&token=1d6c9562-8c56-49c1-8f28-c03aa0391018)

### SSO Connect Status

Reasons the Status might be listed as Stopped:

![](https://2635959690-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LTyMp7XGU8wh-hRPBiB%2F-LlEKJMRmmjgQPeO9BHy%2F-LlEKMYuts9IpQ1xChJb%2FConfig_1_C.png?alt=media\&token=37ca0859-818b-410c-9900-62eefc455a5d)

* Your SSL Certificate is missing or incorrect.
* The hostname in the SSL certificate doesn’t match the hostname in SSO Connect. A wildcard SSL certificate can be used or you can use a certificate created for the specific hostname (e.g. if your hostname is Keeper.DOMAIN.com, your cert should be set up for \*.DOMAIN.com).
* By default, the **Use Certificate to Decrypt and Sign SAML Response/Request** option should be selected.

> See the [Appendix](/en/sso-connect-on-prem/appendix.md) on creating a self-signed SSL cert if you need to create one for testing or troubleshooting your SSL certificate.
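
The certificate-related causes above can be checked against the file before uploading it. The script below is an added example, not part of Keeper's tooling: the file path and warning window are placeholders, the hostname is the one from this page's example, and it reads `.pfx`/`.p12` files only (not `.jks`) and compares DNS names only, not IP addresses.

```powershell
# Added example: pre-flight check of the certificate file. Save as a .ps1 script and run it.
param(
    [string]$PfxPath        = 'C:\certs\sso-connect.pfx',  # placeholder path
    [string]$AdvertisedHost = 'sso-1.test-keeper.com',     # hostname from this page's example
    [int]$WarnDays          = 30                           # assumed renewal warning window
)

# A wildcard name covers exactly one left-most label (*.domain.com matches keeper.domain.com).
function Test-NameMatch([string]$Pattern, [string]$HostName) {
    if ($Pattern -ieq $HostName) { return $true }
    if ($Pattern.StartsWith('*.')) {
        $dot = $HostName.IndexOf('.')
        return ($dot -gt 0) -and ($HostName.Substring($dot) -ieq $Pattern.Substring(1))
    }
    return $false
}

$pass = Read-Host -AsSecureString -Prompt 'Certificate passphrase'
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PfxPath, $pass)

# DnsNameList is a property PowerShell adds to certificate objects (subject CN plus DNS SANs).
$names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })

$report = [pscustomobject]@{
    Subject         = $cert.Subject
    Issuer          = $cert.Issuer
    Names           = $names -join ', '
    HasPrivateKey   = $cert.HasPrivateKey
    HostnameMatch   = [bool]($names | Where-Object { Test-NameMatch $_ $AdvertisedHost })
    SelfSigned      = ($cert.Subject -eq $cert.Issuer)
    ChainTrusted    = $cert.Verify()   # chain builds to a root this machine trusts
    DaysUntilExpiry = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
}
$report | Format-List

if (-not $report.HasPrivateKey)            { Write-Warning 'No private key in the file.' }
if (-not $report.HostnameMatch)            { Write-Warning "No certificate name matches $AdvertisedHost." }
if ($report.SelfSigned)                    { Write-Warning 'Certificate is self-signed.' }
if (-not $report.ChainTrusted)             { Write-Warning 'Chain does not validate on this machine.' }
if ($report.DaysUntilExpiry -lt $WarnDays) { Write-Warning "Expires in $($report.DaysUntilExpiry) days." }
```

Running the same script on a schedule with the deployed file gives an early warning ahead of certificate expiry.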

### Restarting the Keeper SSO Connect Service on Windows

Keeper SSO Connect runs as a service on Windows. Closing the web interface does not stop the service. The service can be stopped and started from the Services MMC in Windows.

![](https://2635959690-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LTyMp7XGU8wh-hRPBiB%2F-LU1iXwbAyDupbgAsr7X%2F-LU1l4vDZfm6Zf6ELzNF%2Fsso-step-27b.png?alt=media\&token=2ec31132-51b6-4868-b426-c52948f4141b)


