Linux Command-line Configuration
Configuration on Linux without a GUI
If you would like to configure SSO Connect on the command line then please see the sections below. If SSO Connect is already configured, skip to the Identity Provider Setup section.
Linux configuration with interactive mode
Keeper SSO Connect can be started in configuration mode, which prompts you for the necessary parameters.
Stop the running SSOConnect process, if any, by hitting CTRL-C or killing the process.
Copy the SSL certificate to the SSO Connect server. It must be in PKCS#12 or Java Keystore format, meaning a file ending with .pfx, .p12, or .jks.
Copy the IdP's SAML XML metadata file to the server.
This is obtained from your IDP admin site (Active Directory, Azure, F5, Google, Okta, etc.).
This is usually an .xml file.
In the SSO Connect directory start SSO Connect in configuration mode:
$ java -jar SSOConnect.jar -config
You will be prompted to supply the following parameters:
Keeper Administrator email address (to login to the Keeper Admin Console for your company)
Keeper Administrator Master Password
Two-Factor code (if enabled on account)
SSO Domain Name (this attribute is defined on the SSO Connect provisioning screen on the Keeper Admin Console)
Note that each Domain configured in Keeper will require a separate SSO Connect installation.
Next you will be able to configure each individual parameter. Leave the setting blank (hit <Enter>) to accept the default setting.
SSO Connect External Hostname or IP Address
External SSL Port (default = 8443)
Local (private) IP
Local (private) Port
Use Certificates to decrypt and sign the saml response and requests (True/False)
SAML Attribute mapping for "First Name"
SAML Attribute mapping for "Last Name"
SAML Attribute mapping for "Email"
IdP Type (Google, Okta, Azure, etc...)
Key Store Password (if using Java Keystore)
PKCS#12 Passphrase (if using SSL Key)
Full path and name of Key File
Full path and name of IdP SAML Metadata file
The following questions relate to using an HSM (Hardware Security Module) for secure key storage. If you do not have an HSM or do not want SSO Connect to use one you can skip this section.
Configure Secure Key Storage (y/N):
Type of Secure Key Storage (Gemalto SafeNet Luna HSM): <Enter> (AWS Cavium CloudHsmV2 is also supported)
Secure storage device access parameters (slot,password): <Enter>
slot: <your slot> (required for Gemalto, often 0 or 1)
password: ******** (required for Gemalto, this is the Crypto Officer password on the HSM)
Certificate chain file (/home/ubuntu/keeperSSO/data/sso_keystore.jks): <Enter> (required)
Certificate chain file password (none):
Enable Secure Key Storage (Y/n):
Once the settings are sufficient for SSO Connect to start up and contact the Keeper server, they will sync to all other SSO Connect instances on the same domain when each of those instances is restarted.
Note: the JKS keystore type may require the Key Store Password and the Passphrase to be the same.
SSO Connect does not start automatically after a configuration session, so you need to start it:
Linux configuration through SSH with full command-line parameters
SSO Connect supports many command-line options that can be scripted to automate operations such as rotation of SSL keys.
For a full list of command line parameter options, use the "-h" flag:
| Option | Description |
| --- | --- |
| -h or -help | Display this help text. |
| -c or -config | Configure SSOConnect via prompts. |
| -v or -version | Output the version. |
| -l or -list | Output the configuration to the console. |
| -d or -debug | Output the class path and other information to the console for troubleshooting. |
| -s or -sync | Performs a full sync. System must already be initialized. |
SSOConnect can also be configured via the following command line switches.
| Setting | Argument | Description |
| --- | --- | --- |
| -username | string | Username of the admin who can configure this instance of SSO Connect |
| -password | string | Keeper Master Password |
| -twofactor | string | Two-factor token |
| -initialize | string | SSO name to initialize the instance to. |
| -enableSKS | none | Turn on Secure Key Storage (e.g. a Hardware Security Module) |
| -disableSKS | none | Turn off Secure Key Storage (e.g. a Hardware Security Module) |
Note: if the instance is already initialized, you cannot re-initialize it without deleting the contents of the data directory.
| Setting | Argument | Description |
| --- | --- | --- |
| -export | string | Export the SSOConnect Service Provider XML to the file name supplied as the argument. Instance must already be initialized. |
| -sso_connect_host | string | Public / advertised FQDN (fully qualified domain name) |
| -sso_ssl_port | number | Public / advertised SSO Connect port |
| -private_ip | string | IP address to bind the SSL service to (if not supplied, defaults to the resolved IP of sso_connect_host) |
| -private_port | number | Port to bind the SSL service to (if not supplied, uses sso_ssl_port) |
| -key_store_type | string | Either jks or p12 |
| -key_store_password | string | Password for the keystore |
| -key_password | string | Password for each key in the keystore |
| -key_type | string | The value can be "rsa" or "ec" (case-insensitive) |
| -ssl_file | path | Location of the SSL file to convert |
| -saml_file | path | Location of the SAML file |
| -sign_idp_traffic | boolean | True if all incoming and outgoing traffic is signed |
| -idp_type | number | The number corresponding to the desired IDP: 0 Default, 1 F5 Networks BIG-IP, 2 Google, 3 Okta, 4 Microsoft ADFS, 5 Microsoft Azure, 6 OneLogin |
| -map_first_name | string | Field the IDP sends the user's first name as |
| -map_last_name | string | Field the IDP sends the user's last name as |
| -map_email | string | Field the IDP sends the user's email as |
| -admin_port | number | HTTP port on 127.0.0.1 that the administrative configuration web server runs on. Note: this value is per instance. To disable the configuration web server for a given machine, set this to 0. |
Command-line options require the username, password, and two-factor code (if 2FA is enabled). Either pass them as options or you will be prompted for them.
For example, to rotate the SSL key of a running environment, the command will look something like this:
You will be prompted to supply passwords through the interactive shell if left unset.
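As an added example (not Keeper's own tooling, and not a command from this page), a small POSIX shell helper that assembles an SSL key rotation command from the switches in the tables above. It deliberately leaves -password, -key_store_password and -key_password unset so SSOConnect prompts for them, keeping secrets out of shell history and process listings; the jar location, admin address and key file path are assumptions.

```shell
#!/bin/sh
# Added example, not part of Keeper SSO Connect: build the non-secret part of a
# key rotation command. Secret switches are intentionally omitted; SSOConnect
# prompts for passwords left unset, so they never land in history or `ps`.
# Assumption: SSOConnect.jar is in the current directory.

# keystore_type FILE -> prints the -key_store_type value derived from the
# file extension (jks or p12); fails on anything else.
keystore_type() {
  case "$1" in
    *.jks) echo jks ;;
    *.p12|*.pfx) echo p12 ;;
    *) echo "unsupported key file: $1 (expected .jks, .p12 or .pfx)" >&2; return 1 ;;
  esac
}

# rotation_cmd ADMIN_EMAIL KEY_FILE [KEY_TYPE]
# Prints the command line to run; KEY_TYPE defaults to rsa.
rotation_cmd() {
  admin=$1; keyfile=$2; keytype=${3:-rsa}
  kst=$(keystore_type "$keyfile") || return 1
  case "$keytype" in
    rsa|ec|RSA|EC) ;;                       # only values the -key_type switch accepts
    *) echo "key_type must be rsa or ec" >&2; return 1 ;;
  esac
  [ -r "$keyfile" ] || { echo "key file not readable: $keyfile" >&2; return 1; }
  printf 'java -jar SSOConnect.jar -username %s -ssl_file %s -key_store_type %s -key_type %s\n' \
    "$admin" "$keyfile" "$kst" "$keytype"
}

# Usage (hypothetical values): rotation_cmd admin@example.com /etc/keeper/sso_new.p12
```

Run the printed command in the SSO Connect directory; the remaining passwords are then supplied at the interactive prompts described above.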
After you configure an instance, the changes will be immediately pushed to all other SSO Connect instances in your HA environment.
SSOConnect uses the standard log4j2 libraries as its logger. It looks for the configuration file in the following order:
1. The value of the system environment variable 'logging.config'
2. log4j2.xml in the current working directory
3. log4j2.xml in the directory the SSOConnect.jar file is in
4. A log4j2 configuration file according to the standard log4j2 search criteria
5. The default log4j2.xml included inside the SSOConnect.jar file
Modifying the log4j2.xml file will only take effect after the service is restarted, and only if it is the first log4j2 configuration file found.
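An added helper (not part of Keeper's documentation or product) that applies the search order above to report which log4j2 configuration SSOConnect would pick up, and which copies are shadowed, so you can confirm an edited log4j2.xml is actually the first one found before restarting. The 'logging.config' value is passed in as an argument because a dotted variable name cannot be read with a plain shell expansion; step 4 (log4j2's own standard lookup) is not modelled.

```shell
#!/bin/sh
# Added example, not Keeper's code: resolve the effective log4j2 configuration
# for SSOConnect using the documented search order. Step 4 (standard log4j2
# lookup) is not modelled; if nothing earlier matches we report the bundled default.
#
# effective_log4j2_config JAR_PATH [WORKDIR] [LOGGING_CONFIG_VALUE]
#   Prints "<source>: <path>" on stdout; shadowed candidates go to stderr.
effective_log4j2_config() {
  jar=$1
  workdir=${2:-.}
  override=${3:-}
  jardir=$(dirname "$jar")
  cwd_cfg="$workdir/log4j2.xml"
  jar_cfg="$jardir/log4j2.xml"

  if [ -n "$override" ]; then
    echo "logging.config: $override"
    [ -f "$cwd_cfg" ] && echo "note: $cwd_cfg is shadowed by logging.config" >&2
    [ -f "$jar_cfg" ] && echo "note: $jar_cfg is shadowed by logging.config" >&2
  elif [ -f "$cwd_cfg" ]; then
    echo "working directory: $cwd_cfg"
    [ -f "$jar_cfg" ] && echo "note: $jar_cfg is shadowed by $cwd_cfg" >&2
  elif [ -f "$jar_cfg" ]; then
    echo "jar directory: $jar_cfg"
  else
    echo "bundled default: log4j2.xml inside $jar"
  fi
  return 0
}

# Usage (assumed paths): from the SSO Connect directory,
#   effective_log4j2_config ./SSOConnect.jar . "$(printenv logging.config 2>/dev/null)"
```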