© 2025 Keeper Security, Inc.

GUI Configuration

Setup of Keeper SSO Connect on a Linux instance via the graphical interface.


Last updated 4 years ago


Access the web interface

In order to configure Keeper SSO Connect via the web interface, access to the configuration portal is necessary. If the server has a graphical user interface and a web browser, the admin can launch it directly through local access. However, if the server doesn't have a GUI or browser, use of an SSH tunnel will be necessary. Please determine which method meets your needs and, after the web interface is accessible, proceed to the configuration steps.

Configure through web GUI with local port access

By default, the configuration port of Keeper SSO Connect is port 8080. If you have local access to the target system, just open your web browser to:

http://127.0.0.1:8080/config/

Configure through the web GUI via an SSH Tunnel

If you do not have direct browser access to the SSO Connect machine, you can configure SSO Connect remotely through the web interface by opening an SSH tunnel to the target system, for example:

$ ssh -L 9000:127.0.0.1:8080 ubuntu@12.34.56.78

Then open your web browser on your local system to:

http://127.0.0.1:9000/config/

Configure SSO Connect via the web console

Log in with your Keeper Administrator email address and Master Password, and your multi-factor authentication if enabled.

Then you will be ready to configure the SSO Connection instance.

Click on "Configuration" to configure the specific Identity Provider.

Bound IP Address. This is the physical IP address of the NIC on the server. If a hostname is not used and if there is only one address associated with the server this entry will be the same as the Hostname or IP Address field.

In the example above, "sso-1.test-keeper.com" is the Advertised Hostname that gets routed to the local address 10.1.0.4. The Keeper SSO Connect service binds to the Private IP address.

The IP/Hostname must be accessible by users who will be accessing Keeper. You may need to update your firewall to allow access over the IP and port.

In the example above, "sso2.lurey.com" is the Advertised Hostname that gets routed to the local address 10.0.229.63. The Keeper SSO Connect service binds to the Private IP address.


SSO Connect SSL Key and Certificate

The Keeper SSO Connect service requires an SSL Certificate. It is recommended to use a proper SSL Certificate signed by a Certificate Authority (CA). The SSL cert can be one generated specifically for the SSO Connect server (hostname or IP address) or a wildcard certificate that matches your domain (*.yourcompany.com).

Self-signed certificates will generate security errors for your users on most browsers and mobile devices.

Note: SSL Certificates may expire annually. Please set a reminder to renew your certificate prior to the expiration date to prevent unexpected outages.

Select your specific IDP. If your IDP is not in the pull-down menu, select Default.

IdP Metadata

Identity Provider Attribute Mappings

Attribute Mappings do not require any changes. Select Save.

SSO Connect Status

After you click Save, the service will start up after a few seconds and the "Status" screen will display the server status information.

The Status might be listed as Stopped. If this happens, please check the following:

  • Your SSL Certificate is missing or incorrect.

  • The hostname in the SSL certificate doesn't match the hostname in SSO Connect. A wildcard SSL certificate can be used, or you can use a certificate created for the specific hostname (e.g. if your hostname is Keeper.DOMAIN.com, your cert should be set up for *.DOMAIN.com).

  • By default the Use Certificate to Decrypt and Sign SAML Response/Request should be selected.
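
The certificate checks in the list above can be run before the file is uploaded. The following is an added example, not Keeper tooling: it packs a PEM certificate and key into the PKCS#12 (.p12) form that SSO Connect accepts, then confirms that the bundle opens, covers the advertised hostname and is not close to expiry. The file names, hostnames and the P12_PASS environment variable are assumptions made for this sketch; the .jks format is not covered.

```bash
#!/usr/bin/env bash
# Added example, not Keeper tooling. File names, hostnames and the P12_PASS
# environment variable are assumptions made for this sketch.

# Pack a PEM certificate, its private key and an optional CA chain into a
# PKCS#12 bundle. The password comes from the exported $P12_PASS, so it
# never shows up in the process list or shell history.
pem_to_p12() {   # usage: pem_to_p12 cert.pem key.pem out.p12 [chain.pem]
  local cert="$1" key="$2" out="$3" chain="${4:-}"
  ( umask 077    # the bundle contains the private key: owner-only
    openssl pkcs12 -export -in "$cert" -inkey "$key" \
      ${chain:+-certfile "$chain"} -out "$out" -passout env:P12_PASS )
}

# Pre-upload check: the bundle opens with the password, the leaf certificate
# covers the advertised hostname, and it stays valid for at least min-days.
# Returns 0 ok, 2 unreadable, 3 hostname mismatch, 4 expiring.
check_p12() {    # usage: check_p12 bundle.p12 advertised-hostname [min-days]
  local p12="$1" host="$2" days="${3:-30}" leaf
  leaf=$(openssl pkcs12 -in "$p12" -nokeys -clcerts -passin env:P12_PASS \
           2>/dev/null | openssl x509 2>/dev/null) || true
  if [ -z "$leaf" ]; then
    echo "cannot read $p12 (missing file, wrong password or no certificate)"
    return 2
  fi
  # -checkhost prints its verdict; "does NOT match" fails the grep below.
  if ! printf '%s\n' "$leaf" | openssl x509 -noout -checkhost "$host" \
       | grep -q 'does match'; then
    echo "certificate does not cover $host"
    return 3
  fi
  # -checkend exits non-zero if the certificate expires within N seconds.
  if ! printf '%s\n' "$leaf" \
       | openssl x509 -noout -checkend $((days * 86400)) >/dev/null; then
    echo "certificate expires within $days days"
    return 4
  fi
  echo "ok: $host is covered and the certificate is valid for over $days days"
}
```

Export P12_PASS before calling either function. A wildcard covers a single label only, so *.DOMAIN.com matches Keeper.DOMAIN.com but not a.b.DOMAIN.com, and check_p12 returns 3 for the latter.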

You will be prompted to select the identity provider set up in the Admin Console (from the previous "Admin Console Configuration" step).

Enter the Advertised Hostname or IP Address. This address is what the Keeper client applications navigate to in order to initiate the SSO authentication process. If installing Keeper SSO Connect in an HA (High Availability) configuration, this is the address that points to the load balancer. This address can be either an IP or a hostname.

The certificate file type must be .pfx or .p12 for a PKCS 12 certificate or .jks for a Java Key Store certificate. Most Certificate Authorities have instructions on their sites on how to convert to these file types if they did not initially issue these specific formats. For assistance in generating an SSL certificate, please refer to the section on Creating a Certificate.

If your provider is not listed select Default. The next step is to upload the IdP SAML metadata file. This file can be downloaded from your identity provider. The specific steps in setting up the identity provider are in the next section ("Identity Provider Setup").

See the Appendix on creating a self-signed SSL cert if you need to create one for testing or troubleshooting your SSL certificate.

To set up SSO Connect as a service, please visit this section.
Figures (images not included): Local host configuration of SSO Connect; 2FA Login; Select SSO Connection; SSO Connect Status - Not Configured Yet; SSO Configuration Screen; SSL Key and Certificate; IdP Metadata; Service Provider Status.