1 of 37

SSO Connect On-Prem

Keeper SSO Connect On-Prem

Keeper SSO Connect On-Prem / Customer Hosted Version

Keeper SSO Connect On-Prem provides seamless integration with your SAML 2.0 identity provider in a Zero-Knowledge security architecture.

This technical guide provides detailed information on how to deploy Keeper SSO Connect On-Prem in your public cloud, private cloud or on-prem environment and use the powerful features of the Keeper Enterprise platform.

For customers looking for a 100% cloud-based integration, see Keeper SSO Connect Cloud

We recommend all new customers implement Keeper SSO Connect Cloud

Setup time: Up to 1 hour

1. Configure the Keeper Admin Console for SSO Integration.

2. Download, install, and configure the Keeper SSO Connect Service on any private or public cloud instance(s) or on-prem if desired.

3. Configure the Keeper Application on the IdP.

Proceed to the next page for a more in-depth overview followed by the system requirements.

Overview

SSO Connect On-Prem Overview

Keeper SSO Connect is a SAML 2.0 application that leverages Keeper’s zero-knowledge security architecture to securely and seamlessly authenticate users into their Keeper Vault and dynamically provision users to the platform. Keeper SSO Connect works with popular SSO IdP platforms such as Okta, Microsoft Azure, Google G Suite, Microsoft ADFS, F5 BIG-IP APM, Centrify, OneLogin, Ping Identity, and CAS to provide businesses the utmost in authentication flexibility.

Keeper SSO Connect is a software application that is installed on the enterprise’s on-premise, private cloud, or public cloud infrastructure. All user encryption keys are managed by Keeper SSO Connect, providing the customer with full control over the keys that are used to encrypt end-user vaults.

The Keeper SSO Connect service application can be installed on a private on-premise or cloud-based server. Windows and Linux-based operating systems are supported.

System Requirements

System Requirements for Keeper SSO Connect service

The Keeper SSO Connect is a lightweight service that can be installed on a private on-premise or cloud-based server. The application is hosted by the customer in order to preserve zero knowledge and provide compatibility with any SAML 2.0 compatible identity provider.

Supported Server Platforms

The following server platforms are currently supported:

Supported Windows Server Versions Windows Server 2019 Standard Windows Server 2019 Datacenter Windows Server 2022 Standard Windows Server 2022 Datacenter Windows Server 2025 Standard Windows Server 2025 Datacenter

Supported Linux versions: Ubuntu 18+ CentOS 7+ Debian 9.8+ openSUSE Tumbleweed openSUSE Leap 15.1+ Red Hat Enterprise Linux 6.8+

Supported Java versions Java 11+

Java Dependencies

Keeper SSO Connect requires at least Java 11. The installer for Windows provides the option to bundle the latest LTS Amazon Corretto 11 version. If you have a different version of Java installed we recommend uninstalling that version and install Java 11 first before you proceed. Otherwise you may experience service hanging during installation.

Keeper SSO Connect requires at least Java 11. You can obtain Java 11 from OpenJDK or Amazon Corretto. OpenJDK project: Amazon Corretto: Note: Reboot is required after Java installation

After the reboot, check the java installation version 1. Open an Administrator Command Prompt. 2. Type java -version. 3. Verify the java version installed is found.

If Java isn't recognized on the command line, follow the steps below.

Open 'Advanced system settings'
Click Environment Variables. In the section System variables, find thePATH environment variable and select it. Click Edit. If the PATH environment variable does not exist, click New.

Server Hardware Requirements

The following table outlines the minimum hardware requirements per each server.

Scalability and High Availability

The Keeper Connect service on a single instance can handle thousands of simultaneous users.

However, both scalability and high availability can be achieved by placing a load balancer in front of a cluster of Keeper SSO Connect servers. The Keeper Cloud backend will take care of configuration synchronization. Changes applied to one server are automatically distributed to all servers in the same SSO node cluster. This includes the user database.

Further scalability, for example to scale to 100,000 users or more, can be achieved by splitting groups of users up into multiple SSO Connect domains. This will require creating separate SSO-enabled node(s) in the Keeper Admin Console and a separate SSO server or server cluster for each node.

HSM Integration (Optional)

SSO Connect can optionally be integrated with Amazon CloudHSM or Gemalto HSM solutions to protect the private encryption keys. The following HSM modules are currently supported:

Network Deployment Requirements

The following network requirements apply to Keeper SSO Connect deployments.

Keeper SSO Connect network connections to Keeper Cloud servers at keepersecurity.com (US) or keepersecurity.eu (EU customers) is TCP/443 (TLS 1.2) outbound stateful.
End-user devices must connect to SSO Connect via the advertised public FQDN/IP and TCP port. For example, keepersso.mycompany.com.
Local server bind port and the external advertised connection port are configurable separately. In that scenario the ports need to be translated via a load balancer, firewall or locally (eg. iptables).

Installation and Setup

Steps to install and set up Keeper SSO Connect

The basic steps for setting up Keeper SSO Connect are listed in the steps below. Detailed instructions are annotated further in this guide.

Security Note: The server or virtual machine running the SSO Connect service must be strictly protected from unauthorized local access. Any user with access to the host system can interact with and potentially modify the SSO Connect service. Ensure that only trusted administrators have access to the system running SSO Connect, and follow best practices for server hardening and access control.

GUI Configuration

Setup of Keeper SSO Connect on a Linux instance via the graphical interface.

Access the web interface

In order configure Keeper SSO Connect via the web interface, access to the configuration portal is necessary. If the server has a graphical user interface and a web browser the admin can launch it directly through local access. However if the server doesn't have a GUI or browser, use of an SSH Tunnel will be necessary. Please determine which method meets your needs and after the web interface is accessible proceed to the the configuration steps.

Running Keeper SSO Connect as a Service on Linux

Setting up a service on Linux

Once your server is setup and operational you should setup SSO Connect as a service. This operation will vary depending on your OS.

If the application is still running because you configured it with the web interface, stop the running instance on the command line by entering CTRL-C.
As the root user, create a system startup file /etc/systemd/system/ssoconnect.service with the following content (replace /path/to/keeper with your exact path and replace <user> with your username that will be running the process

"chmod" the file:

Enable the service to auto-start.

Run systemctl to start the service.

Troubleshooting Linux

To test the service response or to monitor the health of the Keeper SSO Connect instances, you can query the "Ping URL" which in the above example is:

Note the local ping is being used here because we connected to the local instance via port forward. To check the service running from the outside (external users) you can use the public port:

Example request/response:

You can review log files which are located by default in /path/to/keeper/logs/ssoconnect.log. The logging is done through a standard log4j2.xml file located in the install directory. You may change the log4j2.xml file to place your log files anywhere you wish.

The next section provides Identity Provider setup instructions for each major vendor.

Identity Provider Setup

Configuration of SSO Connect On-Prem with popular IdP platforms

Once you have installed Keeper SSO Connect On-Prem on a server in your environment, the next step is to configure the SAML 2.0 authentication into your identity provider.

Keeper SSO Connect On-Prem can be integrated with any SAML 2.0 compliant identity provider. We have documented the steps for several popular platforms in the pages that follow.

Azure
Okta
Google Workspace
Microsoft AD FS
Ping Identity
OneLogin
JumpCloud
RSA SecurID Access
F5
Centrify
AWS SSO

If your Identity Provider is not listed here, don't worry. Keeper is compatible with all SAML 2.0 SSO identity providers. You can just follow the step by step instructions of a similar provider in the list above, and it will be generally the same setup flow.

(If you create a setup guide for your identity provider, please share it with us and we'll post it here!)

Centrify Configuration

How to configure Keeper SSO Connect On-Prem with Centrify for seamless and secure SAML 2.0 authentication.

For a 100% cloud-based integration with Centrify, see Keeper SSO Connect Cloud

Centrify

Switch to the Admin Portal from the pull down menu.

Close the Quick Start Wizard if it pops up. Select Apps from the menu then Add Web Apps.

On the Add Web Apps window, select the Custom tab and then scroll down and choose Add for SAML.

Select Yes to “Do you want to add this application?”.

Close the Add Web Apps Window.

The next step is to upload Keeper’s SSO Metadata to Centrify. In Keeper SSO connect, export the Keeper SSO Connect metadata using the Export Metadata link and save this file for the next step.

In the SAML Application Settings section in Centrify, select Upload SP Metadata.

Select Upload SP Metadata from a file and browse for the KeeperSSOMetadata.xml file. Select Ok.

Download the Identity Provider SAML Metadata. This will be uploaded to Keeper SSO Connect.

On the Description section enter Keeper SSO Connect in the Application Name field and select Security in the Category field.

Download the Keeper logo. Select Select Logo and upload the Keeper logo (keeper60x60.png).

On the User Access section select the roles that can access the Keeper App:

Under the Account Mapping section, select "Use the following..." and input mail.

On the Advanced section, append the script to include the following lines of code:

The above script reads the display name from the User Account section. The FirstName attribute is parsed from the first string of DisplayName and the LastName attribute is parsed from the second string of DisplayName.

Select Save to finish the setup.

Upload the Identity Provider SAML Metadata file into the Keeper SSO Connect interface by dragging and dropping the file into the Setup screen:

Select Save and Your Keeper SSO Connect setup is now complete!

F5 Configuration

How to configure Keeper SSO Connect On-Prem with F5 BIG-IP APM for seamless and secure SAML 2.0 authentication.

For a 100% cloud-based integration with F5, see Keeper SSO Connect Cloud

F5

On the F5 BIG-IP APM, configure a new SAML IdP service for your Keeper platform: Go to Access Policy -> SAML -> BIG-IP as IdP -> Local IdP services

Navigate to: Access Policy > SAML : BIG-IP as IdP - Local IdP Services. Select your applicable IdP connection point and "Export Metadata".

Upload this file to the server where Keeper SSO Connect is installed. We'll need it in the next step. Import the Metadata file extracted from F5 BIG-IP APM into SSO Connect.

Select Save to save the configuration and verify all settings look correct. Export the Keeper SSO Connect Metadata file for configuration of F5 BIG-IP APM from the Export Metadata link.

Your Keeper SSO Connect setup is now complete!

JumpCloud Configuration

How to configure Keeper SSO Connect On-Prem with JumpCloud for seamless and secure SAML 2.0 authentication.

For a 100% cloud-based integration with JumpCloud, see Keeper SSO Connect Cloud

JumpCloud

JumpCloud instructions for setting up Single Sign On (SSO) with Keeper Security. As listed in the JumpCloud SSO Prerequisites a public certificate and a private key pair are required. Instructions can be found here:

Log into the JumpCloud Administrator console.

Select the Applications tab on the side menu.

Next, select the + icon in the upper left corner.

Search for Keeper in the Application list search bar. Select Configure on the Keeper Application.

Next, on Keeper Application connector page, enter the IDP ENTITY ID:

The IDP ENTITY ID is a unique, case-sensitive identifier used by JumpCloud for this Service Provider (SP). This value should match the value specified in the Entity ID field of the Keeper SSO Connect. Your domain name, SSO Connect server name or IP address are possible examples. Next, Upload the IdP Private Key (private.pem file) and IDP Certificate (cert.pem file).

In the SP Entity ID field, enter the value found in the Entity ID field of the Service Provider Section from Keeper SSO Connect.

In the ACS URL field, enter the value found in the ACS URL field of the Service Provider Section from Keeper SSO Connect.

In the field terminating the IdP URL, either leave the default value or enter a plaintext string unique to this connector. (i.e. keepersecurity)

In the Display Label field, enter a label that will appear under the Service Provider logo within the JumpCloud User console. (i.e. Keeper Security)

Note: Keeper SSO Connect expects that the SAML response is signed. Ensure that JumpCloud is configured to sign SAML responses.

To complete the configuration, select the activate button.

Last step is to export the metadata from this connector to import it into the Keeper SSO Connect in Step 8.

Upload this file into the Keeper SSO Connect interface by dragging and dropping the file into the Setup screen:

Select Save and Your Keeper SSO Connect setup is now complete!

User Provisioning SSO+SCIM

JumpCloud® supports Automated Provisioning with SCIM (System for Cross Domain Identity Management) which will update and deactivate Keeper user accounts as changes are made in JumpCloud®. Step-by-Step instructions can be found here,

Okta Configuration

How to configure Keeper SSO Connect On-Prem with Okta for seamless and secure SAML 2.0 authentication.

For a 100% cloud-based integration with Okta, see

Okta SSO Configuration

OneLogin Configuration

How to configure Keeper SSO Connect On-Prem with OneLogin for seamless and secure SAML 2.0 authentication.

For a 100% cloud-based integration with OneLogin, see Keeper SSO Connect Cloud

Be sure to first perform the steps in the Admin Console Configuration section.

Setup:

Select Administration to enter the admin section.

From the onelogin menu select Applications then Add App.

In the Search field, do a search for Keeper Password Manager and select it from the search result.

On the Add Keeper Manager screen click Save.

The next step is to download the SAML Metadata from OneLogin. Select the down arrow on the MORE ACTIONS button and select SAML Metadata.

The onelogin_metadata_######.xml file will download to the browser. Copy this file to the Keeper SSO Connect server interface.

On the OneLogin Configuration tab, type in the Assertion Consumer Service Endpoint from your Keeper SSO Connect server: (i.e. https://DOMAIN:8443/sso-connect/saml/sso where DOMAIN is the server name or IP address of your Keeper SSO Connect application) then click Save.

Back on the Keeper Provisioning tab, click on "Add Method" and select SCIM.

Click Generate then copy the URL and Token.

Paste the "URL" into the SCIM Base URL, and paste the "Token" into the SCIM Bearer Token then click Save.

Click Save on the Keeper Admin Console and the integration is complete.

Ping Identity Configuration

How to configure Keeper SSO Connect On-Prem with Ping Identity for seamless and secure SAML 2.0 authentication.

For a 100% cloud-based integration with Ping, see

Ping Identity

PingOne Configuration

How to configure Keeper SSO Connect On-Prem with PingOne for seamless and secure SAML 2.0 authentication.

PingOne

From the PingOne console menu, select Applications > Application Catalog

RSA SecurID Access

How to configure Keeper SSO Connect On-Prem with RSA SecurID Access for seamless and secure SAML 2.0 authentication.

For a 100% cloud-based integration with RSA, see

Keeper Security is RSA SecurID Access Certified.

RSA SecurID Access integrates RSA Authentication Manager and their Cloud Authentication Service. In this setup Cloud Authentication Service can be used as an identity provider in conjunction with Keeper SSO Connect. Detailed documentation is provided on the RSA website via the links below.

Generic SAML Configuration

Keeper is compatible with any SAML 2.0 identity provider. Please use the reference guides in this documentation for configuration. If you need assistance, contact us.

High Availability (HA) Configuration

Operating Keeper SSO Connect On-Prem in HA mode

Keeper SSO Connect On-Prem can be optionally configured to operate in a multi-instance HA environment. Once the first instance is configured (per and instructions in this document) and the service is enabled to start on boot, the instance can be cloned and additional instances can be launched behind a load balancer.

Each HA instance must run the same version of SSO Connect

Upgrading SSO Connect On-Prem

Instructions for upgrading your Keeper SSO Connect On-Prem Service

Keeper Security performs security updates to Keeper SSO Connect On-Prem.

Step by Step Instructions

Follow the instructions in the Update Instructions page to proceed with the upgrade.

Proceed with Step by Step Instructions

Need Help?

If you are not familiar with your environment or if you are not comfortable performing the update, please .

Before you contact support, please provide the following information:

SSO Connect Version
SSO Connect server OS version
Identity Provider name and version

Updating On-Prem Config

Changing the SSL certificate, hostname, or the metadata configuration in SSO Connect On-Prem

SSO Connect On-Prem SSL certificates must be updated on an annual basis, or there may be times that the metadata.xml file needs to be updated on the SSO Connect server. Follow these instructions:

Login to the SSO Connect On-Prem server and click the "Configuration" tab. Make the desired change (update SSL certificate, hostname change, update IdP SAML metadata, etc.).
Save the changes. (This replicates the changes to the Keeper Cloud).
If multiple SSO Connect servers (HA configuration) are present in your architecture, no further steps are required as each subsequent SSO Connect server will synchronize to the cloud and update. However, to force the sync, click on “Full Sync” on the SSO connect menu on each server.

From the Keeper Cloud perspective, there is no primary or secondary SSO Connect server in an HA configuration. There is a single SSO Connect data back up (per SSO Connect provisioning instance) that synchronizes to all the servers architected for HA.

Do not delete the SSO Connect provisioning instance on the Admin Console. Doing so will remove the configuration and orphan your SSO Connect servers.

Migrating to a new SSO Connect Server

How to change SSO Connect On-Prem servers with minimal down time.

Each subsequent server added to an SSO Connect provisioning method will automatically download the configuration and user SSO data when the SSO Connect successfully authenticates as an administrator with the SSO permission. This reduces the amount of "reconfiguration" needed to migrating to a new server or to make the server part of an HA environment.

Do not delete the SSO Connect provisioning instance on the Admin Console. Doing so will remove the configuration and orphan your SSO Connect servers.

1. Install the new SSO Connect server as previously done for Windows or Linux.

Technical Support

If you have any questions or require assistance in configuring Keeper SSO Connect, please contact the Keeper Enterprise Support team at: .

Make sure to provide the following information in your request:

1. SSO Connect Version 2. SSO Connect OS type and version 3. Identity Provider name and version 4. Java version running on your server 5. Your time zone and preferred meeting time

Links and Resources

Additional Security Details

To learn more about the Keeper Encryption Model, see the below link:

Integration with AWS CloudHSM

Keeper SSO Connect On-Prem optionally integrates with cloud-based Amazon HSM (CloudHsmV2) devices for key protection and storage.

Integration with AWS Cavium CloudHsmV2

Keeper SSO Connect HSM Overview

Inside SSO Connect's data folder there are several files. Two of the files contain secret keys generated on the server that must be protected and are utilized to encrypt and decrypt the end-user's auto-generated master passwords. There is also a .sql file which contains a local cache of encrypted data. It is critical that access to this data folder is restricted.

On non-Windows machines the data folder is under the SSO Connect install folder, typically $HOME/sso_connect/data.

On Windows machines the data folder is in C:\ProgramData\Keeper SSO Connect\data\ since v14.1. Prior to v14.1 it was in C:\Program Files\Keeper Security\SSO Connect\data\.

You can add an extra layer of security by utilizing an HSM (Hardware Security Module) as described below. When an HSM is available, an encryption key is generated for each SSO Connect instance and stored securely in the HSM. The encryption key is used to encrypt the critical property files in the data/ folder.

AWS Cavium CloudHsmV2 Instructions

HSM Requirements

Amazon currently allows only CloudHsmV2 for new HSM deployments; Keeper supports this version. a. Legacy Cloud HSM v1 hardware is not supported by Keeper.
Amazon HSM software currently supports Linux or Windows installations.

Network Requirements

Port TCP/443 open, stateful outbound from Keeper SSO Connect to www.keepersecurity.com
Port TCP/2223 open, bidirectional from the SSO Connect machine to the HSM hardware
Port TCP/2225 open, bidirectional from the SSO Connect machine to the HSM hardware

Testing network access

CloudHsmV2 software installation

Provision your Amazon HSM cluster and install the HSM software on the SSO Connect machine as described in:

You will need the Java libraries. On Linux the software is installed in /opt/cloudhsm.

Ensure that the cloudhsm_client service is running in the background:

Test the Software Installation

Install SSO Connect as usual.

NOTE: The Amazon HSM Java software is supposed to recognize a file named HsmCredentials.properties on the Java Classpath. However, this may not work for some reason. Instead you may need to set HSM_USER, HSM_PASSWORD, and HSM_PARTITION environment variables. For testing, you will probably have to set the shell variables.

Test the HSM connection:

It should print the keys in the HSM.

Configure SSO Connect as usual via the command line or in the admin interface at http://localhost:8080/config

a. Set the "Advertised Hostname", a. Add the SSL certificate, a. Add the SAML XML metadata file.

In the admin interface, the HSM configuration section is at the bottom of the Configuration page.

a. Select "Amazon CloudHsmV2" as the type, a. Some properties will appear in the box below. You probably don't need to change them. i. An exception would be if the certificate to be used to talk to the HSM is not the same certificate used for SSL in SSO Connect. i. You may need to enter a password for the certificate file (usually the same one used for the SSL certificate file). a. Click the Enabled/Disabled box, a. Click Save

SSO Connect should now restart and connect to the HSM. If the status page shows that HSM is enabled, it worked. In rare situations when startup is very slow you may need to click on the Status command again so that it updates the status.

If it didn't work, check the SSO Connect error log. The most common error is that it can't find the HSM credentials. Set the credentials as environment variables to ensure that they are available.

If it didn't work, check the error log. The most common error is that it can't find the HSM credentials. Set the credentials as environment variables to ensure that they are available.

Troubleshooting

Troubleshooting the Configuration

Verify that SSOconnect is installed on the machine.
- Usually there is a folder called sso_connect, KeeperSSO, or some similar name. The folder will contain many jar files.

Troubleshooting the Operation

Check the log file for errors. The Secure Key Storage subsystem of SSOconnect will print an ERROR line to the log if it encounters a problem.
The error will be a variation of "Unable to use Secure Key Storage". This indicates one of the following problems:

Backup

The data folder contains the SSO Connect configuration files. At a minimum it should be backed up after initial configuration and each time the configuration is modified. In addition to the configuration files, there are data files in data but they will automatically be refreshed if they get out of synch with the Keeper server. Thus, regular periodic backups can be used but are not necessary. The data folder on each SSO Connect instance needs to be backed up independently because not all of the configuration settings are shared among instances.

On non-Windows machines the data folder is under the SSO Connect install folder, typically $HOME/sso_connect/data.

On Windows machines the data folder is in C:\ProgramData\Keeper SSO Connect\data\ since v14.1. Prior to v14.1 it was in C:\Program Files\Keeper Security\SSO Connect\data\.

Recovery

Server Failure

If the SSO Connect server dies you will need to reinstall Amazon HSM and SSO Connect on the replacement machine using the standard installation instructions above.

If you have backed up the data folder as described above, restore it before starting SSO Connect. If a data folder already exists (because you started SSO Connect), stop SSO Connect, remove all files in the data folder, copy the files from the backed-up data folder, and restart SSO Connect. SSO Connect should start successfully.

If you did not backup the data folder or if the backup is out-of-date you will need to configure the replacement instance as if it were a new installation. Please follow the SSO Connect installation guide.

HSM Failure

When using an HSM, the HSM stores the encryption key used to decrypt the configuration files in the data folder. The HSM is accessed once, when SSO Connect starts, and also any time the configuration is changed. If the configuration files are encrypted and the encryption key stored on the HSM is lost or inaccessible the SSO Connect instance will need to be configured again in order to create new, unencrypted configuration files. Delete the contents of the data folder and configure SSO Connect from scratch again.

You can disable HSM/SKS use by entering 'no' to the "Enable SKS?" configuration question, or by using the -disableSKS command-line option.

Update Instructions

Step by Step update instructions for SSO Connect On-Prem

Only perform these steps if you are experienced with the installation of SSO Connect On-Prem.

Step 1. Back up your Server

It is recommended that you take a snapshot / back up your server in case you need to revert. Please take the necessary precautions when upgrading the service to limit any risk of downtime.

Step 2. Screenshot the Current Config

Login to the Keeper SSO Connect service on your instance to check the current configuration. Windows: Double-click SSO Connect shortcut on desktop or open http://localhost:8080/config and Login as the Keeper Administrator. Linux: Open http://localhost:8080/config and Login as the Keeper Administrator.

Take a screenshot of the current configuration, and make note of the local bound IP and port. This will be used in Step 7.

Step 3. Download the SSO Connect Installer

The SSO Connect Installer can be found by logging into the Admin Console and clicking on the Download link under the "Provisioning" tab.

Step 4. Stop SSO Connect Service

Windows: Open Windows Services, search for Keeper and Stop the service.

Linux: Run systemctl stop ssoconnect to stop the service, or if you ran the SSO Connect service by hand or another way, you need to CTRL-C or kill the process.

Ensure that all processes are stopped.

Step 5. Check your Java

Check the version of Java running. If you running anything below Java 11, you need to uninstall all versions of Java on your system and then install Java 11.

You can obtain Java 11.0.12 for Windows using the link below:

Linux Java 11 install instructions depend on the platform.

Reboot is required after Java installation

Step 6. Install SSO Connect

Make sure you have the local bound IP and port written down from Step 2 because this information may be needed after re-install. Windows:

Unzip the KeeperSso.zip file
Run the unzipped .MSI installer.

If you are running SSO Connect version 14.1.0 or earlier on Windows, you will need to uninstall the previous versions of SSO Connect before running the new install.

Linux:

Navigate to your directory where SSO Connect is installed
Back up the folder
Delete all files and the services directories

Example:

If the service doesn't start, or the installation hangs, please follow these steps:

Uninstall all versions of Java that you have currently installed.
Install Java 11 per the instructions in Step 5 above.
Reboot after the install.

It is recommended to reboot the server after the installation.

Step 7. Start SSO Connect Service

Windows: The service should automatically start. It sometimes takes a few minutes. You can also start the Keeper SSO Connect service using the Services manager. Linux: Start the service as you normally do. If you followed our original guide, run systemctl start ssoconnect to start the service. Or, if you ran the process by hand, this could also be started as java -jar SSOConnect.jar. Make sure there is only one process running.

Step 8. Verify the SSO Connect Config

Windows: Double-click SSO Connect shortcut on the desktop or open http://localhost:8080/config and Login as the Keeper Administrator. Linux: Open http://localhost:8080/config and Login as the Keeper Administrator.

You may need to fill in the "Bound IP / Port" fields in the "configuration" screen then click "Save". If the private IP was required for your configuration, leaving this blank might prevent the service from starting up.

Step 9. Verify the Upgrade Version

You can now verify the version running by opening this URL in a browser (replace XXX and port with the advertised hostname and port), for example:

Ensure that the IP/Name and Port are accessible. If the service is active, you will get a JSON response as shown below:

Check that the "version" response contains the version which has been installed.

Step 10. Verify SSO Logins

Ensure that end-user SSO Login is successful through the Keeper Web Vault, Desktop or mobile applications.

Upgrade Complete!

Troubleshooting

Service Won't Start

Check the Java Version. SSO Connect requires Java 11.

Uninstall all versions of Java that you have currently installed.
Install Java 11 per the instructions in Step 5 above.
Reboot after the install.

400 Error

After upgrade, a few customers have experienced a 400 error when attempting to access the SSO Connect service status or to login with SSO. SSO Connect version 16.x and newer contains more strict security policies that enforce proper configuration.

Possible reasons for a 400 error:

SSL certificate loaded into SSO Connect has expired
SSL certificate subject name is mismatched with the front-end load balancer or reverse proxy configuration.
Ensure that the internal network communication between the load balancer or reverse proxy is using the fully qualified domain name (FQDN) as appears in the SSL certificate installed into SSO Connect.

Check the Log Files

Windows: The log files reside within a hidden system directory. This directory can be access by typing the following path into the File Explorer:

Linux: The logs are located with the sso_connect folder and varies depending on the base installation path:

Check the log files for any errors during startup. If there are not enough detailed logs, you can modify the file called log4j2.xml in the folder path and update the log level to Debug as seen below:

After changing to debug, starting the service again will generate additional logs. Be sure to change it back to "info" after the problem has been solved.

SAML Request/Response

On the left side of the SSO Connect interface is a button called "Show SAML debug". This screen will display the latest SAML transaction history, which should contain any errors from the IdP.

Integration with Gemalto HSM

Keeper SSO Connect optionally integrates with on-premise and cloud-based Gemalto HSM devices for key protection and storage.

Integration with Gemalto HSM

Keeper SSO Connect HSM Overview

On non-Windows machines the data folder is under the SSO Connect install folder, typically $HOME/sso_connect/data.

On Windows machines the data folder is in C:\ProgramData\Keeper SSO Connect\data\ since v14.1. Prior to v14.1 it was in C:\Program Files\Keeper Security\SSO Connect\data\.

Gemalto Luna HSM Instructions

HSM Requirements

The Gemalto HSM must be running Luna firmware 6.2 or higher.

Network Requirements

Port TCP/443 open, stateful outbound from Keeper SSO Connect to www.keepersecurity.com
Port TCP/22 open, stateful outbound from the HSM management terminal to the HSM system
Port TCP/22 open, inbound to the Keeper SSO Connect server for CLI configuration

Testing network access

Linux-specific requirements

CentOS 6 or 7 is preferred, but the software can run on Ubuntu with the following additions:

If /lib/ld-linux.so.2 exists, go to the next section

Install the Luna Client

The Luna client must be installed and properly configured before Keeper SSO Connect can use the Luna HSM.

Copy the LunaClient software to the SSO Connect server. The file usually has a name like LunaClient_7.3.0-165_Linux.tar.gz.
Login to the SSO Connect server.
Run the Luna Client installer:

Edit $JAVA_HOME/jre/lib/security/java.security
a. find the list of security providers.
b. add security.provider.10=com.safenetinc.luna.provider.LunaProvider.
c. Save the file.

Configure Luna access

Requirements

the IP address or hostname of the HSM machine.
The admin password (also known as the Security Officer password).
A unique string, such as the IP address of your current machine, or your name, etc.

Verify that the HSM is configured

Start the Luna Client:

Configure Keeper SSO Connect for HSM access

In addition to the normal SSO Connect configuration questions there are some HSM-specific questions as shown below.

Troubleshooting

Troubleshooting the Configuration

Verify that the server is appropriate. CentOS 6 or 7 is preferred. We do not support Windows at this time.
Verify that the Luna client is correctly installed on the server. Run the Luna client and login as the Crypto Officer to verify that you can successfully login and display the contents of the partition.
Verify that Java 1.8 or Java 11 is available.

Troubleshooting the Operation

Check the log file for errors. The Secure Key Storage subsystem of SSOconnect will print an ERROR line to the log if it encounters a problem.
The error will be a variation of "Unable to use Secure Key Storage". This indicates one of the following problems:

Backup

On non-Windows machines the data folder is under the SSO Connect install folder, typically $HOME/sso_connect/data.

On Windows machines the data folder is in C:\ProgramData\Keeper SSO Connect\data\ since v14.1. Prior to v14.1 it was in C:\Program Files\Keeper Security\SSO Connect\data\.

Recovery

Server Failure

If the SSO Connect server dies you will need to reinstall Luna and SSO Connect on the replacement machine using the normal installation instructions above.

HSM Failure

You can disable HSM/SKS use by entering 'no' to the "Enable SKS?" configuration question, or by using the -disableSKS command-line option.

Troubleshooting & FAQs

Resource for answering common questions and resolving errors.

During installation, the SSO Connect service hangs and doesn't start.

Please ensure that you have a compatible Java version installed. See the System Requirements page for supported Java versions. Please note you may need to uninstall all existing Java installations before installing a compatible version.

How to make changes to my SSO Connect configuration to update the SSL certificate or IdP metadata?

Follow the steps outlined on the page of this guide.

We use ADFS, and our SSO Connect is down.

ADFS signing certificates typically are only valid for a year. ADFS may automatically rotate to the most current certificate. This breaks the trust between Keeper SSO Connect and ADFS. A new FederationMetadata.xml file will need to be generated and uploaded to the Keeper SSO Connect to ensure operation (). We strongly recommend setting a reminder before the expiration of the certificate so this step can be performed to maintain operation.

Our IdP is ADFS, when my users exit Keeper they receive a logout error:

To prevent a logout error, change the SAML Logout Endpoint URL

In your ADFS manager server, go to the Relying Party Trusts properties for Keeper SSO Connect.
Under the Endpoints tab, edit the SAML Logout Endpoints and set the URL to: https://<YourADFSserverDomain>/adfs/ls/?wa=wsignout1.0

You can set a different URL if you want it to redirect to another page (like https://keepersecurity.com/vault) but we recommend the ADFS site because it notifies the user that they are logged off.

What information needs to be secured on the SSO Connect server?

There is a "data" folder created when SSO Connect starts up. This data folder is located in C:\ProgramData\Keeper SSO Connect\ on windows, and in the installation folder on Linux.

Inside the data directory there are several files. It is critical that access to this data folder is restricted. You can add an extra layer of security by utilizing an HSM (Hardware Security Module) as described in this document. When an HSM is available, an encryption key is generated for each SSO Connect instance and stored securely in the HSM. The encryption key is used to encrypt the property files in the data/ folder.

If you would like to send users a hyperlink directly to the SSO Login screen of the Web Vault, you can use the following format:

Replace xxxxx with the name of the Enterprise Domain that has been assigned in the Admin Console.

If you are hosted in the EU region, use keepersecurity.eu

If you are hosted in the AU region, use keepersecurity.com.au

If you are hosted in the US GOV region use govcloud.keepersecurity.us

Why don't you just bind the SSO service to all interfaces rather than require me to provide an IP?

The reason is that some customers have multi-homed servers and they do not want to bind to all interfaces for a number of reasons.

If an internal IP is required, why does SSO connect let me leave it blank?

The internal IP is not required. You can leave it blank if the hostname resolves via DNS to the same external IP or even internal IP for Intranet. We have customers who use SSO strictly internally and the FQDN resolves to the internal IP. So that field can be left blank. It depends on your setup.

When I set up an HA SSO Connect server, or recover my SSO Connect server configuration from the cloud sync, the private IP address is not there.

This is by design. The Private IP is unique to the local instance of the SSO Connect. If the Private IP from "Server1" was sync'd and when "Server2" authenticated and sync'd the SSO Connect Config, it would have the incorrect IP from "Server1". For this reason the Private IP of the 1st (on any other) SSO Connect server is not retained.

The SSO Connect service will be in a "Stopped" status if the Private IP address is needed and not configured.

When users authenticate via SSO they receive an error stating "invalid SAML response".

If nothing has changed in the IdP or within Keeper SSO Connect, the most likely culprit is the clock on the SSO Connect has changed and the system time is off by greater than 2 minutes. Older versions of SSO Connect will display this message when the time is off, but the latest version of SSO Connect will specifically give the error: "SAML Validation error: System time is off by > 2 min". It is recommended to have the SSO Connect Server clock to sync with NTP. Another potential cause of this error is if the metadata from the IdP is different than what is on the SSO Connect which causes the SAML certificates to be out of sync and there for untrusted.

Why can’t my non-SSO users change their master password?

When SSO Connect is enabled on a node, all the users in the node and sub-nodes are under an enforcement to prevent the changing of their master password. This is done to prevent SSO users from bypassing authentication through the IdP.

If a user is transitioned to SSO login, but desires to change their master password, they will need to be relocated to a node that doesn’t have the SSO enforcement.

If use of a master password in conjunction with SSO authentication is desired, follow the steps outlined in the Enterprise guide for vault offline access:

I have invited a user; why can’t they create their vault via SSO Connect?

When logging in for the first time the on-boarding process needs to occur on either the Web
or the Desktop application. The Browser Extensions do not facilitate the on-boarding process
of a new user, but will allow existing users to authenticate.

I am receiving the following error when a new user tries to connect for the first time: {“result_code”: ”does_not_exist”, ”message”: ”This user does not exist”}

There are two possible reasons for this error. The invited user is not in an SSO enabled node within the Admin Console or the email address in the IdP doesn’t match the email address of the invited user. For the first issue, move the user into the SSO Enabled node and have them try again. For the second issue, verify the SSO account uses the same email address as the invited user. If they are different, a new account with the email address from the IdP will be created.

I'm getting an error on Linux about writing to /tmp. How do I resolve?

On a Linux system /tmp must have exec privileges. If /tmp does not have exec privileges, execution of java -jar SSOConnect.jar
may show an exception similar to: java.lang.UnsatisfiedLinkError: /tmp/sqlite...
To resolve this, ensure that you have exec permission on /tmp with the command chmod a+x /tmp

Enterprises can have some users configured to natively login and other users configured to use SSO, separated by Node. The Keeper Admin Console also has a role policy which can allow SSO users to also create a Master Password for logging in offline.

How do I convert a federated user to a local user or put another way, disable SSO access and have the user log in natively (username/master password)?

In the admin console, move the user from the SSO enabled node to a node not under the enforcements of the SSO provisioning.
After the move, the user must perform an account recovery (logging in natively with an incorrect password) clicking the ‘Forgot Password’ link. The user will receive an account recovery code to the email address listed on their Keeper account. After inputting the code, the user will be required to have the security question and answer configured at the inception of the vault creation process. This will allow them to create a new master password.

If my email address changes on the IdP, and I authenticate with SSO, what do I need to do within Keeper?

Both the IdP and Keeper need to identify the same user based on their email address. So if email changes in one, but not the other, authentication will not work. It has to be a coordinated effort on both fronts.
From the Keeper side, only the user can change their email address. (Ensure the user is not part of a role based enforcement preventing email changes.) To change the email address in Keeper, click on Settings > General > Email Address - Reset Now.

If more than a few emails need to change at the same time, please contact support to coordinate this change.

If using Duo for 2FA, have user disable their 2FA prior to the email change. (Admin may have to change the role to temporarily allow no 2FA on the account). This because if the email changes outside of Keeper and the vault is still associated with the old email, it may not correspond to what is in Duo.

IE has difficulty handling cross-domain redirects due to their multiple security zones. IE requires security zone settings to be configured in order to work properly with SSO. These security zone settings can be pushed out by the admin or manually configured if allowed. See the section on for settings.

After I install SSO Connect, the configuration page comes up with a "Can't reach this page" at http://127.0.0.1:8080/config/.

If JRE has been installed and the server has been rebooted, this error is most like caused by a competing service like IIS listening to the port 8080. To alleviate the competition IIS can be uninstalled if not needed, or the port that SSO Connect uses for the configuration page can be changed.
Stop the SSO Connect service if running
Edit the instance.properties file located at:

Change the port of the admin_port. (i.e. 8081)
Restart the SSO Connect service and relaunch the admin page on the newly defined port. (i.e. http://127.0.0.1:8081/config/).

Where are the Keeper SSO Connect log files located?

On Microsoft Server installations, the log files reside within a hidden system directory. This directory can be access by typing the following path into the File Explorer:

On Linux distributions, the logs are located with the sso_connect folder and varies depending on the base installation path:

What's the process for upgrading SSO Connect to the latest version?

See the "" section of this document.

When my users log out of Keeper it logs them out of all SAML connected applications and the IdP.

To disable Single Logout (SLO), edit the IdP metadata file to remove the line found in the metadata that gets inputed into the Keeper SSO Connect Server: <md:SingleLogoutServiceBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://your-sso_connect:8443/sso-connect/saml/slo"/>

And re-import the file to the SSO Connect server.

Getting blank white screen or error when logging into Desktop App

If you're receiving a blank white or error message on the dialog when logging into Keeper with SSO, this means that you probably used an invalid or self-signed SSL certificate in your Keeper SSO Connect configuration.

The Keeper Desktop application and several devices & web browsers do not like self-signed certificates and will produce an error to users. Please re-configure your Keeper SSO Connect instance to use a proper signed SSL certificate (either a wildcard cert or domain-specific certificate). The SSL certificate must be signed by a trusted public certificate authority that is recognized by Chrome, Safari and other browsers.

If you're getting error messages like seen below.... it's likely that you are logged into Keeper in your Admin account or a different user account on another tab or window. If you are in the process of testing or setting up your SSO environment, it could get confusing if you're also logged into Keeper as the Admin.

To avoid these errors, we recommend logging into Keeper as the Admin using either another web browser (e.g. Firefox) or download the Keeper Desktop App and use that app while setting up your SSO environment.

G Suite (Google Workspace) Configuration

How to configure Keeper SSO Connect On-Prem with Google for seamless and secure SAML 2.0 authentication.

For a 100% cloud-based integration with Google Workspace, see Keeper SSO Connect Cloud

G Suite supports the following integration with Keeper:

SSO authentication with SAML 2.0
Automatic Provisioning with SCIM

You can configure SSO, SSO+SCIM or SCIM without SSO.

G Suite Setup

To access G Suite Admin Console, login to .

Visit the Apps screen.

Click on SAML apps

On the lower right click on the ( + ) button to create a SAML app.

Setup Keeper App

Search for Keeper and select the application.

IdP Information

On the Google IdP Information screen, download the IDP metadata and save it to your computer (Note: this is the file you need to drag & drop into the Keeper SSO Connect screen).

Service Provider Details

On the Service Provider Details screen, there are a few fields to fill out. You will replace the {host name] and {port} with the values that you'll be using from your SSO Connect instance.

Type in the ACS URL, Entity ID and select "Signed Response". For example, in the setup below, sso2.lurey.com is the host name and 8443 is the port.

You must also check the box for "Signed Response".

Attribute Mapping

In the Attribute Mapping screen, ensure that there are 3 mappings exactly as they appear below. Set the First, Last and Email fields to "First Name", "Last Name" and "Primary Email" as displayed below.

If you have selected a Custom App, you'll need to click on "Add New Mapping" to create the 3 fields: First, Last and Email. The spelling needs to be exact.

Select on FINISH and your G Suite setup is complete. You will be informed that you still need to import the IDP data on Keeper SSO Connect.

Enable SSO Connect

To enable Keeper SSO Connect, for your users, select the more button and enable:

Alternatively, you can click on the Keeper SAML app and Edit the service to configure specific groups that have access:

Import G Suite Metadata

Back on the Keeper SSO Connect application configuration screen, drag-and-drop the metadata file into the SAML Metadata section of Keeper SSO Connect:

Select on Save and verify that all of the parameters match your G Suite SAML connection screens.

Once you save, assuming that you have already configured the SSL certificate and other parameters, your Keeper SSO Connect instance should show as fully operational in the Status screen:

Note about Single Logout (SLO) Settings with Google G Suite

As of right now, G Suite does not support "Single Logout" at the application level. This means that users who explicitly Log Out of Keeper will also be logged out from their other Google services. Single Logout (SLO) is a feature of many identity providers which will logout the user from the specific application. Unfortunately Google doesn't support this yet.

If you want to prevent full SAML Logout from all SAML apps you should change the IDP type in the previous step to Default. Don't set it to Google, which will log you out of Gmail and all other Google apps on SAML Logout.

If you prefer that clicking "Logout" from Keeper does not log you out of Google, then simply change the SSO Connect configuration to select the "Default" provider instead of Google in the drop-down. However you should be aware of the consequences from a security perspective:

Keeper's session will be logged out, however logging back into the vault will not prompt the user to re-enter their Google login credentials while the browser's Google session is still active.

SSO Setup Complete!

Your Keeper SSO Connect setup with G Suite is now complete! Users can now login into Keeper using their Google account by following the below steps:

Open the Keeper vault and click on "Enterprise SSO Login".
Type in the Enterprise Domain that was provided to the Keeper Admin Console when setting up SSO. On the SSO Connect status screen it is called "SSO Connect Domain".
Click "Connect" and login with your G Suite credentials.

For the end-user experience (Keeper-initiated Login Flow) see the guide below:

End-user Video Tour for SSO Users is here:

Next, we'll show how to configure User Provisioning using SCIM.

User Provisioning with SCIM

User Provisioning provides several features for lifecycle management:

New users added to G Suite will be sent an email invitation to set up their Keeper vault
Users can be assigned to Keeper on a user or team basis
When a user is de-provisioned, their Keeper account will be automatically locked

Note: Google does not support Group provisioning to Keeper teams. When they implement this feature, this will allow the Keeper user to be placed into Teams that are synchronized between G Suite and Keeper.

From the Keeper Admin Console, go to the Provisioning tab for the G Suite node and click Add Method.

Select SCIM and click Next.

Click on "Create Provisioning Token"

The URL and Token displayed on the next screen will be provided to Google in the G Suite Admin Console. Save the URL and Token in a file somewhere temporarily and then click Save.

Make sure to save these two parameters (URL and Token) and then click Save or else provisioning will fail.

Back on the G Suite admin console, go to Home > Apps > SAML Apps and click on the "Provisioning Available" text of the Keeper app you set up.

Click on Set Up User Provisioning

Paste the provisioning token that was saved above into this next screen and click Next.

Paste the URL saved from above and paste into the endpoint URL field and click Next.

Leave the Map attributes to default settings and click Next.

If you would like to assign Keeper to a specific group, you can set the Provisioning Scope in the next screen. If you are using SSO, ensure that the groups with provisioning access are also assigned Keeper SSO access. Click Finish when complete.

Ignore this error message below, it's a Google bug.

Next, you can activate provisioning.

You may need to click "Activate Provisioning" to turn it on.

User Provisioning will display as ON.

User provisioning setup is complete. Moving forward, new users who have been configured to use Keeper in G Suite and are within the provisioning scope definitions will receive invites to Keeper and be under the control of G Suite.

User Provisioning without using SSO

If you would like to provision users to Keeper via G Suite SCIM provisioning, but you do NOT want to authenticate users via SSO, please follow the below instructions:

Using this guide, follow the steps of SSO configuration but use SSO url and Entity ID that point to a domain name which you control, but is not actually a live SSO Connect instance (e.g. null.mycompany.com)
Once Keeper application is set up in G Suite, turn on the automated provisioning method as described in this document.

Google Certificate Updates

Google's IdP x.509 certificates for signing SAML assertions are set to expire after 5 years. In the Google Workspace "Manage Certificates" section, you should make note of the expiration and ensure to set a calendar alert in the future to prevent an outage.

When the certificate is expiring soon, or if the certificate has expired, you can follow the instructions below.

Login to Google Workspace Admin Console:
Click on Apps then select Web and Mobile Apps.
Select Keeper app

For more information on this topic, see Google's support page:

SSO Connect On-Prem

Keeper SSO Connect On-Prem

hashtagSetup time: Up to 1 hour

Overview

System Requirements

hashtagSupported Server Platforms

hashtagJava Dependencies

hashtagServer Hardware Requirements

hashtagScalability and High Availability

hashtagHSM Integration (Optional)

hashtagNetwork Deployment Requirements

Installation and Setup

GUI Configuration

hashtagAccess the web interface

Running Keeper SSO Connect as a Service on Linux

hashtagTroubleshooting Linux

Identity Provider Setup

Centrify Configuration

hashtagCentrify

F5 Configuration

hashtagF5

JumpCloud Configuration

hashtagJumpCloud

hashtagUser Provisioning SSO+SCIM

Okta Configuration

hashtagOkta SSO Configuration

OneLogin Configuration

hashtagSetup:

Ping Identity Configuration

hashtagPing Identity

PingOne Configuration

hashtagPingOne

RSA SecurID Access

Generic SAML Configuration

High Availability (HA) Configuration

Upgrading SSO Connect On-Prem

hashtagStep by Step Instructions

hashtagNeed Help?

Updating On-Prem Config

Migrating to a new SSO Connect Server

Technical Support

Links and Resources

hashtagAdditional Security Details

Keeper SSO Connect On-Prem

hashtagSetup time: Up to 1 hour

Overview

Identity Provider Setup

Generic SAML Configuration

Installation and Setup

High Availability (HA) Configuration

RSA SecurID Access

Technical Support

hashtagSetup Steps

hashtagLinux

Updating On-Prem Config

hashtagKeeper Password Manager Integration Guides

System Requirements

hashtagSupported Server Platforms

hashtagJava Dependencies

hashtagServer Hardware Requirements

hashtagScalability and High Availability

hashtagHSM Integration (Optional)

hashtagNetwork Deployment Requirements

Running Keeper SSO Connect as a Service on Linux

hashtagTroubleshooting Linux

F5 Configuration

hashtagF5

Links and Resources

hashtagAdditional Security Details

PingOne Configuration

hashtagPingOne

Migrating to a new SSO Connect Server

Centrify Configuration

hashtagCentrify

OneLogin Configuration

hashtagSetup:

JumpCloud Configuration

hashtagJumpCloud

hashtagUser Provisioning SSO+SCIM

Upgrading SSO Connect On-Prem

Setup time: Up to 1 hour

Supported Server Platforms

Java Dependencies

Server Hardware Requirements

Scalability and High Availability

HSM Integration (Optional)

Network Deployment Requirements

Access the web interface

Troubleshooting Linux

Centrify

F5

JumpCloud

User Provisioning SSO+SCIM

Okta SSO Configuration

Setup:

Ping Identity

PingOne

Step by Step Instructions

Need Help?

Additional Security Details

Setup time: Up to 1 hour

Setup Steps

Linux

Keeper Password Manager Integration Guides

Supported Server Platforms

Java Dependencies

Server Hardware Requirements

Scalability and High Availability

HSM Integration (Optional)

Network Deployment Requirements

Troubleshooting Linux

F5

Additional Security Details

PingOne

Centrify

Setup:

JumpCloud

User Provisioning SSO+SCIM

Step by Step Instructions

Need Help?

Access the web interface

Okta SSO Configuration

Ping Identity

Configure through the web GUI via an SSH Tunnel

Configure SSO connect via the web console.

SSO Connect SSL Key and Certificate

IdP Metadata

Identity Provider Attribute Mappings

SSO Connect Status

Okta SCIM Provisioning

Azure

Edit Basic SAML Configuration

Edit User Attributes & Claims

Edit SAML Signing Certificate SAML

Obtain Metadata XML

Import the Azure Metadata

User Provisioning

Java Runtime

Overview

Download SSO Connect

Download Metadata Files and SSL Certificate

Installation - Windows

SSO Connect Web UI Configuration

SSO Connect SSL Key and Certificate

IdP Metadata

Identity Provider Attribute Mappings

SSO Connect Status

Restarting the Keeper SSO Connect Service on Windows

Prerequisites

Setting up Migration to SSO Connect Cloud

AWS SSO

Node Structure

Add a Node for SSO

Add SSO Connection

Enterprise Domain

Just-In-Time (JIT) Provisioning

Access Controls

Integration with AWS Cavium CloudHsmV2

Keeper SSO Connect HSM Overview

AWS Cavium CloudHsmV2 Instructions