SSO Connect On-Prem Overview
Keeper SSO Connect is a SAML 2.0 application that leverages Keeper’s zero-knowledge security architecture to securely and seamlessly authenticate users into their Keeper Vault and dynamically provision users to the platform. Keeper SSO Connect works with popular SSO IdP platforms such as Okta, Microsoft Azure, Google G Suite, Microsoft ADFS, F5 BIG-IP APM, Centrify, OneLogin, Ping Identity, and CAS to provide businesses the utmost in authentication flexibility.
Keeper SSO Connect is a software application that is installed on the enterprise’s on-premise, private cloud, or public cloud infrastructure. All user encryption keys are managed by Keeper SSO Connect, providing the customer with full control over the keys that are used to encrypt end-user vaults.
The Keeper SSO Connect service application can be installed on a private on-premise or cloud-based server. Windows and Linux-based operating systems are supported.
Note: Keeper SSO Connect On-Prem can be installed on any instance or environment under the control of the Keeper Enterprise customer, to preserve zero-knowledge encryption.
On Microsoft Windows environments, the Keeper SSO Connect application runs as a standard Windows service. This ensures the service won't exit when anyone logs off the PC and that it starts automatically on reboot. On all platforms, SSO Connect can be configured for High Availability (HA): to ensure the service is always available, Keeper SSO Connect can be installed on multiple servers located behind a load balancer.
Keeper SSO Connect On-Prem / Customer Hosted Version
Keeper SSO Connect On-Prem provides seamless integration with your SAML 2.0 identity provider in a Zero-Knowledge security architecture.
This technical guide provides detailed information on how to deploy Keeper SSO Connect On-Prem in your public cloud, private cloud or on-prem environment and use the powerful features of the Keeper Enterprise platform.
For customers looking for a 100% cloud-based integration, see Keeper SSO Connect Cloud.
We recommend all new customers implement Keeper SSO Connect Cloud.
1. Configure the Keeper Admin Console for SSO Integration.
2. Download, install, and configure the Keeper SSO Connect Service on any private or public cloud instance(s) or on-prem if desired.
3. Configure the Keeper Application on the IdP.
Proceed to the next page for a more in-depth overview followed by the system requirements.
Steps to install and set up Keeper SSO Connect
The basic steps for setting up Keeper SSO Connect are listed below. Detailed instructions follow later in this guide.
In order to successfully complete the SSO Connect setup in the fastest possible time, please have the below items prepared:
Access to a Windows or Linux instance to run the service
Access to either a wildcard SSL certificate or ability to generate a new SSL cert for the endpoint (e.g. sso.mycompany.com)
Ability to configure https browser traffic from the end-user's browser to the service
Access to the Keeper Admin Console web interface
At least one non-SSO admin user with Bridge/SSO Admin permissions is required to log in to the SSO Connect server.
Once you have met the pre-requisites above, the setup steps are as follows:
Enable SSO Connect from the Keeper Admin Console
Install Keeper SSO Connect on your server (any cloud or on-prem Windows/Linux instance)
Configure Keeper SSO Connect with the Identity Provider
Initial installation of Keeper SSO Connect on a Linux instance
Java 11 runtime environment
Inbound port required for SAML communication from the end-user device/browser (defaults to port 8443). If users log in via the IdP from the public Internet, this port must be publicly reachable.
Outbound SSL port 443 opened to keepersecurity.com.
SSL private key (PKCS#12 or Java Keystore). During initial testing, a self-signed certificate is sufficient but users will receive a browser security warning.
FQDN assigned to the instance or to the load balancer.
Initial installation of Keeper SSO Connect can be performed on a single instance prior to being deployed in an HA environment. After the service is configured, the settings will automatically synchronize between load balanced instances. Make sure that the correct version of Java is installed and in your path. Java 1.7, Java 9, and Java 10 are NOT supported.
If Java is not found, please install it. For example:
Download and unzip the SSO Connect service:
Then start the Keeper SSO Connect service:
Now that the application is installed, you can configure SSO using the web browser GUI or through the command line. Configuration options are discussed in the next section.
Keeper SSO Connect requires a valid signed SSL certificate that has been signed by a public certificate authority. Self-signed certificates may work for testing however most client applications will fail to connect.
Please use OpenSSL v1.1.1 to generate your SSL certificates. There is a known compatibility issue between certificates generated on OpenSSL 3.0 and Java 11.
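As an added example (not Keeper's own tooling), the script below runs the preflight checks a Linux host should pass before the service is started: the Java major version is 11 or newer (Java 1.7, 9 and 10 are rejected), the keystore has one of the accepted extensions and can actually be opened by Java's keytool (a PKCS#12 written with OpenSSL 3.0 defaults fails that step on Java 11), and at least one name in the certificate covers the advertised hostname, the mismatch listed later among the reasons the status shows Stopped. It assumes the environment variables KEYSTORE, KEYSTORE_PASS and ADVERTISED_HOST, and that java and keytool are on PATH.

```shell
#!/bin/sh
# Preflight checks for a Keeper SSO Connect On-Prem Linux host (added example, not Keeper's tooling).
# Assumed inputs: KEYSTORE (path to a .pfx/.p12/.jks file), KEYSTORE_PASS, ADVERTISED_HOST.

# Major Java version from the first line of `java -version` (8 for "1.8.0_292", 11 for "11.0.20").
java_major() {
  ver=$(printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p')
  case "$ver" in
    1.*) printf '%s\n' "$ver" | cut -d. -f2 ;;
    *)   printf '%s\n' "$ver" | cut -d. -f1 ;;
  esac
}

# SSO Connect needs Java 11 or newer, so 1.7, 9 and 10 fail this check.
java_supported() { m=$(java_major "$1"); [ -n "$m" ] && [ "$m" -ge 11 ]; }

# Keystore type to hand to keytool, derived from the file extensions the guide accepts.
keystore_type() {
  case "$1" in *.pfx|*.p12) echo PKCS12 ;; *.jks) echo JKS ;; *) return 1 ;; esac
}

# True when certificate name $1 (exact, or a one-label wildcard such as *.domain.com) covers host $2.
cert_name_matches() {
  cert=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case "$cert" in
    "*."*) suffix=${cert#\*}; head=${host%"$suffix"}
           [ "$head" != "$host" ] && [ -n "$head" ] && [ "${head#*.}" = "$head" ] ;;
    *)     [ "$cert" = "$host" ] ;;
  esac
}

main() {
  java_supported "$(java -version 2>&1 | head -n 1)" || { echo "Java 11 or newer is required"; return 1; }
  type=$(keystore_type "$KEYSTORE") || { echo "keystore must be .pfx, .p12 or .jks"; return 1; }
  # keytool must open the file: a PKCS#12 written with OpenSSL 3.0 defaults fails here on Java 11.
  listing=$(keytool -list -v -keystore "$KEYSTORE" -storetype "$type" -storepass:env KEYSTORE_PASS) ||
    { echo "Java cannot read $KEYSTORE; regenerate it with OpenSSL 1.1.1"; return 1; }
  # Names the certificate covers: subject CN plus DNS SubjectAlternativeName entries (CA certs in the
  # chain also contribute a CN, which simply will not match the hostname).
  names=$(printf '%s\n' "$listing" | sed -n 's/^Owner: .*CN=\([^,]*\).*/\1/p; s/^ *DNSName: *//p')
  for n in $names; do
    cert_name_matches "$n" "$ADVERTISED_HOST" && { echo "OK: $n covers $ADVERTISED_HOST"; return 0; }
  done
  echo "No certificate name covers $ADVERTISED_HOST; use a *.domain wildcard or a cert for that host"
  return 1
}
if [ "${1:-}" = --run ]; then main; fi
```

Run it as `KEYSTORE=/path/sso.p12 KEYSTORE_PASS=... ADVERTISED_HOST=sso.mycompany.com sh preflight.sh --run` before starting the service.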
Installation and configuration of Keeper SSO Connect on Windows Server environments.
As described in the System Requirements page, the Java runtime is required to run Keeper SSO Connect. It can be installed by the admin or it can be optionally included in the Keeper installer. Make sure to install a compatible version of the Java runtime.
Keeper SSO Connect requires a valid signed SSL certificate that has been signed by a public certificate authority. Self-signed certificates may work for testing however most client applications will fail to connect.
You can obtain an SSL certificate from your web hosting company, or you can utilize one of the no-cost options available such as ZeroSSL. You can also have more control over the steps by using OpenSSL.
OpenSSL for Windows - https://slproweb.com/products/Win32OpenSSL.html
You can use the latest "Win32 OpenSSL Light" version.
To get the download link, in the Keeper admin console under provisioning (in your SSO node), add method "SSO Connect On-Prem".
After adding the provisioning, you will see a button to download Keeper SSO Connect.
Copy the downloaded file to the SSO Connect server.
Installation of SSO Connect requires the creation of an SSL certificate file that is utilized for the endpoint. Generate the SSL certificate and download the SSL certificate file (.pfx, .p12, or .jks) and your IdP's SAML XML metadata file to the server.
Extract the Keeper SSO Connect installer file.
Run KeeperSSOConnect as Administrator.
The new desktop icon "Keeper SSO Connect" will launch a browser for configuration (we recommend using Google Chrome to perform the initial setup).
If you receive an error connecting to the Keeper SSO Connect service, you need to reboot the server. Also, you need to ensure that your web browser is able to connect to keepersecurity.com over port 443. Keeper SSO Connect does not support the use of proxy servers or firewalls that perform SSL packet inspection.
Log in to the SSO Connect Web UI with a Keeper Administrator Master Password account by navigating to http://127.0.0.1:8080/config or by using the Keeper SSO Connect desktop icon.
In order to successfully log in to the SSO Connect Web UI, you must use a Keeper Administrator account that meets several requirements:
The account MUST be a Master Password Authentication account.
The account cannot live within the SSO provisioning node.
The account must be in an Administrative Role that has Manage Bridge/SSO permissions over the node.
Enter a Two Factor Authentication code if prompted.
Select the SSO Connection (Enterprise Domain).
Once you successfully authenticate Keeper SSO Connect to your Admin Console you will see the status tab:
Select the Configuration link to begin the setup.
Enter the Advertised Hostname or IP Address. This address is what the Keeper client applications navigate to in order to initiate the SSO authentication process. If installing Keeper SSO Connect in an HA (High Availability) configuration, this is the address that points to the load balancer. This address can be either an IP or a hostname.
Bound IP Address. This is the physical IP address of the NIC on the server. If a hostname is not used and if there is only one address associated with the server this entry will be the same as the Hostname or IP Address field.
In the example above, "sso-1.test-keeper.com" is the Advertised Hostname that gets routed to the local address 10.1.0.4. The Keeper SSO Connect service binds to the Private IP address.
The IP/Hostname must be accessible by users who will be accessing Keeper. You may need to update your firewall to allow access over the IP and port.
The Keeper SSO Connect service requires an SSL Certificate. It is recommended to use a proper SSL Certificate signed by a Certificate Authority (CA). The SSL cert can be one generated specifically for the SSO Connect server (hostname or IP address) or a wildcard certificate that matches your domain (*.yourcompany.com).
Self-signed certificates will generate security errors for your users on most browsers and mobile devices.
The certificate file type must be .pfx or .p12 for a PKCS 12 certificate, or .jks for a Java Key Store certificate. Most Certificate Authorities have instructions on their sites on how to convert to these file types if they did not initially issue these specific formats.
For assistance in generating a SSL certificate, please refer to the section on Creating a Certificate.
Note: SSL Certificates may expire annually or quarterly. Please set a reminder to renew your certificate prior to the expiration date to prevent unexpected outages.
For SSO Connect versions prior to 14.1.0, please enter the password in both fields.
Select your IdP provider. If your provider is not in the pull-down menu, select Default.
The next step is to upload the IdP SAML metadata file. This file can be downloaded from your IdP.
Attribute Mappings do not require any changes. Select Save.
Reasons the Status might be listed as Stopped:
Your SSL Certificate is missing or incorrect.
The hostname in the SSL certificate doesn’t match the hostname in SSO Connect. A wildcard SSL certificate can be used or you can use a certificate created for the specific hostname. (i.e. if your hostname is Keeper.DOMAIN.com your cert should be set up for *.DOMAIN.com).
By default, the "Use Certificate to Decrypt and Sign SAML Response/Request" option should be selected.
See the Appendix on creating a self-signed SSL cert if you need to create one for testing or troubleshooting your SSL certificate.
Keeper SSO Connect runs as a service on Windows. Closing the web interface does not stop the service. The service can be stopped and started from the Services MMC in Windows.
System Requirements for Keeper SSO Connect service
The Keeper SSO Connect is a lightweight service that can be installed on a private on-premise or cloud-based server. The application is hosted by the customer in order to preserve zero knowledge and provide compatibility with any SAML 2.0 compatible identity provider.
The following server platforms are currently supported:
Supported Windows Server versions:
Windows Server 2016 Datacenter
Windows Server 2016 Standard
Windows Server 2019 Standard
Windows Server 2019 Datacenter
Windows Server 2022 Standard
Windows Server 2022 Datacenter
Supported Linux versions:
Ubuntu 18+
CentOS 7+
Debian 9.8+
openSUSE Tumbleweed
openSUSE Leap 15.1+
Red Hat Enterprise Linux 6.8+
Supported Java versions:
Java 11+
Keeper SSO Connect requires at least Java 11. The installer for Windows provides the option to bundle the latest LTS Amazon Corretto 11 version. If you have a different version of Java installed, we recommend uninstalling that version and installing Java 11 before you proceed; otherwise the service may hang during installation.
You can obtain Java 11 from OpenJDK or Amazon Corretto.
OpenJDK project:
Amazon Corretto:
Note: A reboot is required after Java installation.
After the reboot, check the installed Java version:
1. Open an Administrator Command Prompt.
2. Type java -version.
3. Verify that the installed Java version is found.
If Java isn't recognized on the command line, follow the steps below.
Open 'Advanced system settings'.
Click Environment Variables. In the System variables section, find the PATH environment variable and select it. Click Edit. If the PATH environment variable does not exist, click New.
In the Edit System Variable (or New System Variable) window, specify the value of the PATH environment variable. Click OK. Close all remaining windows by clicking OK.
The following table outlines the minimum hardware requirements for each server.
The Keeper SSO Connect service on a single instance can handle thousands of simultaneous users.
However, both scalability and high availability can be achieved by placing a load balancer in front of a cluster of Keeper SSO Connect servers. The Keeper Cloud backend will take care of configuration synchronization. Changes applied to one server are automatically distributed to all servers in the same SSO node cluster. This includes the user database.
Further scalability, for example to scale to 100,000 users or more, can be achieved by splitting groups of users up into multiple SSO Connect domains. This will require creating separate SSO-enabled node(s) in the Keeper Admin Console and a separate SSO server or server cluster for each node.
SSO Connect can optionally be integrated with Amazon CloudHSM or Gemalto HSM solutions to protect the private encryption keys. The following HSM modules are currently supported:
The following network requirements apply to Keeper SSO Connect deployments.
Keeper SSO Connect connects outbound to the Keeper Cloud servers at keepersecurity.com (US) or keepersecurity.eu (EU customers) over TCP/443 (TLS 1.2); the connection is stateful.
End-user devices must connect to SSO Connect via the advertised public FQDN/IP and TCP port. For example, keepersso.mycompany.com.
The local server bind port and the external advertised connection port are configurable separately. In that scenario the ports need to be translated via a load balancer, a firewall or locally (e.g. iptables).
The external advertised TCP port configured in SSO Connect (default TCP/8443) needs to be allowed inbound into the network subnet where the SSO Connect servers are located. For example, if the service is running on Windows, use Windows Firewall to open the port to SSO Connect. 8443 is just the default; you can use any port.