Configuration of SSO Connect On-Prem with popular IdP platforms
Once you have installed Keeper SSO Connect On-Prem on a server in your environment, the next step is to configure SAML 2.0 authentication with your identity provider.
Keeper SSO Connect On-Prem can be integrated with any SAML 2.0 compliant identity provider. We have documented the steps for several popular platforms in the pages that follow.
Azure
Okta
Google Workspace
Microsoft AD FS
Ping Identity
OneLogin
JumpCloud
RSA SecurID Access
F5
Centrify
AWS SSO
If your Identity Provider is not listed here, don't worry. Keeper is compatible with all SAML 2.0 SSO identity providers. You can follow the step-by-step instructions of a similar provider in the list above; the setup flow will generally be the same.
(If you create a setup guide for your identity provider, please share it with us and we'll post it here!)
How to configure Keeper SSO Connect On-Prem with Microsoft AD FS for seamless and secure SAML 2.0 authentication.
For a 100% cloud-based integration with AD FS, see Keeper SSO Connect Cloud
Inside the AD FS Management application, locate the Federation Metadata XML file. This can be found by clicking on AD FS > Service > Endpoints, then locating the URL path in the "Metadata" section. The path is typically /FederationMetadata/2007-06/FederationMetadata.xml as seen below:
The metadata file can typically be downloaded by loading the URL in a browser on the server. For example: https://<your hostname>/FederationMetadata/2007-06/FederationMetadata.xml. Download this file and save it to the computer.
Import the FederationMetadata.xml file into Keeper SSO Connect’s configuration screen by dragging and dropping the file:
Select Save to save the configuration.
Please note: AD FS signing certificates are typically valid for only one year, and AD FS may automatically rotate to the most current certificate. This breaks the trust between Keeper SSO Connect and AD FS. A new FederationMetadata.xml file will need to be generated and uploaded to Keeper SSO Connect to ensure operation. We strongly recommend setting a reminder before the expiration of the certificate so this step can be performed to maintain operation.
Select the Export Metadata link on Keeper SSO Connect and copy the sso_connect.xml file to your IdP.
Create Keeper SSO Connect as a Relying Party Trust:
Import the Keeper Metadata that was exported previously from Keeper SSO Connect by completing the Relying Party Trust Wizard as seen in the steps below:
To prevent a logout error, change the SAML Logout Endpoints on the Relying Party Trust to: https://<YourADFSserverDomain>/adfs/ls/?wa=wsignout1.0
To map attributes between AD FS and Keeper, you need to create a Claim Issuance Policy with Send LDAP Attributes as Claims and map the LDAP attributes to Keeper Connect attributes.
Important: Ensure that 3 attributes ("First", "Last" and "Email") are configured with the exact spelling as seen above.
For Logout support we need to add two more Claim Issuance Policy rules:
To copy the syntax to add in the claims rule, copy the following text and paste it into the custom rule:
Incoming claim type: http://mycompany/internal/sessionid
Should I put my company's name in there? No, actually literally put "http://mycompany/internal/sessionid"
Outgoing claim type: Name ID
Outgoing name ID format: Transient Identifier
a. Open PowerShell as Administrator on the AD FS server.
b. Identify your SSO Connect Relying Party Trust "Identifier" string which you can obtain by running:
Running this command will generate a long list of output. Look for the SSO Connect section and its "Identifier" string. This string will look something like: https://xyx.company.com:8443/sso-connect
c. Run the below command, replacing <Identifier> with the string found in step (b).
If you run Get-ADFSRelyingPartyTrust again, you'll see that the SamlResponseSignature section is set to "MessageAndAssertion".
From the services manager, restart AD FS service.
SAML assertion signing must be configured properly on your AD FS environment. If signing has not been configured, you will need to set this up, then exchange metadata again between AD FS and Keeper SSO Connect after the re-configuration.
If, after setting up Keeper SSO Connect, a user gets "SSO is not configured (undefined)", a possible root cause is a missing or incorrect CRL configuration. A simple fix/workaround is to disable all Certificate Revocation Checks.
Possible Root Causes
Time skew
Ensure that Keeper Connect and the IdP have the same system time (within 1 second). Set NTP sync:
PS C:\Windows\system32>w32tm /config /syncfromflags:manual /manualpeerlist:0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org,0x8 /reliable:yes /update
Certificate Validation Failure
Verify the settings. Run PowerShell as Administrator and look at ADFSRelyingPartyTrust.
Follow the "SAML Signing Configuration" instructions above
If you need to disable certificate validation on the IdP for testing purposes or for internal PKI certificates, you can use the below PowerShell commands. Replace <Identifier> with the string found in the "SAML Signing Configuration" instructions above.
Note: Any changes made to signing configuration may require exchange of XML metadata between IdP and SSO Connect.
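The AD FS requirements above (attributes named exactly "First", "Last" and "Email", a signed response and assertion, and closely matched clocks) can be pre-checked on a SAML response captured during a test login. The following Python sketch is an added example, not Keeper's code: it only inspects structure and does not verify signatures cryptographically, the sample response is constructed, and the 1-second default tolerance is an assumption taken from the time-skew note.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REQUIRED_ATTRIBUTES = ("First", "Last", "Email")  # exact spelling, per the guide


def parse_instant(value):
    """Parse a UTC SAML instant, with or without fractional seconds."""
    value = value.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def check_response(xml_text, now, skew=timedelta(seconds=1)):
    """Return a list of findings for a decoded SAML Response (empty = none found).

    'skew' is an assumed tolerance; the real tolerance of the service provider
    is not stated on this page.
    """
    findings = []
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no unencrypted Assertion element in the Response"]

    # Look at direct children only, so a signature on the assertion is not
    # mistaken for a signature on the response.
    if root.find("ds:Signature", NS) is None:
        findings.append("Response is not signed")
    if assertion.find("ds:Signature", NS) is None:
        findings.append("Assertion is not signed")

    names = [a.get("Name") for a in
             assertion.findall("saml:AttributeStatement/saml:Attribute", NS)]
    for required in REQUIRED_ATTRIBUTES:
        if required in names:
            continue
        near = [n for n in names if n and n.strip().lower() == required.lower()]
        if near:
            findings.append(
                f"attribute {required!r} is sent as {near[0]!r}; spelling must be exact")
        else:
            findings.append(f"attribute {required!r} is missing")

    conditions = assertion.find("saml:Conditions", NS)
    if conditions is not None:
        not_before = conditions.get("NotBefore")
        not_on_or_after = conditions.get("NotOnOrAfter")
        if not_before and now + skew < parse_instant(not_before):
            findings.append("assertion not yet valid: SP clock is behind the IdP")
        if not_on_or_after and now - skew >= parse_instant(not_on_or_after):
            findings.append("assertion expired: SP clock is ahead of the IdP or the response is stale")
    return findings


def sample_response(attrs, signed_response=True, signed_assertion=True,
                    not_before="2024-05-01T10:00:00Z",
                    not_on_or_after="2024-05-01T10:05:00Z"):
    """Build a constructed response; the Signature element is an empty placeholder."""
    sig = '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>'
    attr_xml = "".join(
        f'<saml:Attribute Name="{n}"><saml:AttributeValue>x</saml:AttributeValue>'
        "</saml:Attribute>" for n in attrs)
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        f'{sig if signed_response else ""}'
        f'<saml:Assertion>{sig if signed_assertion else ""}'
        f'<saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}"/>'
        f"<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>"
        "</saml:Assertion></samlp:Response>"
    )


if __name__ == "__main__":
    now = datetime(2024, 5, 1, 10, 1, 0, tzinfo=timezone.utc)  # constructed clock
    misconfigured = sample_response(["first", "Last", "EmailAddress"],
                                    signed_response=False)
    for finding in check_response(misconfigured, now):
        print("FINDING:", finding)
```

An empty result only means the response has the expected shape; signature validation still happens in the service provider.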
How to configure Keeper SSO Connect On-Prem with Microsoft Entra ID / Azure AD for seamless and secure SAML 2.0 authentication.
For a 100% cloud-based integration with Azure, see Keeper SSO Connect Cloud
Go to your Azure Admin account at https://portal.azure.com and click on Azure Active Directory > Enterprise Applications.
If you already have a Keeper application set up for SCIM Provisioning, you can edit the existing application and should not create a new one.
If you have not set up Keeper in Azure yet, click on "New Application" then search for Keeper and select "Keeper Password Manager & Digital Vault". On the right side click "Add" to add the application.
After adding the application, click on the "Single Sign On" section and select the "SAML" option:
Click the pencil icon to edit the "Basic SAML Configuration".
Type in the Identifier, Reply URL and Sign on URL that apply to the URLs in your Keeper SSO Connect installation. Ignore the "Patterns" text.
Example Settings:
Identifier = https://xyz.domain.com:8443/sso-connect
Reply URL = https://xyz.domain.com:8443/sso-connect/saml/sso
Sign on URL = https://xyz.domain.com:8443/sso-connect/saml/login
(replace the domain and port according to your SSO Connect configuration)
Save the settings.
Under the User Attributes section, Azure will automatically create claims for User ID, First, Last and Email.
We recommend deleting the 4 claims in the "Additional Claims" section since they are not needed.
In your environment, if your user.userprincipalname (UPN) is not the same as the user's actual email address, you can edit the Email claim and change it to user.mail as the value for the Email attribute.
Under the SAML Signing Certificate section click Edit.
Select Create new certificate. Enter the expiration date and save.
After creating the certificate select Make new certificate active.
Select signing option "Sign SAML response and assertion" with SHA-256 signing method.
To complete the integration between Microsoft Azure and Keeper SSO Connect, you must retrieve the Metadata XML file and import this file into the Keeper SSO Connect screen. Select the Federation Metadata XML link:
This will download a file Keeper Password Manager & Digital Vault.xml to your computer. This file will need to be transferred to the server running Keeper SSO Connect for the next step.
Import the file saved in the previous step into Keeper SSO Connect’s configuration screen by dragging and dropping the file into the SAML Metadata section.
Don’t forget to select Azure as the Identity Provider Type.
If only specific users or groups will be assigned to Keeper Password Manager, the following setting will need to be changed. In your Azure console, navigate to Azure Active Directory > Enterprise Applications > Keeper Password Manager & Digital Vault and select Properties.
Change the User assignment required to Yes and then save. This will ensure only the users and groups assigned to the application will be able to use it.
On the Users and groups section select the users and/or groups that are to be provisioned to the Keeper application.
Your Keeper SSO Connect setup is now complete!
How to configure Keeper SSO Connect On-Prem with Amazon AWS SSO for seamless and secure SAML 2.0 authentication.
For a 100% cloud-based integration with AWS, see Keeper SSO Connect Cloud
Log into AWS and select AWS Single Sign-On.
On the SSO Dashboard, select Configure SSO access to your cloud applications.
On the Applications menu, select Add a new application.
Next, select Keeper Security and select Add.
Keeper is working with AWS to develop an Application Connector.
Fill in the Display name and Description (optional) in the application details section.
In the AWS SSO metadata section, select the download button to export the AWS SSO SAML metadata file. This file gets imported in the SSO Connect IdP Metadata section on the configuration screen.
Copy this file to the Keeper SSO Connect server and upload it into the Keeper SSO Connect interface by dragging and dropping the file into the Configuration screen: Select Save.
The remaining step on the Keeper SSO Connect Server is to download the Keeper sso_connect.xml metadata file and upload it to the AWS application. Select Export Metadata on the Keeper SSO Connect.
Import the sso_connect.xml file to the Application metadata section on the application configuration screen.
After saving changes, the success message "Configuration for Keeper Password Manager has been saved" will be displayed.
Note: The Keeper SSL certificate cannot be larger than 2048K or the below error will be received.
Either generate a smaller SSL certificate, re-export and import the metadata file, or manually set the ACS URL and Audience URL in the AWS SSO application configuration.
Next, ensure the Keeper application attributes that are to be mapped to AWS SSO are correct (these should be set by default). Select the Attribute mappings tab. The AWS string value is set to ${user:subject} and the format is blank or unspecified. The Keeper attributes are set as follows:
Keeper Attribute    AWS SSO String Value    Format
Email               ${user:email}           unspecified
First               ${user:givenName}       unspecified
Last                ${user:familyName}      unspecified
Note: If your AWS email is mapped to the AD UPN (which may not be the actual email address of your users) it can be re-mapped to the email address associated in the user's AD profile.
To make this change navigate to the Connect Directory on the AWS SSO page.
Select the Edit attribute mappings button.
Change the AWS SSO email attribute from ${dir:windowsUpn} to ${dir:email}.
Select the Assigned users tab and then the Assign users button to select users or groups to assign the application.
On the Assign Users window:
Select either Groups or Users
Type the name of a group or user
Select Search connect directory to initiate the search.
The results of the directory search will display under the search window.
Select the users/groups that are desired to have access to the application and then select the Assign users button.
Note: Keeper SSO Connect expects that the SAML response is signed. Ensure that your identity provider is configured to sign SAML responses.
Your Keeper SSO Connect setup is now complete!
How to configure Keeper SSO Connect On-Prem with Centrify for seamless and secure SAML 2.0 authentication.
For a 100% cloud-based integration with Centrify, see Keeper SSO Connect Cloud
Login to the Centrify Admin portal via the cloud login.
Switch to the Admin Portal from the pull down menu.
Close the Quick Start Wizard if it pops up. Select Apps from the menu then Add Web Apps.
On the Add Web Apps window, select the Custom tab and then scroll down and choose Add for SAML.
Select Yes to “Do you want to add this application?”.
Close the Add Web Apps Window.
The next step is to upload Keeper’s SSO Metadata to Centrify. In Keeper SSO Connect, export the Keeper SSO Connect metadata using the Export Metadata link and save this file for the next step.
In the SAML Application Settings section in Centrify, select Upload SP Metadata.
Select Upload SP Metadata from a file and browse for the KeeperSSOMetadata.xml file. Select Ok.
Download the Identity Provider SAML Metadata. This will be uploaded to Keeper SSO Connect.
On the Description section enter Keeper SSO Connect in the Application Name field and select Security in the Category field.
Download the Keeper logo. Select Select Logo and upload the Keeper logo (keeper60x60.png).
On the User Access section select the roles that can access the Keeper App:
Under the Account Mapping section, select "Use the following..." and input mail.
On the Advanced section, append the script to include the following lines of code:
The above script reads the display name from the User Account section. The FirstName attribute is parsed from the first string of DisplayName and the LastName attribute is parsed from the second string of DisplayName.
Select Save to finish the setup.
Upload the Identity Provider SAML Metadata file into the Keeper SSO Connect interface by dragging and dropping the file into the Setup screen:
Select Save. Your Keeper SSO Connect setup is now complete!
How to configure Keeper SSO Connect On-Prem with F5 BIG-IP APM for seamless and secure SAML 2.0 authentication.
For a 100% cloud-based integration with F5, see Keeper SSO Connect Cloud
On the F5 BIG-IP APM, configure a new SAML IdP service for your Keeper platform: Go to Access Policy -> SAML -> BIG-IP as IdP -> Local IdP services
Navigate to: Access Policy > SAML : BIG-IP as IdP - Local IdP Services. Select your applicable IdP connection point and "Export Metadata".
Upload this file to the server where Keeper SSO Connect is installed. We'll need it in the next step. Import the Metadata file extracted from F5 BIG-IP APM into SSO Connect.
Select Save to save the configuration and verify all settings look correct. Export the Keeper SSO Connect Metadata file for configuration of F5 BIG-IP APM from the Export Metadata link.
Your Keeper SSO Connect setup is now complete!
How to configure Keeper SSO Connect On-Prem with Google for seamless and secure SAML 2.0 authentication.
For a 100% cloud-based integration with Google Workspace, see Keeper SSO Connect Cloud
G Suite supports the following integration with Keeper:
SSO authentication with SAML 2.0
Automatic Provisioning with SCIM
You can configure SSO, SSO+SCIM or SCIM without SSO.
To access G Suite Admin Console, login to https://gsuite.google.com.
Visit the Apps screen.
Click on SAML apps
On the lower right click on the ( + ) button to create a SAML app.
Search for Keeper and select the application.
On the Google IdP Information screen, download the IDP metadata and save it to your computer (Note: this is the file you need to drag & drop into the Keeper SSO Connect screen).
On the Service Provider Details screen, there are a few fields to fill out. You will replace the {host name} and {port} with the values that you'll be using from your SSO Connect instance.
Type in the ACS URL, Entity ID and select "Signed Response". For example, in the setup below, sso2.lurey.com is the host name and 8443 is the port.
You must also check the box for "Signed Response".
In the Attribute Mapping screen, ensure that there are 3 mappings exactly as they appear below. Set the First, Last and Email fields to "First Name", "Last Name" and "Primary Email" as displayed below.
If you have selected a Custom App, you'll need to click on "Add New Mapping" to create the 3 fields: First, Last and Email. The spelling needs to be exact.
Select FINISH and your G Suite setup is complete. You will be informed that you still need to import the IDP data on Keeper SSO Connect.
To enable Keeper SSO Connect for your users, select the more button and enable:
Alternatively, you can click on the Keeper SAML app and Edit the service to configure specific groups that have access:
Back on the Keeper SSO Connect application configuration screen, drag-and-drop the metadata file into the SAML Metadata section of Keeper SSO Connect:
Select Save and verify that all of the parameters match your G Suite SAML connection screens.
Once you save, assuming that you have already configured the SSL certificate and other parameters, your Keeper SSO Connect instance should show as fully operational in the Status screen:
As of right now, G Suite does not support "Single Logout" at the application level. This means that users who explicitly Log Out of Keeper will also be logged out from their other Google services. Single Logout (SLO) is a feature of many identity providers which will logout the user from the specific application. Unfortunately Google doesn't support this yet.
If you want to prevent full SAML Logout from all SAML apps you should change the IDP type in the previous step to Default. Don't set it to Google, which will log you out of Gmail and all other Google apps on SAML Logout.
If you prefer that clicking "Logout" from Keeper does not log you out of Google, then simply change the SSO Connect configuration to select the "Default" provider instead of Google in the drop-down. However you should be aware of the consequences from a security perspective:
Keeper's session will be logged out, however logging back into the vault will not prompt the user to re-enter their Google login credentials while the browser's Google session is still active.
From a user perspective this is a more friendly, less disruptive flow
From a security perspective, be aware the Google account therefore controls the session handling of the Keeper vault on that user's browser.
Your Keeper SSO Connect setup with G Suite is now complete! Users can now log in to Keeper using their Google account by following the below steps:
Open the Keeper vault and click on "Enterprise SSO Login".
Type in the Enterprise Domain that was provided to the Keeper Admin Console when setting up SSO. On the SSO Connect status screen it is called "SSO Connect Domain".
Click "Connect" and login with your G Suite credentials.
For the end-user experience (Keeper-initiated Login Flow) see the guide below: https://docs.keeper.io/user-guides/enterprise-end-user-setup-sso#keeper-initiated-login-flow
End-user Video Tour for SSO Users is here: https://vimeo.com/329680541
Next, we'll show how to configure User Provisioning using SCIM.
User Provisioning provides several features for lifecycle management:
New users added to G Suite will be sent an email invitation to set up their Keeper vault
Users can be assigned to Keeper on a user or team basis
When a user is de-provisioned, their Keeper account will be automatically locked
Note: Google does not support Group provisioning to Keeper teams. When they implement this feature, this will allow the Keeper user to be placed into Teams that are synchronized between G Suite and Keeper.
From the Keeper Admin Console, go to the Provisioning tab for the G Suite node and click Add Method.
Select SCIM and click Next.
Click on "Create Provisioning Token"
The URL and Token displayed on the next screen will be provided to Google in the G Suite Admin Console. Save the URL and Token in a file somewhere temporarily and then click Save.
Make sure to save these two parameters (URL and Token) and then click Save or else provisioning will fail.
Back on the G Suite admin console, go to Home > Apps > SAML Apps and click on the "Provisioning Available" text of the Keeper app you set up.
Click on Set Up User Provisioning
Paste the provisioning token that was saved above into this next screen and click Next.
Paste the URL saved from above and paste into the endpoint URL field and click Next.
Leave the Map attributes to default settings and click Next.
If you would like to assign Keeper to a specific group, you can set the Provisioning Scope in the next screen. If you are using SSO, ensure that the groups with provisioning access are also assigned Keeper SSO access. Click Finish when complete.
Ignore this error message below, it's a Google bug.
Next, you can activate provisioning.
You may need to click "Activate Provisioning" to turn it on.
User Provisioning will display as ON.
User provisioning setup is complete. Moving forward, new users who have been configured to use Keeper in G Suite and are within the provisioning scope definitions will receive invites to Keeper and be under the control of G Suite.
If you would like to provision users to Keeper via G Suite SCIM provisioning, but you do NOT want to authenticate users via SSO, please follow the below instructions:
Using this guide, follow the steps of SSO configuration but use an SSO URL and Entity ID that point to a domain name which you control but which is not actually a live SSO Connect instance (e.g. null.mycompany.com).
Once Keeper application is set up in G Suite, turn on the automated provisioning method as described in this document.
Google's IdP X.509 certificates for signing SAML assertions are set to expire after 5 years. In the Google Workspace "Manage Certificates" section, make note of the expiration and set a calendar alert to prevent an outage.
When the certificate is expiring soon, or if the certificate has expired, you can follow the instructions below.
Login to Google Workspace Admin Console: https://admin.Google.com
Click on Apps then select Web and Mobile Apps.
Select Keeper app
Expand service provider
Click “Manage Certificates”
Click “ADD CERTIFICATE”
Click “DOWNLOAD METADATA”
Save the metadata file. This is the IdP metadata.
Login to the Keeper Admin Console
Navigate to Admin > SSO Node > Provisioning > Edit SSO Cloud provisioning method
Upload the Google IdP metadata into Keeper
For more information on this topic, see Google's support page:
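Both the AD FS note on signing-certificate rotation and the Google certificate renewal steps above come down to one question: does the metadata file that was imported into Keeper SSO Connect still carry the signing certificate the IdP currently publishes? The following Python sketch is an added example, not part of Keeper's tooling. It compares SHA-256 fingerprints of the signing certificates in two metadata files, using constructed sample metadata whose "certificates" are placeholder bytes.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def signing_fingerprints(metadata_xml):
    """Return the SHA-256 fingerprints of all IdP signing certificates."""
    root = ET.fromstring(metadata_xml)
    prints = set()
    for kd in root.findall(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute covers signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            prints.add(hashlib.sha256(der).hexdigest())
    return prints


def compare_metadata(imported_xml, current_xml):
    """Compare the file imported into SSO Connect with a fresh IdP download."""
    imported = signing_fingerprints(imported_xml)
    current = signing_fingerprints(current_xml)
    return {
        # In sync only if at least one certificate exists and both sets match.
        "in_sync": bool(imported) and imported == current,
        # Published by the IdP but unknown to SSO Connect: re-import metadata.
        "new_at_idp": sorted(current - imported),
        # Trusted by SSO Connect but no longer published by the IdP.
        "missing_at_idp": sorted(imported - current),
    }


def sample_metadata(cert_blobs):
    """Build constructed IdP metadata. The blobs are placeholders, not real X.509."""
    signing = "".join(
        '<KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
        f"<ds:X509Certificate>{base64.b64encode(b).decode()}</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></KeyDescriptor>"
        for b in cert_blobs
    )
    # An encryption key is included to show that it is ignored by the check.
    encryption = (
        '<KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>'
        f"<ds:X509Certificate>{base64.b64encode(b'constructed-enc').decode()}"
        "</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>"
    )
    return (
        '<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" '
        'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" '
        'entityID="https://idp.example.test/constructed">'
        '<IDPSSODescriptor '
        'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        f"{encryption}{signing}</IDPSSODescriptor></EntityDescriptor>"
    )


if __name__ == "__main__":
    imported = sample_metadata([b"constructed-old"])
    # During a rollover an IdP may publish the old and the new certificate.
    rollover = sample_metadata([b"constructed-old", b"constructed-new"])
    result = compare_metadata(imported, rollover)
    print("in sync:", result["in_sync"])
    print("new at IdP:", result["new_at_idp"])
    print("missing at IdP:", result["missing_at_idp"])
```

Run on a schedule against a freshly downloaded metadata file, a non-empty `new_at_idp` is the signal to export and re-import metadata before the IdP starts signing with the new certificate.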
How to configure Keeper SSO Connect On-Prem with JumpCloud for seamless and secure SAML 2.0 authentication.
For a 100% cloud-based integration with JumpCloud, see Keeper SSO Connect Cloud
JumpCloud instructions for setting up Single Sign On (SSO) with Keeper Security. As listed in the JumpCloud SSO Prerequisites a public certificate and a private key pair are required. Instructions can be found here:
https://jumpcloud.com/configure/keeper-and-sso-configuration/
Log into the JumpCloud Administrator console.
Select the Applications tab on the side menu.
Next, select the + icon in the upper left corner.
Search for Keeper in the Application list search bar. Select Configure on the Keeper Application.
Next, on Keeper Application connector page, enter the IDP ENTITY ID:
The IDP ENTITY ID is a unique, case-sensitive identifier used by JumpCloud for this Service Provider (SP). This value should match the value specified in the Entity ID field of the Keeper SSO Connect. Your domain name, SSO Connect server name or IP address are possible examples. Next, upload the IdP Private Key (private.pem file) and IDP Certificate (cert.pem file).
In the SP Entity ID field, enter the value found in the Entity ID field of the Service Provider Section from Keeper SSO Connect.
In the ACS URL field, enter the value found in the ACS URL field of the Service Provider Section from Keeper SSO Connect.
In the field terminating the IdP URL, either leave the default value or enter a plaintext string unique to this connector (e.g. keepersecurity).
In the Display Label field, enter a label that will appear under the Service Provider logo within the JumpCloud User console (e.g. Keeper Security).
Note: Keeper SSO Connect expects that the SAML response is signed. Ensure that JumpCloud is configured to sign SAML responses.
To complete the configuration, select the activate button.
The last step is to export the metadata from this connector so it can be imported into Keeper SSO Connect in Step 8.
Upload this file into the Keeper SSO Connect interface by dragging and dropping the file into the Setup screen:
Select Save. Your Keeper SSO Connect setup is now complete!
JumpCloud® supports Automated Provisioning with SCIM (System for Cross Domain Identity Management) which will update and deactivate Keeper user accounts as changes are made in JumpCloud®. Step-by-Step instructions can be found here, https://docs.keeper.io/enterprise-guide/user-and-team-provisioning/jumpcloud-provisioning-with-scim
How to configure Keeper SSO Connect On-Prem with Okta for seamless and secure SAML 2.0 authentication.
For a 100% cloud-based integration with Okta, see Keeper SSO Connect Cloud
Login to the Admin section of the Okta portal.
Select Admin
Select the Applications tab and select Applications.
Next, select the Add Application button.
In the application search field, type Keeper Password, and then select the Add button for the Keeper Password Manager and Digital Vault Application.
On the General Settings page, enter the Entity ID from your Keeper SSO Connect server (e.g. https://DOMAIN:8443/sso-connect where DOMAIN is the server name or IP address of your Keeper SSO Connect application). Then select the Done button.
Add users or groups on the Assignments page. (This step can be skipped and returned to after setup is complete.)
Next, select the Sign On tab.
Select the Edit button.
Next, check the Enable Single Logout setting and choose a certificate to upload.
This can be generated by following the Okta instructions.
After selecting, upload the certificate file (.crt) for the Keeper SSO Connect SSL instance endpoint.
After the file is successfully uploaded, select save at the bottom of the Sign On page.
The setting will be saved.
Scroll down to the SAML 2.0 configuration section, download the Identity Provider metadata file. Rename the file to metadata.xml. This will be used in Step 8.
The View Setup Instructions link provides additional setup instructions many of which are also found within this document.
Upload metadata.xml file into the Keeper SSO Connect interface by dragging and dropping the file into the Setup screen:
Select Save. Your Keeper SSO Connect setup is now complete!
To enable Okta SCIM user and group provisioning please follow the below guide:
How to configure Keeper SSO Connect On-Prem with OneLogin for seamless and secure SAML 2.0 authentication.
For a 100% cloud-based integration with OneLogin, see Keeper SSO Connect Cloud
Be sure to first perform the steps in the Admin Console Configuration section.
Login to the OneLogin portal.
Select Administration to enter the admin section.
From the OneLogin menu select Applications then Add App.
In the Search field, do a search for Keeper Password Manager and select it from the search result.
On the Add Keeper Manager screen click Save.
The next step is to download the SAML Metadata from OneLogin. Select the down arrow on the MORE ACTIONS button and select SAML Metadata.
The onelogin_metadata_######.xml file will download to the browser. Copy this file to the Keeper SSO Connect server interface.
On the OneLogin Configuration tab, type in the Assertion Consumer Service Endpoint from your Keeper SSO Connect server: (i.e. https://DOMAIN:8443/sso-connect/saml/sso where DOMAIN is the server name or IP address of your Keeper SSO Connect application) then click Save.
Back on the Keeper Provisioning tab, click on "Add Method" and select SCIM.
Click Generate then copy the URL and Token.
Paste the "URL" into the SCIM Base URL, and paste the "Token" into the SCIM Bearer Token then click Save.
Click Save on the Keeper Admin Console and the integration is complete.
How to configure Keeper SSO Connect On-Prem with Ping Identity for seamless and secure SAML 2.0 authentication.
For a 100% cloud-based integration with Ping, see Keeper SSO Connect Cloud
Login to the Ping Identity portal.
From the Ping Identity menu select Applications.
Then select Add Application and select New SAML Application.
On the Application Details page, add the following data:
Application Name: Keeper Password Manager
Application Detail: Password Manager and Digital Vault
Category: Compliance (or other)
Graphic: Upload the Keeper Graphic http://s3.amazonaws.com/keeper-email-images/common/keeper256x256.png
Then select Continue to Next Step.
The next step is to download the SAML Metadata from Ping Identity. Select the Download link next to SAML Metadata.
The saml2-metadata-idp.xml file will download to the browser. Copy this file to the Keeper SSO Connect server and upload it into the Keeper SSO Connect interface by dragging and dropping the file into the Setup screen: Select Save.
The remaining step on the Keeper SSO Connect Server is to download the KeeperSsoMetadata.xml file and upload it to the Ping Application configuration. Select Export Metadata on the Keeper SSO Connect.
Back on the Ping Identity application configuration, select the Select File button and choose the file KeeperSsoMetadata.xml.
Select Continue to Next Step.
The next step is to map the attributes. Select the Add new attribute button.
In attribute 1, type “First” in the Application Attribute column, select First Name in the Identity Bridge Attribute or Literal Value column, and check the Required button. Select the Add new attribute button.
In attribute 2, type "Last" in the Application Attribute column, select Last Name in the Identity Bridge Attribute or Literal Value column, and check the Required button. Select the Add new attribute button.
In attribute 3, type "Email" in the Application Attribute column, select Email in the Identity Bridge Attribute or Literal Value column, and check the Required button. Application Attributes: First, Last, Email must begin with a capital letter.
Select the Save & Publish button. Review the setup and then select the Finish button.
The Keeper Application should be added and enabled.
Important Note: In the Application Configuration section of your Ping Identity setup, ensure that the "Signing" section has "Sign Response" selected with "RSA_SHA256" as the Signing Algorithm.
Your Keeper SSO Connect setup is now complete!
How to configure Keeper SSO Connect On-Prem with PingOne for seamless and secure SAML 2.0 authentication.
Login to the PingOne Admin portal https://admin.pingone.com/
From the PingOne console menu, select Applications > Application Catalog
Search "Keeper" and click on the "Keeper Password Manager - On-Prem SSO" link to add the Keeper Password Manager application
Click Setup to proceed to the next step
Click "Continue to Next Step"
On the Keeper SSO Connect Windows server, download the KeeperSsoMetadata.xml file and save it in a safe location.
Select Export Metadata on the Keeper SSO Connect.
Back on the PingOne application configuration, select the Select File button and choose the file KeeperSsoMetadata.xml.
Then click on Choose File next to "Primary Verification Certificate" and upload a valid SSL certificate file.
Click Continue to Next Step
Enter the appropriate values associated with each attribute (see below image) and click Continue to Next Step
Modify the Name to appropriately match the Configuration Name of the SSO node from the Keeper Admin Console. Click Continue to Next Step.
You may choose to add PingOne user groups to your application. Click Add next to the group or groups you would like to add and click Continue to Next Step.
PingOne users will have access to Keeper Password Manager by default. Assigning groups to Keeper Password Manager restricts access to only those groups.
Click Download next to "SAML Metadata" and save the .xml file to a safe location.
Click Finish to complete the application setup wizard.
The saml2-metadata-idp.xml file will download to the browser. Copy this file to the Keeper SSO Connect server and upload it into the Keeper SSO Connect interface by dragging and dropping the file into the Setup screen: Select Save.
The Keeper Application should be added and enabled.
Important Note: In the Application Configuration section of your Ping Identity setup, ensure that the "Signing" section has "Sign Response" selected with "RSA_SHA256" as the Signing Algorithm.
Your Keeper SSO Connect setup is now complete!
How to configure Keeper SSO Connect On-Prem with RSA SecurID Access for seamless and secure SAML 2.0 authentication.
For a 100% cloud-based integration with RSA, see Keeper SSO Connect Cloud
Keeper Security is RSA SecurID Access Certified.
RSA SecurID Access integrates RSA Authentication Manager and their Cloud Authentication Service. In this setup Cloud Authentication Service can be used as an identity provider in conjunction with Keeper SSO Connect. Detailed documentation is provided on the RSA website via the links below.
Keeper is compatible with any SAML 2.0 identity provider. Please use the reference guides in this documentation for configuration. If you need assistance, contact us.