Resource for answering common questions and resolving errors.
Please ensure that you have a compatible Java version installed. See the System Requirements page for supported Java versions. Please note you may need to uninstall all existing Java installations before installing a compatible version.
Follow the steps outlined on the Updating the SSO Connect Configuration page of this guide.
ADFS signing certificates typically are only valid for a year. ADFS may automatically rotate to the most current certificate. This breaks the trust between Keeper SSO Connect and ADFS. A new FederationMetadata.xml file will need to be generated and uploaded to the Keeper SSO Connect to ensure operation (https://docs.keeper.io/sso-connect-guide/identity-provider-setup/ad-fs-configuration#obtain-federation-metadata-xml). We strongly recommend setting a reminder before the expiration of the certificate so this step can be performed to maintain operation.
To prevent a logout error, change the SAML Logout Endpoint URL
In your ADFS manager server, go to the Relying Party Trusts properties for Keeper SSO Connect.
Under the Endpoints tab, edit the SAML Logout Endpoints and set the URL to: https://<YourADFSserverDomain>/adfs/ls/?wa=wsignout1.0
There is a "data" folder created when SSO Connect starts up. This data folder is located in C:\ProgramData\Keeper SSO Connect\
on windows, and in the installation folder on Linux.
Inside the data directory there are several files. It is critical that access to this data folder is restricted. You can add an extra layer of security by utilizing an HSM (Hardware Security Module) as described in this document. When an HSM is available, an encryption key is generated for each SSO Connect instance and stored securely in the HSM. The encryption key is used to encrypt the property files in the data/
folder.
If you would like to send users a hyperlink directly to the SSO Login screen of the Web Vault, you can use the following format:
Replace xxxxx with the name of the Enterprise Domain that has been assigned in the Admin Console.
If you are hosted in the EU region, use keepersecurity.eu
If you are hosted in the AU region, use keepersecurity.com.au
If you are hosted in the US GOV region use govcloud.keepersecurity.us
The reason is that some customers have multi-homed servers and they do not want to bind to all interfaces for a number of reasons.
The internal IP is not required. You can leave it blank if the hostname resolves via DNS to the same external IP or even internal IP for Intranet. We have customers who use SSO strictly internally and the FQDN resolves to the internal IP. So that field can be left blank. It depends on your setup.
This is by design. The Private IP is unique to the local instance of the SSO Connect. If the Private IP from "Server1" was sync'd and when "Server2" authenticated and sync'd the SSO Connect Config, it would have the incorrect IP from "Server1". For this reason the Private IP of the 1st (on any other) SSO Connect server is not retained.
The SSO Connect service will be in a "Stopped" status if the Private IP address is needed and not configured.
If nothing has changed in the IdP or within Keeper SSO Connect, the most likely culprit is the clock on the SSO Connect has changed and the system time is off by greater than 2 minutes. Older versions of SSO Connect will display this message when the time is off, but the latest version of SSO Connect will specifically give the error: "SAML Validation error: System time is off by > 2 min". It is recommended to have the SSO Connect Server clock to sync with NTP. Another potential cause of this error is if the metadata from the IdP is different than what is on the SSO Connect which causes the SAML certificates to be out of sync and there for untrusted.
When SSO Connect is enabled on a node, all the users in the node and sub-nodes are under an enforcement to prevent the changing of their master password. This is done to prevent SSO users from bypassing authentication through the IdP.
If a user is transitioned to SSO login, but desires to change their master password, they will need to be relocated to a node that doesn’t have the SSO enforcement.
If use of a master password in conjunction with SSO authentication is desired, follow the steps outlined in the Enterprise guide for vault offline access: https://docs.keeper.io/enterprise-guide/vault-offline-access
When logging in for the first time the on-boarding process needs to occur on either the Web
or the Desktop application. The Browser Extensions do not facilitate the on-boarding process
of a new user, but will allow existing users to authenticate.
There are two possible reasons for this error. The invited user is not in an SSO enabled node within the Admin Console or the email address in the IdP doesn’t match the email address of the invited user. For the first issue, move the user into the SSO Enabled node and have them try again. For the second issue, verify the SSO account uses the same email address as the invited user. If they are different, a new account with the email address from the IdP will be created.
On a Linux system /tmp
must have exec privileges. If /tmp
does not have exec privileges, execution of java -jar SSOConnect.jar
may show an exception similar to: java.lang.UnsatisfiedLinkError: /tmp/sqlite...
To resolve this, ensure that you have exec permission on /tmp
with the command chmod a+x /tmp
.
Enterprises can have some users configured to natively login and other users configured to use SSO, separated by Node. The Keeper Admin Console also has a role policy which can allow SSO users to also create a Master Password for logging in offline.
In the admin console, move the user from the SSO enabled node to a node not under the enforcements of the SSO provisioning.
After the move, the user must perform an account recovery (logging in natively with an incorrect password) clicking the ‘Forgot Password’ link. The user will receive an account recovery code to the email address listed on their Keeper account. After inputting the code, the user will be required to have the security question and answer configured at the inception of the vault creation process. This will allow them to create a new master password.
Both the IdP and Keeper need to identify the same user based on their email address. So if email changes in one, but not the other, authentication will not work. It has to be a coordinated effort on both fronts.
From the Keeper side, only the user can change their email address. (Ensure the user is not part of a role based enforcement preventing email changes.) To change the email address in Keeper, click on Settings > General > Email Address - Reset Now
.
The user will be prompted via email to confirm the change.
Once the user has changed their email, ensure the SSO IdP email has been changed.
After the address change is made, the administrator will need to perform a sync on the SSO Connect Server.
If more than a few emails need to change at the same time, please contact support to coordinate this change.
If using Duo for 2FA, have user disable their 2FA prior to the email change. (Admin may have to change the role to temporarily allow no 2FA on the account). This because if the email changes outside of Keeper and the vault is still associated with the old email, it may not correspond to what is in Duo.
IE has difficulty handling cross-domain redirects due to their multiple security zones. IE requires security zone settings to be configured in order to work properly with SSO. These security zone settings can be pushed out by the admin or manually configured if allowed. See the section on Trusted Sites Policy for settings.
If JRE has been installed and the server has been rebooted, this error is most like caused by a competing service like IIS listening to the port 8080. To alleviate the competition IIS can be uninstalled if not needed, or the port that SSO Connect uses for the configuration page can be changed.
Stop the SSO Connect service if running
Edit the instance.properties file located at:
Change the port of the admin_port. (i.e. 8081)
Restart the SSO Connect service and relaunch the admin page on the newly defined port. (i.e. http://127.0.0.1:8081/config/).
Where are the Keeper SSO Connect log files located?
On Microsoft Server installations, the log files reside within a hidden system directory. This directory can be access by typing the following path into the File Explorer:
On Linux distributions, the logs are located with the sso_connect folder and varies depending on the base installation path:
See the "Upgrading SSO Connect" section of this document.
To disable Single Logout (SLO), edit the IdP metadata file to remove the line found in the metadata that gets inputed into the Keeper SSO Connect Server: <md:SingleLogoutServiceBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://your-sso_connect:8443/sso-connect/saml/slo"/>
And re-import the file to the SSO Connect server.
If you're receiving a blank white or error message on the dialog when logging into Keeper with SSO, this means that you probably used an invalid or self-signed SSL certificate in your Keeper SSO Connect configuration.
The Keeper Desktop application and several devices & web browsers do not like self-signed certificates and will produce an error to users. Please re-configure your Keeper SSO Connect instance to use a proper signed SSL certificate (either a wildcard cert or domain-specific certificate). The SSL certificate must be signed by a trusted public certificate authority that is recognized by Chrome, Safari and other browsers.
If you're getting error messages like seen below.... it's likely that you are logged into Keeper in your Admin account or a different user account on another tab or window. If you are in the process of testing or setting up your SSO environment, it could get confusing if you're also logged into Keeper as the Admin.
To avoid these errors, we recommend logging into Keeper as the Admin using either another web browser (e.g. Firefox) or download the Keeper Desktop App and use that app while setting up your SSO environment.