Other SAML 2.0 Providers

How to configure Keeper SSO Connect Cloud with your SSO Identity Provider for seamless and secure SAML 2.0 authentication.

Please complete the steps in the Admin Console Configuration section first.

Keeper is compatible with any SAML 2.0 SSO Identity Provider (IdP). If your identity provider is not in our list, you can follow the steps in this guide to complete the configuration. Keeper is a Service Provider (SP) in this configuration.

Step 1: Configure your Identity Provider

You'll need to provide some information about Keeper SSO Connect Cloud to your Identity Provider application such as:

  • Entity ID

  • IDP Initiated Login

  • Assertion Consumer Service (ACS) Endpoint

  • Single Logout Service (SLO) Endpoint

  • SP Metadata file or the Keeper SP Certificate file.

To obtain this information, locate your SSO Connect Cloud Provisioning method within the Keeper Admin Console, and select View. From there you have access to download the Keeper metadata file, service provider (SP) certificate file as well as the direct URLs and configuration information (if your identity provider application does not support uploading of the metadata file).

Refer to your identity provider application configuration guide for instructions on how to upload service provider metadata and or manually inputting the required SAML response configuration fields.

Step 2: Obtain your IdP Metadata

To import your IdP Metadata into Keeper, you will need to have a properly formatted metadata file. If your SSO Identity Provider Application has the ability to export its metadata file, this would be the most expedient and preferred method to import your metadata into your Keeper SSO Connect Cloud Provisioning method.

If you do not have the ability to export / download your metadata file from your identity provider, please create a properly formatted metadata file. Refer to your SSO application's configuration guide for instructions.

Below is an example / template of what a simple identity provider metadata.xml file, against Keeper SSO Connect Cloud should look like. If you need to use this example / template to get you started, please Copy, Paste, Modify and add any other fields, in accordance to your IdP information, in your preferred .xml or .txt editor.

Please DO NOT remove any fields as this example contains the minimum required fields to connect your SSO application to Keeper.

<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor entityID="MySSOApp" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" WantAuthnRequestsSigned="true">
        <md:KeyDescriptor use="signing">
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <md:SingleSignOnService Location="https://sso.mycompany.com/saml2/keepersecurity"
        <md:SingleSignOnService Location="https://sso.mycompany.com/saml2/keepersecurity"




This is the Entity ID, sometimes referred to as "Issuer", and the unique name for your IdP application.


This is the X509 Certificate, used by Keeper, to validate the signature on the SAML response sent by your Identity Provider.


This Defines the name identifier format used when logging into Keeper. Keeper supports the following types of identifiers.




SingleSignOnService "POST"

This is your identity provider's "POST" binding used as a response to a request from Keeper.

SingleSignOnService "Redirect"

This is your identity provider's "Redirect" binding used as a response to a request from Keeper.

Step 3: Map User Attributes

Keeper requires that you map specific User Attributes to be sent during authentication. Default Keeper SSO Connect Cloud User Attributes are Email, First and Last, as outlined in the table below. Ensure your identity provider's User Attributes are lined up with Keeper's attributes. Refer to your Identity Provider's configuration guide for instructions.

Your IdP User Attributes

Keeper User Attributes

<Email Address>


<First Name>


<Last Name>


Step 4: Upload IdP Metadata to Keeper

Once you have completed creating your identity provider metadata file, or if you have downloaded the identity provider metadata file, head back to the Keeper Admin console, locate your SSO Connect Cloud Provisioning method and select Edit.

Scroll down to the Identity Provider section, set IDP Type to GENERIC, select Browse Files and select the Metadata file you created.

Still within the Keeper Admin Console, exit the Edit View and select View on your SSO Connect Cloud Provisioning method. Within the Identity Provider section you will find the metadata values for the Entity ID, Single Sign On Service and Single Logout Service Endpoint that are now populated.

Graphic Assets

If your identity provider requires an icon or logo file for the application, please see the Graphic Assets page.

Success! Your Keeper Security SSO Cloud setup is now complete! You may now try logging into Keeper with SSO.

If you find that your application is not functional, please review your identity provider application settings and review your metadata file and user attributes for any errors.

Once complete, repeat Step 4.

If you need assistance, please email enterprise.support@keepersecurity.com.

Move existing users/initial admin to SSO authentication

Users created in the root node (top level) will need to be migrated to the sub node that the SSO integration was configured on. If users remain in the root node, they will be prompted for the master password when accessing the vault and/or admin console.

An admin can not move themselves to the SSO enabled node. It requires another admin to perform this action.

After the user is moved to the SSO enabled node, they need to log into the Keeper vault initially by selecting the "Enterprise SSO" pull down and inputting in the Enterprise Domain configured on the SSO integration. The user may get prompted to confirm by entering in the master password.

Once the user has authenticated with SSO, they only need to use their email address moving forward to initiate SSO authentication.

They won't have to enter the Enterprise Domain. If typing in the email address and clicking Next does not route the user to the desired SSO, ensure that just-in-time provisioning is enabled in the Keeper SSO configuration and ensure that your email domain is reserved by Keeper. More information regarding routing and domain reservation can be found here.

Last updated