How to configure Keeper SSO Connect Cloud with HENNGE for seamless and secure SAML 2.0 authentication.

Please complete the steps in the Admin Console Configuration section first.

HENNGE SSO Configuration

(1) Log into the HENNGE Administrator console.

Click the Administration tile on the menu.

(2) Next, select the Connected Services menu item and click Add Service.

On the "Add New Service" page, click Add Service Manually in the "Add Service for SSO" menu.

(3) Set the Service name to “Keeper Password Manager and Digital Vault” or whatever you prefer, add the Attributes Email claim with the value "UserPrincipalName (UPN)", then click the Submit button.

If, in your environment, user.userprincipalname (UPN) is not the same as the user's actual email address, you can edit the Email claim and change the value of the Email attribute to user.mail.

You can now see all the values required for the Keeper-side configuration in Step (5). Click the X at the top right and leave this page for now.

In the Connected Services menu area, click the service name you created and then click the "Upload Using Metadata" button.

The Keeper metadata is available in the Admin Console. Go to the provisioning instance -> View -> Export Metadata.

(4) After the metadata has been uploaded, go back to the HENNGE Connected Service configuration page and enter the Login URL in the form https://keepersecurity.com/api/rest/sso/ext_login/<YourSSOIdHere>.

Your SSO ID can be found at the end of your SP Entity ID. Example: https://keepersecurity.com/api/rest/sso/saml/3534758084794

Complete the configuration by scrolling to the bottom of the page and selecting the Save Changes button.

(5) The last step is to export the metadata from this connector and import it into Keeper SSO Connect Cloud™.

Set the IDP Type to GENERIC and upload this file into the Keeper SSO Connect Cloud™ provisioning interface by dragging and dropping the file into the edit screen.
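The Login URL in step (4) is typed by hand, so it is worth checking it against the SP Entity ID in the metadata exported from Keeper. The following is an added example, not Keeper or HENNGE code: the function names and the sample metadata are constructed, and it assumes the SSO ID is numeric (as in the example above) and that the Login URL uses the same host as the SP Entity ID.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = "{urn:oasis:names:tc:SAML:2.0:metadata}"
SP_PATH = "/api/rest/sso/saml/"          # SP Entity ID path shown on this page
LOGIN_PATH = "/api/rest/sso/ext_login/"  # Login URL path shown on this page

# Constructed sample standing in for the file produced by Export Metadata.
SAMPLE_METADATA = b"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://keepersecurity.com/api/rest/sso/saml/3534758084794">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""


def sp_entity_id(metadata: bytes) -> str:
    """Return the entityID of the single SP EntityDescriptor in the metadata."""
    # SAML metadata never needs a DTD; refuse it instead of parsing entities.
    if b"<!DOCTYPE" in metadata or b"<!ENTITY" in metadata:
        raise ValueError("metadata contains a DTD")
    root = ET.fromstring(metadata)
    tag = MD_NS + "EntityDescriptor"
    entities = [root] if root.tag == tag else root.findall(".//" + tag)
    sps = [e for e in entities if e.find(MD_NS + "SPSSODescriptor") is not None]
    if len(sps) != 1:
        raise ValueError("expected exactly one SP EntityDescriptor")
    return sps[0].get("entityID", "")


def login_url_from_entity_id(entity_id: str) -> str:
    """Build the Login URL from the SSO ID at the end of the SP Entity ID."""
    parts = urlsplit(entity_id)
    if parts.scheme != "https" or parts.netloc.lower() != parts.hostname:
        raise ValueError("SP Entity ID must be a plain https URL")
    if not parts.path.startswith(SP_PATH) or parts.query or parts.fragment:
        raise ValueError("unexpected SP Entity ID format")
    sso_id = parts.path[len(SP_PATH):]
    # Assumption: the SSO ID is all digits, as in the page's example.
    if not re.fullmatch(r"[0-9]+", sso_id):
        raise ValueError("SSO ID is not numeric")
    # Assumption: the Login URL lives on the same host as the SP Entity ID.
    return f"https://{parts.hostname}{LOGIN_PATH}{sso_id}"


def check_login_url(metadata: bytes, configured: str) -> bool:
    """True if the Login URL entered in HENNGE matches the Keeper metadata."""
    return configured.strip() == login_url_from_entity_id(sp_entity_id(metadata))
```

Read the exported file as bytes and pass it with the Login URL you entered in HENNGE to check_login_url; a False result means the SSO ID in the URL does not match the provisioning instance the metadata came from.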

Assign Users

From HENNGE, you can now add users in the Access Policy section on the User list page, or groups in the Allowed services section on the Access Policy Groups page.

Your Keeper SSO Connect setup is now complete!

Move existing users/initial admin to SSO authentication

Users created in the root node (top level) will need to be migrated to the sub node that the SSO integration was configured on. If users remain in the root node, they will be prompted for the master password when accessing the vault and/or admin console.

An admin cannot move themselves to the SSO-enabled node. Another admin must perform this action.

After the user is moved to the SSO-enabled node, they need to log into the Keeper vault initially by selecting the "Enterprise SSO" pull-down and entering the Enterprise Domain configured on the SSO integration. The user may be prompted to confirm by entering the master password.

Once the user has authenticated with SSO, they only need to use their email address moving forward to initiate SSO authentication.

They won't have to enter the Enterprise Domain. If typing in the email address and clicking Next does not route the user to the desired SSO, ensure that just-in-time provisioning is enabled in the Keeper SSO configuration and ensure that your email domain is reserved by Keeper. More information regarding routing and domain reservation can be found here.
