How to configure Keeper SSO Connect Cloud with JumpCloud for seamless and secure SAML 2.0 authentication.

Please complete the steps in the Admin Console Configuration section first.


(1) Log into the JumpCloud Administrator console.

Select the SSO tab on the side menu.

(2) Next, select the + icon in the upper left corner.

On the "Get Started with SSO Application page, search for Keeper in the search bar. Select Configure on the Keeper Application.

(3) Next, on Keeper Application connector page, General Info section set the Display Label: Keeper Security Password Manager

On the Single Sign-On Configuration area, click the "Upload Metadata" button.

The Keeper metadata is available on the admin console. Go to the provisioning instance -> View -> Export Metadata

(4) After the metadata has been uploaded, head back to the JumpCloud SSO configuration page and input the Login URL as such https://keepersecurity.com/api/rest/sso/ext_login/<YourSSOIdHere>.

Your SSO ID can be found at the end of your SP Entity ID. Ex: https://keepersecurity.com/api/rest/sso/saml/459561502469

Complete the configuration by scrolling to the bottom of the page and select the activate button.

(5) Last step is to export the metadata from this connector to import it into the Keeper SSO Connect Cloud™.

Set the IDP Type to GENERIC and upload this file into the Keeper SSO Connect Cloud™ provisioning interface by dragging and dropping the file into the edit screen:

Your Keeper SSO Connect setup is now complete!

User Provisioning SSO+SCIM

JumpCloud® supports Automated User and Team Provisioning with SCIM (System for Cross Domain Identity Management) which will update and deactivate Keeper user accounts as changes are made in JumpCloud®. Step-by-Step instructions can be found here, https://docs.keeper.io/enterprise-guide/user-and-team-provisioning/jumpcloud-provisioning-with-scim

Move existing users/initial admin to SSO authentication

Users created in the root node (top level) will need to be migrated to the sub node that the SSO integration was configured on. If users remain in the root node, they will be prompted for the master password when accessing the vault and/or admin console.

An admin can not move themselves to the SSO enabled node. It requires another admin to perform this action.

After the user is moved to the SSO enabled node, they need to log into the Keeper vault initially by selecting the "Enterprise SSO" pull down and inputting in the Enterprise Domain configured on the SSO integration. The user may get prompted to confirm by entering in the master password.

Once the user has authenticated with SSO, they only need to use their email address moving forward to initiate SSO authentication.

They won't have to enter the Enterprise Domain. If typing in the email address and clicking Next does not route the user to the desired SSO, ensure that just-in-time provisioning is enabled in the Keeper SSO configuration and ensure that your email domain is reserved by Keeper. More information regarding routing and domain reservation can be found here.

Last updated