SSO - JIT (Just in Time) Provisioning and Authentication
Keeper supports JIT automatic provisioning and seamless authentication using SAML 2.0.
Keeper SSO Connect™ Cloud leverages Keeper's zero-knowledge security architecture to securely and seamlessly authenticate users into their Keeper Vault and to provision user vaults on the platform dynamically. Keeper supports the major SAML 2.0 identity providers, including Okta, Microsoft Azure, Google G Suite, Centrify, OneLogin, Ping Identity, JumpCloud and others.
SSO Connect Cloud Architecture
Keeper SSO Connect™ On-Prem is a SAML 2.0 compatible Service Provider (SP) application that allows Keeper Business customers to log in to their Keeper Vault using their existing identity provider (IdP). It complies with Keeper's zero-knowledge security architecture while giving enterprise customers seamless SSO login to the vault. Keeper SSO Connect is a software service installed on the enterprise customer's on-premises, private or cloud servers. Users' account master passwords are generated dynamically by Keeper SSO Connect, so no user ever chooses or knows one. The users' encryption keys are generated and encrypted by the Keeper SSO Connect service, and can be further protected with an on-premises HSM.
When Just-in-Time (JIT) provisioning is enabled, Keeper automatically creates the user's vault on demand and grants access to any user who has been assigned to the Keeper application in your identity provider. We recommend enabling this option by default. If you are provisioning users through the on-prem Keeper AD Bridge, disable this option so that the two provisioning paths do not overlap.
Keeper integrates out of the box with the major SSO IdPs, including Microsoft AD FS, Azure, Okta, G Suite, OneLogin, Centrify, Ping Identity, F5, JumpCloud, AWS and more. Keeper SSO Connect supports high-availability configurations and integration with Gemalto HSMs for enhanced key protection.
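The two paragraphs above describe what the SP side of a SAML JIT flow has to do: accept an assertion from the IdP and, if it is valid, create the user's vault on first login and simply open it on later logins. The following is an added example, not Keeper's code, of that decision logic in Python with the standard library only. It assumes the SAML library has already verified the XML signature and that the IdP asserts the user's e-mail as the NameID; the SP entity ID, the role name and the sample assertions are constructed for the example. It goes a little beyond the text by also showing three rejections a practitioner should expect the SP to make before provisioning anything: an expired assertion, an assertion issued for a different SP (audience mismatch), and a replayed assertion ID.

```python
"""Illustrative SAML 2.0 Service Provider: condition checks followed by JIT provisioning.

Added example, not Keeper's code. XML signature verification is assumed to have
happened before consume() is called; this shows the checks that come after it.
"""
import secrets
import xml.etree.ElementTree as ET  # constructed input only; parse untrusted XML with a hardened parser such as defusedxml
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
SP_ENTITY_ID = "https://sp.example.com/saml"  # assumed SP entity ID registered at the IdP
DEFAULT_ROLE = "SSO Default Role"            # assumed name of the role created for the SSO node


class SamlRejected(Exception):
    """Raised when an assertion must not be used to log in or provision anyone."""


def parse_time(value):
    return datetime.strptime(value, TIME_FMT).replace(tzinfo=timezone.utc)


def make_assertion(name_id, audience, not_before, not_on_or_after, assertion_id):
    """Build a constructed, unsigned SAML assertion for offline testing."""
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="{assertion_id}" Version="2.0"
    IssueInstant="{not_before.strftime(TIME_FMT)}">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">{name_id}</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="{not_before.strftime(TIME_FMT)}" NotOnOrAfter="{not_on_or_after.strftime(TIME_FMT)}">
    <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


class JitServiceProvider:
    def __init__(self, entity_id, default_role, clock_skew=timedelta(minutes=2)):
        self.entity_id = entity_id
        self.default_role = default_role
        self.clock_skew = clock_skew
        self.vaults = {}       # email -> vault record, created on first SSO login
        self.seen_ids = set()  # assertion IDs already consumed, for replay protection

    def consume(self, assertion_xml, now):
        root = ET.fromstring(assertion_xml)
        assertion_id = root.get("ID")
        if not assertion_id or assertion_id in self.seen_ids:
            raise SamlRejected("missing or replayed assertion ID")

        conditions = root.find("saml:Conditions", NS)
        if conditions is None:
            raise SamlRejected("assertion carries no Conditions")
        not_before = parse_time(conditions.get("NotBefore"))
        not_on_or_after = parse_time(conditions.get("NotOnOrAfter"))
        if now < not_before - self.clock_skew or now >= not_on_or_after + self.clock_skew:
            raise SamlRejected("assertion outside its validity window")

        audiences = {a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)}
        if self.entity_id not in audiences:
            raise SamlRejected("assertion was issued for a different service provider")

        name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
        if not name_id:
            raise SamlRejected("assertion has no NameID")
        email = name_id.strip().lower()

        # All checks passed: burn the assertion ID, then provision on first sight.
        self.seen_ids.add(assertion_id)
        created = email not in self.vaults
        if created:
            self.vaults[email] = {
                "role": self.default_role,
                # Illustrative: a random key stands in for the service-generated credential,
                # so there is no user-chosen master password to fall back on.
                "vault_key": secrets.token_bytes(32),
                "sso_only": True,
            }
        return {"email": email, "created": created, "role": self.vaults[email]["role"]}


def demo():
    sp = JitServiceProvider(SP_ENTITY_ID, DEFAULT_ROLE)
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)

    def valid(assertion_id):
        return make_assertion("Alice@Example.com", SP_ENTITY_ID,
                              now - timedelta(minutes=1), now + timedelta(minutes=5), assertion_id)

    first = sp.consume(valid("_a1"), now)    # first login: vault created
    second = sp.consume(valid("_a2"), now)   # second login: same vault, nothing created
    attempts = {
        "replay": valid("_a1"),
        "expired": make_assertion("alice@example.com", SP_ENTITY_ID,
                                  now - timedelta(hours=2), now - timedelta(hours=1), "_a3"),
        "wrong_audience": make_assertion("alice@example.com", "https://other-sp.example.com/saml",
                                         now - timedelta(minutes=1), now + timedelta(minutes=5), "_a4"),
    }
    outcomes = {}
    for label, xml in attempts.items():
        try:
            sp.consume(xml, now)
            outcomes[label] = "accepted"
        except SamlRejected:
            outcomes[label] = "rejected"
    return first, second, outcomes


if __name__ == "__main__":
    print(demo())
```

The order of operations matters: the assertion ID is recorded as consumed only after every check has passed, so a rejected assertion cannot poison the replay cache, and the vault record is created only after that, so a single valid login yields exactly one vault no matter how many times the same user returns.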
Enterprise customers can combine automated provisioning of users, roles and teams through Active Directory integration with Single Sign-On (SSO) authentication through Active Directory Federation Services (AD FS).
2. Create a node beneath the root node for your Bridge and SSO provider. Both the Bridge and SSO will be activated in this node via the Provisioning tab.
3. Create a new role for the node created in step 2. This will become the default role that all auto-provisioned users receive.
4. Set the role enforcement policies:
- Set the desired enforcement policies, such as 2FA and sharing restrictions.
- Optional but recommended: set up Account Transfer for break-glass vault access.
- Optional: enable the Don't Send Email Invitations policy if dynamic provisioning will be configured for SSO, or if users will be notified of their vault access at a later time.
- After the role enforcement policies are configured, check Add role to new users created in the Node and Sub nodes.
5. Install and set up Keeper SSO Connect. Following the Keeper SSO Connect Guide, configure your identity provider with Keeper to authenticate users into their vault automatically. Users will be provisioned into the default role for the node as set up in step 4.
6. Install and configure the Keeper AD Bridge, following the instructions in the Keeper Bridge Guide. When the Bridge is deployed, the users, roles and teams that match your LDAP query will be added to or invited into your Keeper subscription.
- If you enforce the Don't Send Email Invitations role enforcement policy, users will not receive a notification upon their first Keeper vault access.
- We recommend sending a separate email to your end users to communicate the onboarding process. The email should guide users either to log in directly to their IdP and select the Keeper icon, or to sign in directly to Keeper using the Enterprise Domain configured in your Keeper SSO Connect installation. You may also provide your end users with the Keeper Enterprise User Guide.
- We recommend testing with a small user subset to validate configuration and workflow before rolling out to a larger group of users.
- Install and configure SSO Connect before the AD Bridge. Choosing to implement SSO at a later time will cause more user friction by requiring existing users to change their login method from master password to SSO-based authentication. We recommend having SSO set up at the initial onboarding.
- After successful testing, onboard the remaining users and send users instructions to create their accounts.
- Users in an SSO-enabled node will not be able to change their master password. This enforcement is by design to ensure users who authenticated via SSO do not have the ability to bypass IdP authentication for access to their vault.
The end-user experience for SSO authentication is very clean and seamless. The video below demonstrates this flow.
End-User Experience with SSO Login
Keeper SSO Connect (On-Prem version) optionally integrates with on-premises and cloud HSM solutions for added protection of encryption keys.
For step-by-step instructions on integrating Keeper with SSO and your HSM infrastructure, see the Keeper SSO Connect administrative guide.