SSO - JIT (Just in Time) Provisioning and Authentication

Keeper supports JIT automatic provisioning and seamless authentication using SAML 2.0.

Overview of SSO - JIT Provisioning and Authentication

Keeper SSO Connect™ Cloud

Keeper SSO Connect™ Cloud leverages Keeper’s zero-knowledge security architecture to securely and seamlessly authenticate users into their Keeper Vault and dynamically provision user vaults to the platform. Keeper supports all popular SSO IdP platforms such as Okta, Microsoft Azure, Google G Suite, Centrify, OneLogin, Ping Identity, JumpCloud and more.

System Architecture

SSO Connect Cloud Architecture

Keeper SSO Connect™ On-Prem

Keeper SSO Connect™ On-Prem is a SAML 2.0 compatible Service Provider (SP) application that allows Keeper Business customers to seamlessly login to their Keeper Vault using their existing identity provider (IdP). This application complies with Keeper's zero-knowledge security architecture while giving enterprise customers the ability of providing seamless SSO login to their Keeper Vault. Keeper SSO Connect is a software service that is installed on the enterprise customer's on-premise, private or cloud servers. Users' account master passwords are dynamically generated by Keeper SSO Connect. The user's encryption keys are generated and encrypted by the Keeper SSO Connect service, and can be further protected with the use of an on-premise HSM module.

When Just in time (JIT) provisioning is enabled it provides realtime access to any user that can successfully authenticate against the Identity Provider. If SCIM or Active Directory Bridge is going to be uses for provisioning, disable JIT.

For detailed instructions please refer to our Keeper SSO Connect Guide

System Architecture

End-User Experience

Keeper integrates out-of-the-box with every major SSO IdP including Microsoft AD FS, Azure, Okta, G Suite, OneLogin, Centrify, Ping Identity, F5, JumpCloud, AWS and more. Keeper SSO Connect supports full High-Availability configurations and integration into Gemalto HSM for enhanced key protection.

SSO Connect On-Prem Application

For detailed setup instructions, FAQs and workflow questions please see the Keeper SSO Connect Guide. Our implementation engineers are also available by emailing [email protected] Most implementation issues can be addressed quickly via a screen sharing session or email.

Combining AD and SSO Authentication

Enterprise customers may benefit from the automated provisioning of users, roles, and team through Active Directory integration while also leveraging Single Sign-On (SSO) authentication through Active Directory Federated Services (AD FS).

While the specific instructions on installation and configuration can be found in the Keeper Bridge Guide and in the Keeper SSO Connect Guide for specific identity providers, the high level instructions below, will provide some best practices to leverage both integrations simultaneously.

1. Login to the Admin Console and turn on Show Node Structure from Advanced Configuration.

2. Create a Node to configure for your Bridge and SSO provider beneath the root node. Both Bridge and SSO will be activated in this node via the Provisioning tab.

3. Create a new Role for the node created in step 2. This will become the default role that all auto-provisioned users will receive.

4. Set the role enforcement policies:

  • Set desired enforcement policies like, 2FA, Sharing, etc.

  • Optional but recommended: Set up Account Transfer for break glass vault access.

  • Optional: Enable the Don’t Send Email Invitations if dynamic provisioning will be configured for SSO or if users will be notified of their vault access at a later time.

  • After the Role enforcement policies are configured. Check the Add role to new users created in the Node and Sub nodes.

5. Install and setup Keeper SSO Connect. Following our Keeper SSO Connect Guide, configure your identity provider with Keeper to automatically authenticate users into their Vault. Users will be provisioned into the default role for the node as set up in step 4.

6. Install and configure the Keeper AD Bridge. Following the instructions in the Keeper Bridge Guide. When the bridge is deployed your users, roles, and teams that meet the LDAP Query syntax will be added/invited to your Keeper subscription.

  • If you opt to enforce the Don’t Send Email Invitations role enforcement policy, users will not receive notification upon their first Keeper vault access.

  • We recommend sending a separate email to your end-users to communicate the onboarding process. The email should guide users to either login directly to their IdP and select the Keeper icon, or to sign in directly to Keeper using the Enterprise Domain that was configured in your Keeper SSO Connect installation. You may also provide your end-users with a Keeper Enterprise User Guide.

  • We recommend testing with a small user subset to validate configuration and workflow before rolling out to a larger group of users.

  • Install and configure SSO Connect before the AD Bridge. Choosing to implement SSO at a later time will cause more user friction by requiring existing users to change their login method from master password to SSO-based authentication. We recommend having SSO set up at the initial onboarding.

  • After successful testing, onboard the remaining users and send users instructions to create their accounts.

  • Users in an SSO-enabled node will not be able to change their master password. This enforcement is by design to ensure users who authenticated via SSO do not have the ability to bypass IdP authentication for access to their vault.

The end-user experience for SSO authentication is very clean and seamless. The video below demonstrates this flow.

End-User Experience with SSO Login

Gemalto and AWS HSM Integration

Keeper SSO Connect (On-Prem version) optionally integrates with on-premise and cloud HSM solutions for added protection of encryption keys.

Step by step instructions for integrating Keeper with SSO and your HSM infrastructure, please see our Keeper SSO Connect administrative guide.

For detailed instructions please refer to our Keeper SSO Connect Guide and Keeper SSO Connect Cloud Guide