Keeper SSO Connect is a SAML 2.0 compatible Service Provider (SP) application that allows Keeper Business customers to seamlessly log in to their Keeper Vault using their existing identity provider (IdP). This application complies with Keeper's zero-knowledge security architecture while giving business customers the ability to provide seamless SSO login to their Keeper Vault. Keeper SSO Connect is a software service that is installed on the enterprise customer's on-premise, private or cloud servers. Users' account master passwords are generated dynamically by Keeper SSO Connect. The user's encryption keys are generated and encrypted by the Keeper SSO Connect service, and can be further protected with the use of an on-premise HSM module.
The steps for setting up Keeper SSO Connect are below:
Log in to the Admin Console and turn on Show Node Structure from Configurations
Create a new node
From the Provisioning tab, add an SSO provisioning method
Install Keeper SSO Connect on your server (supports Windows, Mac, Unix/Linux)
Configure Keeper as a service provider on your existing Identity Provider
System Requirements (For Hosted Server)
Mac OS 10.7+
Linux OS with Java 8
Keeper integrates out-of-the-box with every major SSO IdP including Microsoft AD FS, Azure, Okta, G Suite, OneLogin, Centrify, Ping Identity, F5, JumpCloud, AWS and more. Keeper SSO Connect supports full High-Availability configurations and integration into Gemalto HSM for enhanced key protection.
When installing and configuring SSO on a node within your Keeper account, you will be asked to select an Enterprise Domain. This is a unique string that your end-users will type in to log in to Keeper when accessing their account on a device. We recommend informing your users of the Enterprise Domain name so that they are able to access their Keeper vault on any device and platform. The Enterprise Domain is not needed when logging in to Keeper directly from the Identity Provider portal.
For detailed setup instructions, FAQs and workflow questions please see the Keeper SSO Connect Guide. Our implementation engineers are also available by emailing email@example.com. Most implementation issues can be addressed quickly via a screen sharing session or email.
Enterprise customers may want the benefit of automated provisioning of users, roles, and teams through Active Directory integration while also leveraging Single Sign-On (SSO) authentication through Active Directory Federation Services (AD FS).
While the specific instructions on installation and configuration can be found in the Keeper Bridge Guide and in the Keeper SSO Connect Guide for specific identity providers, the high-level instructions below provide some best practices for leveraging both integrations simultaneously.
1. Log in to the Admin Console and turn on Show Node Structure from Advanced Configuration.
2. Create a Node to configure for your Bridge and SSO provider beneath the root node. Both Bridge and SSO will be activated in this node via the Provisioning tab.
3. Create a new Role for the node created in step 2. This will become the default role that all auto-provisioned users will receive.
4. Set the role enforcement policies:
Set the desired enforcement settings, such as 2FA, sharing, etc.
Optional but recommended: Set up Account Transfer for break-glass vault access.
Optional: Enable the Don’t Send Email Invitations setting if dynamic provisioning will be configured for SSO or if users will be notified of their vault access at a later time.
After the role enforcement settings are configured, check Add role to new users created in the Node and Sub nodes.
5. Install and set up Keeper SSO Connect. Following our Keeper SSO Connect Guide, configure your identity provider with Keeper to automatically authenticate users into their Vault. Users will be provisioned into the default role for the node as set up in step 4.
6. Install and configure the Keeper AD Bridge, following the instructions in the Keeper Bridge Guide. When the bridge is deployed, your users, roles, and teams that match the LDAP query syntax will be added/invited to your Keeper subscription.
If you opt to enforce the Don’t Send Email Invitations role enforcement setting, users will not receive notification upon their first Keeper vault access.
We recommend sending a separate email to your end-users to communicate the onboarding process. The email should guide users either to log in directly to their IdP and select the Keeper icon, or to sign in directly to Keeper using the Enterprise Domain that was configured in your Keeper SSO Connect installation. You may also provide your end-users with a Keeper Enterprise User Guide.
We recommend testing with a small user subset to validate configuration and workflow before rolling out to a larger group of users.
Install and configure SSO Connect before the AD Bridge. Choosing to implement SSO at a later time will cause more user friction by requiring existing users to change their login method from master password to SSO-based authentication. We recommend having SSO set up at the initial onboarding.
After successful testing, onboard the remaining users and send users instructions to create their accounts.
Users in an SSO-enabled node will not be able to change their master password. This enforcement is by design to ensure users who authenticated via SSO do not have the ability to bypass IdP authentication for access to their vault.
The end-user experience for SSO authentication is very clean and seamless. The video below demonstrates this flow:
Keeper SSO Connect fully integrates with on-premise and cloud HSM solutions for added protection of encryption keys.
For step-by-step instructions on integrating Keeper SSO Connect with your Gemalto Luna HSM infrastructure, please see the Keeper SSO Connect administrative guide.