Google Workspace
Keeper Connection Manager SAML configuration with Google Workspace
Google Workspace Configuration
The first step regardless of installation method is to configure your SAML 2.0 identity provider using Google Workspace.
(1) Log in to Google Workspace at https://admin.google.com
Visit the Apps > Web and Mobile Apps screen.
(2) Select "Add App" and select "Add Custom SAML App".
Enter an application name and description. You can also upload a Keeper Connection Manager logo. The image logo is here:
Click Continue.
(3) Download the metadata.xml file
...and then click Continue
(4) Configure the SAML Settings
Update 3 fields: ACS URL, Entity ID and Name ID format.
The ACS URL needs to start with your Keeper Connection Manager domain followed by "/api/ext/saml/callback". The Entity ID is just the Keeper Connection Manager domain.
The Name ID format must be EMAIL
Click Continue.
(5) Assign group membership (Optional)
You can now assign Group Membership to the Keeper Connection Manager application, which is optional. If you would like to assign a group, make sure that the "App Attribute" is groups (lowercase). Then click FINISH.
Google Group to Keeper Connection Manager Group mapping is through the Group Name. If the Keeper Connection Manager contains a Group that has the name corresponding to the Google Group Name, the user will receive all Keeper connections assigned to that user group.
(6) Enable Access
After creating the SAML app, it is not yet active for all users. To enable access, click on View details and turn the application ON.
The Google Workspace side of the setup is complete. Note that if you change anything, you need to download a new metadata.xml file.
Next: KCM Configuration
Advanced Linux Install Method
If you have installed Keeper Connection Manager using the advanced Linux install method, SAML can be set up by following the steps below.
Installing SAML support for Guacamole
Keeper Connection Manager packages Guacamole’s SAML support within the kcm-guacamole-auth-sso-saml package:
Connecting Guacamole to SAML
Guacamole’s main configuration file, /etc/guacamole/guacamole.properties, must be modified to point to the SAML installation:
The guacamole.properties file provided with Keeper Connection Manager is organized into sections documented with blocks of comments and example properties. The first section which must be modified is marked “SAML-1” and defines the IdP configuration. Uncomment the saml-idp-metadata-url and saml-entity-id properties. You'll need to reference the IdP's metadata file and Entity ID.
The second section contains the callback URL that is used by the IdP. This is typically set to the user-facing URL of the Keeper Connection Manager service.
The 4th section contains optional parameters that can be set.
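A pre-flight check for the values entered in step (4) and in the guacamole.properties sections above, added here as an example and not part of Keeper's documentation or tooling. It assumes the Entity ID entered in Google is the full https URL of the KCM service, uses Guacamole's saml-callback-url property name (not shown on this page), and runs on constructed sample data with the hypothetical host kcm.example.com.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed sample inputs: hypothetical hosts, placeholder certificate.
SAMPLE_PROPS = """# SAML-1
saml-idp-metadata-url: file:///etc/guacamole/metadata.xml
saml-entity-id: https://kcm.example.com
#saml-callback-url: https://kcm.example.com
"""
SAMPLE_METADATA = """<md:EntityDescriptor entityID="https://idp.example.com/saml"
  xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>PLACEHOLDER</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Location="https://idp.example.com/sso"
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def parse_properties(text):
    """Return active 'key: value' / 'key = value' pairs; commented lines are skipped."""
    return dict(re.findall(r"^\s*([^#!\s:=]+)\s*[:=]\s*(.*?)\s*$", text, re.M))

def check(properties_text, metadata_xml, kcm_url):
    """Return a list of problems; an empty list means both sides agree."""
    props, base, problems = parse_properties(properties_text), kcm_url.rstrip("/"), []
    if urlparse(base).scheme != "https":
        problems.append("KCM URL is not https")
    for key in ("saml-idp-metadata-url", "saml-entity-id", "saml-callback-url"):
        if key not in props:
            problems.append(f"{key} is missing or still commented out")
        elif key != "saml-idp-metadata-url" and props[key].rstrip("/") != base:
            problems.append(f"{key} does not match the KCM URL entered in Google")
    idp = ET.fromstring(metadata_xml).find("md:IDPSSODescriptor", NS)
    if idp is None:
        return problems + ["metadata has no IDPSSODescriptor"]
    if not idp.findtext(".//ds:X509Certificate", "", NS).strip():
        problems.append("metadata has no signing certificate")
    for sso in idp.findall("md:SingleSignOnService", NS):
        if urlparse(sso.get("Location", "")).scheme != "https":
            problems.append("IdP SingleSignOnService is not https")
    return problems

if __name__ == "__main__":
    print(check(SAMPLE_PROPS, SAMPLE_METADATA, "https://kcm.example.com"))
```

On the sample input the check reports the callback property that was left commented out; pass it the contents of the real guacamole.properties and the downloaded metadata.xml to check a live setup.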
Completing installation
Guacamole will generally only load new extensions and reread guacamole.properties during the startup process. To apply the configuration changes, Guacamole must be restarted:
KCM Final Setup
Once you have activated the SAML module, there will be a new "Sign in with SAML" link on the login screen of the application as seen below:
When setting up your user identities in the Settings area, if you would like a user to log in with SAML / SSO, just leave the "password" field empty.
If you would like to automatically map Group assignments in the identity provider to Keeper Connection Manager Groups, simply create a matching group name with the proper assignments. The name of the Group in Keeper Connection Manager needs to match this identifier exactly in order for the mapping to work.