SSO Auth (SAML)

Instructions for authenticating users with a SAML 2.0 / SSO Identity Provider

Overview

Keeper Connection Manager can be configured to authenticate users with any SAML 2.0 compatible identity provider. Users can be forced to log in with SAML, or SAML can be offered as an optional login link on the login page.
Optional SAML Login Configuration
By default, this SAML SSO setup only handles authentication. You, the admin, must still create each user in KCM by hand, with the username set to exactly the email address the IdP asserts for that user, before that user can be given any connections or permissions.
It is usually easier to let KCM create the account automatically on each user's first successful SAML SSO login. To do this, add one of the following lines (pick the one that matches your database backend):
MYSQL_AUTO_CREATE_ACCOUNTS: "true"
POSTGRESQL_AUTO_CREATE_ACCOUNTS: "true"
to the environment of the guacamole service in your /etc/kcm-setup/docker-compose.yml file, as shown below. Note that with auto-create enabled, every user the IdP is willing to authenticate for this application gets a KCM account, so restrict who is assigned the application on the IdP side; auto-created users still start with no connections until you grant them, directly or through groups.
After making changes, run sudo ./kcm-setup.run apply to apply them.
docker-compose.yml
guacamole:
  image: keeper/guacamole:2
  restart: unless-stopped
  environment:
    ACCEPT_EULA: "Y"
    GUACD_HOSTNAME: "xxx"
    MYSQL_HOSTNAME: "xxx"
    MYSQL_DATABASE: "xxx"
    MYSQL_USERNAME: "xxx"
    MYSQL_PASSWORD: "xxx"
    # URL the IdP posts the SAML response back to; use the public https URL of KCM
    SAML_CALLBACK_URL: "https://demo.lurey.com"
    # IdP metadata (including its signing certificate), mounted read-only from the host (see volumes)
    SAML_IDP_METADATA_URL: "file:///etc/guacamole/metadata.xml"
    # Entity ID registered with the IdP for this service provider
    SAML_ENTITY_ID: "https://demo.lurey.com"
    # SAML attribute that carries group membership (Azure AD / Entra ID groups claim shown)
    SAML_GROUP_ATTRIBUTE: "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
    # "*" before saml keeps the normal login form and offers SAML as an optional link
    ADDITIONAL_GUACAMOLE_PROPERTIES: "extension-priority: *, saml"
    # Create the KCM user on first successful SAML login (POSTGRESQL_AUTO_CREATE_ACCOUNTS for PostgreSQL)
    MYSQL_AUTO_CREATE_ACCOUNTS: "true"
  volumes:
    - "common-storage:/var/lib/guacamole"
    - "/etc/kcm-setup/metadata.xml:/etc/guacamole/metadata.xml:ro"
Full details on the auto create accounts variables can be found here: https://docs.keeper.io/keeper-connection-manager/installation/docker-compose-install/keeper-guacamole
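As an added example (not from the KCM docs or Keeper's own tooling), the POSIX shell script below performs the edit described above and a few pre-flight checks on a KCM docker-compose.yml: it picks MYSQL_AUTO_CREATE_ACCOUNTS or POSTGRESQL_AUTO_CREATE_ACCOUNTS from whichever *_HOSTNAME the guacamole service uses, inserts the line exactly once directly after SAML_ENTITY_ID with matching indentation, and warns if the callback URL is not https, the metadata mount is not read-only, or extension-priority does not read "*, saml". The compose content produced by write_sample_compose, with its hostnames and credentials, is constructed for the demo and is not from any real install; the script name saml-autocreate.sh is an assumption.

```shell
#!/bin/sh
# Added example (not part of the KCM docs): enable SAML auto-create accounts in
# the guacamole service of a KCM docker-compose.yml and run pre-flight checks.
# Assumes the KCM layout: one "KEY: value" per line under "environment:".
set -eu

# Write a constructed sample compose file (demo input only; hostnames and
# credentials are placeholders, not taken from any real install).
write_sample_compose() {
  cat > "$1" <<'EOF'
services:
  guacamole:
    image: keeper/guacamole:2
    restart: unless-stopped
    environment:
      ACCEPT_EULA: "Y"
      GUACD_HOSTNAME: "guacd"
      MYSQL_HOSTNAME: "db"
      MYSQL_DATABASE: "guacamole_db"
      MYSQL_USERNAME: "guacamole_user"
      MYSQL_PASSWORD: "changeme"
      SAML_CALLBACK_URL: "https://kcm.example.com"
      SAML_IDP_METADATA_URL: "file:///etc/guacamole/metadata.xml"
      SAML_ENTITY_ID: "https://kcm.example.com"
      ADDITIONAL_GUACAMOLE_PROPERTIES: "extension-priority: *, saml"
    volumes:
      - "common-storage:/var/lib/guacamole"
      - "/etc/kcm-setup/metadata.xml:/etc/guacamole/metadata.xml:ro"
EOF
}

# Print the auto-create variable matching the database backend in use
# (MYSQL_HOSTNAME -> MYSQL_AUTO_CREATE_ACCOUNTS, POSTGRESQL_HOSTNAME -> POSTGRESQL_...).
auto_create_var() {
  if grep -qE '^[[:space:]]*MYSQL_HOSTNAME:' "$1"; then
    echo MYSQL_AUTO_CREATE_ACCOUNTS
  elif grep -qE '^[[:space:]]*POSTGRESQL_HOSTNAME:' "$1"; then
    echo POSTGRESQL_AUTO_CREATE_ACCOUNTS
  else
    echo "no MYSQL_HOSTNAME or POSTGRESQL_HOSTNAME in $1" >&2
    return 1
  fi
}

# Exit 0 if an auto-create line set to true is already present.
auto_create_enabled() {
  grep -qE '^[[:space:]]*(MYSQL|POSTGRESQL)_AUTO_CREATE_ACCOUNTS:[[:space:]]*"?true"?' "$1"
}

# Insert the auto-create line once, directly after SAML_ENTITY_ID, reusing that
# line's indentation so the YAML mapping stays valid. Keeps a .bak copy.
enable_auto_create() {
  f="$1"
  var=$(auto_create_var "$f") || return 1
  if auto_create_enabled "$f"; then
    return 0
  fi
  cp -p "$f" "$f.bak"
  awk -v var="$var" '
    { print }
    /^[[:space:]]*SAML_ENTITY_ID:/ && !done {
      match($0, /^[[:space:]]*/)
      printf "%s%s: \"true\"\n", substr($0, 1, RLENGTH), var
      done = 1
    }' "$f" > "$f.tmp"
  mv "$f.tmp" "$f"
}

# Checks worth running before "sudo ./kcm-setup.run apply". Returns 1 on any failure.
check_saml_config() {
  f="$1"; rc=0
  for k in SAML_CALLBACK_URL SAML_ENTITY_ID SAML_IDP_METADATA_URL; do
    grep -qE "^[[:space:]]*$k:" "$f" || { echo "missing $k" >&2; rc=1; }
  done
  # The IdP posts the signed assertion to the callback URL; it must be https.
  grep -qE '^[[:space:]]*SAML_CALLBACK_URL:[[:space:]]*"?https://' "$f" \
    || { echo "SAML_CALLBACK_URL is not https" >&2; rc=1; }
  # Optional-login mode: "*" before saml keeps the normal login form.
  grep -qE 'extension-priority:[[:space:]]*\*,[[:space:]]*saml' "$f" \
    || { echo "extension-priority should read '*, saml'" >&2; rc=1; }
  # The IdP metadata (its signing cert) should be mounted read-only into the container.
  grep -qE 'metadata\.xml:ro"?[[:space:]]*$' "$f" \
    || { echo "metadata.xml is not mounted :ro" >&2; rc=1; }
  return $rc
}

# Usage: sudo sh saml-autocreate.sh /etc/kcm-setup/docker-compose.yml
if [ $# -eq 1 ]; then
  check_saml_config "$1"
  enable_auto_create "$1"
  echo "auto-create enabled; now run: sudo ./kcm-setup.run apply"
fi
```

The script is deliberately line-oriented and assumes the mapping form of environment that the KCM template uses (`KEY: "value"`, one per line); if your compose file uses the list form (`- KEY=value`), adjust the grep and awk patterns. Run it as root, since /etc/kcm-setup/docker-compose.yml is normally root-owned, and review the .bak it leaves behind before running kcm-setup.run apply.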
Instructions for a few popular Identity Providers are linked below.