Comment on page


This page documents the process of integrating PingIdentity with Keeper Connection Manager, which is also known as KCM. We will be adding SAML 2.0 application connectors between the two platforms.

PingIdentity Configuration

  1. 1.
    Login as an Administrator for PingIdentity. From the PingIdentity menu, click Applications > Add Application
  2. 2.
    Give the Application a name such as "KCM," select SAML and Save.
Add Application
  1. 3.
    Next, you'll encounter the SAML configuration. Select Manually Enter, then add the URL of your KCM server to the ACS URLs box as follows: https://<YOUR DOMAIN>/api/ext/saml/callback
  2. 4.
    Then add the URL of your KCM server to the Entity ID box as follows: https://<YOUR DOMAIN> and press Save.
SAML Configs
  1. 5.
    Next, Edit Attribute Mappings. Since saml_subject is immutable, leave it as is. Add an attribute named EMAIL that has a Mapping of Username, and an attribute named groups that has a Mapping of Group Names.
Attribute Mappings
  1. 6.
    Then Edit Configuration and scroll down to SUBJECT NAMEID FORMAT and select the option urn:oasis:names:to:SAML:1.1:nameid-format:emailAddress. And hit Save.
Email to nameid Mapping
  1. 7.
    On the Overview section, verify that Access is for All Users (or the group you specified). Leave the Signon URL as the Default Signon Page. And Enable the Application by clicking the slider at the top of the application.
Settings to Turn Application On
  1. 8.
    Download the Metadata file from the Configuration tab, and ensure that it is named to metadata.xml.
Download the Metadata
  1. 9.
    Ensure that all users are added with a Username that matches the email address of a user in your Keeper Connection Manager. **When you add users to Keeper Connection Manager use the matching email address, but leave the password blank.
Match Email Addresses to KCM Accounts

Video Example

Video Proof of Concept