Configuration of Keeper SSO Connect Cloud™ is very simple and should only take a few minutes if you've previously configured other service providers with your IdP. Please follow the general steps in this document.
1) Visit the Keeper Admin Console and login as the Keeper Administrator. https://keepersecurity.com/console (US / Global) https://keepersecurity.eu/console (EU-hosted customers) https://keepersecurity.com.au/console (AU-hosted customers) https://govcloud.keepersecurity.us/console (GovCloud customers)
Note: Cloud SSO integration can only be applied to specific nodes (e.g. organizational units) within your Admin Console.
2) After logged in, click on the Admin menu and create a new node
3) Add a node then visit Provisioning and click Add Method
4) Select Cloud SSO Connect and Next
5) Enter the Configuration Name and Enterprise Domain. The Configuration Name will not be seen by your end users and allows you to manage multiple configurations. The Enterprise Domain will be used for logging in, therefore we recommend selecting a name that is unique and easy to remember.
Configuration Name: Internal use only, your users will not see this.
Enterprise Domain: Users will type in this name when authenticating in certain flows.
Enable Just-In-Time Provisioning: To allow users the ability to join your Keeper enterprise account on their own, enable the Just-in-Time provisioning feature. Otherwise, if you are using Automated Provisioning features from your identity provider (aka "SCIM" or "Automated Provisioning"), performing manual invitations or using the Keeper Bridge, we recommend leaving this OFF. Just In Time Provisioning also allows new users with your domain name to automatically route to the SSO provider. See the Domain Reservation section below.
6) Click Save to proceed to the next step. Keeper will automatically open the "Edit Configuration" screen next.
7) From the Edit Configuration screen, select your IdP (or "Generic"), upload the metadata file from your identity provider into Keeper and set up the 3 required attribute mappings. Note that Keeper works with any SAML 2.0 compatible identity provider.
Identity Provider: To assist you with the configuration of common identity providers, there is a drop-down "IDP Type" which allows you to select pre-defined setups. If your identity provider is not listed, please select "GENERIC".
SAML Metadata: Drag and drop the IdP Metadata file provided by your IdP into the Keeper configuration screen. This critical file provides Keeper with the URL endpoint and digital certificate to validate signed assertions.
Identity Provider Attribute Mappings: Keeper expects First Name, Last Name and Email to be called "First", "Last" and "Email" by default, but this can be changed. Make sure your identity provider is mapping to the field names on this screen exactly as written (case sensitive!).
Single Sign On Endpoint Preferences: This is advanced configuration and defaults to "Prefer HTTP post".
8) At some point during your configuration with the IdP, you'll need to enter a few parameters from Keeper such as "Entity ID" and "ACS URL". This information is available on the "View Configuration" screen. You can get here by going back then clicking on "View".
Make note of the URLs that are provided on this screen that you may need to set within your identity provider.
Entity ID: This can be referred to as "SP Entity ID", or "Issuer". It's basically a unique identifier that must be known by both sides. Often times, the Entity ID is the same as the ACS URL endpoint.
Assertion Consumer Service Endpoint ("ACS URL"): This is the URL endpoint at Keeper to which your identity provider will send users after they authenticate. The data sent to Keeper will include a signed assertion that indicates if the user has successfully signed into the identity provider. The assertion is signed with the identity provider's private key. Keeper validates the signature with the identity provider's public key, which is provided in the IdP metadata file.
Single Logout Service Endpoint ("SLO"): This is the URL endpoint at Keeper to which your identity provider will send logout requests. Single Logout is optional and this is something you configure at your identity provider.
This information is also available in the Keeper XML metadata file which can be optionally downloaded by clicking "Export Metadata". Upload the metadata file to your identity provider if required.
If Just In Time provisioning is enabled, you can automatically route users to the identity provider when the user types in their email and clicks "Next" from the Vault login screen. This applies to all devices including Web Vault, Desktop App, Browser Extensions, iOS and Android apps.
Keeper maintains a list of "personal" domains, for example gmail.com and yahoo.com which cannot be reserved and allow the general public to create Keeper accounts with those domains, with a verified email.
If you would like to allow end-users to create personal or Enterprise accounts with your reserved domain outside of your enterprise tenant, please contact the Keeper support team and we can unlock this domain for you.