Admin Console Configuration

Configuration of the Admin Console with Keeper SSO Connect Cloud™

Configuration of Keeper SSO Connect Cloud™ is very simple and should only take a few minutes if you've previously configured other service providers with your IdP. Please follow the general steps in this document.

1) Visit the Keeper Admin Console and login as the Keeper Administrator. https://keepersecurity.com/console (US / Global) https://keepersecurity.eu/console (EU-hosted customers)

Note: SSO integration can be applied to specific nodes (e.g. organizational units) within your Admin Console.

Admin Console Login

2) After logged in, click on the Admin menu and create a new node

3) Add a node then visit Provisioning and click Add Method

4) Select Cloud SSO Connect and Next

5) Enter the Configuration Name and Enterprise Domain. The Configuration Name will not be seen by your end users and allows you to manage multiple configurations. The Enterprise Domain will be used for logging in, therefore we recommend selecting a name that is unique and easy to remember.

JIT Provisioning
  • Configuration Name: Internal use only, your users will not see this.

  • Enterprise Domain: Users will type in this name when authenticating in certain flows.

  • Enable Just-In-Time Provisioning: To allow users the ability to join your Keeper enterprise account on their own, enable the Just-in-Time provisioning feature. Otherwise, if you are using Automated Provisioning features from your identity provider (aka "SCIM" or "Automated Provisioning"), performing manual invitations or using the Keeper Bridge, we recommend leaving this OFF.

If you are planning to use SCIM, Admin Console or Keeper Bridge for provisioning users instead of Just-In-Time SSO provisioning, please leave this option OFF.

6) Click Save to proceed to the next step. Keeper will automatically open the "Edit Configuration" screen next.

7) From the Edit Configuration screen, select your IdP (or "Generic"), upload the metadata file from your identity provider into Keeper and set up the 3 required attribute mappings. Note that Keeper works with any SAML 2.0 compatible identity provider.

IdP Type, Configuration, Enterprise Domain and JIT
SAML Metadata, Attribute and Login/Logout Prefs
  • Identity Provider: To assist you with the configuration of common identity providers, there is a drop-down "IDP Type" which allows you to select pre-defined setups. If your identity provider is not listed, please select "GENERIC".

  • SAML Metadata: Drag and drop the IdP Metadata file provided by your IdP into the Keeper configuration screen. This critical file provides Keeper with the URL endpoint and digital certificate to validate signed assertions.

  • Identity Provider Attribute Mappings: Keeper expects First Name, Last Name and Email to be called "First", "Last" and "Email" by default, but this can be changed. Make sure your identity provider is mapping to the field names on this screen exactly as written (case sensitive!).

  • Single Sign On Endpoint Preferences: This is advanced configuration and defaults to "Prefer HTTP post".

8) At some point during your configuration with the IdP, you'll need to enter a few parameters from Keeper such as "Entity ID" and "ACS URL". This information is available on the "View Configuration" screen. You can get here by going back then clicking on "View".

Go back
View Configuration

Make note of the URLs that are provided on this screen that you may need to set within your identity provider.

  • Entity ID: This can be referred to as "SP Entity ID", or "Issuer". It's basically a unique identifier that must be known by both sides. Often times, the Entity ID is the same as the ACS URL endpoint.

  • Assertion Consumer Service Endpoint ("ACS URL"): This is the URL endpoint at Keeper to which your identity provider will send users after they authenticate. The data sent to Keeper will include a signed assertion that indicates if the user has successfully signed into the identity provider. The assertion is signed with the identity provider's private key. Keeper validates the signature with the identity provider's public key, which is provided in the IdP metadata file.

  • Single Logout Service Endpoint ("SLO"): This is the URL endpoint at Keeper to which your identity provider will send logout requests. Single Logout is optional and this is something you configure at your identity provider.

This information is also available in the Keeper XML metadata file which can be optionally downloaded by clicking "Export Metadata". Upload the metadata file to your identity provider if required.

After configuring Keeper SSO Connect Cloud™ on the Admin Console the next step is to setup up the application in the Identity Provider. See the Identity Provider Configuration section.