Admin Console Configuration

Configuration of Keeper SSO Connect Cloud™ is very simple and should only take a few minutes if you've previously configured other service providers with your IdP. Please follow the general steps in this document.

Step 1. Visit the Keeper Admin Console and login as the Keeper Administrator. US: https://keepersecurity.com/console EU: https://keepersecurity.eu/console AU: https://keepersecurity.com.au/console CA: https://keepersecurity.ca/console JP: https://keepersecurity.jp/console US GovCloud: https://govcloud.keepersecurity.us/console

Step 2. After logging in, click on the Admin menu and select Add Node. This new node is where your SSO users will be provisioned.

Step 3. On the new node, select the Provisioning tab and click Add Method

Step 4. Select Single Sign-On with SSO Connect Cloud™ and click Next

Step 5. Enter the Configuration Name and Enterprise Domain. The Configuration Name will not be seen by your end users and allows you to manage multiple configurations. The Enterprise Domain will be used for logging in, therefore we recommend selecting a name that is unique and easy to remember.

• Configuration Name: Internal use only, your users will not see this.

• Enterprise Domain: Users will type in this name when authenticating in certain flows. It can be your domain name or any unique string.

• Enable Just-In-Time Provisioning: To allow users the ability to self-onboard to your Keeper enterprise tenant, enable the Just-in-Time provisioning feature. This is enabled by default. Just-In-Time Provisioning also allows new users with your domain name to automatically route to the SSO provider if the domain has been reserved. If you are planning to use the Keeper Bridge for provisioning users instead of Just-In-Time SSO provisioning, please leave this option OFF.

Step 6. Click Save to proceed to the next step. Keeper will automatically open the "Edit Configuration" screen next.

Step 7. From the Edit Configuration screen, select your IdP (or "Generic"), upload the metadata file from your identity provider into Keeper and set up the 3 required attribute mappings. Note that Keeper works with any SAML 2.0 compatible identity provider.

There are a couple of additional options available here:

• Enable IsPassive: We recommend leaving this off unless required by your IdP.

• ForceAuthn: For customers who want to force a new SSO login session on every Keeper Vault login, turn this on.

• Identity Provider: To assist you with the configuration of common identity providers, there is a drop-down "IDP Type" which allows you to select pre-defined setups. If your identity provider is not listed, please select "GENERIC".

• SAML Metadata: Drag and drop the IdP Metadata file provided by your IdP into the Keeper configuration screen. This critical file provides Keeper with the URL endpoint and digital certificate to validate signed assertions.

• Identity Provider Attribute Mappings: Keeper expects First Name, Last Name and Email to be called "First", "Last" and "Email" by default, but this can be changed. Make sure your identity provider is mapping to the field names on this screen exactly as written (case sensitive!).

• Single Sign On Endpoint Preferences: This is advanced configuration and defaults to "Prefer HTTP post".

Step 8. At some point during your configuration with the IdP, you'll need to enter a few parameters from Keeper such as "Entity ID" and "ACS URL". This information is available on the "View Configuration" screen. You can get here by going back then clicking on "View".

Make note of the URLs that are provided on this screen that you may need to set within your identity provider.

• Entity ID: This can be referred to as "SP Entity ID", or "Issuer". It's basically a unique identifier that must be known by both sides. Often times, the Entity ID is the same as the ACS URL endpoint.

• Assertion Consumer Service Endpoint ("ACS URL"): This is the URL endpoint at Keeper to which your identity provider will send users after they authenticate. The data sent to Keeper will include a signed assertion that indicates if the user has successfully signed into the identity provider. The assertion is signed with the identity provider's private key. Keeper validates the signature with the identity provider's public key, which is provided in the IdP metadata file.

• Single Logout Service Endpoint ("SLO"): This is the URL endpoint at Keeper to which your identity provider will send logout requests. Single Logout is optional and this is something you configure at your identity provider.

This information is also available in the Keeper XML metadata file which can be optionally downloaded by clicking "Export Metadata". Upload the metadata file to your identity provider if required.

Domain Reservation and Just-In-Time provisioning

If Just In Time provisioning is enabled, you can automatically route users to the identity provider when the user types in their email and clicks "Next" from the Vault login screen. This applies to all devices including Web Vault, Desktop App, Browser Extensions, iOS and Android apps.

Keeper maintains a list of "personal" domains, for example gmail.com and yahoo.com which cannot be reserved and allow the general public to create Keeper accounts with those domains, with a verified email.

If you would like to allow end-users to create personal or Enterprise accounts with your reserved domain outside of your enterprise tenant, please contact the Keeper support team and we can unlock this domain for you.