Inside the AD FS Management application, locate the Federation Metadata XML file. This can be found by clicking AD FS > Service > Endpoints, then locating the URL path in the "Metadata" section. The path is typically /FederationMetadata/2007-06/FederationMetadata.xml, as seen below:
The metadata file can typically be downloaded by loading that URL in a browser on the server. For example:
Download this file and save to the computer.
Import Federation Metadata
Select ADFS as the IdP type, then import the Federation Metadata file saved in the previous step into the SAML Metadata section of the Keeper SSO Connect Cloud™ configuration screen.
Please Note: ADFS signing certificates are typically valid for only a year. ADFS may automatically rotate to the most current certificate, which breaks the trust between Keeper SSO Connect and ADFS. A new FederationMetadata.xml file will need to be generated and uploaded to Keeper SSO Connect to restore operation. We strongly recommend setting a reminder before the certificate expires so this step can be performed in time to maintain operation.
Export Keeper Metadata
Next, download the Keeper metadata file so it can be imported during the Relying Party Trust Wizard. Navigate to the view screen of the Keeper SSO Connect Cloud™ provisioning.
Click the "Export Metadata" button to download the config.xml file. This will be used in a few steps ahead.
Finish AD FS Configuration
Create Relying Party Trust
Create Keeper SSO Connect as a Relying Party Trust:
Import Keeper Metadata
Import the Keeper metadata file exported earlier from the Keeper SSO Connect Cloud™ view screen by completing the Relying Party Trust Wizard, as shown in the steps below:
If you run Get-ADFSRelyingPartyTrust again, you'll see that the SamlResponseSignature property is set to "MessageAndAssertion".
Restart AD FS services
From the Services manager, restart the AD FS service.
SAML assertion signing must be configured properly on your AD FS environment. If signing has not been configured, you will need to set this up, then exchange metadata again between AD FS and Keeper SSO Connect after the re-configuration.
If, after setting up Keeper SSO Connect, a user gets "SSO is not configured (undefined)", a possible root cause is a missing or incorrect CRL configuration.
A simple fix/workaround is to disable all certificate revocation checks.
Possible Root Causes
Ensure that Keeper SSO Connect and the IdP have the same system time (within 1 second).
Set NTP sync
PS C:\Windows\system32> w32tm /config /syncfromflags:manual /manualpeerlist:"0.pool.ntp.org,0x8 1.pool.ntp.org,0x8 2.pool.ntp.org,0x8 3.pool.ntp.org,0x8" /reliable:yes /update
Certificate Validation Failure
Verify the settings. Run PowerShell as Administrator and inspect the relying party trust with Get-ADFSRelyingPartyTrust.
Follow the "SAML Signing Configuration" instructions above
If you need to disable certificate validation on the IdP for testing purposes or for internal PKI certificates, you can use the below PowerShell commands. Replace <Identifier> with the string found in the "SAML Signing Configuration" instructions above.
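The following audit script is an added example, not part of the Keeper documentation or product; it checks the three troubleshooting points above (assertion signing mode, revocation-check settings, and signing-certificate expiry plus clock sync) from an elevated PowerShell on the AD FS server. It assumes the ADFS module is loaded and that <Identifier> is replaced with the relying party identifier from the "SAML Signing Configuration" instructions.

```powershell
# Added example (not Keeper's own code): audit the Keeper relying party trust on AD FS.
# Assumption: $KeeperIdentifier is the identifier string from the SAML Signing Configuration step.
$KeeperIdentifier = "<Identifier>"   # placeholder, replace before running

$rp = Get-AdfsRelyingPartyTrust -Identifier $KeeperIdentifier
if (-not $rp) { throw "No relying party trust found for identifier '$KeeperIdentifier'" }

# 1. SAML response signing: Keeper expects both the message and the assertion to be signed.
if ($rp.SamlResponseSignature -ne 'MessageAndAssertion') {
    Write-Warning "SamlResponseSignature is '$($rp.SamlResponseSignature)'; expected 'MessageAndAssertion'."
} else {
    Write-Output "SamlResponseSignature = MessageAndAssertion (OK)"
}

# 2. Revocation checking: a value of 'None' means CRL checks are disabled for this trust.
#    Reporting it makes sure a testing-only workaround is not left in place unnoticed.
foreach ($name in 'SigningCertificateRevocationCheck', 'EncryptionCertificateRevocationCheck') {
    $value = $rp.$name
    Write-Output ("{0} = {1}" -f $name, $value)
    if ($value -eq 'None') { Write-Warning "$name is disabled; re-enable it once the CRL issue is fixed." }
}

# 3. Token-signing certificate expiry: these certificates usually last about a year, and an
#    automatic rollover breaks the trust until metadata is re-exchanged with Keeper.
foreach ($cert in Get-AdfsCertificate -CertificateType Token-Signing) {
    $daysLeft = ($cert.Certificate.NotAfter - (Get-Date)).Days
    Write-Output ("Token-Signing primary={0} thumbprint={1} expires in {2} days" -f $cert.IsPrimary, $cert.Thumbprint, $daysLeft)
    if ($daysLeft -lt 30) { Write-Warning "Token-signing certificate expires soon; plan to re-export FederationMetadata.xml to Keeper." }
}
Write-Output ("AutoCertificateRollover = {0}" -f (Get-AdfsProperties).AutoCertificateRollover)

# 4. Clock sync: SAML assertions are time-bounded, so the server must be within 1 second of the IdP.
w32tm /query /status
```

The same two revocation-check parameters exist on Set-AdfsRelyingPartyTrust (with -TargetIdentifier), so the values this script reports are the ones the testing-only workaround changes and the ones to restore afterwards.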