# Amazon AWS

{% hint style="success" %}
Please complete the steps in the [Admin Console Configuration](https://docs.keeper.io/en/sso-connect-cloud/admin-console-configuration) section first.
{% endhint %}

<figure><img src="https://2503956294-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MB_i6vKdtG6Z2n6zWgJ%2Fuploads%2FBnRSpTFkIyGkfz2uud2G%2FAWS.jpg?alt=media&#x26;token=94139d5b-4854-46d0-b6aa-19999c38519c" alt=""><figcaption></figcaption></figure>

### AWS SSO

Log into AWS and select AWS Single Sign-On.

![](https://2503956294-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MB_i6vKdtG6Z2n6zWgJ%2F-MBuXeCfNWIkZlTL7Yv2%2F-MBuXy1RL4M4jZYGOtSE%2Fsso-step-162b.png?alt=media\&token=17c7f3d5-d83f-46a1-bf76-50d0042c5ebd)

On the SSO Dashboard, select Configure SSO access to your cloud applications.

![](https://2503956294-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MB_i6vKdtG6Z2n6zWgJ%2F-MBuXeCfNWIkZlTL7Yv2%2F-MBuY--GSpGrclS0xo3j%2Fsso-step-163b.png?alt=media\&token=fa2e2ac0-2927-4505-a5c2-e64e46444832)

On the Applications menu, select **Add a new application**.

![](https://2503956294-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MB_i6vKdtG6Z2n6zWgJ%2F-MBuXeCfNWIkZlTL7Yv2%2F-MBuY0GlgFTaD94jNvIp%2Fsso-step-164b.png?alt=media\&token=b44a300d-0c6f-4242-b2eb-dd0f35595b17)

Next, select **Keeper Security** and select **Add**.

![](https://2503956294-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MB_i6vKdtG6Z2n6zWgJ%2F-MBuXeCfNWIkZlTL7Yv2%2F-MBuY20FyulleeIx4oi5%2Fsso-step-165b.png?alt=media\&token=eed6206e-6eb6-4ece-9869-55786616bb55)

{% hint style="info" %}
**Keeper is working with AWS to develop an Application Connector.**
{% endhint %}

Fill in the Display name and Description (optional) in the application details section.

![](https://2503956294-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MB_i6vKdtG6Z2n6zWgJ%2F-MBuXeCfNWIkZlTL7Yv2%2F-MBuY575ZDdG1Surm8rM%2Fsso-step-166b.png?alt=media\&token=5403edbb-c5c9-46e3-b0e2-fdb73c3a3a6d)

In the AWS SSO metadata section, select the download button to export the AWS SSO SAML metadata file. This file is imported into the IdP Metadata section of the SSO Connect configuration screen.

![](https://2503956294-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MB_i6vKdtG6Z2n6zWgJ%2F-MBuXeCfNWIkZlTL7Yv2%2F-MBuY6zMgj_Sv_9ziay7%2Fsso-step-167b.png?alt=media\&token=b72ae5a4-8d85-463c-96c3-95320dbe666c)

Copy this file to the Keeper SSO Connect server and upload it into the Keeper SSO Connect interface, either by browsing to the file or by dragging and dropping it into the Configuration screen's SAML Metadata area:

![](https://2503956294-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MB_i6vKdtG6Z2n6zWgJ%2F-MFWfvDRWtPO_nevjaaS%2F-MFWiJRm6Gowf7kh-Vmv%2FGenericUPload.png?alt=media\&token=7b5f170b-8a59-4883-8a28-d39e0c04316d)

Next, download the Keeper metadata file and upload it as the AWS application metadata file. Navigate to the view screen of the Keeper SSO Connect Cloud™ provisioning.

![Enter View Screen](https://2503956294-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MB_i6vKdtG6Z2n6zWgJ%2F-MF6qXz87_x0Liy5MwqV%2F-MF6wuzY9HNPfwoC_vLk%2FView.png?alt=media\&token=7bd082f3-56ba-4ede-b3c6-25ff0767cc6d)

Click the "Export Metadata" button to download the config.xml file.

![Export Keeper Metadata](https://2503956294-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MB_i6vKdtG6Z2n6zWgJ%2F-MF6qXz87_x0Liy5MwqV%2F-MF6xOjnK9PJBqEBZBBp%2FDownload%20Keeper%20Metadata.png?alt=media\&token=f02b540f-2098-4e89-9992-9135e37fbbad)


Back on the AWS SSO application configuration, select the **Select File** button and choose the **config.xml** file downloaded in the previous step.

![](https://2503956294-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MB_i6vKdtG6Z2n6zWgJ%2F-MBuXeCfNWIkZlTL7Yv2%2F-MBuYVRklq09uWXwdE8Y%2Fsso-step-170b.png?alt=media\&token=6f756213-66ec-40f3-acab-c7af3fa5b796)

After saving the changes, the **Configuration for Keeper Password Manager has been saved** success message is displayed.

![](https://2503956294-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MB_i6vKdtG6Z2n6zWgJ%2F-MBuXeCfNWIkZlTL7Yv2%2F-MBuYXS4csDoS49e8XJt%2Fsso-step-171b.png?alt=media\&token=99d2913e-b0a1-455c-b52b-9934a5b3692a)

{% hint style="info" %}
**Note: The Keeper SSL certificate cannot be larger than 2048K, or the error below will be received.**
{% endhint %}

![](https://2503956294-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MB_i6vKdtG6Z2n6zWgJ%2F-MBuXeCfNWIkZlTL7Yv2%2F-MBuYZdEYEG5VI1z399u%2Fsso-step-172b.png?alt=media\&token=7f5bf29e-88e4-4077-aae4-0c7cad95f0e3)

* Either generate a smaller SSL certificate, then re-export and re-import the metadata file, or manually set the ACS URL and Audience URL in the AWS SSO application configuration.
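When the metadata upload is rejected and you fall back to entering the ACS URL and Audience URL by hand, the values come from the exported config.xml itself: the Audience is the `entityID` of the `EntityDescriptor`, and the ACS URL is the `Location` of the HTTP-POST `AssertionConsumerService`. The script below is an added example, not Keeper's or AWS's code, that extracts those values and reports the size of each embedded certificate so you can see what the upload choked on. The metadata it parses is a constructed stand-in: the URLs are placeholders and the certificate is 1200 bytes of filler rather than a real X.509 certificate.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed stand-in for the exported config.xml (assumed shape). The
# entityID and ACS URL are placeholders; the certificate is filler bytes,
# not a real certificate, so only its encoded size is meaningful here.
FAKE_CERT_B64 = base64.b64encode(b"\x30" * 1200).decode()
SAMPLE_SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://sso.example.com/keeper/sp">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService index="0" isDefault="true" Binding="{HTTP_POST}"
        Location="https://sso.example.com/keeper/sp/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def summarize_sp_metadata(xml_text):
    """Pull the Audience (entityID), ACS URL and certificate sizes out of SP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        # An IDPSSODescriptor here means the AWS-side file was picked by mistake.
        raise ValueError("no SPSSODescriptor: this is not the Keeper (SP) metadata file")
    acs_list = sp.findall("md:AssertionConsumerService", NS)
    if not acs_list:
        raise ValueError("no AssertionConsumerService endpoint")
    # AWS SSO posts the Response to the SP, so prefer the default HTTP-POST endpoint.
    acs = next((a for a in acs_list if a.get("isDefault") == "true" and a.get("Binding") == HTTP_POST),
               next((a for a in acs_list if a.get("Binding") == HTTP_POST), acs_list[0]))
    certs = []
    for kd in sp.findall("md:KeyDescriptor", NS):
        node = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if node is not None and node.text:
            # Base64 text is wrapped in metadata files; strip whitespace before decoding.
            der = base64.b64decode("".join(node.text.split()))
            certs.append({"use": kd.get("use", "signing and encryption"), "der_bytes": len(der)})
    return {
        "audience": root.get("entityID"),
        "acs_url": acs.get("Location"),
        "acs_binding": acs.get("Binding"),
        "wants_signed_assertions": sp.get("WantAssertionsSigned") == "true",
        "certificates": certs,
    }


if __name__ == "__main__":
    for key, value in summarize_sp_metadata(SAMPLE_SP_METADATA).items():
        print(f"{key}: {value}")
```

Run it against the real config.xml by replacing `SAMPLE_SP_METADATA` with the file's contents; the `audience` and `acs_url` fields are the two values AWS SSO asks for when you set them manually, and a `ValueError` about a missing `SPSSODescriptor` means you picked the AWS-side IdP metadata file instead of Keeper's export.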

Next, ensure the Keeper application attributes that are mapped to AWS SSO are correct (these should be set by default). Select the **Attribute mappings** tab.

The Subject is mapped to the AWS string value ${user:subject}, with the format left blank or set to unspecified.

The Keeper attributes are set as follows:

| Keeper Attribute | AWS SSO String Value | Format      |
| ---------------- | -------------------- | ----------- |
| Email            | ${user:email}        | unspecified |
| First            | ${user:givenName}    | unspecified |
| Last             | ${user:familyName}   | unspecified |

![](https://2503956294-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MB_i6vKdtG6Z2n6zWgJ%2F-MBuXeCfNWIkZlTL7Yv2%2F-MBuYikx4_80RIW3vUVx%2Fsso-step-173b.png?alt=media\&token=817f851a-8a01-4237-ad0a-cf3a62010850)

![](https://2503956294-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MB_i6vKdtG6Z2n6zWgJ%2F-MBuXeCfNWIkZlTL7Yv2%2F-MBuYk4ALywkKcV93tFC%2Fsso-step-174b.png?alt=media\&token=bbeaa2b3-4939-4b0b-977e-d7d1c05066ea)

{% hint style="info" %}
**Note: If your AWS email attribute is mapped to the AD UPN (which may not be the actual email address of your users), it can be re-mapped to the email address in the user's AD profile.**
{% endhint %}

To make this change, navigate to **Connect Directory** on the AWS SSO page.

![](https://2503956294-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MB_i6vKdtG6Z2n6zWgJ%2F-MBuXeCfNWIkZlTL7Yv2%2F-MBuYlPqetIguoO-79yb%2Fsso-step-175b.png?alt=media\&token=bef3e55c-83f2-4ea9-81f0-231acd9bd32a)

Select the **Edit attribute mappings** button.

![](https://2503956294-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MB_i6vKdtG6Z2n6zWgJ%2F-MBuXeCfNWIkZlTL7Yv2%2F-MBuYmf39cxjKQHxiN8z%2Fsso-step-176b.png?alt=media\&token=db68d01f-b252-485c-89b2-b6b4e1bc6164)

Change the AWS SSO **email** attribute from ${dir:windowsUpn} to ${dir:email}.

![](https://2503956294-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MB_i6vKdtG6Z2n6zWgJ%2F-MBuXeCfNWIkZlTL7Yv2%2F-MBuYuV1tX4mHAmLb3MH%2Fsso-step-177b.png?alt=media\&token=2c66c56c-3790-43ba-80fe-c48e24823fe1)

Select the **Assigned users** tab and then the **Assign users** button to choose the users or groups to assign to the application.

![](https://2503956294-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MB_i6vKdtG6Z2n6zWgJ%2F-MBuXeCfNWIkZlTL7Yv2%2F-MBuYw6qzqS1Yee5IL7a%2Fsso-step-178b.png?alt=media\&token=44b8f757-e309-4b15-a129-390d97415924)

On the Assign Users window:

* Select either Groups or Users
* Type the name of a group or user
* Select **Search connect directory** to initiate the search.

![](https://2503956294-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MB_i6vKdtG6Z2n6zWgJ%2F-MBuXeCfNWIkZlTL7Yv2%2F-MBuYyE0d9HKEOXjD13b%2Fsso-step-179b.png?alt=media\&token=c677a255-9bbb-4422-b956-4dd16e93302c)

The results of the directory search will display under the search window.

![](https://2503956294-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MB_i6vKdtG6Z2n6zWgJ%2F-MBuXeCfNWIkZlTL7Yv2%2F-MBuZ0ZzW18zaFcsv4Je%2Fsso-step-180b.png?alt=media\&token=b778d38f-908d-4f56-b3cb-5c7aebc41c9d)

Select the users/groups that should have access to the application and then select the **Assign users** button.

![](https://2503956294-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MB_i6vKdtG6Z2n6zWgJ%2F-MBuXeCfNWIkZlTL7Yv2%2F-MBuZ1ejEB9FlT1JK8ll%2Fsso-step-181b.png?alt=media\&token=96db4ddb-7f82-475a-9523-4e07da295d4d)

**Note: Keeper SSO Connect expects that the SAML response is signed. Ensure that your identity provider is configured to sign SAML responses.**
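A quick way to confirm both of the points above before users are cut over is to capture one SAML Response from AWS SSO (the browser's developer tools show the POST to the ACS URL; the `SAMLResponse` field is base64) and check that it carries a signature and that the Subject and the `Email`, `First` and `Last` attributes from the mapping table arrive as expected. The checker below is an added example and not Keeper's code. It works on a constructed Response whose signature element is a placeholder, so it tests presence and structure only: verifying the signature cryptographically needs the IdP certificate from the AWS metadata file and an XML-DSig library, which this example deliberately leaves out. The issuer, audience and user are invented.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
REQUIRED_ATTRS = ("Email", "First", "Last")  # attribute names from the mapping table

# Constructed sample. The signature is a placeholder element, not real XML-DSig,
# so the checks below run offline; issuer, audience and user are invented.
SIGNATURE_PLACEHOLDER = ('<ds:Signature><ds:SignedInfo/>'
                         '<ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>')
EXPECTED_AUDIENCE = "https://sso.example.com/keeper/sp"
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  {SIGNATURE_PLACEHOLDER}
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{EXPECTED_AUDIENCE}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="Email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="First"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Last"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def check_response(xml_text, expected_audience):
    """Return the subject, the mapped attributes and a list of structural problems.
    A present ds:Signature only shows the IdP is configured to sign the Response;
    it is not a verification of the signature."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("not a samlp:Response")
    problems = []
    if root.find("ds:Signature", NS) is None:
        problems.append("Response is not signed")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no Assertion")
        return {"name_id": None, "attributes": {}, "problems": problems}
    audience = assertion.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    if audience is None or (audience.text or "").strip() != expected_audience:
        problems.append("Audience does not match the Keeper entityID")
    node = assertion.find("saml:Subject/saml:NameID", NS)
    name_id = (node.text or "").strip() if node is not None else ""
    if not name_id:
        problems.append("missing NameID (the AWS ${user:subject} mapping)")
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    for name in REQUIRED_ATTRS:
        if not attrs.get(name):
            problems.append(f"missing attribute {name}")
    return {"name_id": name_id or None, "attributes": attrs, "problems": problems}


if __name__ == "__main__":
    print(check_response(SAMPLE_RESPONSE, EXPECTED_AUDIENCE))
```

An empty `problems` list means the Response is signed, addressed to the Keeper entityID, and carries the three mapped attributes; a missing `Email` value, or one that holds a UPN rather than a mailbox address, is the symptom the directory re-mapping step above fixes.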

Your Keeper SSO Connect setup is now complete!

#### Move existing users/initial admin to SSO authentication

Users created in the root node (top level) will need to be migrated to the sub node that the SSO integration was configured on. If users remain in the root node, they will be prompted for the master password when accessing the vault and/or admin console.

{% hint style="warning" %}
An admin cannot move themselves to the SSO-enabled node; another admin must perform this action.
{% endhint %}

After the user is moved to the SSO-enabled node, they need to log into the Keeper vault initially by selecting the "Enterprise SSO" pull-down and entering the Enterprise Domain configured on the SSO integration. The user may be prompted to confirm by entering the master password.

<figure><img src="https://2503956294-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MB_i6vKdtG6Z2n6zWgJ%2Fuploads%2FfFPNzWDvSwH48ebLJOeY%2FSSO_Login.png?alt=media&#x26;token=f7bc0249-986d-427d-9746-0e7873ff7840" alt=""><figcaption><p>Initially select 'Enterprise SSO Login'</p></figcaption></figure>

Once the user has authenticated with SSO, they only need to use their email address moving forward to initiate SSO authentication.

<figure><img src="https://2503956294-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MB_i6vKdtG6Z2n6zWgJ%2Fuploads%2FDrVwIHQiMQDtlxeJey0G%2Fvault_Login.PNG?alt=media&#x26;token=2e435451-c23e-41bd-91e2-8ec49a216c16" alt=""><figcaption></figcaption></figure>

They won't have to enter the Enterprise Domain. If typing in the email address and clicking Next does not route the user to the desired SSO, ensure that just-in-time provisioning is enabled in the Keeper SSO configuration and ensure that your email domain is reserved by Keeper. More information regarding routing and domain reservation [can be found here](https://docs.keeper.io/enterprise-guide/domain-reservation).
