Azure / O365
How to configure Keeper SSO Connect Cloud with Microsoft Azure for seamless and secure SAML 2.0 authentication.
Please complete the steps in the Admin Console Configuration section first.
(1) Add the Keeper Enterprise Application
Go to your Azure Admin account at and click on Azure Active Directory > Enterprise Applications. Note: If you already have a Keeper application set up for SCIM Provisioning, you can edit the existing application.
Enterprise Applications
(2) Click on "New Application" then search for Keeper and select "Keeper Password Manager & Digital Vault".
(3) Click "Create" to create the application.
(4) Click on the "Set up single sign on" then click "SAML"
(5) On the Keeper Admin Console, export the SAML Metadata file.
Go to View -> Export Metadata
(6) Upload the Metadata file into the Azure interface by selecting the "Upload metadata file" button.
and selecting the file just downloaded from the Keeper admin console and pressing the Add button.
(7) Azure will open up the SAML configuration screen.
The error on the missing "Sign on URL" field is anticipated.
To fix the error, copy the URL from the "IDP Initiated Login Endpoint" from the Admin Console SSO Cloud instance "view" screen, and paste it into the "Sign on URL" field.
Copy-paste the "IdP Initiated Login Endpoint" to "Sign on URL"
(8) Click on Save then close the window with the SAML configuration.
(9) After saving, you'll be asked to test the configuration. Don't do this. Wait a couple seconds then reload the Azure portal page on the web browser. Now, there should be a certificate section that shows up in the "SAML Signing Certificate" area.
Click on "Download" under the Federation Metadata XML section:
Download Metadata file
(10) Upload the Metadata file into the Keeper Admin Console
In the Admin Console, select Azure as the Identity Provider type and import the Federation Metadata file saved in the previous step the SAML Metadata section.
Upload SAML Metadata into Keeper
Don’t forget to select Azure as the IdP Type.
(11) Edit User Attributes & Claims
Under the User Attributes section, Azure will automatically create claims for User ID, First, Last and Email.
We recommend deleting the 4 claims in the "Additional Claims" section since they are not needed.
Delete Additional Claims
In your environment, if your user.userprincipalname (UPN) is not the same as the users actual email address, you can edit the Email claim and change it to user.mail as the value for the Email attribute.

User Provisioning

Users can be provisioned to the Keeper application through the Azure portal using manual or automated provisioning.


If only specific users or groups will be assigned to Keeper Password Manager the following setting will need to be changed. In your Azure console, navigate to Azure Active Directory > Enterprise Applications > Keeper Password Manager & Digital Vault and select Properties.
Change the User assignment required to Yes and then save. This will ensure only the user and groups assigned to the application will be able to use it.
User Assignment Settings
On the Users and groups section select the users and/or groups that are to be provisioned to the Keeper application.
Assign Users and Groups

Automated provisioning with SCIM

Last modified 16d ago
Export as PDF
Copy link