CloudGate UNO
How to configure Keeper SSO Connect Cloud with CloudGate for seamless and secure SAML 2.0 authentication.
Please complete the steps in the Admin Console Configuration section first.
CloudGate SSO Configuration
(1) Log into the CloudGate Administrator console.
Click the Administration tile on the menu.
(2) Next, Select the Service Provider menu item and click Add Service Provider.
On the "Add Service Provider" page, search for Keeper in the search bar. Select and click the "Keeper SSO Connect Cloud" icon.
(3) Set the Display name at General Settings tab to “Keeper_SSO_Cloud_Connet” or whatever you prefer.
(4) Next, at the SSO Settings tab, you need the "Entity ID" and Other information that comes from the Keeper Admin Console.
Copy and Paste the Entity ID and Other information into the SSO Settings page in the CloudGate screen.
Your SSO ID can be found at the end of your SP Entity ID. Ex: https://keepersecurity.com/api/rest/sso/saml/3534758084794
(5) Click Add the Additional Attributes, and set Filed Name "Email" and the Value "${MAIL_ADDRESS}". Now you can save the configuration.
(Optional) Enable Single Logout
If you would like to enable the Single Logout feature in CloudGate, go to the SSO Settings tab and enter Logout URL and then upload the SP Cert which comes from the Keeper Admin Console.
To first download the SP Cert, view the SSO configuration on Keeper and click the Export SP Cert button.
Next, Copy and Paste the SLO Endpoint information into the SSO Settings page in the CloudGate screen.
(6) Last step is to export the metadata from "IDP Information for SMAL2.0" at SSO Settings tab to import it into the Keeper SSO Connect Cloud™.
Set the IDP Type to GENERIC and upload this file into the Keeper SSO Connect Cloud™ provisioning interface by dragging and dropping the file into the edit screen:
Assign Users
From CloudGate, you can now add users at User Settings tab on User Management page.
Please make sure if there is "Email address" value at at User Settings tab on User Management page.
Click "Save" to complete the configuration of Keeper SSO Connect Cloud with CloudGate.
Your Keeper SSO Connect setup is now complete!
CloudGate SCIM Provisioning
To enable CloudGate SCIM user and group provisioning please follow the instructions found within the Keeper Enterprise Guide: https://docs.keeper.io/enterprise-guide/user-and-team-provisioning/cloudgate-provisioning-with-scim
Move existing users/initial admin to SSO authentication
Users created in the root node (top level) will need to be migrated to the sub node that the SSO integration was configured on. If users remain in the root node, they will be prompted for the master password when accessing the vault and/or admin console.
An admin can not move themselves to the SSO enabled node. It requires another admin to perform this action.
After the user is moved to the SSO enabled node, they need to log into the Keeper vault initially by selecting the "Enterprise SSO" pull down and inputting in the Enterprise Domain configured on the SSO integration. The user may get prompted to confirm by entering in the master password.
Once the user has authenticated with SSO, they only need to use their email address moving forward to initiate SSO authentication.
They won't have to enter the Enterprise Domain. If typing in the email address and clicking Next does not route the user to the desired SSO, ensure that just-in-time provisioning is enabled in the Keeper SSO configuration and ensure that your email domain is reserved by Keeper. More information regarding routing and domain reservation can be found here.
Last updated
