How to configure Keeper SSO Connect™ Cloud with DUO SSO for seamless and secure SAML 2.0 authentication.
Please complete the steps in the Admin Console Configuration section first.
These instructions assume Duo has already been successfully enabled and configured with an authentication source (Active Directory or an IdP).

Step 1: DUO SSO Configuration

Log in to the Duo Admin Panel and click Protect an Application in the navigation bar on the left.
Protect an Application

Step 2: Protect Generic Application

Locate the entry for Generic Service Provider with a protection type of "2FA with SSO hosted by Duo (Single Sign-On)" in the applications list. Click Protect on the far right to start configuring Generic Service Provider.
Protect Generic Application

Step 3: Metadata

The Download section is where you can download the SAML metadata file to upload into your SSO provisioning method.
Download DUO Metadata file
Back on the Keeper Admin console, locate your DUO SSO Connect Cloud Provisioning method and select Edit.
Edit DUO SSO Provisioning Method
Scroll down to the Identity Provider section, set IDP Type to GENERIC, select Browse Files and select the DUO Metadata file previously downloaded.
Still within the Keeper Admin Console, exit Edit View and select View on your DUO SSO Connect Cloud Provisioning method. Within the Service Provider section you will find the metadata values for the Entity ID, IDP Initiated Login Endpoint and Assertion Consumer Service (ACS) Endpoint.
Single Logout Service (SLO) Endpoint is optional.
View DUO SSO Provisioning Method
Return to the application page in your Duo Admin Panel, then copy and paste the Entity ID, Login Endpoint and ACS Endpoint into the Service Provider section.
Keeper Metadata Info

Step 4: Map User Attributes

Within the SAML Response section, scroll down to Map attributes and map the following attributes.
Ensure that 3 attributes ("First", "Last" and "Email") are configured with the exact spelling as seen below.
User Attributes
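To check the exact-spelling requirement against what Duo actually sends, this added example (not part of Keeper's or Duo's documentation) parses the AttributeStatement of a decoded, unencrypted SAML response and reports any of the three names that is missing or differs in case or whitespace. The sample XML is constructed, and `check_attributes` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("First", "Last", "Email")  # exact names from Step 4

# Constructed sample: an AttributeStatement as it might appear in a decoded
# SAML response captured during a test login (names and values are made up).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="First"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="last"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Email "><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_attributes(xml_text, required=REQUIRED):
    """Return {required_name: problem} for every attribute that is missing,
    misspelled (case/whitespace differs) or present with no value."""
    # Meant for your own captured response; use defusedxml for untrusted XML.
    root = ET.fromstring(xml_text)
    sent = {}
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", SAML_NS)
                  if v.text and v.text.strip()]
        sent[attr.get("Name", "")] = values
    problems = {}
    for name in required:
        if name in sent:
            if not sent[name]:
                problems[name] = "present but empty"
            continue
        # Look for a name that matches only after normalising case/whitespace.
        near = [n for n in sent if n.strip().lower() == name.lower()]
        if near:
            problems[name] = f"sent as {near[0]!r}; name must match exactly"
        else:
            problems[name] = "missing"
    return problems


if __name__ == "__main__":
    for name, problem in check_attributes(SAMPLE).items():
        print(f"{name}: {problem}")
```

An empty result means all three attributes arrived with the exact names and a non-empty value.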

Step 5: Policy

The Policy section defines when and how users will authenticate when accessing this application. Your global policy always applies, but you can override its rules with custom policies.
User or Group Policy

Step 6: Global Policy

Within the Global Policy section, review, edit and verify any Global Policy as seen fit by your DUO and/or Keeper administrator.

Step 7: Settings

Within the Settings section, name the application Keeper Security EPM - Single Sign-On. All other settings are set as seen fit by your DUO and/or Keeper administrator.
Keeper Security EPM - Single Sign-On
At the very bottom of the page, click on Save to save the protected application settings.
Save Settings
Success! Your Keeper Security EPM - Single Sign-On setup is now complete!
If you find that your Keeper Security EPM - Single Sign-On application is not functional, please review your Keeper Security EPM - Single Sign-On application settings and repeat Steps 3 - 7.
If you need assistance implementing the Keeper Security EPM - Single Sign-On application within your DUO environment, please email [email protected]

Move existing users/initial admin to SSO authentication

Users created in the root node (top level) will need to be migrated to the sub node that the SSO integration was configured on. If users remain in the root node, they will be prompted for the master password when accessing the vault and/or admin console.
An admin cannot move themselves to the SSO enabled node. It requires another admin to perform this action.
After the user is moved to the SSO enabled node, they need to log into the Keeper vault initially by selecting the "Enterprise SSO" pull down and entering the Enterprise Domain configured on the SSO integration. The user may get prompted to confirm by entering the master password.
Initially select 'Enterprise SSO Login'
Once the user has authenticated with SSO, they only need to use their email address moving forward to initiate SSO authentication.
They won't have to enter the Enterprise Domain.