Other SAML 2.0 Providers
How to configure Keeper SSO Connect™ Cloud with your SSO Application for seamless and secure SAML 2.0 authentication.
Please complete the steps in the Admin Console Configuration section first.
Keeper is compatible with any SAML 2.0 identity provider. If your identity provider is not in our list, you can follow the steps in this guide to complete the configuration.

Step 1: Configure your SSO Application

You'll need to provide some information about Keeper SSO Connect™ Cloud to your SSO application, such as the Entity ID, IDP Initiated Login, Assertion Consumer Service (ACS) Endpoint, Single Logout Service (SLO) Endpoint, and a metadata file or certificate file. To obtain this information, locate your SSO Connect™ Cloud Provisioning method in the Keeper Admin Console and select View. From there you can download the metadata file and the certificate file, or copy the direct URLs and configuration information if your SSO application does not support uploading the metadata file.
View Keeper SSO Connect Cloud Provisioning Method
Keeper SSO Connect Cloud Configuration Information
Refer to your SSO application's configuration guide for instructions on how to upload the metadata and/or manually enter the required SAML response configuration fields.

Step 2: Obtain your SSO Application Metadata

To import your SSO Application's metadata into Keeper, you will need a properly formatted metadata file. If your SSO Application can export its metadata file, that is the quickest and preferred way to import your metadata into your Keeper SSO Connect™ Cloud Provisioning method.
If you cannot export or download the metadata file from your SSO Application, please create a properly formatted metadata file. Refer to your SSO application's configuration guide for instructions.
Below is an example / template of what a simple metadata.xml file for Keeper SSO Connect™ Cloud should look like. To use it as a starting point, copy and paste it into your preferred .xml or .txt editor, then modify it and add any other fields in accordance with your SSO Application's information.
Please DO NOT remove any fields as this example contains the minimum required fields to connect your SSO application to Keeper.
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor entityID="MySSOApp" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" WantAuthnRequestsSigned="true">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAW2r5jDoMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG
A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU
MBIGA1UECwwLU1NPUHJvdmlkZXIxEzARBgNVBAMMCmRldi0zODk2MDgxHDAaBgkqhkiG9w0BCQEW
DWluZm9Ab2t0YS5jb20wHhcNMTkxMDA4MTUwMzEyWhcNMjkxMDA4MTUwNDEyWjCBkjELMAkGA1UE
BhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiqGcmFuY2lzY28xDTALBgNV
BAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRMwEQYDVQQDDApkZXYtMzg5NjA4MRwwGgYJ
KoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
hr4wSYmTB2MNFuXmbJkUy4wH3vs8b8MyDwPF0vCcjGLl57etUBA16oNnDUyHpsY+qrS7ekI5aVtv
a9BbUTeGv/G+AHyDdg2kNjZ8ThDjVQcqnJ/aQAI+TB1t8bTMfROj7sEbLRM6SRsB0XkV72Ijp3/s
laMDlY1TIruOK7+kHz3Zs+luIlbxYHcwooLrM8abN+utEYSY5fz/CXIVqYKAb5ZK9TuDWie8YNnt
7SxjDSL9/CPcj+5/kNWSeG7is8sxiJjXiU+vWhVdBhzkWo83M9n1/NRNTEeuMIAjuSHi5hsKag5t
TswbBrjIqV6H3eT0Sgtfi5qtP6zpMI6rxWna0QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBr4tMc
hJIFN2wn21oTiGiJfaxaSZq1/KLu2j4Utla9zLwXK5SR4049LMKOv9vibEtSo3dAZFAgd2+UgD3L
C4+oud/ljpsM66ZQtILUlKWmRJSTJ7lN61Fjghu9Hp+atVofhcGwQ/Tbr//rWkC35V3aoQRS6ed/
QKmy5Dnx8lc++cL+goLjFVr85PbDEt5bznfhnIqgoPpdGO1gpABs4p9PXgCHhvkZSJWo5LobYGMV
TMJ6/sHPkjZ+T4ex0njzwqqZphiD9jlVcMR39HPGZF+Y4TMbH1wsTxkAKOAvXt/Kp77jdj+slgGF
gRfaY7OsPTLYCyZpEOoVtAyd5i6x4z0c</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Location="https://sso.mycompany.com/saml2/keepersecurity"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
    <md:SingleSignOnService Location="https://sso.mycompany.com/saml2/keepersecurity"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
| Name | Description |
| --- | --- |
| EntityDescriptor | This is the Entity ID, sometimes referred to as "Issuer", and the unique name for your SSO application. |
| X509Certificate | This is the X509 Certificate, used by Keeper to validate the signature on the SAML response sent by your SSO application. |
| NameIDFormat | This defines the name identifier format used when logging into Keeper. Keeper supports the following types of identifiers: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress or urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified |
| SingleSignOnService "POST" | This is your SSO application's "POST" binding used as a response to a request from Keeper. |
| SingleSignOnService "Redirect" | This is your SSO application's "Redirect" binding used as a response to a request from Keeper. |
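
A pre-upload check for a hand-written metadata file, given here as an added example and not as Keeper's own code: it confirms that the fields of the template are present and returns the SHA-256 fingerprint of the signing certificate. The function name, the https:// requirement and the rejection of DOCTYPE declarations are assumptions of this example; the sample input is constructed and carries placeholder bytes instead of a real certificate.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:"
NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:"
CERT_PATH = "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"

def check_idp_metadata(xml_text):
    """Return (problems, SHA-256 hex fingerprint of the signing cert or None)."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        return ["DTD/entity declarations do not belong in SAML metadata"], None
    root = ET.fromstring(xml_text.encode("utf-8"))  # raises ET.ParseError if malformed
    problems = []
    if root.tag != "{%s}EntityDescriptor" % NS["md"] or not root.get("entityID"):
        problems.append("root must be md:EntityDescriptor with an entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return problems + ["missing md:IDPSSODescriptor"], None
    cert, fingerprint = idp.find(CERT_PATH, NS), None
    try:  # certificate text is base64 DER, usually wrapped over several lines
        der = base64.b64decode("".join(cert.text.split()), validate=True)
        fingerprint = hashlib.sha256(der).hexdigest() if der else None
    except (AttributeError, ValueError):
        pass  # element missing, empty, or not valid base64
    if fingerprint is None:
        problems.append("missing or non-base64 signing X509Certificate")
    formats = {e.text.strip() for e in idp.findall("md:NameIDFormat", NS) if e.text}
    if not formats & {NAMEID + "emailAddress", NAMEID + "unspecified"}:
        problems.append("NameIDFormat must be emailAddress or unspecified")
    sso = {s.get("Binding"): s.get("Location", "") for s in idp.findall("md:SingleSignOnService", NS)}
    for name in ("HTTP-POST", "HTTP-Redirect"):
        if BINDING + name not in sso:
            problems.append("missing SingleSignOnService with %s binding" % name)
        elif not sso[BINDING + name].startswith("https://"):
            problems.append("%s Location is not an https:// URL" % name)
    return problems, fingerprint

# Constructed sample: the page's template with placeholder bytes, not a real certificate.
FAKE_DER = b"constructed placeholder, not a real certificate"
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor entityID="MySSOApp" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
<md:SingleSignOnService Location="https://sso.mycompany.com/saml2/keepersecurity" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
<md:SingleSignOnService Location="https://sso.mycompany.com/saml2/keepersecurity" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
</md:IDPSSODescriptor></md:EntityDescriptor>""" % base64.b64encode(FAKE_DER).decode()
```

Before uploading the file, compare the returned fingerprint with the one your identity provider displays for its signing certificate.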

Step 3: Map User Attributes

Keeper requires that you map specific User Attributes to be sent during authentication. The default Keeper SSO Connect™ Cloud User Attributes are Email, First and Last, as outlined in the table below. Ensure your SSO Application's User Attributes line up with Keeper's. Refer to your SSO application's configuration guide for instructions.
| Your SSO Application User Attributes | Keeper SSO Connect™ Cloud User Attributes |
| --- | --- |
| <Email Address> | Email |
| <First Name> | First |
| <Last Name> | Last |

Step 4: Upload Metadata to Keeper

Once you have finished creating your metadata file, head back to the Keeper Admin Console, locate your SSO Connect™ Cloud Provisioning method and select Edit.
Edit SSO Provisioning Method
Scroll down to the Identity Provider section, set IDP Type to GENERIC, select Browse Files and select the Metadata file you created.
Upload your Metadata File
Still within the Keeper Admin Console, exit Edit View and select View on your SSO Connect™ Cloud Provisioning method. Within the Identity Provider section you will find the metadata values for the Entity ID, Single Sign On Service and Single Logout Service Endpoint.
Your SSO Application's Metadata
Success! Your Keeper Security EPM - Single Sign-On setup is now complete! You may now try logging into Keeper with SSO.
If you find that your Keeper Security EPM - Single Sign-On application is not functional, please review your Keeper Security EPM - Single Sign-On application settings and review your metadata file and user attributes for any errors. Once complete, repeat Step 4.
If you need assistance, please email [email protected]