Generic SAML 2.0

How to configure Keeper SSO Connect™ Cloud with your SSO Application for seamless and secure SAML 2.0 authentication.

Be sure to have already performed the steps in the Admin Console Configuration section.

Step 1: Configure your SSO Application

You'll need to provide some information about Keeper SSO Connect™ Cloud to your SSO application: the Entity ID, the IdP-initiated login URL, the Assertion Consumer Service (ACS) endpoint, the Single Logout Service (SLO) endpoint, and either the metadata file or the certificate file. To obtain this information, locate your SSO Connect™ Cloud provisioning method in the Keeper Admin Console and select View. From there you can download the metadata file and the certificate file, and also read the direct URLs and configuration values if your SSO application does not support uploading a metadata file.

View Keeper SSO Connect Cloud Provisioning Method
Keeper SSO Connect Cloud Configuration Information

Refer to your SSO application's configuration guide for instructions on uploading metadata or manually entering the required SAML configuration fields.

Step 2: Obtain your SSO Application Metadata

To import your SSO application's metadata into Keeper, you will need a properly formatted metadata file. If your SSO application can export its metadata file, that is the quickest and preferred way to get it into your Keeper SSO Connect™ Cloud provisioning method. If you cannot export or download a metadata file from your SSO application, create a properly formatted one by hand; refer to your SSO application's configuration guide for the values you need.

Below is a template of a minimal metadata.xml file for Keeper SSO Connect™ Cloud. To use it, copy it into your preferred .xml or .txt editor, replace the entity ID, certificate and URLs with your SSO application's values, and add any other fields your SSO application requires.

Do NOT remove any fields: this template contains the minimum required fields to connect your SSO application to Keeper.

<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor entityID="MySSOApp" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" WantAuthnRequestsSigned="true">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAW2r5jDoMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG...</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Location="https://sso.mycompany.com/saml2/keepersecurity"
                            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
    <md:SingleSignOnService Location="https://sso.mycompany.com/saml2/keepersecurity"
                            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>

Name: Description

EntityDescriptor (entityID attribute)
  The Entity ID, sometimes referred to as the "Issuer": the unique name of your SSO application. Your SSO application sends this same value as the Issuer in its SAML responses, so it must match exactly.

X509Certificate
  The signing certificate of your SSO application. Keeper uses it to validate the signature on the SAML response your SSO application sends. Paste the base64 body of the certificate only, without the PEM BEGIN/END lines.

NameIDFormat
  The name identifier format used when logging into Keeper. Keeper supports the following identifier formats:

  urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

  or

  urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

SingleSignOnService "POST"
  Your SSO application's sign-on endpoint with the HTTP-POST binding. Keeper sends its authentication request (AuthnRequest) to this location using this binding.

SingleSignOnService "Redirect"
  Your SSO application's sign-on endpoint with the HTTP-Redirect binding. Keeper can deliver its authentication request to this location as a redirect instead of a form post.
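Metadata that is hand-built from the template above fails silently in the worst way: the upload succeeds but login does not. The following script is an added example, not Keeper's code or documentation, and checks a metadata.xml against the minimum fields listed in the table before you upload it: a non-empty entityID, a signing KeyDescriptor whose X509Certificate is real base64 that decodes to DER, a NameIDFormat Keeper supports, and SingleSignOnService endpoints for both bindings over HTTPS. It uses only the Python standard library. SAMPLE_METADATA is constructed from the template and carries a placeholder certificate, not a real one.

```python
"""Pre-flight check for an IdP metadata.xml before uploading it to Keeper SSO Connect Cloud.

Added example, not Keeper's own code. It enforces the minimum fields from the generic
SAML table (entityID, signing X509Certificate, supported NameIDFormat, SingleSignOnService
for the HTTP-POST and HTTP-Redirect bindings) using only the standard library.
"""
import base64
import binascii
import sys
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
SAML2P = "urn:oasis:names:tc:SAML:2.0:protocol"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
SUPPORTED_NAMEID = {
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
}

# Placeholder, NOT a real certificate: base64 of a 5-byte DER SEQUENCE so the
# structural check passes. A real file carries the IdP's signing certificate here.
PLACEHOLDER_CERT = base64.b64encode(b"\x30\x03\x02\x01\x00").decode()

# Constructed from the guide's template; the hostname and entityID are illustrative.
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor entityID="MySSOApp" xmlns:md="{MD}">
  <md:IDPSSODescriptor protocolSupportEnumeration="{SAML2P}" WantAuthnRequestsSigned="true">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="{DS}">
        <ds:X509Data><ds:X509Certificate>{PLACEHOLDER_CERT}</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Location="https://sso.mycompany.com/saml2/keepersecurity" Binding="{POST}"/>
    <md:SingleSignOnService Location="https://sso.mycompany.com/saml2/keepersecurity" Binding="{REDIRECT}"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def validate_idp_metadata(xml_text: str) -> list[str]:
    """Return a list of problems; an empty list means the file passes every check."""
    problems: list[str] = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    if root.tag != f"{{{MD}}}EntityDescriptor":
        return [f"root element is {root.tag}, expected md:EntityDescriptor"]
    if not root.get("entityID", "").strip():
        problems.append("EntityDescriptor has no entityID (the Issuer value Keeper matches against)")

    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        return problems + ["no md:IDPSSODescriptor element"]
    if SAML2P not in idp.get("protocolSupportEnumeration", "").split():
        problems.append("IDPSSODescriptor does not advertise SAML 2.0 protocol support")

    # Signing certificate: Keeper verifies the SAML response signature with it.
    # A KeyDescriptor without a use attribute is valid for signing and encryption.
    certs = [
        kd.find(f"{{{DS}}}KeyInfo/{{{DS}}}X509Data/{{{DS}}}X509Certificate")
        for kd in idp.findall(f"{{{MD}}}KeyDescriptor")
        if kd.get("use", "signing") == "signing"
    ]
    certs = [c for c in certs if c is not None and (c.text or "").strip()]
    if not certs:
        problems.append("no signing KeyDescriptor with an X509Certificate")
    for cert in certs:
        try:
            der = base64.b64decode("".join((cert.text or "").split()), validate=True)
        except (binascii.Error, ValueError):
            problems.append("X509Certificate is not valid base64 (PEM BEGIN/END lines left in?)")
            continue
        if not der or der[0] != 0x30:  # DER certificate starts with a SEQUENCE tag
            problems.append("X509Certificate does not decode to a DER certificate")

    # NameIDFormat: Keeper supports emailAddress or unspecified.
    formats = [(f.text or "").strip() for f in idp.findall(f"{{{MD}}}NameIDFormat")]
    if not formats:
        problems.append("no NameIDFormat declared")
    elif not SUPPORTED_NAMEID.intersection(formats):
        problems.append(f"NameIDFormat {formats} not supported by Keeper (need emailAddress or unspecified)")

    # Both SingleSignOnService bindings, and HTTPS so the AuthnRequest never travels in the clear.
    locations = {s.get("Binding"): s.get("Location", "") for s in idp.findall(f"{{{MD}}}SingleSignOnService")}
    for name, binding in (("HTTP-POST", POST), ("HTTP-Redirect", REDIRECT)):
        loc = locations.get(binding)
        if loc is None:
            problems.append(f"no SingleSignOnService with the {name} binding")
        elif not loc.startswith("https://"):
            problems.append(f"{name} SingleSignOnService Location is not https: {loc}")
    return problems


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_METADATA
    found = validate_idp_metadata(text)
    print("OK: metadata carries the fields Keeper needs" if not found else "\n".join(f"- {p}" for p in found))
```

Run it with the path to your metadata.xml; no output other than OK means the file carries the fields Keeper needs. The certificate check is structural only (base64 that decodes to a DER SEQUENCE): it does not prove the certificate is the one your IdP currently signs with, so also compare its fingerprint against what your SSO application displays.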

Step 3: Map User Attributes

Keeper requires specific user attributes to be sent in the SAML assertion during authentication. The default Keeper SSO Connect™ Cloud user attributes are Email, First and Last, as outlined in the table below. Ensure your SSO application's user attributes are mapped to Keeper's attribute names exactly. Refer to your SSO application's configuration guide for instructions.

Your SSO Application User Attribute | Keeper SSO Connect™ Cloud User Attribute
<Email Address>                     | Email
<First Name>                        | First
<Last Name>                         | Last

Step 4: Upload Metadata to Keeper

Once you have completed creating your metadata file, head back to the Keeper Admin console, locate your SSO Connect™ Cloud Provisioning method and select Edit.

Edit SSO Provisioning Method

Scroll down to the Identity Provider section, set IDP Type to GENERIC, select Browse Files and select the Metadata file you created.

Upload your Metadata File

Still within the Keeper Admin Console, exit Edit View and select View on your SSO Connect™ Cloud Provisioning method. Within the Identity Provider section you will find the metadata values for the Entity ID, Single Sign On Service and Single Logout Service Endpoint.

Your SSO Application's Metadata

Success! Your Keeper Security EPM - Single Sign-On setup is now complete! You may now try logging into Keeper with SSO.

If SSO login does not work, review your Keeper Security EPM - Single Sign-On application settings, your metadata file and your user attribute mapping for errors, then repeat Step 4.

If you need assistance implementing the Keeper Security EPM - Single Sign-On application within your environment, please email [email protected]