How to configure Keeper SSO Connect Cloud with Ping Identity for seamless and secure SAML 2.0 authentication.
Login to the Ping Identity portal.
From the Ping Identity menu select Applications.
Then select Add Application and select New SAML Application.
On the Application Details page, add the following data:
- Application Name: Keeper Password Manager Application Detail: Password Manager and Digital Vault Category: Compliance (or other) Graphic: Upload the Keeper Graphic [here] https://s3.amazonaws.com/keeper-email-images/common/keeper256x256.png
Then select Continue to Next Step.
The next step is to download the SAML Metadata from Ping Identity. Select the Download link next to SAML Metadata.
The saml2-metadata-idp.xml file will download to the local computer. On the Edit screen of the Keeper SSO Connect Cloud™ provisioning select Generic as the IDP Type and upload the saml2-metadata-idp xml file into the Keeper SSO Connect interface by browsing to or dragging and dropping the file into the Setup screen: Setup screen:
Next download the Keeper metadata file and upload it to the Ping Application configuration. Navigate to the view screen of the Keeper SSO Connect Cloud™ provisioning.
Enter View Screen
Click the "Export Metadata" button to download the config.xml file.
Export Keeper Metadata
Back on the Ping Identity application configuration, select the Select File button and choose the config.xml file downloaded in the above step.
Upload Keeper Metadata
Select Continue to Next Step.
The next step is the map the attributes. Select the Add new attribute button.
- In attribute 1, type “First” in the Application Attribute column, select First Name in the Identity Bridge Attribute or Literal Value column, and check the Required button. Select the Add new attribute button.
- In attribute 2, type "Last" in the Application Attribute column, select Last Name in the Identity Bridge Attribute or Literal Value column, and check the Required button. Select the Add new attribute button.
- In attribute 3, type "Email" in the Application Attribute column, select Email in the Identity Bridge Attribute or Literal Value column, and check the Required button. Application Attributes: First, Last, Email must begin with a capital letter.
Select the group(s) that should have access to the Keeper Application. When complete click "Continue to Next Step". Review the setup and and then select the Finish button.
Important Note: In the Application Configuration section of your Ping Identity setup, ensure that the "Signing" section has "Sign Response" selected with "RSA_SHA256" as the Signing Algorithm.
The Keeper Application should be added and enabled.
Keeper Application on Ping Identity
Your Keeper SSO Connect setup is now complete!
Users created in the root node (top level) will need to be migrated to the sub node that the SSO integration was configured on. If users remain in the root node, they will be prompted for the master password when accessing the vault and/or admin console.
An admin can not move themselves to the SSO enabled node. It requires another admin to perform this action.
After the user is moved to the SSO enabled node, they need to log into the Keeper vault initially by selecting the "Enterprise SSO" pull down and inputting in the Enterprise Domain configured on the SSO integration. The user may get prompted to confirm by entering in the master password.
Initially select 'Enterprise SSO Login'
Once the user has authenticated with SSO, they only need to use their email address moving forward to initiate SSO authentication.
They won't have to enter the Enterprise Domain. If typing in the email address and clicking Next does not route the user to the desired SSO, ensure that just-in-time provisioning is enabled in the Keeper SSO configuration and ensure that your email domain is reserved by Keeper. More information regarding routing and domain reservation can be found here.