How to configure Keeper SSO Connect Cloud with PingOne for seamless and secure SAML 2.0 authentication.
Please complete the steps in the Admin Console Configuration section first. Legacy Ping Identity users who are not on PingOne should view our Ping Identity documentation.


Login to the PingOne portal at
Login to PingOne
From the PingOne console menu, select Connections > Application Catalog
Search "Keeper" and click + to add the Keeper Password Manager application.
Add Keeper Password Manager to PingOne
From the Keeper Admin Console, view the PingOne SSO Connect Cloud entry and note the Keeper Security Domain and Keeper Security Identifier as indicated in the screenshot below.
Identify Keeper Security Domain and Identifier
Enter the Keeper Security Domain and Keeper Security Identifier from the previous step and click Next
Accept the default mappings and click Next
Set Mappings
You may choose to add PingOne user groups to your application. Click + next to the group or groups you would like to add and click Save to complete the application setup wizard.
PingOne users will have access to Keeper Password Manager by default. Assigning groups to Keeper Password Manager restricts access to only those groups.
Optionally add PingOne User Groups
Click Download Metadata
Download Metadata from PingOne
On the Edit screen of the Keeper SSO Connect Cloud™ provisioning select Generic as the IDP Type.
Upload the SAML Metadata file downloaded in the previous step into the Keeper SSO Connect interface by browsing to or dragging and dropping the file into the SAML Metadata section.
Upload PingOne Metadata to Keeper
The PingOne Keeper SSO Connect Cloud™ entry will now show as Active.
View Active Keeper SSO Connect Entry
Your PingOne Keeper SSO Connect Cloud™ setup is complete!

Move existing users/initial admin to SSO authentication

Users created in the root node (top level) will need to be migrated to the sub node that the SSO integration was configured on. If users remain in the root node, they will be prompted for the master password when accessing the vault and/or admin console.
An admin can not move themselves to the SSO enabled node. It requires another admin to perform this action.
After the user is moved to the SSO enabled node, they need to log into the Keeper vault initially by selecting the "Enterprise SSO" pull down and inputting in the Enterprise Domain configured on the SSO integration. The user may get prompted to confirm by entering in the master password.
Initially select 'Enterprise SSO Login'
Once the user has authenticated with SSO, they only need to use their email address moving forward to initiate SSO authentication.
They won't have to enter the Enterprise Domain. If typing in the email address and clicking Next does not route the user to the desired SSO, ensure that just-in-time provisioning is enabled in the Keeper SSO configuration and ensure that your email domain is reserved by Keeper. More information regarding routing and domain reservation can be found here.