How to configure Keeper SSO Connect Cloud with Shibboleth for seamless and secure SAML 2.0 authentication.
To obtain your Keeper Metadata file, locate your SSO Connect Cloud Provisioning method within the Keeper Admin Console, and select View. From there you have access to download and save the Keeper metadata file.
Export Keeper Metadata File
The Shibboleth IdP must know some basic information about the Keeper relying party, which is defined in SAML metadata. The easiest way to do this is to add your Keeper Metadata file to
Instruct Shibboleth how to behave when talking to Keeper by defining a new RelyingParty element in IDP_HOME/conf/relying-party.xml. Add the following snippet just after the DefaultRelyingParty element. The id attribute is the relying party being matched, so it must equal the entityID in the Keeper metadata file (shown as KEEPER_ENTITY_ID below); the provider attribute is your IdP's own Entity ID (use whatever provider value is configured on the DefaultRelyingParty element, shown as YOUR_IDP_ENTITY_ID below). IdPCredential is the signing credential id of a stock install; reuse whatever your DefaultRelyingParty references. Note that encryptAssertions="never" and encryptNameIds="never" disable SAML encryption toward Keeper, so the TLS transport and the response signature are what protect the assertion in transit.

```xml
<RelyingParty id="KEEPER_ENTITY_ID" provider="YOUR_IDP_ENTITY_ID" defaultSigningCredentialRef="IdPCredential">
    <ProfileConfiguration xsi:type="saml:SAML2SSOProfile" encryptAssertions="never" encryptNameIds="never" />
</RelyingParty>
```
Still in the IDP_HOME/conf/relying-party.xml file, configure Shibboleth to use the Keeper metadata file you added in Step 2. Add the following MetadataProvider element next to the existing configured provider (it should have an id value of "FSMD"), making sure to replace IDP_HOME with your actual installation path.

```xml
<!-- Keeper Metadata -->
<MetadataProvider id="KeeperMD" xsi:type="FilesystemMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
    metadataFile="IDP_HOME/metadata/keeper-metadata.xml" maintainExpiredMetadata="true" />
```
Keeper requires specific user attributes to be sent in the assertion during authentication. The default Keeper SSO Connect Cloud user attributes are Email, First and Last, as outlined in the table below. Shibboleth's attribute resolver must be configured to make this data available by modifying
When configuring Shibboleth Identity Provider SAML attributes, note that Keeper expects the NameID in the emailAddress format (urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress). You can use the suggested NameIDFormat or the correct value for your environment, so long as the NameID delivers the user's email address, which Keeper uses as the username login identifier.
Finally, configure the Shibboleth attribute filtering engine to release the principal attribute (encoded as a NameID) to Keeper. Add the following XML snippet to IDP_HOME/conf/attribute-filter.xml alongside the existing policy elements, using the same element prefix as those policies. The AttributeRequesterString value is compared against the requesting SP's entityID, so it must equal the entityID in the Keeper metadata file; a policy that matches nothing releases nothing, and the login fails with an empty assertion.

```xml
<AttributeFilterPolicy id="releasePrincipalToKeeper">
    <PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="keepersecurity.com" />
    <AttributeRule attributeID="principal"><PermitValueRule xsi:type="basic:ANY" /></AttributeRule>
</AttributeFilterPolicy>
```
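The attribute resolver definitions that the Email/First/Last step describes but does not show, together with a filter policy that releases them, as an added example for Shibboleth IdP v2 (this is not Keeper's or the Shibboleth project's own configuration). It assumes a stock install: a DataConnector with id myLDAP that exposes the LDAP attributes mail, givenName and sn; the resolver:, ad:, enc:, afp: and basic: prefixes declared in the stock attribute-resolver.xml and attribute-filter.xml; and that Keeper matches on the attribute names Email, First and Last with the SAML basic name format, which you should verify against the attribute table in your Keeper Admin Console. The requester value keepersecurity.com is the one used on this page; it must equal the entityID in the Keeper metadata file you installed.

```xml
<!-- IDP_HOME/conf/attribute-resolver.xml (assumed stock IdP v2 prefixes: resolver:, ad:, enc:) -->
<!-- Assumption: a DataConnector with id="myLDAP" exposes the LDAP attributes mail, givenName and sn. -->

<!-- principal: the user's email address, encoded as the SAML2 NameID that Keeper uses as the login identifier -->
<resolver:AttributeDefinition id="principal" xsi:type="ad:Simple" sourceAttributeID="mail">
    <resolver:Dependency ref="myLDAP" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID"
        nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
</resolver:AttributeDefinition>

<!-- Email, First and Last: the default Keeper user attributes, sent as ordinary SAML2 attributes.
     The basic name format is an assumption; check the Name values in Keeper's attribute table. -->
<resolver:AttributeDefinition id="keeperEmail" xsi:type="ad:Simple" sourceAttributeID="mail">
    <resolver:Dependency ref="myLDAP" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="Email"
        nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" />
</resolver:AttributeDefinition>

<resolver:AttributeDefinition id="keeperFirst" xsi:type="ad:Simple" sourceAttributeID="givenName">
    <resolver:Dependency ref="myLDAP" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="First"
        nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" />
</resolver:AttributeDefinition>

<resolver:AttributeDefinition id="keeperLast" xsi:type="ad:Simple" sourceAttributeID="sn">
    <resolver:Dependency ref="myLDAP" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="Last"
        nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" />
</resolver:AttributeDefinition>

<!-- IDP_HOME/conf/attribute-filter.xml (assumed stock prefixes: afp:, basic:) -->
<!-- Releases the NameID source and the three Keeper attributes to the Keeper requester only.
     The value is matched against the SP entityID, so it must equal the entityID attribute
     in the Keeper metadata file; a non-matching value releases nothing at all. -->
<afp:AttributeFilterPolicy id="releaseToKeeper">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="keepersecurity.com" />
    <afp:AttributeRule attributeID="principal">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="keeperEmail">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="keeperFirst">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="keeperLast">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>
```

The policy is deliberately scoped to the Keeper requester rather than using a catch-all: releasing email and name attributes to every SP the IdP trusts is a common over-release mistake. After reloading the IdP, confirm in IDP_HOME/logs/idp-process.log that the principal attribute and all three Keeper attributes are released for the Keeper relying party; a user whose LDAP entry lacks givenName or sn will simply have no value for that field in the assertion.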
1. Locate the Shibboleth metadata, found at "http://shibboleth.example.com/idp/shibboleth" or in the Shibboleth identity provider filesystem in
2. Modify the Shibboleth metadata manually and ensure all user endpoints are uncommented (e.g.,
3. Save the XML file.
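A constructed excerpt of what the IdP metadata file should contain before it is uploaded, as an added example (not a real Shibboleth-generated file and not from the original page). The hostname shibboleth.example.com is taken from the step above; the entityID, endpoint paths and certificate placeholder are assumptions for illustration. The elements Keeper reads when it populates the Entity ID, Single Sign On Service and Single Logout Service fields are marked, along with the NameIDFormat Keeper expects.

```xml
<!-- Constructed IdP metadata excerpt. Replace the entityID, Location values and certificate
     with the ones your own IdP actually serves; never advertise an endpoint the IdP does not run. -->
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                  entityID="https://shibboleth.example.com/idp/shibboleth">  <!-- Keeper: Entity ID -->
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <!-- Signing certificate Keeper will use to verify the SAML response signature -->
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...BASE64_CERTIFICATE_PLACEHOLDER...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <!-- Keeper: Single Logout Service Endpoint. Leave it out if this IdP version does not serve SLO. -->
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://shibboleth.example.com/idp/profile/SAML2/Redirect/SLO"/>
    <!-- Keeper expects the NameID in emailAddress format -->
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <!-- Keeper: Single Sign On Service. Both bindings must be present and not inside an XML comment. -->
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://shibboleth.example.com/idp/profile/SAML2/Redirect/SSO"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="https://shibboleth.example.com/idp/profile/SAML2/POST/SSO"/>
  </IDPSSODescriptor>
</EntityDescriptor>
```

An endpoint wrapped in an XML comment is invisible to Keeper's metadata parser, which is why the step above insists on uncommenting; the element order (KeyDescriptor, SingleLogoutService, NameIDFormat, SingleSignOnService) is what the SAML metadata schema requires, so do not reorder elements when editing by hand.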
Once you have your Shibboleth metadata file ready, head back to the Keeper Admin console, locate your SSO Connect Cloud Provisioning method and select Edit.
Edit SSO Provisioning Method
Scroll down to the Identity Provider section, set IDP Type to GENERIC, select Browse Files and select your Shibboleth Metadata file.
Upload your Metadata File
Still within the Keeper Admin Console, exit the Edit View and select View on your SSO Connect Cloud Provisioning method. Within the Identity Provider section you will find the metadata values for the Entity ID, Single Sign On Service and Single Logout Service Endpoint that are now populated.
Your SSO Application's Metadata
Success! Your Keeper Security SSO Cloud setup is now complete! You may now try logging into Keeper with SSO.
If you find that SSO is not functional, review your Shibboleth settings, your metadata file and your user attributes for errors. The IdP records the metadata provider, relying party and attribute filter decisions in IDP_HOME/logs/idp-process.log (raise the level in IDP_HOME/conf/logging.xml if needed); a request that reaches the IdP but releases no attributes for the Keeper relying party points at the filter policy or the requester value, while a login that never reaches the IdP points at the metadata uploaded to Keeper.
Once complete, repeat Step 4.
Users created in the root node (top level) will need to be migrated to the sub node that the SSO integration was configured on. If users remain in the root node, they will be prompted for the master password when accessing the vault and/or admin console.
An admin cannot move themselves to the SSO-enabled node; another admin must perform this action.
After the user is moved to the SSO-enabled node, they need to log into the Keeper vault initially by selecting the "Enterprise SSO" pull-down and entering the Enterprise Domain configured on the SSO integration. The user may be prompted to confirm by entering their master password.
Initially select 'Enterprise SSO Login'
Once the user has authenticated with SSO, they only need to use their email address moving forward to initiate SSO authentication.
They won't have to enter the Enterprise Domain. If typing in the email address and clicking Next does not route the user to the desired SSO, ensure that just-in-time provisioning is enabled in the Keeper SSO configuration and ensure that your email domain is reserved by Keeper. More information regarding routing and domain reservation can be found here.