AD FS Configuration

How to configure Keeper SSO Connect with Microsoft AD FS for seamless and secure SAML 2.0 authentication.

Microsoft AD FS

Obtain Federation Metadata XML

Inside the AD FS Management application, locate the Federation Metadata XML file. AD FS serves it at the URL path /FederationMetadata/2007-06/FederationMetadata.xml on the federation server, as seen below:

Import Federation Metadata

Import the FederationMetadata.xml file into Keeper SSO Connect’s configuration screen by dragging and dropping the file:

Select Save to save the configuration.

Export Keeper SSO Connect Metadata

Select the Export Metadata link on Keeper SSO Connect and copy the sso_connect.xml file to your IdP.

Finish AD FS Configuration

Create Relying Party Trust

Create Keeper SSO Connect as a Relying Party Trust:

Import Keeper Metadata

Import the Keeper Metadata that was exported previously from Keeper SSO Connect by completing the Relying Party Trust Wizard as seen in the steps below:

Claims-aware applications
Import data - Federation metadata file location
Enter display name
Choose an access control policy
SAML Logout Endpoints
Configure claims issuance policy
Relying Party Trusts

Create Claim Issuance Policy Rules

To map attributes between AD FS and Keeper, you need to create a Claim Issuance Policy rule of type "Send LDAP Attributes as Claims" and map the LDAP attributes to the Keeper SSO Connect attributes.

Edit Claim Issuance Policy
Add Rule...
Choose Rule Type
Claim Rule Name - Mapping

Important: Ensure that 3 attributes ("First", "Last" and "Email") are configured with the exact spelling as seen above.

Issuance Transform Rules

For Logout support we need to add two more Claim Issuance Policy rules:

Send Claims using a Custom Rule
Create Opaque Persistent ID

Copy the following text and paste it into the custom rule:

c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
&& c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant"]
=> add(store = "_OpaqueIdStore", types = ("http://mycompany/internal/sessionid"), query = "{0};{1};{2};{3};{4}", param = "useEntropy", param = c1.Value, param = c1.OriginalIssuer, param = "", param = c2.Value);

Transform an Incoming Claim
Create Persistent Name Identifier

Incoming claim type: http://mycompany/internal/sessionid
Outgoing claim type: Name ID
Outgoing name ID format: Transient Identifier

Set Outgoing claim and name ID format
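The same relying party trust and the three claim issuance rules above (the LDAP attribute mapping, the opaque ID custom rule and the Name ID transform) can be applied from PowerShell instead of the wizard, which is useful for repeatable deployments and for reading the rules back to check the exact claim type spelling. This is an added example, not Keeper's or Microsoft's own script; it assumes the trust is named "Keeper SSO Connect", that the exported sso_connect.xml sits at C:\Temp\sso_connect.xml, and that it runs in an elevated PowerShell on the AD FS server. The rule text is the standard AD FS claim rule language; the LDAP query and the Name ID transform rule are what the AD FS wizard itself generates for those two rule types.

```powershell
# Added example (not Keeper's or Microsoft's script): create the Keeper SSO Connect
# relying party trust and apply the three issuance transform rules from the docs.
# Assumed values: the trust name and the metadata file path; adjust both.
Import-Module ADFS

$rpName       = 'Keeper SSO Connect'        # assumed display name of the trust
$metadataFile = 'C:\Temp\sso_connect.xml'   # assumed path of the metadata exported from Keeper

# 1. Create the relying party trust from the exported Keeper metadata if it is missing.
if (-not (Get-AdfsRelyingPartyTrust -Name $rpName)) {
    Add-AdfsRelyingPartyTrust -Name $rpName -MetadataFile $metadataFile
}

# 2. Issuance transform rules, in the AD FS claim rule language.
#    "Mapping": Send LDAP Attributes as Claims. The outgoing claim types must be
#    spelled exactly First, Last and Email, as the docs require.
#    "Create Opaque Persistent ID" and "Create Persistent Name Identifier" are the
#    two logout-support rules; the second emits a transient-format Name ID.
$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Mapping"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("First", "Last", "Email"), query = ";givenName,sn,mail;{0}", param = c.Value);

@RuleName = "Create Opaque Persistent ID"
c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 && c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant"]
 => add(store = "_OpaqueIdStore", types = ("http://mycompany/internal/sessionid"), query = "{0};{1};{2};{3};{4}", param = "useEntropy", param = c1.Value, param = c1.OriginalIssuer, param = "", param = c2.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Create Persistent Name Identifier"
c:[Type == "http://mycompany/internal/sessionid"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient");
'@

Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $rules

# 3. Read the rules back so the claim type spelling can be checked against the docs.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
```

Setting -IssuanceTransformRules replaces the whole rule set for that trust, so keep all three rules in the one string rather than applying them one at a time. If the trust was created by the wizard, the access control policy chosen there is left untouched by this script.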

ADFS Troubleshooting

If, after setting up Keeper SSO Connect, the customer gets the error "SSO is not configured (undefined)", a possible root cause is a missing or incorrect CRL configuration. A simple fix/workaround is to disable the certificate revocation checks on the Keeper relying party trust.

Possible Root Causes

Time skew

Ensure that Keeper SSO Connect and the IdP have the same system time (within 1 second). Set NTP sync:

PS C:\Windows\system32> w32tm /config /syncfromflags:manual /manualpeerlist:0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org,0x8 /reliable:yes /update

Certificate Validation Failure

  • Verify the settings. Run PowerShell as Administrator and look at the relying party trust:

    PS C:\Windows\system32> Get-ADFSRelyingPartyTrust

    You should see something like this:

    AllowedAuthenticationClassReferences : {}
    EncryptionCertificateRevocationCheck : None
    PublishedThroughProxy                : False
    SigningCertificateRevocationCheck    : None
    WSFedEndpoint                        :

  • Run the following two commands:

    PS C:\Windows\system32> Set-ADFSRelyingPartyTrust -TargetIdentifier https://DOMAIN:8443/sso-connect -EncryptionCertificateRevocationCheck None
    PS C:\Windows\system32> Set-ADFSRelyingPartyTrust -TargetIdentifier https://DOMAIN:8443/sso-connect -SigningCertificateRevocationCheck None
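The two root causes above (time skew and certificate validation failure) can be checked in one pass before anything is changed. The following is an added troubleshooting script, not Keeper's or Microsoft's own; it assumes the Keeper SSO Connect trust identifier is https://DOMAIN:8443/sso-connect (replace DOMAIN as in the commands above) and that it runs in an elevated PowerShell on the AD FS server. It reports the clock offset against an NTP peer, prints the revocation settings of just the Keeper trust, and applies the workaround only to that trust and only if a check is still enabled.

```powershell
# Added troubleshooting example (not Keeper's or Microsoft's script) for the
# "SSO is not configured (undefined)" error: check time skew and the certificate
# revocation settings of the Keeper SSO Connect relying party trust.
Import-Module ADFS

# Identifier of the Keeper trust, as used in the docs; replace DOMAIN with your host.
$identifier = 'https://DOMAIN:8443/sso-connect'
$ntpPeer    = '0.pool.ntp.org'   # one of the peers from the w32tm /config line above

# --- 1. Time skew: show the offset of this server against the NTP peer.
#        The docs require Keeper SSO Connect and the IdP to agree within 1 second,
#        so an offset close to or above 1 s here is a finding on its own.
w32tm /stripchart "/computer:$ntpPeer" /samples:3 /dataonly
w32tm /query /status          # local time source and last successful sync

# --- 2. Certificate revocation settings, scoped to the Keeper trust only.
$rp = Get-AdfsRelyingPartyTrust -Identifier $identifier
if (-not $rp) {
    throw "No relying party trust with identifier $identifier; check the Keeper metadata import."
}
$rp | Select-Object Name, Identifier,
                    EncryptionCertificateRevocationCheck,
                    SigningCertificateRevocationCheck | Format-List

# --- 3. Apply the workaround from the docs only when a check is still enabled.
#        Both settings are changed on this one trust, not on the AD FS farm.
if ($rp.EncryptionCertificateRevocationCheck -ne 'None' -or
    $rp.SigningCertificateRevocationCheck    -ne 'None') {
    Set-AdfsRelyingPartyTrust -TargetIdentifier $identifier `
        -EncryptionCertificateRevocationCheck None `
        -SigningCertificateRevocationCheck    None
    Write-Output "Revocation checks set to None on '$($rp.Name)'; retry the Keeper SSO login."
} else {
    Write-Output "Revocation checks already None on '$($rp.Name)'; look at time skew or the AD FS Admin event log instead."
}
```

Because the change is made with -TargetIdentifier, other relying party trusts on the same AD FS farm keep their revocation checking. If the root cause is a CRL distribution point the AD FS server cannot reach, fixing that reachability lets the checks be re-enabled later with the same cmdlet.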

Your Keeper SSO Connect setup is now complete!