Azure Configuration

How to configure Keeper SSO Connect with Microsoft Azure for seamless and secure SAML 2.0 authentication.

Azure

Go to your Azure Admin account at https://portal.azure.com and click on Azure Active Directory > Enterprise Applications.

If you already have a Keeper application set up for SCIM Provisioning, you can edit the existing application and should not create a new one.

If you have not set up Keeper in Azure yet, click on "New Application", then search for Keeper and select "Keeper Password Manager & Digital Vault". On the right side, click "Add" to add the application.

Select Keeper Password Manager

After adding the application, click on the "Single Sign On" section and select the "SAML" option:

Single sign-on Configuration

Edit Basic SAML Configuration

Click the pencil icon to edit the "Basic SAML Configuration".

Enter the Identifier, Reply URL and Sign on URL that correspond to the URLs of your Keeper SSO Connect installation. Ignore the "Patterns" text.

SAML Configuration URLs

Example Settings:
  • Identifier = https://keeper.domain.com:8443/sso-connect
  • Reply URL = https://keeper.domain.com:8443/sso-connect/saml/sso
  • Sign on URL = https://keeper.domain.com:8443/sso-connect/saml/login

(replace the domain and port according to your SSO Connect configuration)

Save the settings.

Edit User Attributes & Claims

User Attributes & Claims

Under the User Attributes section, select "View and edit all other user attributes" to add the needed attributes. Important: Delete the predefined SAML token attributes: givenname, surname, and emailaddress. (Name Identifier cannot be deleted.)

Delete the givenname, surname and emailaddress attributes

Click "Add new claim" three times to create the following claims: First, Last and Email.

It is important that the spelling and capitalization of each attribute match exactly as shown (First, Last, Email) because these fields are case sensitive.

First
Last
Email
  • Ensure the Namespace is left blank

  • If the UPN is not the same as the user's actual email address, select user.mail as the value for the Email attribute.
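
A misnamed claim is easiest to catch by inspecting a decoded assertion from a test login. The following is an added example, not code from Keeper or Microsoft: `audit_claims` and the sample assertion are constructed for illustration, and it assumes a non-blank Namespace shows up as a URI prefix on the attribute Name.

```python
# Added example: audit the attribute names in a decoded SAML assertion.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("First", "Last", "Email")  # exact, case-sensitive names from this guide

# Constructed sample: an AttributeStatement with two misconfigured claims
# (wrong capitalization, and a Namespace that was not left blank).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="First"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="last"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/Email">
      <saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def audit_claims(assertion_xml):
    """Return a list of problems with the First/Last/Email claims (empty if OK)."""
    root = ET.fromstring(assertion_xml)
    values = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        val = attr.find("saml:AttributeValue", NS)
        values[attr.get("Name", "")] = (val.text or "").strip() if val is not None else ""
    problems = []
    for want in REQUIRED:
        if want in values:
            if not values[want]:
                problems.append(f"{want}: present but empty")
            continue
        # Near misses: same short name with different case or a namespace prefix.
        near = [n for n in values if n.rsplit("/", 1)[-1].lower() == want.lower()]
        if near:
            hint = "namespace not blank" if "/" in near[0] else "wrong capitalization"
            problems.append(f"{want}: found {near[0]!r} ({hint})")
        else:
            problems.append(f"{want}: missing")
    return problems


if __name__ == "__main__":
    for line in audit_claims(SAMPLE) or ["claims OK"]:
        print(line)
```

An empty result means all three claims are present under the exact names this guide requires.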

Edit SAML Signing Certificate

Under the SAML Signing Certificate section, click Edit.

Select Create new certificate. Enter the expiration date and save.

Create New SAML Signing Certificate

After creating the certificate, select Make new certificate active.

Make Certificate Active

Obtain Metadata XML

To complete the integration between Microsoft Azure and Keeper SSO Connect, you must retrieve the Metadata XML file and import this file into the Keeper SSO Connect screen. Click the Federation Metadata XML link:

Download Metadata XML

This will download a file named "Keeper Password Manager & Digital Vault.xml" to your computer. This file will need to be transferred to the server running Keeper SSO Connect for the next step.

Import the Azure Metadata

Import the file saved in the previous step into Keeper SSO Connect’s configuration screen by dragging and dropping the file into the SAML Metadata section.

Import XML Metadata to SSO Connect

Don’t forget to select Azure as the Identity Provider Type.

User Provisioning

If only specific users or groups will be assigned to Keeper Password Manager, the following setting will need to be changed. In your Azure console, navigate to Azure Active Directory > Enterprise Applications > Keeper Password Manager & Digital Vault and select Properties.

Properties

Change the "User assignment required" setting to Yes and then save. This will ensure only the users and groups assigned to the application will be able to use it.

User Assignment Settings

In the Users and groups section, select the users and/or groups that are to be provisioned to the Keeper application.

Assign Users and Groups

Your Keeper SSO Connect setup is now complete!