High Availability (HA) Configuration

Keeper SSO Connect is designed to operate in a multi-instance HA environment. Once the first instance is configured (per instructions above) and the service is enabled to start on boot, the instance can be cloned and additional instances can be launched behind a load balancer.

To set up additional instances or to replace an instance, please follow these steps:

  1. Install Keeper SSO Connect on the new instance per instructions above and start the service.

  2. Initialize the instance by one of the following methods:

    • Using the web browser, login to the SSO Connect instance configuration screen and select the SSO Connection from the drop-down menu after login.

    • Use the command-line interface to initialize the instance using the following procedure:

Run the command line config option:

$ java -jar SSOConnect.jar -config

Enter the following when prompted:

  • Keeper Administrator email address

  • Keeper Administrator Master Password

  • Two-Factor code (if enabled on the account)

  • SSO Domain Name (this attribute is defined on the SSO Connect provisioning screen on the Keeper Admin Console)

When the configuration steps are finished, the current settings will be synched from the server including the SSL Cert and IDP XML file, so you don’t have to supply information for those settings. But if you are using a private IP you will have to set that up in the Configuration dialog. When asked “Do you wish to configure…”, enter Y. Hit enter to retain existing values until it prompts for the Private IP and Private Port. Enter the appropriate values.

Continue pressing Enter to accept the current settings until all prompts are answered.

Restart the service.


  • Use the Windows Services screen to restart Keeper SSOConnect.


$ systemctl restart ssoconnect

Upon startup the SSO Connect service is synchronized to this instance and will begin to process user transactions.


The data folder contains the SSO Connect configuration files. At a minimum it should be backed up after initial configuration and each time the configuration is modified. In addition to the configuration files, there are data files in data that are modified at runtime but they will automatically be refreshed if they get out of synch with the Keeper server. Regular periodic backups can be used but are not necessary. The data folder on each SSO Connect instance needs to be backed up independently because not all of the configuration settings are shared among instances.

On non-Windows machines the data folder is under the SSO Connect install folder, typically $HOME/sso_connect/data.

On Windows machines the data folder is in C:\ProgramData\Keeper SSO Connect\data\ since v14.1. Prior to v14.1 it was in C:\Program Files\Keeper Security\SSO Connect\data\.


If the SSO Connect server dies you will need to reinstall SSO Connect on the replacement machine using the normal installation instructions.

If you have backed up the data folder as described above, restore it before starting SSO Connect. If a data folder already exists (because you started SSO Connect), stop SSO Connect, remove all files in the data folder, copy the files from the backed-up data folder, and restart SSO Connect.

If you did not backup the data folder or if the backup is out-of-date you will need to configure the replacement instance as if it were a new installation. Please follow the steps in the Configuration section.