Identity Provider Setup

Keeper SSO Connect can be integrated with any SAML 2.0 compliant IdP. Listed below are several of the more popular IdPs along with specific setup instructions.

Microsoft AD FS

Obtain Federation Metadata XML

Inside the AD FS Management application, locate the Federation Metadata XML file via the URL path /FederationMetadata/2007-06/FederationMetadata.xml, as seen below:

Import Federation Metadata

Import the FederationMetadata.xml file into Keeper SSO Connect’s configuration screen by dragging and dropping the file:

Select Save to save the configuration.

Export Keeper SSO Connect Metadata

Select the Export Metadata link on Keeper SSO Connect and copy the sso_connect.xml file to your IdP.

Finish AD FS Configuration

Create Relying Party Trust

Create Keeper SSO Connect as a Relying Party Trust:

Import Keeper Metadata

Import the Keeper Metadata that was exported previously from Keeper SSO Connect by completing the Relying Party Trust Wizard as seen in the steps below:

Claims-aware applications
Import data - Federation metadata file location
Enter display name
Choose an access control policy
SAML Logout Endpoints
Configure claims issuance policy
Relying Party Trusts

Create Claim Issuance Policy Rules

To map attributes between AD FS and Keeper, you need to create a Claim Issuance Policy with Send LDAP Attributes as Claims and map the LDAP attributes to Keeper Connect attributes.

Edit Claim Issuance Policy
Add Rule...
Choose Rule Type
Claim Rule Name - Mapping

Important: Ensure that the 3 attributes ("First", "Last" and "Email") are configured with the exact spelling as seen above.

Issuance Transform Rules

For logout support, we need to add two more Claim Issuance Policy rules:

Send Claims using a Custom Rule
Create Opaque Persistent ID

To copy the syntax for the claims rule, select the link to the plain text file and paste the contents into the custom rule:

https://keepersecurity.com/sso_connect/Create_Opaque_Persistent_ID

Transform an Incoming Claim
Create Persistent Name Identifier

Incoming claim type: http://mycompany/internal/sessionid
Outgoing claim type: Name ID
Outgoing name ID format: Transient Identifier

Set Outgoing claim and name ID format

ADFS Troubleshooting

If, after setting up Keeper SSO Connect, the customer gets "SSO is not configured (undefined)", a possible root cause is a missing or incorrect CRL configuration. A simple fix/workaround is to disable all Certificate Revocation Checks.

Possible Root Causes

Time skew

Ensure that Keeper Connect and the IdP have the same system time (within 1 second). Set NTP sync:

PS C:\Windows\system32> w32tm /config /syncfromflags:manual /manualpeerlist:0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org,0x8 /reliable:yes /update

Certificate Validation Failure

  • Verify the settings. Run PowerShell as Administrator and look at the relying party trust:

PS C:\Windows\system32> Get-ADFSRelyingPartyTrust

You should see something like this:

AllowedAuthenticationClassReferences : {}
EncryptionCertificateRevocationCheck : None
PublishedThroughProxy                : False
SigningCertificateRevocationCheck    : None
WSFedEndpoint                        :

  • Run the following two commands:

PS C:\Windows\system32> Set-ADFSRelyingPartyTrust -TargetIdentifier https://DOMAIN:8443/sso-connect -EncryptionCertificateRevocationCheck None
PS C:\Windows\system32> Set-ADFSRelyingPartyTrust -TargetIdentifier https://DOMAIN:8443/sso-connect -SigningCertificateRevocationCheck None

Your Keeper SSO Connect setup is now complete!

Azure

Create Enterprise Application

From the Azure portal (https://portal.azure.com), select Enterprise Applications in the left menu. (If Enterprise Applications is not shown, the admin can add it to the Favorites list.)

Next, select + New application icon.

Type keeper in the search, select the application.

The app will open in the right window pane. Scroll down and select Add.

Configure the Application

Next, select the Configure single sign-on screen.

Select SAML-based Sign-on:

Under the Domain and URLs section, type in the Sign on URL, Identifier, and Reply URL. These are the specific URLs of the SSO Connect server.

  • Example:
    Sign on URL = https://keeper.domain.com:8443/sso-connect/saml/login
    Identifier = https://keeper.domain.com:8443/sso-connect
    Reply URL = https://keeper.domain.com:8443/sso-connect/saml/sso

Under the User Attributes section, select View and edit all other user attributes to add the needed attributes. First, delete the predefined SAML Token Attributes: givenname, surname, and emailaddress. (Name Identifier cannot be deleted.)

Next, select the add button to add the following required attributes: First, Last and Email.

  • It is important that the spelling and capitalization of each attribute is exactly as it appears (First, Last, Email), because these fields are case sensitive.

  • Ensure the Namespace is left blank


  • If the UPN is not the same as the user's actual email address, select user.mail as the value for the Email attribute.
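The exact, case-sensitive First/Last/Email attribute names required here (and in the AD FS, G Suite, Ping Identity and Centrify sections) and the 1-second clock tolerance from the AD FS troubleshooting section can both be verified from a decoded SAML assertion. The following Python checker is an added example, not Keeper's code or parser; the assertion it reads is a constructed sample with two deliberate mapping mistakes built in.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("First", "Last", "Email")  # exact, case-sensitive names SSO Connect expects
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed sample assertion (not a real capture). Two common mapping mistakes are
# built in: "First" still carries the default claims namespace and "Email" is lower-case.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_abc123</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/First">
      <saml:AttributeValue>Ada</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Last"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_utc(stamp):
    """Parse a SAML timestamp such as 2024-01-01T12:00:00Z into an aware datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def check_assertion(xml_text, now_iso, skew_seconds=1):
    """Return a list of problems; an empty list means the assertion meets the page's requirements."""
    root = ET.fromstring(xml_text)
    now, skew = parse_utc(now_iso), timedelta(seconds=skew_seconds)
    problems = []
    # 1. NameID: the AD FS transform rule above issues a transient identifier
    nameid = root.find("saml:Subject/saml:NameID", NS)
    if nameid is None or nameid.get("Format") != TRANSIENT:
        problems.append("NameID missing or not in transient format")
    # 2. Validity window, tolerating only the 1 s skew the troubleshooting section allows
    cond = root.find("saml:Conditions", NS)
    if cond is not None:
        if now + skew < parse_utc(cond.get("NotBefore")):
            problems.append("assertion not yet valid: clock skew between IdP and SSO Connect")
        if now - skew >= parse_utc(cond.get("NotOnOrAfter")):
            problems.append("assertion expired: clock skew between IdP and SSO Connect")
    # 3. Attribute names: exact spelling, exact case, no namespace prefix
    names = [a.get("Name") for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)]
    for want in REQUIRED:
        if want in names:
            continue
        near = [n for n in names if n.rsplit("/", 1)[-1].lower() == want.lower()]
        if near:
            problems.append(f"attribute {want!r} sent as {near[0]!r} (case or namespace mismatch)")
        else:
            problems.append(f"attribute {want!r} missing")
    return problems


if __name__ == "__main__":
    for problem in check_assertion(SAMPLE, "2024-01-01T12:01:00Z"):
        print("PROBLEM:", problem)
```

Run it against a base64-decoded assertion captured from the browser's SAML trace (with the current UTC time as the second argument) to see which of the page's requirements an IdP is violating before it reaches SSO Connect.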

Generate SAML Signing Certificate

Select Create new certificate. Enter the expiration date and save.

After creating the certificate select Make new certificate active.

Obtain Metadata XML

To complete the integration between Microsoft Azure and Keeper SSO Connect, you must retrieve the Metadata XML file and import this file into the Keeper SSO Connect screen. Select the Metadata XML link:

This will download a file named "Keeper Password Manager & Digital Vault.xml" to your computer. This file will need to be transferred to the server running Keeper SSO Connect for the next step.

Import the Azure Metadata

Import the file saved in the previous step into Keeper SSO Connect’s configuration screen by dragging and dropping the file into the SAML Metadata section.

  • Don’t forget to select Azure as the IDP Type.

User Provisioning

If only specific users or groups will be assigned to Keeper Password Manager, the following setting will need to be changed. In your Azure console, navigate to Azure Active Directory > Enterprise Applications > Keeper Password Manager & Digital Vault and select Properties.

Next, change User assignment required to Yes and then save. This ensures that only the users and groups assigned to the application will be able to use it.

Lastly, on the Users and groups section select the users and/or groups that are to be provisioned to the Keeper application.

Your Keeper SSO Connect setup is now complete!

Okta

Login to the Admin section of the Okta portal.

Select Admin

Select the Applications tab and select Applications.

Next, select the Add Application button.

In the application search field, type Keeper Password, and then select the Add button for the Keeper Password Manager and Digital Vault Application.

On the General Settings page, enter the Entity ID from your Keeper SSO Connect server (e.g. https://DOMAIN:8443/sso-connect, where DOMAIN is the server name or IP address of your Keeper SSO Connect application). Then select the Done button.

Add users or groups on the Assignments page. (This step can be skipped and returned to after setup is complete.)

Next, select the Sign On tab.

Select the Edit button.

Next, check the Enable Single Logout setting and choose a certificate to upload.

Select Upload and choose the .crt file.

After the file is successfully uploaded, select Save at the bottom of the Sign On page.

The setting will be saved.

Scroll down to the SAML 2.0 configuration section and download the Identity Provider metadata file. Rename the file to metadata.xml. This will be used in Step 8.

  • The Okta View Setup Instructions link provides additional setup instructions, many of which are also found within this document.

Upload the metadata.xml file into the Keeper SSO Connect interface by dragging and dropping the file into the Setup screen:

Select Save, and your Keeper SSO Connect setup is now complete!

G Suite

To access the G Suite Admin Console, log in at https://gsuite.google.com.

Then select Sign in.

Select the Apps section, then select SAML apps.

Select the + button, then select custom app:

On the Google IdP Information screen, download the IdP metadata and save it to your computer for later.

Select NEXT.

On the Basic information screen, type in the Application Name, Description and upload the Keeper logo file keeper256x256.png. Then select NEXT.

On the Service Provider Details screen, you need to enter the ACS URL and Entity ID. These values come from the Keeper SSO Connect configuration screen. Copy and paste the information from SSO Connect to the Service Provider screen on G Suite:

Input the ACS URL and Entity ID from Keeper SSO Connect into the G Suite screen:

  • Example:
    Entity ID = https://keeper.domain.com:8443/sso-connect
    ACS URL = https://keeper.domain.com:8443/sso-connect/saml/sso

Select NEXT, then proceed to the Attribute Mapping screen. Select ADD NEW MAPPING and create 3 fields: First, Last and Email. Map those fields exactly as they appear below; the spelling needs to be exact:

Select FINISH and your G Suite setup is complete. You will be informed that you still need to import the IdP data into Keeper SSO Connect.

To enable Keeper SSO Connect for your users, select the more button and enable it:

Import G Suite Metadata

  • On the Keeper SSO Connect application configuration screen, drag-and-drop the metadata file into the SAML Metadata section of Keeper SSO Connect:

  • Select Save and verify that all of the parameters match your G Suite SAML connection screens.

Your Keeper SSO Connect setup is now complete!

OneLogin

Login to the OneLogin portal.

From the OneLogin menu, select Apps, then Add Apps.

In the Search field, search for Keeper and select it from the search results.

On the Add Keeper Password Manager page, select Save.

The next step is to download the SAML Metadata from OneLogin. Select the down arrow on the MORE ACTIONS button and select SAML Metadata.

The onelogin_metadata_######.xml file will download to the browser. Copy this file to the Keeper SSO Connect server.

Next, select the Configuration tab.

On the OneLogin Configuration tab, fill in the domain address and port of the Keeper SSO Connect server in the Application Details Domain field.

Select Save in the upper right hand corner to finish the setup.

Upload the Identity Provider SAML Metadata file into the Keeper SSO Connect interface by dragging and dropping the file into the Setup screen:

Select Save, and your Keeper SSO Connect setup is now complete!

Ping Identity

Login to the Ping Identity portal.

From the Ping Identity menu select Applications.

Then select Add Application, and select New SAML Application.

On the Application Details page, add the following data:

  • Application Name: Keeper Password Manager
    Application Detail: Password Manager and Digital Vault
    Category: Compliance (or other)
    Graphic: Upload the Keeper graphic http://s3.amazonaws.com/keeper-email-images/common/keeper256x256.png

Then select Continue to Next Step.

The next step is to download the SAML Metadata from Ping Identity. Select the Download link next to SAML Metadata.

The saml2-metadata-idp.xml file will download to the browser. Copy this file to the Keeper SSO Connect server and upload it into the Keeper SSO Connect interface by dragging and dropping the file into the Setup screen. Select Save.

The remaining step on the Keeper SSO Connect server is to download the KeeperSsoMetadata.xml file and upload it to the Ping application configuration. Select Export Metadata on Keeper SSO Connect.

Back on the Ping Identity application configuration, select the Select File button and choose the file KeeperSsoMetadata.xml.

Select Continue to Next Step.

The next step is to map the attributes. Select the Add new attribute button.

  • In attribute 1, type First** in the Application Attribute column, select First Name in the Identity Bridge Attribute or Literal Value column, and check the Required button. Select the Add new attribute button.

  • In attribute 2, type Last** in the Application Attribute column, select Last Name in the Identity Bridge Attribute or Literal Value column, and check the Required button. Select the Add new attribute button.

  • In attribute 3, type Email** in the Application Attribute column, select Email in the Identity Bridge Attribute or Literal Value column, and check the Required button.

  • ** The Application Attributes First, Last and Email must begin with a capital letter.

Select the Save & Publish button. Review the setup and then select the Finish button.

The Keeper Application should be added and enabled.

Your Keeper SSO Connect setup is now complete!

Centrify

Login to the Centrify Admin portal via the cloud login.

Switch to the Admin Portal from the pull down menu.

Close the Quick Start Wizard if it pops up. Select Apps from the menu then Add Web Apps.

On the Add Web Apps window, select the Custom tab and then scroll down and choose Add for SAML.

Select Yes to “Do you want to add this application?”.

Close the Add Web Apps Window.

The next step is to upload Keeper's SSO metadata to Centrify. In Keeper SSO Connect, export the Keeper SSO Connect metadata using the Export Metadata link and save this file for the next step.

In the SAML Application Settings section in Centrify, select Upload SP Metadata.

Select Upload SP Metadata from a file and browse for the KeeperSSOMetadata.xml file. Select Ok.

Download the Identity Provider SAML Metadata. This will be uploaded to Keeper SSO Connect.

On the Description section enter Keeper SSO Connect in the Application Name field and select Security in the Category field.

Download the Keeper logo. Select Select Logo and upload the Keeper logo (keeper60x60.png).

On the User Access section select the roles that can access the Keeper App:

Under the Account Mapping section, select Use the following... and input mail.

On the Advanced section, append the following lines of code to the script:

    setAttribute("Email", LoginUser.Get("mail"));
    setAttribute("First", LoginUser.FirstName);
    setAttribute("Last", LoginUser.LastName);

  • The above script reads the display name from the User Account section. The FirstName attribute is parsed from the first string of DisplayName and the LastName attribute is parsed from the second string of DisplayName.

Select Save to finish the setup.

Upload the Identity Provider SAML Metadata file into the Keeper SSO Connect interface by dragging and dropping the file into the Setup screen:

Select Save, and your Keeper SSO Connect setup is now complete!

F5

On the F5 BIG-IP APM, configure a new SAML IdP service for your Keeper platform. Navigate to Access Policy > SAML > BIG-IP as IdP > Local IdP Services. Select your applicable IdP connection point and select Export Metadata.

Upload this file to the server where Keeper SSO Connect is installed; it is needed in the next step. Import the metadata file exported from F5 BIG-IP APM into SSO Connect.

Select Save to save the configuration and verify that all settings look correct. Export the Keeper SSO Connect metadata file for the F5 BIG-IP APM configuration from the Export Metadata link.

Your Keeper SSO Connect setup is now complete!

JumpCloud

JumpCloud also provides instructions for setting up Single Sign On (SSO) with Keeper Security. As listed in the JumpCloud SSO Prerequisites, a public certificate and private key pair are required. Instructions can be found here.

Log into the JumpCloud Administrator console.

Select the Applications tab on the side menu.

Next, select the + icon in the upper left corner.

Search for Keeper in the Application list search bar. Select Configure on the Keeper Application.

Next, on the Keeper Application connector page, enter the IDP ENTITY ID:

The IDP ENTITY ID is a unique, case-sensitive identifier used by JumpCloud for this Service Provider (SP). This value should match the value specified in the Entity ID field of Keeper SSO Connect. Your domain name, SSO Connect server name or IP address are possible examples. Next, upload the IdP Private Key (private.pem file) and IdP Certificate (cert.pem file).

In the SP Entity ID field, enter the value found in the Entity ID field of the Service Provider Section from Keeper SSO Connect.

In the ACS URL field, enter the value found in the ACS URL field of the Service Provider Section from Keeper SSO Connect.

In the field terminating the IdP URL, either leave the default value or enter a plaintext string unique to this connector (e.g. keepersecurity).

In the Display Label field, enter a label that will appear under the Service Provider logo within the JumpCloud User console (e.g. Keeper Security).

To complete the configuration, select the Activate button.

The last step is to export the metadata from this connector and import it into Keeper SSO Connect in Step 8.

Upload this file into the Keeper SSO Connect interface by dragging and dropping the file into the Setup screen:

Select Save, and your Keeper SSO Connect setup is now complete!

AWS SSO

Log into AWS and select AWS Single Sign-On.

On the SSO Dashboard, select Configure SSO access to your cloud applications.

On the Applications menu, select Add a new application.

Next select Keeper Security and select Add.**

**Keeper is working with AWS to develop an Application Connector.

Fill in the Display name and Description (optional) in the application details section.

In the AWS SSO metadata section, select the download button to export the AWS SSO SAML metadata file. This file gets imported in the SSO Connect IdP Metadata section on the configuration screen.

Copy this file to the Keeper SSO Connect server and upload it into the Keeper SSO Connect interface by dragging and dropping the file into the Configuration screen. Select Save.

The remaining step on the Keeper SSO Connect server is to download the Keeper sso_connect.xml metadata file and upload it to the AWS application. Select Export Metadata on Keeper SSO Connect.

Import the sso_connect.xml file to the Application metadata section on the application configuration screen.

After saving changes, the "Configuration for Keeper Password Manager has been saved" success message will be displayed.

Note: The Keeper SSL certificate cannot be larger than 2048K, or the below error will be received.

  • Either generate a smaller SSL certificate, then re-export and import the metadata file, or manually set the ACS URL and Audience URL in the AWS SSO application configuration.

Next, ensure the Keeper application attributes that are to be mapped to AWS SSO are correct (these should be set by default). Select the Attribute mappings tab. The AWS string value is set to ${user:subject} and the format is blank or unspecified. The Keeper attributes are set as follows:

Keeper Attribute | AWS SSO String Value ** | Format
Email            | ${user:email}           | unspecified
First            | ${user:givenName}       | unspecified
Last             | ${user:familyName}      | unspecified

Note: If your AWS email is mapped to the AD UPN (which may not be the actual email address of your users), it can be re-mapped to the email address associated with the user's AD profile.

To make this change navigate to the Connect Directory on the AWS SSO page.

Select the Edit attribute mappings button.

Change the AWS SSO email attribute from ${dir:windowsUpn} to ${dir:email}.

Select the Assigned users tab and then the Assign users button to select the users or groups to assign to the application.

On the Assign Users window:

  • Select either Groups or Users

  • Type the name of a group or user

  • Select Search connect directory to initiate the search.

The results of the directory search will display under the search window.

Select the users/groups that should have access to the application and then select the Assign users button.

Your Keeper SSO Connect setup is now complete!