Installation - Windows

Install and configuration of Keeper SSO Connect on Windows and Linux environments.

Ensure you are using the latest version of Keeper SSO Connect


  1. Download the Keeper SSO Connect application from the Admin Console and stage the executable on the server.

  1. Install Java as defined on the System Requirements page.

NOTE: Java 1.7, 9, and 10 are not supported.

Ensure the correct Path is set on the System variables for your Java installation.

  1. In Search, search for: Advanced System Settings.

  2. Click the 'View Advanced system settings' link.

  3. Click Environment Variables. In the section System variables, find thePATH environment variable and select it. Click Edit. If the PATH environment variable does not exist, click New.

  4. In the Edit System Variable (or New System Variable) window, specify the value of the PATH environment variable. Click OK. Close all remaining windows by clicking OK.

** Your version of windows may be slightly different. These steps are provided as a basic guidance.

2. Download the SSL certificate file (.pfx, .p12, or .jks) and your IDP's SAML XML metadata file.

3. Reboot the server [IMPORTANT]

On Windows servers, the Keeper SSO Connect services may not start up until you reboot the server. After the reboot, test the java installation: 1. Open an Administrator Command Prompt. 2. Type java -version. 3. Verify the java version installed is found.

Installation - Windows

  1. Extract the Keeper SSO Connect app.

  1. Run KeeperSSOConnect as administrator.

Upon successful completion of the new installation the app will launch a web browser. (We recommend using Google Chrome to perform the initial setup). If the configuration web page doesn’t launch you can launch it with the new SSO Connect Icon on the desktop.

If you receive an error connecting to the Keeper SSO Connect service, you need to reboot the server. Also, you need to ensure that your web browser is able to connect to over port 443. Keeper SSO Connect does not support the use of proxy servers or firewalls that perform SSL packet inspection.

Protection of Data Files

In the SSO Connect installation folder is a data/ directory. Inside the data directory there are several files. Two of the files contain secret keys generated on the server that must be protected and are utilized to encrypt and decrypt the end-user's auto-generated master passwords. There is also a .sql file which contains a local cache of encrypted data. It is critical that access to this data folder is restricted.

You can add an extra layer of security by utilizing an HSM (Hardware Security Module) as described later in this document. When an HSM is available, an encryption key is generated for each SSO Connect instance and stored securely in the HSM. The encryption key is used to encrypt the critical property files in the data/ folder.

Windows GUI Configuration

into the SSO Connect Web UI with a Keeper Administrator account.

  • The Administrator account should not be configured for Single Sign-On.

Enter a Two Factor Authentication code if prompted.

Select the SSO Connection (Enterprise Domain).

Once you successfully authenticate Keeper SSO Connect to your Admin Console you will see the status tab:

Select on the Configuration link to begin the setup.

Enter the Advertised Hostname or IP Address. This address is what the Keeper client applications navigate to in order to initiate the SSO authentication process. If installing Keeper SSO Connect in an HA (High Availability) configuration, this is the address the that points to the load balancer. This address can be either an IP or a hostname.

Bound IP Address. This is the physical IP address of the NIC on the server. If a hostname is not used and if there is only one address associated with the server this entry will be the same as the Hostname or IP Address field.

In the is the Advertised Hostname that gets routed to the local address The Keeper SSO Connect service binds to the Private IP address.

  • The IP/Hostname must be accessible by users who will be accessing Keeper. You may need to update your firewall to allow access over the IP and port.

SSO Connect SSL Key and Certificate

The Keeper SSO Connect service requires an SSL Certificate. A self-signed certificate can be used but before deploying to production we recommend that a proper SSL Certificate from your certificate authority be generated and uploaded to this section. Self-signed certificates will generate security errors for your users on many browsers.

The certificate file type must be .pfx or .p12 for a PKCS 12 certificate or .jks for a Java Key Store certificate. Most Certificate Authorities have instructions on their sites on how to convert to these file type if they did not initially issue these specific formats.

Note: SSL Certificates may expire annually. Please set a reminder to renew your certificate prior to the expiration date to prevent unexpected outages.

PKCS 12 Passphrase

For SSO Connect version prior to 14.1.0 please enter the password in both fields

Select your specific IDP. If your IDP is not in the pull-down menu, select Default.

IdP Metadata

Select your IdP Provider. If your provider is not listed select Default.

The next step is to upload the IdP SAML metadata file. This file can be downloaded from your IdP.

Identity Provider Attribute Mappings

Attribute Mappings do not require any changes. Select Save.

SSO Connect Status

Reasons the Status might be listed as Stopped:

  1. Your SSL Certificate is missing or incorrect.

  • The hostname in the SSL certificate doesn’t match the hostname in SSO Connect. A wildcard SSL certificate can be used or you can use a certificate created for the specific hostname. (i.e. if your hostname is your cert should be set up for *

  • By default the Use Certificate to Decrypt and Sign SAML Response/Request should be selected.

See the Appendix on creating a self-signed SSL cert if you need to create one for testing or troubleshooting your SSL certificate.

Restarting the Keeper SSO Connect Service on Windows

The Keeper SSO Connect runs as a service on Windows. Closing out the web interface does not stop the service. The service can be stopped and started from the Service MMC in windows.