Admin Console Configuration
Setting up your Keeper Admin Console for SSO integration
SSO integration is applied to specific nodes (e.g. organizational units) within your Admin Console outside of the root node. Since the SSO provisioning can not be added to the root node a new node will need to be added in order to support SSO authentication.
Click on the 'Admin' menu tab. By default the node structure is displayed to the right of the menu.
On the root node (the top level node with the organization name displayed) click on the three dots and select the '+ Add Node' button to create a new node which will host the Keeper SSO Connect integration to the IdP. The node can be anywhere in your tree structure.
Add Node for SSO
Create New Node
Organizations with multiple IdP's can have each one associated with a different node. For example if one subset of users authenticates to Azure and another group of users authenticate with Okta each IdP can be enabled on different nodes. Users will only be able to be associated with one IdP.
Select the Provisioning tab of the node.
Next, select + Add Method link to create a new connection.
There are 2 parameters to configure. The Enterprise Domain and the New User Provisioning option.
Every SSO Connection must be uniquely identified through the use of an arbitrary Enterprise Domain name. This name should be something that is easy for your users to remember (e.g. my_company) because they may need to type the name into their mobile device and apps (iOS, Android, Mac, Windows) upon first logging into a new device.
Users can be dynamically provisioned to your Keeper Business account upon first successful authentication on SSO (Just-In-Time provisioning). For the best user experience, we recommend selecting this option. You can also manually invite users through the Admin Console Users tab, or invite users via the Keeper Bridge.
After configuring the Enterprise Domain and New User Provisioning select Save.
At this point, you can now configure the Keeper SSO Connect application.
If you are planning to use the Keeper Bridge for provisioning users instead of Just-In-Time SSO provisioning, please leave this option disabled.
Users who authenticate to Keeper via SSO Connect will need the ability to communicate with SSO Connect instance(s) over the configured FQDN and port. We recommend the following security controls:
- Utilize Keeper's IP Allowlisting features of the role enforcement settings to restrict vault access to approved networks. This can be found in Role > Enforcement Policies > Allow IP List.
- Apply firewall and access policies to SSO Connect instance(s) to trusted networks.