As described in the System Requirements page, make sure to install a compatible version of the Java runtime.
We recommend installing OpenJDK 11.0 which can be downloaded from the link below: https://github.com/ojdkbuild/ojdkbuild/releases/download/java-11-openjdk-188.8.131.52-2/java-11-openjdk-jre-184.108.40.206-2.windows.ojdkbuild.x86_64.msi
We also support Oracle Java SE 11.0 which can be downloaded from here: https://www.oracle.com/technetwork/java/javase/downloads/jdk11-downloads-5066655.html
Note: If you had a different version of Java installed, we recommend completely uninstalling all Java versions prior to installing the OpenJDK 11.0 or Oracle Java SE 11.0.
If Java isn't recognized on the command line, follow the steps below.
In Search, search for: Advanced System Settings.
Click the 'View Advanced system settings' link.
Click Environment Variables. In the section System variables, find the
PATH environment variable and select it. Click Edit. If the
PATH environment variable does not exist, click
In the Edit System Variable (or New System Variable) window, specify the value of the
PATH environment variable. Click OK. Close all remaining windows by clicking OK.
Download the Keeper SSO Connect application from the Admin Console > Provisioning Screen and store the executable on the target server.
The latest SSO Connect installers can be found here: Windows: https://keepersecurity.com/sso_connect/KeeperSso.zip Linux: https://keepersecurity.com/sso_connect/KeeperSso_java.zip
Copy the downloaded file to each SSO Connect server.
Installation of SSO Connect requires the creation of an SSL certificate file that is utilized for the endpoint. Generate the SSL certificate and download the SSL certificate file (
.jks) and your IDP's SAML XML metadata file to the server.
Extract the Keeper SSO Connect installer file.
Run KeeperSSOConnect as Administrator.
Upon successful completion of the new installation the app will launch a web browser. (We recommend using Google Chrome to perform the initial setup). If the configuration web page doesn’t launch you can launch it with the new SSO Connect Icon on the desktop.
If you receive an error connecting to the Keeper SSO Connect service, you need to reboot the server. Also, you need to ensure that your web browser is able to connect to keepersecurity.com over port 443. Keeper SSO Connect does not support the use of proxy servers or firewalls that perform SSL packet inspection.
Login to the SSO Connect Web UI, with a Keeper Administrator Master Password account, by navigating to http://127.0.0.1:8080/config or by utilizing the Keeper SSO Connect Desktop Icon.
Enter a Two Factor Authentication code if prompted.
Select the SSO Connection (Enterprise Domain).
Once you successfully authenticate Keeper SSO Connect to your Admin Console you will see the status tab:
Select on the Configuration link to begin the setup.
Enter the Advertised Hostname or IP Address. This address is what the Keeper client applications navigate to in order to initiate the SSO authentication process. If installing Keeper SSO Connect in an HA (High Availability) configuration, this is the address the that points to the load balancer. This address can be either an IP or a hostname.
Bound IP Address. This is the physical IP address of the NIC on the server. If a hostname is not used and if there is only one address associated with the server this entry will be the same as the Hostname or IP Address field.
In the example above, "sso-1.test-keeper.com" is the Advertised Hostname that gets routed to the local address 10.1.0.4. The Keeper SSO Connect service binds to the Private IP address.
The Keeper SSO Connect service requires an SSL Certificate. It is recommend to use a proper SSL Certificate signed by a Certificate Authority (CA). The SSL cert can be one generated specifically for the SSO Connect server (hostname or IP address) or a wild card certificate that matches your domain (*.yourcompany.com).
The certificate file type must be
.p12 for a PKCS 12 certificate or
.jks for a Java Key Store certificate. Most Certificate Authorities have instructions on their sites on how to convert to these file type if they did not initially issue these specific formats.
For assistance in generating a SSL certificate, please refer to the section on Creating a Certificate.
Select your specific IDP. If your IDP is not in the pull-down menu, select Default.
Select your IdP Provider. If your provider is not listed select Default.
The next step is to upload the IdP SAML metadata file. This file can be downloaded from your IdP.
Attribute Mappings do not require any changes. Select Save.
Reasons the Status might be listed as Stopped:
Your SSL Certificate is missing or incorrect.
The hostname in the SSL certificate doesn’t match the hostname in SSO Connect. A wildcard SSL certificate can be used or you can use a certificate created for the specific hostname. (i.e. if your hostname is Keeper.DOMAIN.com your cert should be set up for *.DOMAIN.com).
By default the Use Certificate to Decrypt and Sign SAML Response/Request should be selected.
See the Appendix on creating a self-signed SSL cert if you need to create one for testing or troubleshooting your SSL certificate.
The Keeper SSO Connect runs as a service on Windows. Closing out the web interface does not stop the service. The service can be stopped and started from the Service MMC in windows.