SSO Migration to Cloud
Keeper provides automated migration from your SSO Connect On-Prem instance to Cloud SSO.

Overview

Keeper now supports an automated process for migrating your users from SSO Connect On-Prem to Keeper SSO Connect Cloud.
When migrating to SSO Connect Cloud, there is a change in the user experience, specifically in regards to new device approvals. Please ensure that you read the SSO Connect Cloud documentation.
Note: This migration process does not include device approvals. Device approvals will need to be configured using one the standard Keeper methods as documented here. Users and admins can also manually process device approvals until an automated method is set up.
IMPORTANT We recommend scheduling and planning migration with a Keeper support engineer before you start the process.
IMPORTANT DO NOT DELETE your existing On-Prem SSO instance until after 100% of users have migrated. DO NOT DELETE the On-Prem Keeper application from your identity provider until after 100% of users have migrated. Both instances must remain active until all users have logged in at least one time, and until all migration is completed.

Prerequisites

  • Ensure that all of the on-premise IdP users are also provisioned in the Cloud IdP instance. For example, inside Azure ensure that users are assigned to the SSO Cloud enterprise application.
  • For devices to be automatically approved as part of this SSO migration process, we recommend installing Keeper Automator. Instructions for provisioning Keeper Automator can be found here: https://docs.keeper.io/sso-connect-cloud/device-approvals/automator

Setting up Migration to SSO Connect Cloud

Start in the Keeper Admin Console by accessing "Admin" from left-side menu. Select a node with the on-premise SSO Connect instance where users are migrating from.
Now add a new SSO Connect Cloud provisioning method inside that same node. A popup message will appear that explains if the user continues, Keeper will assume that user authentication is moving to the cloud. Select "Continue" to complete the migration setup.
Select Single Sign-On with SSO Connect Cloud
Configuration of the new SSO Connect Cloud environment can be done before or after SSO migration has started. In the event that the SSO Connect Cloud environment is setup after migration begins, the SSO Connect Cloud instance will show as "Pending" during migration.
SSO Connect Cloud Pending
Your SSO Connect Cloud environment can be setup using the process described here:
Keeper SSO Connect® Cloud
SSO Connect Cloud
Note that during setup of your new SSO Cloud instance, you are asked to specify an "Enterprise Domain". This is simply a unique identifier that is used to reference the identity provider configuration. It isn't actually a domain name, it's just an arbitrary identifier that you can set to anything. If you used your domain name for the on-prem instance (e.g. company.com), the new SSO Cloud Enterprise Domain could be set to something like new.company.com or whatever you like. Ideally it would be something users can remember.
Once setup of your SSO Connect Cloud instance is completed, make sure that you test the process with a new user. Ensure that new users are able to authenticate with the SSO Cloud instance and ensure that you're able to approve devices.
After assigning Keeper SSO Connect Cloud to a node with Keeper SSO Connect running, Keeper will begin the migration and the provisioning screen will show the status "Migration in Progress" along with the number of users migrated to SSO Connect Cloud.
SSO Migration in Progress
During the migration process, both on-prem and cloud instances must remain intact. This is a slow roll migration which is performed as end-users login.
When existing and new users log in, they will automatically be moved and authenticated using the SSO Connect Cloud. If the SSO Connect cloud environment has not been set up yet, the cloud instance will show a status of "Pending" instead of "Active".
When the cloud instance is in a "Pending" state, The users can still be migrated in Keeper indicating they have logged in and a key exchange has occurred which will allow them to be provisioned via SSO Connect Cloud when it is activated. The migrated users will still be authenticated using the on-premise SSO Connect until the SSO Connect Cloud environment is activated.
Keep in mind the On-Prem SSO and the Cloud SSO each have unique "Enterprise Domains" configured. To prevent the user from inadvertently logging back into the On-Prem instance when trying to migrate to the Cloud instance, click on the "Back" button to navigate away from the Enterprise Domain screen and start the authentication with the user's email address.
When all users have finally logged into Keeper and have been migrated to SSO Connect Cloud, the migration status will change to "Migration Complete". If the SSO Connect Cloud is also "Active", then the message under "Migration Complete" will include the instruction: "You can delete the SSO Connect On-Prem Method for this node."
Do not delete SSO Connect on-premise provisioning method for this node until 100% of the users have fully migrated and Keeper informs you that deletion is safe.
SSO Migration Complete
At any point during the SSO migration, the administrator can export a migration status report in CSV format. For each SSO user, the report shows: user UID, user name, user email address and the user's migration status.
If any users do not successfully migrate to SSO Connect Cloud using this automation process, these users can be moved using a manual process described in the following document:
Migration from On-Prem
SSO Connect Cloud