SSO Migration to Cloud
Keeper provides automated migration from your SSO Connect On-Prem instance to Cloud SSO.
Keeper now supports an automated process for migrating your users from SSO Connect On-Prem to Keeper SSO Connect Cloud.
Note: This migration process does not include device approvals. Device approvals will need to be configured using one of the standard Keeper methods as documented here. Users and admins can also manually process device approvals until an automated method is set up.
- Ensure that all of the on-premise IdP users are also provisioned in the Cloud IdP instance. For example, inside Azure ensure that users are assigned to the SSO Cloud enterprise application.
- For devices to be automatically approved as part of this SSO migration process, we recommend installing Keeper Automator. Instructions for provisioning Keeper Automator can be found here: https://docs.keeper.io/sso-connect-cloud/device-approvals/automator
Start in the Keeper Admin Console by accessing "Admin" from the left-side menu. Select the node with the on-premise SSO Connect instance that users are migrating from.
Now add a new SSO Connect Cloud provisioning method inside that same node. A popup message will appear explaining that, if the user continues, Keeper will assume that user authentication is moving to the cloud. Select "Continue" to complete the migration setup.
Select Single Sign-On with SSO Connect Cloud
Configuration of the new SSO Connect Cloud environment can be done before or after SSO migration has started. If the SSO Connect Cloud environment is set up after migration begins, the SSO Connect Cloud instance will show as "Pending" during migration.
SSO Connect Cloud Pending
Your SSO Connect Cloud environment can be set up using the process described here:
Note that during setup of your new SSO Cloud instance, you are asked to specify an "Enterprise Domain". This is simply a unique identifier that is used to reference the identity provider configuration. It isn't actually a domain name; it's an arbitrary identifier that you can set to anything. If you used your domain name for the on-prem instance (e.g. company.com), the new SSO Cloud Enterprise Domain could be set to something like new.company.com or whatever you like. Ideally it would be something users can remember.
Once setup of your SSO Connect Cloud instance is completed, make sure that you test the process with a new user. Ensure that new users are able to authenticate with the SSO Cloud instance and ensure that you're able to approve devices.
After assigning Keeper SSO Connect Cloud to a node with Keeper SSO Connect running, Keeper will begin the migration and the provisioning screen will show the status "Migration in Progress" along with the number of users migrated to SSO Connect Cloud.
SSO Migration in Progress
When existing and new users log in, they will automatically be moved and authenticated using SSO Connect Cloud. If the SSO Connect Cloud environment has not been set up yet, the cloud instance will show a status of "Pending" instead of "Active".
When the cloud instance is in a "Pending" state, users can still be migrated in Keeper. A migrated status indicates that they have logged in and a key exchange has occurred, which will allow them to be provisioned via SSO Connect Cloud when it is activated. The migrated users will still be authenticated using the on-premise SSO Connect until the SSO Connect Cloud environment is activated.
When all users have finally logged into Keeper and have been migrated to SSO Connect Cloud, the migration status will change to "Migration Complete". If the SSO Connect Cloud is also "Active", then the message under "Migration Complete" will include the instruction: "You can delete the SSO Connect On-Prem Method for this node."
SSO Migration Complete
At any point during the SSO migration, the administrator can export a migration status report in CSV format. For each SSO user, the report shows: user UID, user name, user email address and the user's migration status.
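One way to use this report as a check before deleting the on-prem method, shown as an added example that is not Keeper's own code: it lists users who have not yet migrated and users missing from the cloud IdP assignment list. The column headers, the "Migrated" status string, and the sample data are assumptions, since the page names the report fields but not the exact CSV headers or status values.

```python
import csv
import io

# Assumed column names and status value: the page lists the report fields but
# not the exact CSV headers or status strings, so adjust these to your export.
EMAIL_COL = "Email"
STATUS_COL = "Migration Status"
DONE_STATUS = "migrated"


def _norm(value):
    """Normalize emails/statuses for comparison (trim, case-fold)."""
    return (value or "").strip().casefold()


def migration_readiness(report_csv, cloud_idp_emails):
    """Return (pending, unassigned, safe_to_delete) for a migration report.

    pending    - users whose status is not DONE_STATUS
    unassigned - report users missing from the cloud IdP assignment list
    """
    reader = csv.DictReader(io.StringIO(report_csv))
    missing = {EMAIL_COL, STATUS_COL} - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"report lacks expected columns: {sorted(missing)}")

    assigned = {_norm(e) for e in cloud_idp_emails}
    pending, unassigned, seen = [], [], set()
    for row in reader:
        email = _norm(row[EMAIL_COL])
        if not email or email in seen:  # skip blank rows and duplicates
            continue
        seen.add(email)
        if _norm(row[STATUS_COL]) != DONE_STATUS:
            pending.append(email)
        if email not in assigned:
            unassigned.append(email)
    # Safe only if the report is non-empty and nobody is pending or unassigned.
    safe = bool(seen) and not pending and not unassigned
    return sorted(pending), sorted(unassigned), safe


# Constructed sample data, not real Keeper output.
SAMPLE_REPORT = """User UID,User Name,Email,Migration Status
1001,Ana Ruiz,ana@example.com,Migrated
1002,Ben Cho,Ben@Example.com,Pending
1003,Cy Diaz,cy@example.com,Migrated
"""
SAMPLE_CLOUD_USERS = ["ana@example.com", "ben@example.com"]
```

An empty report is treated as not safe, so a failed or truncated export cannot be mistaken for a completed migration.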
If any users do not successfully migrate to SSO Connect Cloud using this automation process, these users can be moved using a manual process described in the following document: