HomeEnterprise GuideUser Guides
Search…
Keeper SSO Connect On-Prem
Overview
System Requirements
Installation and Setup
Identity Provider Setup
High Availability (HA) Configuration
Integration with AWS CloudHSM
Integration with Gemalto HSM
Upgrading SSO Connect
Update Instructions
Updating On-Prem Config
Migrating to a new SSO Connect Server
End-User Login Flow
Service Management
Troubleshooting & FAQs
Creating SSL Certificates
SSO Migration to Cloud
Technical Support
Links and Resources
Docs Home
Powered By GitBook
System Requirements
System Requirements for Keeper SSO Connect service
The Keeper SSO Connect is a lightweight service that can be installed on a private on-premise or cloud-based server. The application is hosted by the customer in order to preserve zero knowledge and provide compatibility with any SAML 2.0 compatible identity provider.

Supported Server Platforms

The following server platforms are currently supported.
Supported Windows Server versions Windows Server 2012 R2 Standard Windows Server 2012 R2 Datacenter Windows Server 2016 Datacenter Windows Server 2016 Standard Windows Server 2019 Standard Windows Server 2019 Datacenter
Supported Linux versions: Ubuntu 18+ CentOS 7+ Debian 9.8+ openSUSE Tumbleweed openSUSE Leap 15.1+ Red Hat Enterprise Linux 6.8+
Supported Java versions Java 11.0.5 (LTS) Java SE 11.0

Java Dependencies

Keeper SSO Connect requires Java 11. We recommend customers use Java 11.0 (LTS). If you have a different version of Java installed we recommend uninstalling that version and install Java 11.0 first before you proceed. Otherwise you may experience service hanging during installation.
To ensure all Java installation dependencies are met we require that you install Java using the appropriate .exe or .msi installer which will setup the environment as needed to operate correctly.
SSO Connect now requires Java 11. You can obtain Java 11.0.12 for Windows using the link below:
​https://github.com/ojdkbuild/ojdkbuild/releases/download/java-11-openjdk-11.0.12.7-1/java-11-openjdk-11.0.12.7-1.windows.ojdkbuild.x86_64.msi OpenJDK project: https://github.com/ojdkbuild/ojdkbuild Reboot is required after Java installation
Installation will hang during service start if an unsupported Java version is installed

Server Hardware Requirements

The following table outlines the minimum hardware requirements per each server.
Max # of users per server
Processor speed (GHz)
Number of processors / Cores
Memory (GB)
Disk (GB)
1-1,000
3
1 / 4
2
40
1,000 - 50,000
3
2 / 4
8
40
50,000 - 100,000
4
2 / 8
16
40

Scalability and High Availability

The Keeper Connect service on a single instance can handle thousands of simultaneous users.
However, both scalability and high availability can be achieved by placing a load balancer in front of a cluster of Keeper SSO Connect servers. The Keeper Cloud backend will take care of configuration synchronization. Changes applied to one server are automatically distributed to all servers in the same SSO node cluster. This includes the user database.
Further scalability, for example to scale to 100,000 users or more, can be achieved by splitting groups of users up into multiple SSO Connect domains. This will require creating separate SSO-enabled node(s) in the Keeper Admin Console and a separate SSO server or server cluster for each node.

HSM Integration (Optional)

SSO Connect can optionally be integrated with Amazon CloudHSM or Gemalto HSM solutions to protect the private encryption keys. The following HSM modules are currently supported:
Vendor
Model
Version
Notes
Amazon
CloudHsm
v2
Linux or Windows servers are supported.
Gemalto
Luna 7
6.2+
Currently only Linux-based SSO Connect instances supported.

Network Deployment Requirements

The following network requirements apply to Keeper SSO Connect deployments.
  • Keeper SSO Connect network connections to Keeper Cloud servers at keepersecurity.com (US) or keepersecurity.eu (EU customers) is TCP/443 (TLS 1.2) outbound stateful.
  • End-user devices must connect to SSO Connect via the advertised public FQDN/IP and TCP port. For example, keepersso.mycompany.com.
  • Local server bind port and the external advertised connection port are configurable separately. In that scenario the ports need to be translated via a load balancer, firewall or locally (eg. iptables).
  • The external advertised TCP port that is configured in SSO Connect (default TCP/8443) needs to be allowed inbound into the network subnet where the SSO Connect servers are located. For example if the service is running on Windows, use Windows Firewall to open the port to SSO Connect. 8443 is just the default, you can use any port.
​
​
Previous
Overview
Next
Installation and Setup
Last modified 9mo ago
Export as PDF
Copy link
On this page
Supported Server Platforms
Java Dependencies
Server Hardware Requirements
Scalability and High Availability
HSM Integration (Optional)
Network Deployment Requirements