System Requirements

The Keeper SSO Connect is a lightweight service that can be installed on a private on-premise or cloud-based server.

Supported Server Platforms

The following server platforms are currently supported. SSO Connect requires a Java JRE or JDK, version 1.8 or 11.

Operating System


HSM Support

Windows Server 2019 Windows Server 2016 Windows Server 2012 R2

Windows Server 2012

Windows Server 2008 R2*

x64 (64-bit)

HSM is not supported

Red Hat Enterprise Linux 6.8 or above

x64 (64-bit)

HSM Supported

CentOS 7 Linux or above

x64 (64-bit)

HSM Supported

Ubuntu Linux 16.04 or above

x64 (64-bit)

HSM Supported

openSUSE 15.0 r above

x64 (64-bit)

HSM Supported

*Java 11 not supported

Server Hardware Requirements

The following table outlines the minimum hardware requirements per each server.

Max # of users per server

Processor speed (GHz)

Number of processors / Cores

Memory (GB)

Disk (GB)



1 / 4



1,000 - 50,000


1 / 4



50,000 - 100,000


1 / 8



Scalability and High Availability

Both scalability and high availability can be achieved by placing a load balancer in front of a cluster of Keeper SSO Connect servers. The Keeper Cloud backend will take care of configuration synchronization. Changes applied to one server are automatically distributed to all servers in the same SSO node cluster. This includes the user database.

Further scalability, for example to scale to 100,000 users or more, can be achieved by splitting groups of users up into multiple SSO Connect domains. This will require creating separate SSO-enabled node(s) in the Keeper Admin Console and a separate SSO server or server cluster for each node.

HSM Requirements

SSO Connect can be fully integrated with Gemalto on-prem or Cloud HSM solutions for key management. The following HSM modules are currently supported:






Luna 7


Currently only Linux-based SSO Connect instances supported.

Network Deployment Requirements

The following network requirements apply to Keeper SSO Connect deployments.

  • Keeper SSO Connect network connections to Keeper Cloud servers is TCP/443 (TLS 1.2) outbound stateful.

  • Keeper clients connect to SSO Connect via the externally advertised public FQDN/IP and TCP port.

  • Local server bind port and the external advertised connection port are configurable separately. In that scenario the ports need to be translated via a load balancer, firewall or locally (eg. iptables).

  • The external advertised TCP port (default TCP/8443) needs to be allowed inbound into the network subnet where the SSO Connect servers are located. For example if the service is running on Windows, use Windows Firewall to open the port to SSO Connect.

HSM Architecture and Deployment

The following is a general HSM architecture diagram for Luna HSM deployments.

Keeper SSO Connect will communicate with the Luna HSM via a library ( which handles all Keeper/Luna communication. This communication is typically conducted via TCP port 1792 stateful from Keeper SSO Connect outbound to Luna HSM inbound.