Keeper cloud application

You must be signed in as a super administrator for this task.

Using Security Assertion Markup Language (SAML), your users can use their Google Cloud credentials to sign in to enterprise-cloud applications.

Set up SSO via SAML for Keeper

Here's how to set up single sign-on (SSO) via SAML for the Keeper® application.

Step 1: Set up Keeper as a SAML 2.0 service provider (SP)
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Security, and then the SSO settings:

    You must be signed in as a super administrator for this task.

    Click Set up single sign-on (SSO) for SAML applications.

    Or, if you don’t have that option:

    Click Set up single sign-on (SSO).

  3. Click Download to download the Google IdP metadata.
  4. Go to https://keepersecurity.com/console/#login and sign in.
  5. Click Advanced Configuration then Show Node Structure.
  6. Toggle Show Node Structure on.
  7. Click the + button to create the SSO node.
  8. Select your newly created node
  9. Add an SSO connection:
    Click the Bridge/SSO tab of the node.
    Click the  + SSO Connection link under the Manage SSO Connect for SSO - G Suite section.
  10. There are 2 parameters to configure here: The Enterprise Domain and the New User Provisioning option.
  11. Enter saml-sso in the Enterprise Domain field.
  12. Select Dynamically provision users upon successful login to SSO in the New User Provisioning section. 
  13. Click Save to save these items.
  14. Install Keeper SSO Connect.
  15. Download Keeper SSO Connect based on your OS. 
    Note: You'll need to update the firewall to allow access over the 8443 port. 
    At the command prompt run sudo ufw allow 8443 for Linux.
  16. Install Keeper by following instructions mentioned in the README.txt file.
  17. Sign in to Keeper SSO Connect.
    The first time logging in, you will be prompted to select the SSO Connect enterprise domain name from the admin console. Select the G Suite connection and then click Connect.
  18. Upload the X.509 Certificate required for SSO setup you downloaded in Step 3.
  19. Click Save to save these items.
  20. Proceed to the next section to set up Google as a SAML IdP.
Step 2: Set up Google as a SAML IdP
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Apps and then SAML apps.

    To see Apps on the Home page, you might have to click More controls at the bottom. 

  3. Click Add Add at the bottom right.
  4. Locate and click Keeper in the application list. The values on the Google IDP Information page automatically populate.
  5. Contact Keeper support to setup Google as a SAML IdP. Once the certificates have been sent by Keeper support upload them into the appropriate service provider Setup fields, and then come back to the admin console and click Next.

    The Basic information window shows the Application name and Description seen by users.

  6. Click Next.
Step 3: Enter service provider details in Google Admin console
  1. In the Service Provider Details section, enter the following URLs into the Entity ID, ACS URL, and Start URL fields:
            ACS URL: https://hostname:port/sso-connect/saml/sso
            Entity ID: https://hostname:port/sso-connect
            Start URL: empty
  2. Leave Signed Response unchecked.
    When the Signed Response checkbox is unchecked, only the assertion is signed. When the Signed Response checkbox is checked, the entire response is signed.
  3. The default Name ID is the primary email. Multi-value input is not supported. Keeper requires the primary email for authentication. Contact Keeper support if you require a different Name ID mapping. Custom attributes of the user schema can also be used after creating them via Google Admin SDK APIs. The custom attributes for the user schema need to be created prior to setting up the Keeper SAML application. 
  4. In the NameID Format: field, enter Email.
  5. Click Next.
  6. Under Attribute mapping, first select the Category as Basic Information from the drop down list and then choose a User attribute to map the attribute from the Google profile. You must provide the "Primary Email" [Email], "First Name" [First], and "Last Name" [Last] attributes.
  7. Click Finish.
Step 4: Enable the Keeper app
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Apps and then SAML apps.

    To see Apps on the Home page, you might have to click More controls at the bottom. 

  3. Select Keeper.
  4. At the top right of the gray box, click Edit Service Compose.

  5. To turn on or off a service for everyone in your organization, click On for everyone or Off for everyone, and then click Save.

  6. To turn on or off a service only for users in an organizational unit:

    1. At the left, select the organizational unit.
    2. Select On or Off.
    3. To keep the service turned on or off even when the service is turned on or off for the parent organizational unit, click Override.
    4. If the organization's status is already Overridden, choose an option:
      • Inherit—Reverts to the same setting as its parent.
      • Save—Saves your new setting (even if the parent setting changes).

    Learn more about organizational structure.

  7. Ensure that your Keeper user account email IDs match those in your Google domain.
Step 5: Verify that the SSO is working
  1. Close all browser windows.
  2. Open https://hostname:port/sso-connect/saml/login and attempt to sign in. You should be automatically redirected to the Google sign in page.
  3. Enter your username and password.

After your sign in credentials are authenticated, you are automatically redirected back to Keeper.

Was this helpful?
How can we improve it?