How to Configure SAML 2.0 for Keeper Password Manager and Digital Vault


Supported Features

The Okta/Keeper Password Manager and Digital Vault SAML integration currently supports the following features:

Configuration Steps

  1. Generate two certificates (Personal Exchange Format (PFX) and Certificate file (CRT)):

    1. Open your terminal and type the following commands:

      • Generate private key:

        openssl genrsa -out privatekey.pem 2048
      • Generate request:

        openssl req -new -sha256 -key privatekey.pem -out certificaterequest.csr
      • Generate certificate:

        openssl req -x509 -sha256 -days 365 -key privatekey.pem -in certificaterequest.csr -out certificate.crt
      • Generate PKCS#12 file:

        openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in certificate.crt -inkey privatekey.pem -out requiredkey.pfx -name “displayed-name”
    2. Note: The certificates will be in your user directory. (for example, if your username is johnsmith, you will see the files under johnsmith in your system directory.

    3. In Okta, select the Sign On tab for the Keeper Password Manager and Digital Vault app, then click Edit.

    4. Check Enable Single Logout.

    5. Signature Certificate: Click Browse to locate, then Upload to upload the .crt you generated when you created your self-signed .pfx file (in step 1).

    6. Click Save:


  2. Refresh these instructions in your browser or close them and click View Setup Instructions again. This will generate a correct metadata.

  3. Save the following metadata file as metadata.xml:

    Sign in to Okta Admin app to have this variable generated for you.
  4. Login to the Admin Console at https://keepersecurity.com/console and login as the Keeper Administrator.

  5. SSO integration is applied to specific nodes (organizational units) within your Admin Console. To display the node structure, select Advanced Configuration, then Show Node Structure:


  6. Select the Admin tab.

  7. Click the + (plus) icon to create a new node that will host the Keeper SSO Connect integration:


  8. Enter a node name, then click Create. (In the below example, we named the node Support Department and added it beneath the root node.)


  9. Select your new node.

  10. Select the Bridge/SSO tab, then select + SSO Connection:


  11. Enter your Enterprise Domain alias. This alias should be named something that is easy for your users to remember because they may need to type the name into their mobile and apps (iOS, Android, Mac, Windows) upon first logging into a new device.

  12. OPTIONAL: Select Dynamically provision users upon successful login to SSO if you want to enable Just In Time (JIT) provisioning.

  13. Click Save:


  14. Download and install the Keeper SSO Connect application:


  15. Login to the Keeper SSO Connect application with your Keeper Administrator email address and master password.

  16. The first time you log in, you will be prompted to select the SSO Connection from the admin console.

  17. Do the following:

    • Select the Configuration menu.

    • Enter your Hostname or IP Address.

    • Enter your Private IP Address.

    • Check Use Certificate to Decrypt and Sign SAML Response/Request.

    • SSO Key Store: Upload your .pfx file (step 1).

    • Type: Select PKCS (.p12, .pfx).

    • Enter your Key Store Password.

    • Enter your Password for Private Key (if you have one).

    • IDP Type: Select Okta.

    • Identity Provider Attribute Mappings: Leave the following default values:

      • First Name: First

      • Last Name: Last

      • Email or Username: Email

    • Click Save.


  18. Select Status from the left menu.

  19. Save the Entity ID value from the Service Provider section.


  20. In Okta, select the General tab for the Keeper Password Manager and Digital Vault app, then click Edit.

    • Enter the Entity ID value you saved earlier (step 19) into the Server Base URL field.

    • Click Save.


  21. Done!


The following SAML attributes are supported:

SP-initiated SSO

  1. Open the Login URL: https://keepersecurity.com/vault/#.

  2. Select Enterprise SSO Login:

  3. vault11.png

  4. Enter your Enterprise Domain.

  5. Click Connect:

  6. vault12.png