Setting Up Azure with SSO Connect Cloud

Jun 23, 2022

In order to set up Azure with SSO Connect Cloud you must first complete the Admin Console Configuration setup. This process should only take a few minutes if you previously configured other service providers with your IdP.

First, visit the Keeper Admin Console and log in. Click on the Admin menu and create a new node. Visit the “Provisioning” tab and click “Add Method,” then select “Cloud SSO Connect” and click “Next.” Enter the Configuration Name and Enterprise Domain. The Configuration Name will not be seen by your end users and allows you to manage multiple configurations. The Enterprise Domain could be used for logging in, therefore we recommend selecting a name that is unique and easy to remember. Click Save to proceed to the next step. Keeper will automatically open the "Edit Configuration" screen next.

At this point you will need the metadata file from your identity provider. Go to your Azure Admin account at https://portal.azure.com and add the Keeper Enterprise Application. Click on “Azure Active Directory”, then “Enterprise Applications.” Select "New Application," then search for Keeper and select "Keeper Password Manager". Click "Create" to create the application. Click on "Set up single sign on" and choose "SAML."

Back on the Keeper Admin Console go to View and then Export Metadata. Upload the Metadata file into the Azure interface by selecting the "Upload metadata file" button.

Azure will open up the SAML configuration screen. The “Sign on URL” field will display an error. This is anticipated and can be fixed by copying the URL from the "IDP Initiated Login Endpoint" in the Admin Console SSO Cloud instance "view" screen, and pasting it into the "Sign on URL" field. Click “Save,” then close the window with the SAML configuration.

After saving, you'll be asked to test the configuration. Don't do this. Wait a few seconds then reload the Azure portal page on the web browser. Now there should be a certificate section that shows up in the "SAML Signing Certificate" area. Click on "Download" under the Federation Metadata XML section.

In the Keeper Admin Console, select Azure as the Identity Provider type and import the Federation Metadata file saved in the previous step into the SAML Metadata section. While in the “Edit Configuration” screen you can also set up the 3 required attribute mappings, which are called "First", "Last" and "Email" by default but may be changed.

The metadata from Keeper that you imported into Azure included the Entity ID and ACS URL. If you need these parameters again later when editing the Keeper app in Azure, they are available on the "View Configuration" screen in the Keeper Admin Console: go back from the "Edit Configuration" screen and click "View".
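Both directions of this setup involve handing a SAML metadata file from one party to the other: Keeper's exported SP metadata (carrying the Entity ID and ACS URL) goes into Azure, and Azure's Federation Metadata XML (carrying the SSO endpoint and the signing certificate) comes back into Keeper. The script below is an added example, not part of this guide and not Keeper or Microsoft tooling; it parses either kind of metadata with the Python standard library and reports the entity ID, the endpoints and the SHA-256 fingerprint of any signing certificate, then runs a few sanity checks a reviewer would want before importing (HTTPS endpoints, and a signing certificate actually present in IdP metadata). The two metadata documents and the certificate blob inside them are constructed placeholders, not real Azure or Keeper values.

```python
"""Inspect SAML 2.0 metadata before importing it into the other side of an SSO setup.

Added example; the sample documents below are constructed placeholders.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample in the shape of an IdP's Federation Metadata XML.
# The certificate blob is base64 of the string "PLACEHOLDER", not a real cert.
SAMPLE_IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/placeholder-tenant-id/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>UExBQ0VIT0xERVI=</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/placeholder-tenant-id/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/placeholder-tenant-id/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

# Constructed sample in the shape of an SP's exported metadata (Entity ID + ACS URL).
SAMPLE_SP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test/placeholder-sso-connect">
  <SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/placeholder-sso-connect/saml/acs" index="0"/>
  </SPSSODescriptor>
</EntityDescriptor>
"""


def inspect_metadata(xml_text: str) -> dict:
    """Return entity ID, role, endpoints and signing-cert fingerprints from SAML metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor document")

    info = {"entity_id": root.get("entityID"), "role": None,
            "endpoints": [], "signing_cert_sha256": []}

    idp = root.find("md:IDPSSODescriptor", NS)
    sp = root.find("md:SPSSODescriptor", NS)
    if idp is not None:          # IdP metadata: where the SP sends AuthnRequests
        info["role"], role, svc_tag = "IdP", idp, "md:SingleSignOnService"
    elif sp is not None:         # SP metadata: where the IdP posts assertions (ACS)
        info["role"], role, svc_tag = "SP", sp, "md:AssertionConsumerService"
    else:
        raise ValueError("no IDPSSODescriptor or SPSSODescriptor found")

    for svc in role.findall(svc_tag, NS):
        info["endpoints"].append((svc.get("Binding"), svc.get("Location")))

    # KeyDescriptor with use="signing" (or no use attribute) holds the cert that
    # signs assertions; fingerprint the DER so it can be compared out of band.
    for kd in role.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()), validate=True)
            info["signing_cert_sha256"].append(hashlib.sha256(der).hexdigest())
    return info


def sanity_check(info: dict) -> list:
    """Return a list of problems a reviewer would want fixed before importing."""
    problems = []
    if not info["entity_id"]:
        problems.append("missing entityID")
    if not info["endpoints"]:
        problems.append("no %s endpoints declared" % info["role"])
    for _binding, location in info["endpoints"]:
        if not (location or "").startswith("https://"):
            problems.append("endpoint is not HTTPS: %r" % location)
    if info["role"] == "IdP" and not info["signing_cert_sha256"]:
        problems.append("IdP metadata has no signing certificate; assertions could not be verified")
    return problems


if __name__ == "__main__":
    for label, doc in (("IdP", SAMPLE_IDP_METADATA), ("SP", SAMPLE_SP_METADATA)):
        result = inspect_metadata(doc)
        print(label, result, "problems:", sanity_check(result) or "none")
```

Run it against the downloaded Federation Metadata XML instead of the sample to confirm the file actually carries a signing certificate (the step above depends on Azure having generated one) and to record its fingerprint alongside the configuration, so a later certificate rollover is noticed rather than discovered as a login outage.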

Finally, under the User Attributes section, Azure will automatically create claims for User ID, First, Last and Email. We recommend deleting the 4 claims in the "Additional Claims" section since they are not needed.