Keeper SSO Connect

Keeper SSO Connect is part of the Keeper Enterprise Password Manager platform, enabling integration with corporate identity providers for SAML 2.0–based SSO. It allows users to access Keeper vaults using existing enterprise credentials from providers such as Azure AD, Okta, Ping, or Google Workspace, while retaining Keeper’s zero-knowledge encryption model.

Key Capabilities

• SAML 2.0 SSO integration: Compatible with any standards-compliant IdP, including Okta, Ping, Azure AD, Google Workspace, and others.

• Zero-knowledge encryption: Encryption and decryption occur client-side; Keeper never stores or accesses plaintext data.

• Deployment flexibility: Runs in customer-managed environments (Windows, Linux, Docker, or Kubernetes); supports HA and load balancing.

• Role and group mapping: Integrates with IdP group claims for automatic user provisioning and role assignment within Keeper.

Limitations

• Protocol scope: Keeper SSO Connect supports only SAML 2.0 for authentication. There is no public confirmation of native OpenID Connect (OIDC) or OAuth 2.0 support.

• Self-hosted operations: The solution requires on-premises deployment and customer-managed maintenance, which introduces additional operational overhead compared to SaaS-based identity providers.

• Keeper-specific integration: SSO Connect is designed exclusively for managing access to Keeper vaults and does not function as a general-purpose identity provider or SSO proxy.

• No native MFA policy engine: Multi-factor authentication policies are enforced by the upstream IdP, as Keeper delegates primary authentication through SAML.

• Encryption key management: Enterprises must manage Keeper’s key-sharing and encryption policies carefully to ensure continuous and secure access to user vaults.