A Master Administrator can configure and enable SSO for him or herself and for other sub-users. In the process of setting up SSO, we recommend that the Master Administrator create an SSO Admin – a dedicated user who has permission to access the SSO configuration. SSO is never enabled for the SSO Admin so he can always sign in to the account with his Keepit credentials. This will ensure that the Master Administrator and other users will not get locked out of their account in case SSO is configured incorrectly or an SSO certificate expires. For a step-by-step guide, see the article How to create an SSO Admin role.
Before you configure SSO in Keepit, you must configure SSO with your identity provider. If you are using Azure Active Directory as your identity provider, see: How to create an Azure application for SSO
To configure SSO:
- Sign in to Keepit as a Master Administrator.
- Click the burger icon in the upper-right corner and select the SSO icon.
- Click Add in the lower-right corner of the Configurations box to open the SSO Configuration Strings window.
- In the Name field, enter a name and select Apply.
- In the IDP URL field, enter the Identity Provider URL and select Apply.
The IDP URL is the URL that performs the validation of credentials. You can find the IDP URL when configuring SSO with Azure AD Premium or other identity provider. In Azure it is called Login URL or SAML Single-Sign On Service URL.
- In the Certificate field, paste the text of the certificate (Base 64) code from Azure AD Premium or other identity provider.
The Certificate (Base 64) is obtained when configuring SSO with Azure AD Premium or other identity provider. Make sure you copy only the text between the begin and end markers.
- Select the Enabled check box to make SSO active for the Master Administrator and all other sub-users created by the Master Administrator.
- Select the Optional check box if you want the Master Administrator and sub-users to have the option to sign in with either SSO or with Keepit credentials. We recommend to clear this check box so that the Master Administrator and sub-users will log in through Azure AD Premium or other identity provider.
- Click Save.
Note: If you have not done so already, you need to assign users you want to be able to use SSO in your identity provider and then make sure that users with the same email address (User Principal name) are in Keepit. If you are using Azure ADFS as your identity provider, see these step-by-step instructions: How to assign users to an SSO application in Azure