As a Master Admin, you can configure and enable Single Sign-On (SSO) for yourself and for other sub-users. In the process of setting up SSO, we recommend creating an SSO Admin. This dedicated user has permission to access the SSO configuration but does not have SSO enabled, allowing them to sign in with Keepit credentials. This will ensure that the Master Admin and other users will not get locked out of their account in case SSO is configured incorrectly or an SSO certificate expires. For a step-by-step guide, see the article How to create an SSO Admin role.
Types of SSO supported by Keepit
Keepit supports both Service Provider Initiated (SP-initiated) SSO and Identity Provider Initiated (IdP-initiated) SSO. This means you can sign in to Keepit with SSO either through our system (using https://dk-co.keepit.com/desktop/#/signin or a link to one of our other environments) or by using a web application in the Identity Provider's SSO page (e.g., using https://myapps.microsoft.com/).
Before you configure SSO in the Keepit platform, you must set up SSO with your identity provider.
If you are using Microsoft Azure AD as your identity provider, go to: Set up SSO using Azure AD as identity provider
If you are using Okta as your identity provider, go to: Set up SSO using Okta as identity provider
As part of your setup with your identity provider, make sure to assign the SSO app to all users you want to be able to sign in with SSO. Then make sure that each of these users exists in Keepit with the same email address (User Principal Name in Microsoft 365). For details, go to Create, edit, or delete a Keepit user.
- In the lower-left corner, select your account profile > Account info.
- Open the Security tab and select SSO.
- Click + Add configuration.
- The Enable configuration toggle will be turned on. Leave it enabled if you want SSO to be activated on the next login for all account users.
- In the Name field, enter a name.
- In the IDP URL field, enter the Identity Provider URL.
The IDP URL is the URL that performs the validation of credentials. You can find the IDP URL when configuring SSO with Azure AD Premium or another identity provider. In Azure it is called Login URL or SAML Single Sign-On Service URL.
- In the Certificate field, paste the text of the Certificate (Base 64) from Azure AD Premium or another identity provider.
The Certificate (Base 64) is obtained when configuring SSO with Azure AD Premium or another identity provider. Make sure you copy only the text between the begin and end markers.
- (Optional) Turn on the Make SSO mandatory toggle to require users to sign in with SSO by disabling the option to use Keepit credentials.
- (Optional) Turn on the Allow IdP-initiated SSO toggle to allow users to sign in to Keepit directly through an identity provider.
If you enable this option, you will see the Keepit app in your identity provider. Clicking it will redirect you to Keepit and automatically sign you in.
Note: IdP-initiated flows carry a security risk and are therefore not recommended.
- Click Save.
Note: Only one SSO configuration can be enabled at a time.
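A way to prepare and check the value for the Certificate field, shown as an added example (not Keepit's code): it keeps only the Base64 text between the begin and end markers and reads the certificate's expiry date, so an expiring SSO certificate can be flagged before it locks users out. The function names and the constructed sample certificate skeleton are assumptions made for illustration.

```python
import base64, re
from datetime import datetime, timezone

MARKED = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def certificate_field_text(pasted):
    """Return only the Base64 text between the begin and end markers."""
    m = MARKED.search(pasted)
    return "".join((m.group(1) if m else pasted).split())

def _tlv(buf, pos):
    """Read one DER element: return (tag, value, offset of the next element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def not_after(field_text):
    """Decode the Certificate field text and return the expiry date (UTC)."""
    der = base64.b64decode(field_text, validate=True)  # rejects markers/stray text
    tag, cert, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER-encoded certificate")
    _, tbs, _ = _tlv(cert, 0)
    tag, _, nxt = _tlv(tbs, 0)
    pos = nxt if tag == 0xA0 else 0          # skip the optional [0] version
    for _ in range(3):                       # serialNumber, signature, issuer
        _, _, pos = _tlv(tbs, pos)
    _, validity, _ = _tlv(tbs, pos)
    _, _, pos = _tlv(validity, 0)            # notBefore
    tag, value, _ = _tlv(validity, pos)      # notAfter
    text = value.decode("ascii")
    if tag == 0x17:                          # UTCTime: two-digit year (RFC 5280)
        text = ("19" if text[:2] >= "50" else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def days_left(field_text, now):
    return (not_after(field_text) - now).days

# Constructed sample: a minimal certificate-shaped DER skeleton, not a real IdP cert.
def _el(tag, body=b""):
    return bytes([tag, len(body)]) + body
_validity = _el(0x30, _el(0x17, b"240101000000Z") + _el(0x17, b"270101000000Z"))
_tbs = _el(0x30, _el(0xA0, _el(0x02, b"\x02")) + _el(0x02, b"\x01") + _el(0x30) + _el(0x30) + _validity)
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(_el(0x30, _tbs)).decode()
              + "-----END CERTIFICATE-----\n")
if __name__ == "__main__":
    print(days_left(certificate_field_text(SAMPLE_PEM), datetime.now(timezone.utc)), "days left")
```

To check a real certificate, pass the contents of the Certificate (Base 64) file downloaded from the identity provider to certificate_field_text in place of SAMPLE_PEM.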
To sign in with SSO, users must use the URL that corresponds to their region:
Denmark (Copenhagen): https://dk-co.keepit.com/desktop/#/signin
United States (Washington, DC): https://us-dc.keepit.com/desktop/#/signin
Australia (Sydney): https://au-sy.keepit.com/desktop/#/signin
United Kingdom (London): https://uk-ld.keepit.com/desktop/#/signin
Germany (Frankfurt): https://de-fr.keepit.com/desktop/#/signin
Canada (Toronto): https://ca-tr.keepit.com/desktop/#/signin
When users try to sign in to their account, they should enter only their email address and NOT their password. When they click Sign In, the users will be redirected to the identity provider page where they should sign in using their identity provider login credentials.