A Master Administrator can configure and enable SSO for him or herself and for other users. In the process of setting up SSO, we recommend that the Master Administrator create an SSO Admin – a dedicated user who has permission to access the SSO configuration. SSO is never enabled for the SSO Admin so he can always sign in to the account with his Keepit credentials. This will ensure that the Master Administrator and other users will not get locked out of their account in case SSO is configured incorrectly or an SSO certificate expires. For a step-by-step guide, see: Create an SSO Admin role
Keepit supports only Service Provider Initiated (SP-initiated) SSO, not Identity Provider Initiated (IdP-initiated) SSO. This means that it is possible to successfully sign in to Keepit with SSO only through our system (using https://dk-co.keepit.com/ or a link to one of our other environments). It is not possible to sign in to Keepit with SSO using a web application in the identity provider's SSO page (e.g., using https://myapps.microsoft.com/).
Before you configure SSO in Keepit, you must configure SSO with your identity provider.
If you are using Microsoft Azure AD as your identity provider, see: Set up SSO using Azure AD as identity provider
If you are using Okta as your identity provider, see: Set up SSO using Okta as identity provider
As part of your set up with your identity provider, make sure to assign the SSO app to all users you want to be able to sign in with SSO. Then make sure that users with the same email address (User Principal name in Microsoft 365) are in Keepit. For details, see Create, edit, or delete a Keepit user.
To configure SSO:
- Sign in to Keepit as a Master Administrator.
- In the left-hand menu, select SSO.
- In the lower-right corner select Add.
- In the Name field, enter a name.
- In the IDP URL field, enter the Identity Provider URL.
The IDP URL is the URL that performs the validation of credentials. You can find the IDP URL when configuring SSO with Azure AD Premium or other identity provider. In Azure it is called Login URL or SAML Single-Sign On Service URL.
- In the Certificate field, paste the text of the certificate (Base 64) code from Azure AD Premium or other identity provider.
The Certificate (Base 64) is obtained when configuring SSO with Azure AD Premium or other identity provider. Make sure you copy only the text between the begin and end markers.
- Select the Enabled check box to make SSO active for the Master Administrator and all other users assigned the SSO app in the identity provider.
- (Optional) Select the Optional check box if you want the Master Administrator and other users to have the option to sign in with either SSO or with Keepit credentials. We recommend to clear this check box so that the Master Administrator and other users will log in through Azure AD Premium or other identity provider.
- Select Save.
Now when these users try to sign in to their Keepit account, they should enter only their email address and NOT their password. When they click Sign In, the users will the be redirected to the identity provider page where they should sign in using their identity provider login credentials.
When successfully signed in, the users will be redirected to their Keepit account.
Note: Only one SSO configuration can be in effect at a time. If you have more than one SSO configuration enabled, the first configuration (at the top) will take priority.