{"id":14,"date":"2026-02-02T14:58:18","date_gmt":"2026-02-02T13:58:18","guid":{"rendered":"https:\/\/blog.gindox.com\/?p=14"},"modified":"2026-02-02T15:52:20","modified_gmt":"2026-02-02T14:52:20","slug":"authentik-keeper-sso","status":"publish","type":"post","link":"https:\/\/blog.gindox.com\/?p=14","title":{"rendered":"Authentik + Keeper SSO"},"content":{"rendered":"\n

For integration of \u2197 Keeper<\/a> with \u2197 Authentik<\/a>, we will be utilizing SAML Provider.<\/p>\n\n\n\n

First, you need to configure your Console and options as per the documentation \u2197 here<\/a>
Once configured, export the metadata XML file. Keep the reference to Assertion Consumer Service (ACS) Endpoint and Entity ID URLs also.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Once that is done, login to authentik admin interface, navigate to Customization -> Property Mapping and add new SAML Provider Property Mapping<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

<\/p>\n\n\n\n

Create a new Email mapping, with the Expression value set to: return request.user.email<\/code><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Additionally, you can also add First and Last mappings. Email mapping is required. Those two are optional.<\/p>\n\n\n\n

Depending on your authentik design, you can always fall back to those core user fields as they are built into the user object by default:<\/p>\n\n\n\n

    \n
  • Username:<\/strong> request.user.username<\/code><\/li>\n\n\n\n
  • Full Name:<\/strong> request.user.name<\/code> (Authentik often combines first\/last into this field)<\/li>\n\n\n\n
  • First Name:<\/strong> request.user.first_name<\/code><\/li>\n\n\n\n
  • Last Name:<\/strong> request.user.last_name<\/code><\/li>\n<\/ul>\n\n\n\n

    <\/p>\n\n\n\n

    Next we open Applications -> Providers and click Create, select SAML Provider from Metadata<\/strong> type, give appropriate name and upload the metadata XML file download from Keeper Admin console<\/p>\n\n\n\n

    \"\"<\/figure>\n\n\n\n

    With a new SAML provider set, now we create a new Application. Give it name, link to the existing Keeper provider and click Create.<\/p>\n\n\n\n

    \"\"<\/figure>\n\n\n\n

    <\/p>\n\n\n\n

    We will need to Update Keeper SAML provider a bit.
    First Audience<\/strong> field should be set to Entity ID<\/strong>. <\/p>\n\n\n\n

    Authentik<\/td>Keeper<\/td><\/tr>
    ACS URL<\/td>Assertion Consumer Service (ACS) Endpoint<\/td><\/tr>
    Issuer<\/td>Entity ID<\/td><\/tr>
    Audience<\/td>Entity ID<\/td><\/tr>
    SLS URL<\/td>Single Logout Service (SLO) Endpoint<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n


    Sign assertions<\/strong> and Sign responses<\/strong> should be turned on<\/p>\n\n\n\n

    \"\"<\/figure>\n\n\n\n

    <\/p>\n\n\n\n

    And your custom User Property Mappings should be included<\/p>\n\n\n\n

    \"\"<\/figure>\n\n\n\n

    <\/p>\n\n\n\n

    When finished, download the metadata file and upload it to the Keeper Admin console <\/p>\n\n\n\n

    \"\"<\/figure>\n\n\n\n
    \"\"<\/figure>\n\n\n\n

    <\/p>\n","protected":false},"excerpt":{"rendered":"

    For integration of \u2197 Keeper with \u2197 Authentik, we will be utilizing SAML Provider. First, you need to configure your Console and options as per […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,5],"tags":[],"class_list":["post-14","post","type-post","status-publish","format-standard","hentry","category-azure","category-keeper"],"_links":{"self":[{"href":"https:\/\/blog.gindox.com\/index.php?rest_route=\/wp\/v2\/posts\/14","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.gindox.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.gindox.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.gindox.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.gindox.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=14"}],"version-history":[{"count":4,"href":"https:\/\/blog.gindox.com\/index.php?rest_route=\/wp\/v2\/posts\/14\/revisions"}],"predecessor-version":[{"id":49,"href":"https:\/\/blog.gindox.com\/index.php?rest_route=\/wp\/v2\/posts\/14\/revisions\/49"}],"wp:attachment":[{"href":"https:\/\/blog.gindox.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=14"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.gindox.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=14"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.gindox.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=14"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}