User Guide

Welcome to Keeper Bridge

Keeper Bridge allows businesses running Microsoft Active Directory to integrate Keeper password management software within their current systems, automatically adding any number of Nodes (organizational units), Users, Roles and Teams to Keeper.

Keeper Bridge is designed to use the Lightweight Directory Access Protocol (LDAP and LDAPS) to communicate with LDAP based Directory Services for the purpose of onboarding and offboarding users to the Keeper platform.

Download Keeper Bridge


Overview

Keeper Bridge consists of a tray application and a Windows service. The tray application allows the user to configure settings specific to the Directory Service and also functions as a service controller, allowing the user to adjust LDAP Filter settings and publish them to the service for updates.

The Windows service is designed to poll the Active Directory tree for Nodes, Roles, Teams and Users, providing a familiar structure for Role, Team and User management within the Keeper Admin Console and inviting users to join Keeper. The Polling Interval can be configured from 5 to 1440 minutes. The Tray Application can be installed on multiple systems for use by multiple admins. The service must be installed on only one host system per Keeper Bridge instance. All tray applications access the single instance of the service.


Prerequisites

The Tray Application and Windows Service can be installed on the following operating systems:

  1. Windows Server 2008 R2
  2. Windows Server 2012
  3. Windows Server 2012 R2
  4. Windows Server 2016

Note: The Domain functional level must be at Windows 2008 R2 or higher in order for the bridge to properly integrate.

The following data needs to be known in order to configure the Tray Application:

  1. Domain or Forest name of the Active Directory.
  2. An account used to bind the Keeper Bridge to Active Directory (e.g. keeperbind@yourcompany.com). This is an Active Directory account which requires at least read-only access to the Active Directory domain. No other special privileges are needed.
  3. A Security Group called “Keeper Admins”. Only users that are members of the “Keeper Admins” Security Group will be permitted to log in to the Tray application and configure the service. This group name can be changed, and the Admin Security Group setting in the Keeper Admin Security configuration modified accordingly, later. For a multi-domain forest, create this group as a universal group so that users in this group are cached in the Global Catalog.
  4. Ensure the Email Property (typically “mail” or “userPrincipalName”) in Directory Service Options is set to the correct value to pick up the user's email address.

AD Bridge on the Admin Console

  1. Before installing the executable on the server, the Admin Console will need to be prepared to register the Keeper Bridge. The bridge cannot be registered to the Root Node (top level) of the organization tree structure, therefore a sub-node will need to be created in order to register the bridge. To enable the Node structure, select the "Configuration" tab and turn "Show Node Structure" to the on position.
  2. Once the Node Structure is enabled, create a new node underneath the Root Node of the organization by selecting the + symbol to bring up the Add Node window.
  3. Type in the name of the Active Directory node and select Create.
  4. Select the node created in Step 3 above.
  5. Select the "Provisioning" tab and select the "+ Add Method" button.
  6. Select the "Active Directory or LDAP Sync" radio button, then select the "Next" button.
  7. You can specify the LAN or WAN IP of the server. Select the "Save" button.
  8. The Keeper Bridge executable is now displayed and can be downloaded from the Provisioning tab and staged on the computer that the bridge will be installed on.

Note: We recommend that the Bridge be installed on a member server located on the same network as a domain controller. A domain controller can be used in lieu of a member server.


Keeper Bridge Server Installation


  1. On the server, double-click the KeeperBridgeSetup.exe file.
  2. Confirm the User Account Control prompt.
  3. On the Select Setup Language screen, choose your language and select Next.
  4. Choose “I accept the agreement” and select “Next” on the Setup - Keeper Bridge screen.
  5. Either choose the default installation location or browse for a new one, then select “Next”. Installing in Program Files is recommended.
  6. Select the Components that are going to be installed on the computer. The Keeper Bridge Client can be installed on multiple computers, but the Keeper Bridge Service should only be installed on one computer.
  7. If desired, check “Create a desktop shortcut” and “Run application after install”, then select Next.
  8. On the Ready screen select “Install”.
  9. Select Finish to complete the installation.

Configure The Bridge Client

  1. Run the Bridge Client.
  2. Log into the Bridge application:
    • Domain\User Name: Input the domain and AD\LDAP username of a user that is a member of the “Keeper Admins” group created in the prerequisites.
    • Password: Input the password of the user.
    • Use Global Catalog: In multi-domain forest configurations you should uncheck the “Use Global Catalog” option; otherwise keep it checked to locate the username in the Global Catalog.
    • SSL: If using Secure Sockets Layer (SSL, port 636) for LDAP authentication, ensure the SSL box is checked. If not, ensure the box is unchecked to use standard LDAP authentication (port 389).
    • Settings: If the client is running on a different computer than the service, select Settings to specify the hostname and port of the Keeper Bridge Service.
  3. Select Login. If you get a Login Failed message, it means one of the following:
    • The username/password is not correct
    • The user is not a member of the Keeper Admins Security Group
    • The server does not support SSL and SSL is checked
    • The username was not found in the Global Catalog. In multi-domain forest configurations, if the Keeper Admins group is a Global Security Group the “Use Global Catalog” option should be unchecked, or the Keeper Admins group can be made a Universal Security Group. In a multi-domain forest only users in Universal Groups are added to the Global Catalog.

Bridge Client Configuration

If login is successful, the bridge application will launch.

  1. On the Connections tab fill in the following information:
    • Domain Name: The domain that the bind account is part of in Active Directory.
    • LDAP Port: Check SSL for port 636, or leave it unchecked for port 389.
    • User Name: Input the username of the bind account (as recommended in the prerequisites).
    • Password: The password of the bind user account.
  2. Select "Test Connection" to validate the AD bind.
  3. If the test was successful, the next step is to retain the settings by selecting the "Save" button at the bottom of the "Connections" tab.
    • Under Connection Status, Directory Services changes color to green and displays "Online."

Register Bridge with Keeper

  1. On the Keeper Bridge client, select Register in the Keeper Bridge section. This will prompt the user to log in with the Admin's email address and password.
  2. After authentication, the Bridge Registration window will appear. Select the Bridge Node and select "Apply".
  3. Once the Keeper Bridge is registered, the Keeper Cloud Status will be green and "Online".


Configure Options

Before proceeding with LDAP/AD configuration, please select the "Options" tab of the AD Bridge to ensure that the "Email Property" is set correctly according to your organization's environment. This will ensure that the proper Keeper email maps to the organization email address.

To assist in the monitoring of events in AD Bridge during the testing and configuration phase, we recommend enabling the Logging feature:

To open the logging window, right-click the Tray Icon in the right hand corner of your screen, then select "Show Log."



The Bridge Log window will open. Once activity in the AD Bridge is triggered by selecting "Publish", you will start to see the logging information.


Configure LDAP/AD Domains

Once the connection status is Online for both the Keeper Service and the Directory Service, configure the domains which will be exported to the Keeper Admin Console. Select the "LDAP/AD" tab and then either choose the "Export Forest" option or select individual domains.

When making changes on this screen, you'll notice the "Publish Required" indicator in the bottom right corner of the screen. We recommend that you do NOT publish the changes until you have completed all steps in this guide and have verified that the "Options" screen is fully configured.


Export Forest

Using the "Export Forest" option includes all domains for which the user defined in "LDAP Connection" settings is a member. Selecting Export Forest will automatically select the root forest domain and enable that domain. All other domains will not be visible. When "Export Forest" is selected all domain object queries are done using Global Catalog. The "Top Level Node" is not editable when using this option.

Selecting Individual Domains for Export

Checking the box for any domain enables that domain for export; the Top Level Node and Filters then become editable for that domain. Selecting the row will display the top level node and filters for that domain.



The "Top Level Node" filter is the DN path that scopes all objects from that path downwards. For example, a top level node might be:

Note: It is recommended to use this Top Level Node for initial rollout to test your configuration and limit the scope of the deployment to a small number of users.


Domain Filters

A variety of filters are available to enable admins to map specific objects from Active Directory to Nodes, Roles, Teams and Users which can then be Managed by the Keeper Admin Console. It is important to understand what the individual filters do and how to apply them. Each domain can configure a Top Level Node which defines the root object where all filters will be applied. Each domain enabled can then set a Node filter, a Role filter, a Team filter and a User filter. These filters are used to define the objects which will be exported to the Keeper Admin Console.



Top Level Node

  • The Top Level Node can be set to a Distinguished Name path at any point in the Domain Tree. All applied filters will start from this path. As the name implies the DN Path defined becomes the Root of the organization in the Keeper Admin Console allowing the Admin to define which portion of the tree to export. If the whole domain tree is to be exported the Top Level Node should be left undefined.

Domain Filters - Node

  • Nodes define the Tree in the Keeper Admin Console. This provides a familiar organizational structure when managing Roles, Teams and Users. The default filter defined for all domains will map all Organizational Units with the exception of the Domain Controllers OU. Using standard LDAP filter syntax, the set of OUs mapped can be reduced, or additional objects such as containers can be mapped if necessary.

Domain Filters - Role

  • Roles provide the organization the ability to define enforcement policies for Users grouped in Roles. Having a large number of roles will require more maintenance than having only a few roles. The organization should plan how enforcements will be applied and how many Roles will be required to manage those enforcements. For this reason the default role filter is left blank.
  • By default all Users will be mapped to a default role when they create their account. This default role is visible in the Admin Console and is not part of AD.
  • See "Filter Examples" section for example Role filters if additional Roles are to be defined based on specific security groups. When defining a Role filter only the objects mapped which are present in the Nodes mapped by the Node Filter will be returned.

Domain Filters - Team

  • Teams provide the ability to share folders within the Keeper Vault to a collective group of individuals. By default the Team filter maps all security groups to Teams which are present in the Nodes mapped by the Node filter. When Teams are exported to the Admin Console they are not distributed to their home location in the Node tree as they are in Active Directory. All Teams are distributed to the Bridge node where the Bridge was created. This keeps all Teams within sharing scope of each other. Teams can then be manually distributed in the Admin Console so as to only allow sharing between certain teams.

Domain Filters - User

  • The primary function of the Keeper Bridge is to onboard users by sending them an invitation to join the Keeper account. The default filter returns all user objects which are present in the Nodes mapped by the Node filter. The AD Bridge exports users while also maintaining the Role and Team membership status. The AD Bridge will Lock a user's account when the User account has been disabled in AD. If an Active User is removed from the Role filter, the user account is locked, pending deletion by the Keeper Administrator.

Default Filters

  • Default filters are provided which are expected to work for most organizations. Only the Role filter should need modification in a basic implementation. The Node filter maps Organizational Units to Nodes which are used by the Keeper Admin Console to provide a familiar tree structure.

Default Node Filter

The default node filter maps objects with objectClass organizationalUnit. In Active Directory, Domain Controllers is an organizationalUnit, but there is no benefit to mapping this object.

Default Role Filter

The default Role filter is blank. In order to manage user enforcements, users must be grouped into Roles. Each Role must be configured in the Keeper Admin Console to set enforcements for the specific User Role. It is suggested that some Security Groups in Active Directory are mapped as Roles containing the users which will be joining the Keeper organization. For maintenance reasons it is suggested that a select number of groups are used for this purpose. Mapping a large number of Roles will require more configuration on the part of the Keeper Admin. See Custom Role Filters for an example of how to add a Role.

Default Team Filter

The default Team filter maps all security groups to Teams. This allows all members of the organization to share records between teams. The objectClass specifies group type object and (using an AND operator: &) any one of (using an OR operator: |) the group types Local, Global or Universal.

Default User Filter

The default user filter maps all user objects. In Active Directory some objects such as domain controllers also have an objectClass of User. To get only User objects an additional parameter is added, (with an AND operator: &) objectCategory of Person.

Custom Filters - Examples

Each filter is defaulted so that most organizations can easily export their domain structure and map objects to Nodes, Roles, Teams and Users. In many cases filters will need to be customized to meet the needs of some organizations. If an Organizational Unit is not mapped as a Node, all objects in that OU path will not be exported even if the Filter for the object type maps the object.

Custom Node Filters

Example mapping all Organizational Units as Nodes while excluding the specific OUs “Office Users” and “Home Users”. In the example below the OUs “Office Users” and “Home Users”, and all objects within them, will not be mapped even if other filters (Role, Team, User) target the objects within these OUs.

Example to map only specific Organizational Units as Nodes. Only “Office Users” and “Home Users” are mapped as Nodes. When including specific nodes the grouping with the OR (|) operator is necessary. In the example below only the OUs “Home Users” and “Office Users” and objects within them if targeted by other filters (Role, Team, User) will be exported.

An important rule with Node Filtering is that if the OU is not exported, all objects targeted by other filters (Role, Team, User) within the OU will not be exported.


Custom Role Filters

Roles are required to apply enforcements on the Users in the Keeper organization. By default the filter is blank. Since the Active Directory names for groups are specific to the organization a default filter cannot be supplied. It will be necessary to decide which Security Groups in Active Directory will be used as roles.

If all Security Groups are to be mapped as Roles, then copying the default Team filter is an easy way to export all groups as Roles. This means the Admin will need to manage each group as a Role and each group as a Team. Maintenance on many Roles can be unnecessary and time consuming for the Keeper Admin. In this case only one or a few Roles may be necessary.

Example mapping all Security Groups as Roles and excluding the specific groups “Local Admins” and “Regional Admins”.

Example mapping only specific Security Groups as Roles. This example groups “Local Admins” and “Regional Admins” with an OR (|) operator when including only specific groups.

An important rule with Role filtering is that if a group the user is in is not exported the user will still be exported, just not assigned to the Role.

Custom Team Filters

Teams are required to share folders and records with other Users in the Keeper organization. By default the Team filter maps all security groups to Teams. Role and Team filters both act on security groups. It is valid for some groups to be mapped as both a Role and a Team. For instance, an organization may have LA Admins and LA Users mapped as Roles and also have all security groups mapped as Teams. This would mean LA Admins and LA Users are also Teams.

Since Role and Team filters both act on security groups, refer to Custom Role Filters for custom filtering examples.

Custom User Filters

The User filter maps User objects in Active Directory. If the user is a member of a security group which is mapped as a Role or Team, the Bridge will invite the user and assign them to the Roles and Teams of which they are a member, based on their Active Directory group membership.

Example mapping all Users in Active Directory except specific users. User52 and User58 are excluded by Common Name.

Example mapping only specific Users in Active Directory. User52 and User58 are included exclusively by Common Name.

Example mapping all Users in Active Directory which are part of specific groups. Members of the “RDP Users” and “Office Admins” groups are included.

Example mapping all Users in Active Directory except users which are part of a specific group. Members of the “RDP Users” and “Office Users” group are excluded.

Example mapping all Users in Active Directory except users which are part of a specific group or any group nested below the specific group. Members of the groups “RDP Users” and “Office Users” are included, as are members of all groups nested under these two groups, through the use of the Active Directory matching rule OID (:1.2.840.113556.1.4.1941:).

To map only users which are part of a specific OU, or not map users who are in a specific OU please refer to Node filter.
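The filter shapes described under Default Filters and Custom Filters above, worked through as an added example. This is not Keeper Bridge code and not the filter text from the original guide (the guide's own filter screenshots are not reproduced here): it parses a small subset of LDAP filter syntax and evaluates it against constructed sample objects. The default filter strings are reconstructed from the descriptions above, the groupType values are the standard Active Directory values for domain local, global and universal security groups, objectCategory values are simplified to their short names, and all DNs, OU names, group names and user names are assumptions.

```python
import re

CHAIN = ":1.2.840.113556.1.4.1941:"  # AD LDAP_MATCHING_RULE_IN_CHAIN: nested group membership
# Standard AD groupType values for domain local, global and universal security groups
SECURITY_GROUP_TYPES = ("-2147483644", "-2147483646", "-2147483640")

def escape(value: str) -> str:
    """RFC 4515 escaping so an OU or group name cannot change the filter's structure."""
    for ch, rep in (("\\", r"\5c"), ("(", r"\28"), (")", r"\29"), ("*", r"\2a"), ("\0", r"\00")):
        value = value.replace(ch, rep)
    return value

def unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def parse(f: str):
    """Parse (&...), (|...), (!...), (attr=value) and (attr:OID:=dn) into a tuple tree."""
    pos = 0
    def node():
        nonlocal pos
        if f[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if f[pos] in "&|!":
            op, kids = f[pos], []
            pos += 1
            while f[pos] == "(":
                kids.append(node())
            if f[pos] != ")" or (op == "!" and len(kids) != 1):
                raise ValueError(f"malformed '{op}' expression at offset {pos}")
            pos += 1
            return (op, kids)
        end = f.index(")", pos)
        attr, value = f[pos:end].split("=", 1)
        pos = end + 1
        if attr.endswith(CHAIN):
            return ("chain", attr[:-len(CHAIN)], unescape(value))
        return ("eq", attr, unescape(value))
    tree = node()
    if pos != len(f):
        raise ValueError("trailing characters after filter")
    return tree

def matches(tree, obj, directory) -> bool:
    """Evaluate a parsed filter against one object; attribute values are lists."""
    kind = tree[0]
    if kind == "&":
        return all(matches(k, obj, directory) for k in tree[1])
    if kind == "|":
        return any(matches(k, obj, directory) for k in tree[1])
    if kind == "!":
        return not matches(tree[1][0], obj, directory)
    if kind == "eq":
        return tree[2].lower() in [str(v).lower() for v in obj.get(tree[1], [])]
    # chain: follow memberOf transitively; the seen-set makes group cycles terminate
    seen, todo = set(), list(obj.get(tree[1], []))
    while todo:
        dn = todo.pop()
        if dn.lower() == tree[2].lower():
            return True
        if dn not in seen:
            seen.add(dn)
            todo.extend(directory.get(dn, {}).get(tree[1], []))
    return False

def search(directory, filter_str):
    """DNs of all objects matching the filter, in directory order."""
    tree = parse(filter_str)
    return [dn for dn, obj in directory.items() if matches(tree, obj, directory)]

def export_users(directory, node_filter, user_filter):
    """The guide's rule: a user is exported only if the OU holding it was mapped as a Node.
    The parent DN is everything after the first RDN (sample DNs contain no escaped commas)."""
    nodes = set(search(directory, node_filter))
    return [dn for dn in search(directory, user_filter) if dn.split(",", 1)[1] in nodes]

BASE = "DC=example,DC=com"
G = f"OU=Groups,{BASE}"
OU = {"objectClass": ["organizationalUnit"]}
DIRECTORY = {  # constructed sample objects; objectCategory simplified to its short name
    f"OU=Office Users,{BASE}": {**OU, "ou": ["Office Users"]},
    f"OU=Home Users,{BASE}": {**OU, "ou": ["Home Users"]},
    f"OU=Contractors,{BASE}": {**OU, "ou": ["Contractors"]},
    G: {**OU, "ou": ["Groups"]},
    f"OU=Domain Controllers,{BASE}": {**OU, "ou": ["Domain Controllers"]},
    f"CN=DC01,OU=Domain Controllers,{BASE}": {"objectClass": ["user", "computer"], "objectCategory": ["computer"]},
    f"CN=RDP Users,{G}": {"objectClass": ["group"], "groupType": ["-2147483646"]},
    f"CN=Office Admins,{G}": {"objectClass": ["group"], "groupType": ["-2147483646"], "memberOf": [f"CN=RDP Users,{G}"]},
    f"CN=Mailing List,{G}": {"objectClass": ["group"], "groupType": ["2"]},  # distribution group, not security
    f"CN=User51,OU=Office Users,{BASE}": {"objectClass": ["user"], "objectCategory": ["person"], "cn": ["User51"], "memberOf": [f"CN=Office Admins,{G}"]},
    f"CN=User52,OU=Home Users,{BASE}": {"objectClass": ["user"], "objectCategory": ["person"], "cn": ["User52"], "memberOf": [f"CN=RDP Users,{G}"]},
    f"CN=User58,OU=Contractors,{BASE}": {"objectClass": ["user"], "objectCategory": ["person"], "cn": ["User58"], "memberOf": [f"CN=RDP Users,{G}"]},
}

# Defaults reconstructed from the "Default Filters" descriptions (the shipped strings are not on the page),
# followed by custom filters in the shapes the guide describes; OU names pass through escape()
DEFAULT_NODE = "(&(objectClass=organizationalUnit)(!(ou=Domain Controllers)))"
DEFAULT_TEAM = "(&(objectClass=group)(|" + "".join(f"(groupType={t})" for t in SECURITY_GROUP_TYPES) + "))"
DEFAULT_USER = "(&(objectClass=user)(objectCategory=person))"
NODES_ONLY = "(&(objectClass=organizationalUnit)(|" + "".join(f"(ou={escape(n)})" for n in ("Office Users", "Home Users")) + "))"
USERS_EXCEPT = "(&(objectClass=user)(objectCategory=person)(!(|(cn=User52)(cn=User58))))"
USERS_IN_GROUP = f"(&(objectClass=user)(objectCategory=person)(memberOf=CN=RDP Users,{G}))"
USERS_IN_GROUP_NESTED = f"(&(objectClass=user)(objectCategory=person)(memberOf{CHAIN}=CN=RDP Users,{G}))"
```

Running `search(DIRECTORY, USERS_IN_GROUP)` returns only User52 and User58, while the nested variant also returns User51, whose membership runs through Office Admins; `export_users(DIRECTORY, NODES_ONLY, DEFAULT_USER)` drops User58 even though the user filter matches, which is the Node filter rule the guide states. The `escape()` helper matters when an OU or group name is pasted into a filter: a name such as "Sales (West)" parses cleanly once escaped and fails to parse otherwise.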

Preview Filter Results

The Preview option under the filter edit box will display the effective result of the filters defined showing the Tree defined by the Node filter and the objects to be exported by the other filters within the tree structure. Teams always display regardless of the tree node selected. Roles and Users display based on their location in the tree. A total count of objects is also displayed below the tree structure.

Selecting a Node, Role, Team or User will display the associated Active Directory properties for the object selected. This information is helpful to determine properties and property values that can be used to filter for the object.

Publish Changes

Once your configuration is complete, select "Save" to retain your current settings. Once all settings are complete, use “Publish” to push the changes live and activate the integration.

Always preview after editing filters before publishing your changes to ensure the filter is implemented as intended.


Approval Queue

As described in the previous section, the AD Bridge will provision new Users, Roles and Teams to the Keeper Admin Console based on the configuration and filters applied.

The creation of NEW teams and the action of adding users to a team require an encryption key generation and key exchange that can occur within the Keeper Admin Console, Keeper Bridge, or when a team member logs into the Web Vault. In addition to the encryption aspect of this process, a level of security is in place to prevent the AD Bridge administrator from adding themselves to a privileged team.

The Bridge will Notify the Admin of Pending Team Approvals through the Bridge Notification feature.

The Team notification will always sort to the top. This notification summarizes the Teams and Team User Assignments which are pending approval.



For this reason, the Keeper Admin Console contains an "Approval Queue" which prompts the Administrator to quickly approve the creation of new teams and addition of users to teams.

If there are pending approvals, you will see a red indicator at the upper right side of the Admin Console interface:



Select the indicator to open the Approval Queue. There are two approval queues: "Teams" and "Users".

Team Approval Queue

Teams that are dynamically created by the AD Bridge must be approved by the administrator in the Admin Console. Select the red alert indicator and select the "Teams" option to display all pending team names.

Approvals can be processed in one batch by selecting the "Approve" column header checkbox, or by selecting individual checkboxes. The "Disable" columns represent the Team Restrictions of Record Re-shares, Record Editing and Password Viewing (these map to the team restrictions "Disable record re-shares", "Disable record edits" and "Disable viewing passwords" described in the Team screen).

User Approval Queue

Users that are invited to Keeper within teams must be approved by the administrator in the Admin Console. Select the red alert indicator and select the "Users" option to display all pending user accounts. Note: Users will only appear in the Approval Queue after they have accepted the invitation to the Keeper account and set up their profile.

Approvals can be processed in one batch by selecting the "Approve" column header checkbox, or by selecting individual checkboxes. Upon approval, the user will immediately have access to any Shared Folders which have been shared to the team.

Automating Team Approval

The Keeper Bridge can automate Team approval. This feature requires that the admin be logged into the bridge client locally with their Keeper credential. The admin is added to every team in Keeper which they approve. This allows the bridge to use the admin credential to automate User Team assignment. The Admin credential is only retained in memory and is not stored, as this account will hold all team keys. If the admin is not logged in during a Publish cycle, the Team or Team User Assignment will be queued. A Notification will appear alerting the Admin to log in to the Bridge client. Teams and Team users can be approved from the console ad hoc if needed. It is best to use the same Admin account as is set up for bridge registration. An Admin can only approve teams for which they are members. If a team is approved by a different admin than the one used for Bridge Registration, and the Bridge admin is not specifically added to that team, the bridge will not be able to approve members for that team.

To enable automated team approval, select the corresponding option on the Options tab.



Team keys are also automatically distributed when a team member logs into the Web Vault or desktop application.

Team Notification

The Team notification will always sort to the top. This notification summarizes the Teams and Team User Assignments which are pending approval. The notification can be cleared manually, but will also clear itself when no Teams or Team Users require approval after the most recent Publish event has run. If Automated Team Approval is enabled this notification will only appear when the Admin login is not available or a Team User cannot be approved because the Registered Admin is not part of the Team.


Admin Login

Once the option is selected, save the change. Then use the Admin Login button on the Connections tab to provide the Admin password. Only the Admin which registered the Bridge can be used.



The Admin Login does not allow the user name to be changed. It is important that the same admin be used across all team approvals. This ensures the admin is part of each approved team so that they have permission to assign users to the Team.



Two Factor Authentication will be prompted when enabled for the Admin account. The Admin login will be retained by the bridge service in volatile memory and used to assign users to their teams as required.

The Admin remains logged in until the Keeper Bridge Service or the system to which it is installed is restarted. A new login is then required.


Support

Keeper Security provides end-user support through email, phone and live chat. To contact your business support team, please email business.support@keepersecurity.com.