Keeper Bridge allows businesses running Microsoft Active Directory to integrate Keeper password management software with their existing systems, automatically adding any number of Nodes (organizational units), Users, Roles and Teams to Keeper.
Keeper Bridge uses the Lightweight Directory Access Protocol (LDAP or LDAPS) to communicate with LDAP-based directory services for the purpose of onboarding and offboarding users to the Keeper platform. Prefer LDAPS where the directory supports it: a simple bind over plain LDAP sends the directory service account credential across the network in clear text.
Download Keeper Bridge
Keeper Bridge consists of a tray application and a Windows service. The tray application allows the user to configure settings specific to the directory service and also functions as a service controller, allowing the user to adjust LDAP filter settings and publish them to the service.
The Windows service polls the Active Directory tree for Nodes, Roles, Teams and Users, providing a familiar structure for Role, Team and User management within the Keeper Admin Console, and invites users to join Keeper. The polling interval can be configured from 5 to 1440 minutes. The tray application can be installed on multiple systems for use by multiple admins, but the service must be installed on only one host per Keeper Bridge instance. All tray applications access that single instance of the service.
The tray application and Windows service can be installed on the following operating systems:
Note: The Domain functional level must be at Windows 2008 R2 or higher in order for the bridge to properly integrate.
The following data needs to be known in order to configure the Tray Application:
Note: We recommend installing the Bridge on a member server located on the same network as a domain controller. A domain controller can be used in lieu of a member server.
If login is successful, the bridge application will launch.
Before proceeding with LDAP/AD configuration, please select the "Options" tab of the AD Bridge to ensure that the "Email Property" is set correctly according to your organization's environment.
This will ensure that the proper Keeper email maps to the organization email address.
To assist in monitoring AD Bridge events during the testing and configuration phase, we recommend enabling the logging feature:
To open the logging window, right-click the tray icon in the right-hand corner of your screen, then select "Show Log."
The Bridge Log window will open. Once activity is triggered in the AD Bridge by selecting "Publish", logging information will appear in this window.
Once the connection status is Online for both the Keeper Service and the Directory Service, configure the domains which will be exported to the Keeper Admin Console. Select the "LDAP/AD" tab and then choose either the "Export Forest" option or individual domains.
When making changes on this screen, you'll notice the "Publish Required" indicator in the bottom right corner. We recommend that you do NOT publish the changes until you have completed all steps in this guide and have verified that the "Options" screen is fully configured.
Using the "Export Forest" option includes every domain in the forest to which the user defined in the "LDAP Connection" settings belongs. Selecting Export Forest automatically selects and enables the forest root domain; all other domains are hidden. When "Export Forest" is selected, all domain object queries are performed against the Global Catalog, and the "Top Level Node" is not editable.
Checking the box for a domain enables that domain for export, and the Top Level Node and Filters become editable for it. Selecting the row displays the top level node and filters for that domain.
The "Top Level Node" is the DN path from which all objects are filtered downwards. For example, a top level node might be:
Note: It is recommended to use this Top Level Node for initial rollout to test your configuration and limit the scope of the deployment to a small number of users.
A variety of filters are available to enable admins to map specific objects from Active Directory to Nodes, Roles, Teams and Users, which can then be managed by the Keeper Admin Console. It is important to understand what the individual filters do and how to apply them. Each domain can configure a Top Level Node, which defines the root object under which all filters are applied. Each enabled domain can then set a Node filter, a Role filter, a Team filter and a User filter. These filters define the objects which will be exported to the Keeper Admin Console.
Top Level Node
Domain Filters - Node
Domain Filters - Role
Domain Filters - Team
Domain Filters - User
The default Node filter maps objects with objectClass organizationalUnit. In Active Directory, "Domain Controllers" is an organizationalUnit, but there is no benefit to mapping this object.
The default Role filter is blank. In order to manage user enforcements, users must be grouped into Roles, and each Role must be configured in the Keeper Admin Console to set the enforcements for that Role.
It is suggested that some Security Groups in Active Directory be mapped as Roles containing the users who will be joining the Keeper organization. For maintenance reasons, use a small number of groups for this purpose: mapping a large number of Roles requires more configuration on the part of the Keeper admin. See the custom filter section for an example of how to add a Role.
The default Team filter maps all security groups to Teams. This allows all members of the organization to share records between teams. The objectClass clause selects group objects and, combined with an AND operator (&), any one of (using an OR operator: |) the security-enabled group types Domain Local, Global or Universal. Distribution groups carry different groupType values and are not matched.
The default User filter maps all user objects. In Active Directory, some objects such as domain controllers (computer objects) also have an objectClass of user. To select only genuine user accounts, an additional clause is added with an AND operator (&): objectCategory of person.
Each filter has a default so that most organizations can easily export their domain structure and map objects to Nodes, Roles, Teams and Users. In many cases, however, the filters will need to be customized to meet an organization's needs. If an Organizational Unit is not mapped as a Node, no objects in that OU path will be exported, even if the filter for the object type would otherwise match them.
Example: map all Organizational Units as Nodes but exclude the specific OUs "Office Users" and "Home Users". In the example below, the OUs "Office Users" and "Home Users" and all objects within them will not be mapped, even if other filters (Role, Team, User) target the objects within these OUs.
Example: map only specific Organizational Units as Nodes. Only "Office Users" and "Home Users" are mapped as Nodes. When including specific nodes, grouping them with the OR (|) operator is necessary. In the example below, only the OUs "Home Users" and "Office Users" and the objects within them (if targeted by other filters: Role, Team, User) will be exported.
An important rule of Node filtering is that if an OU is not exported, no objects within it that are targeted by the other filters (Role, Team, User) will be exported either.
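The following is an added example, not part of Keeper's documentation or code. It is a small evaluator for filters in the syntax the default Node, Team and User filters use, applied to a constructed set of directory objects, so that the two rules above can be checked without touching a real domain: the default filters select OUs, security groups and person-category users, and an OU that the Node filter does not match prunes everything beneath it. The filter strings are reconstructed from the descriptions above (the page itself does not print them), the groupType values are the standard Active Directory constants for security-enabled Domain Local, Global and Universal groups, and the DN handling assumes no escaped commas.

```python
"""Toy evaluator for the Node, Role, Team and User LDAP filters described above.
Added example, not Keeper's code: it parses RFC 4515-style filters (&, |, !,
attr=value with '*' wildcards) and applies the stated rule that an OU not mapped
as a Node hides every object beneath it.  Assumes DNs have no escaped commas and
stores objectCategory by its short name; the sample objects are constructed."""
import re

# Default filters as the text describes them (reconstructed, not copied from the
# page).  groupType = 0x80000000 (security-enabled) | 2 (global), 4 (domain
# local) or 8 (universal); distribution groups lack the high bit and do not match.
NODE_FILTER = "(objectClass=organizationalUnit)"
USER_FILTER = "(&(objectClass=user)(objectCategory=person))"
TEAM_FILTER = ("(&(objectClass=group)(|(groupType=-2147483646)"
               "(groupType=-2147483644)(groupType=-2147483640)))")


def parse_filter(text):
    """Return ('&'|'|'|'!', [children]) or ('=', attr, value)."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        op = text[pos]
        if op in "&|!":
            pos += 1
            kids = []
            while text[pos] == "(":
                kids.append(node())
            if text[pos] != ")" or (op == "!" and len(kids) != 1):
                raise ValueError(f"bad operand list at offset {pos}")
            pos += 1
            return (op, kids)
        end = text.index(")", pos)
        attr, sep, value = text[pos:end].partition("=")
        if not sep:
            raise ValueError(f"malformed item {text[pos:end]!r}")
        pos = end + 1
        return ("=", attr.strip().lower(), value.strip())

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def matches(tree, obj):
    """Evaluate a parsed filter against one object (dict of lowercase attrs)."""
    op = tree[0]
    if op == "&":
        return all(matches(k, obj) for k in tree[1])
    if op == "|":
        return any(matches(k, obj) for k in tree[1])
    if op == "!":
        return not matches(tree[1][0], obj)
    _, attr, value = tree
    actual = obj.get(attr, [])
    actual = actual if isinstance(actual, list) else [actual]
    # AD string matching is case-insensitive; '*' is the only wildcard handled
    pattern = ".*".join(re.escape(part) for part in value.split("*"))
    return any(re.fullmatch(pattern, str(v), re.IGNORECASE) for v in actual)


def export(objects, top_level_node, node_filter, role_filter, team_filter, user_filter):
    """Apply the four filters below top_level_node; a blank filter exports nothing."""
    top = top_level_node.lower()
    trees = {k: parse_filter(f) for k, f in (("nodes", node_filter), ("roles", role_filter),
                                             ("teams", team_filter), ("users", user_filter)) if f}
    in_scope = sorted((o for o in objects if o["dn"].lower().endswith("," + top)),
                      key=lambda o: o["dn"].count(","))  # parents before children
    exported = {"nodes": [], "roles": [], "teams": [], "users": []}
    visible = {top}  # containers whose contents may be exported
    for obj in in_scope:
        if obj["dn"].split(",", 1)[1].lower() not in visible:
            continue  # an ancestor OU was not mapped as a Node: prune the subtree
        for kind, tree in trees.items():
            if matches(tree, obj):
                exported[kind].append(obj["dn"])
                if kind == "nodes":
                    visible.add(obj["dn"].lower())
    return exported


TOP = "DC=corp,DC=example"
OU, USER, GROUP = ["top", "organizationalUnit"], ["top", "person", "organizationalPerson", "user"], ["top", "group"]
DIRECTORY = [  # constructed sample objects, not real directory data
    {"dn": "OU=Domain Controllers," + TOP, "objectclass": OU, "ou": "Domain Controllers"},
    {"dn": "CN=DC01,OU=Domain Controllers," + TOP, "objectclass": USER + ["computer"],
     "objectcategory": "computer", "cn": "DC01"},
    {"dn": "OU=Office Users," + TOP, "objectclass": OU, "ou": "Office Users"},
    {"dn": "OU=Home Users," + TOP, "objectclass": OU, "ou": "Home Users"},
    {"dn": "CN=User52,OU=Office Users," + TOP, "objectclass": USER, "objectcategory": "person", "cn": "User52"},
    {"dn": "CN=User58,OU=Home Users," + TOP, "objectclass": USER, "objectcategory": "person", "cn": "User58"},
    {"dn": "CN=RDP Users,OU=Office Users," + TOP, "objectclass": GROUP, "grouptype": -2147483646, "cn": "RDP Users"},
    {"dn": "CN=Newsletter,OU=Office Users," + TOP, "objectclass": GROUP, "grouptype": 2, "cn": "Newsletter"},
]
```

Calling export(DIRECTORY, TOP, NODE_FILTER, "", TEAM_FILTER, USER_FILTER) exports the three OUs, User52 and User58, and the "RDP Users" security group as a Team; DC01 is dropped by the objectCategory clause and the "Newsletter" distribution group by the groupType clause. Swapping in a Node filter of (&(objectClass=organizationalUnit)(!(ou=Home Users))) removes the "Home Users" OU and, with it, User58, which is the pruning rule stated above.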
Roles are required to apply enforcements to the Users in the Keeper organization. By default the Role filter is blank: since the Active Directory group names are specific to each organization, no default filter can be supplied. You will need to decide which Security Groups in Active Directory will be used as Roles.
If all Security Groups are to be mapped as Roles, copying the default Team filter is an easy way to export all groups as Roles. This means the admin will need to manage each group both as a Role and as a Team. Maintaining many Roles can be unnecessary and time consuming for the Keeper admin; in most cases only one or a few Roles are needed.
Example: map all Security Groups as Roles, excluding the specific groups "Local Admins" and "Regional Admins".
Example: map only specific Security Groups as Roles. This example groups "Local Admins" and "Regional Admins" with an OR (|) operator, which is required when including only specific groups.
An important rule of Role filtering is that if a group the user belongs to is not exported, the user is still exported, just not assigned to that Role.
Teams are required to share folders and records with other Users in the Keeper organization. By default the Team filter maps all security groups to Teams. Both the Role and Team filters act on security groups, and it is valid for some groups to be mapped as both a Role and a Team. For instance, an organization may map "LA Admins" and "LA Users" as Roles and also map all security groups as Teams; "LA Admins" and "LA Users" are then also Teams.
Since Roles and Teams are both selected from security groups, refer to the Role section for custom filtering examples.
The User filter maps user objects in Active Directory. If the user is a member of a security group which is mapped as a Role or Team, the Bridge will invite the user and assign them to the Roles and Teams of which they are a member, based on their Active Directory group membership.
Example: map all Users in Active Directory except specific users. User52 and User58 are excluded by Common Name.
Example: map only specific Users in Active Directory. User52 and User58 are included exclusively, by Common Name.
Example: map all Users in Active Directory which are members of specific groups. Members of the "RDP Users" and "Office Admins" groups are included.
Example: map all Users in Active Directory except members of specific groups. Members of the "RDP Users" and "Office Users" groups are excluded.
Example: map all Users in Active Directory except members of specific groups or of any group nested below them. Members of the "RDP Users" and "Office Users" groups are excluded, as are members of all groups nested under those two groups, through use of the Active Directory matching rule OID LDAP_MATCHING_RULE_IN_CHAIN (:1.2.840.113556.1.4.1941:). A plain memberOf clause without this OID matches only direct members.
To map only users which are in a specific OU, or to skip users who are in a specific OU, refer to the Node filter.
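The difference between a plain memberOf clause and the chained-membership OID in the last example above is easy to get wrong, so the following added example (not Keeper's code, with constructed group and user DNs) resolves both forms over a small nested group structure. It treats a membership cycle, which Active Directory permits, as a case the transitive walk must terminate on; all sample objects are placed under one OU purely for brevity.

```python
"""Nested group membership as the LDAP_MATCHING_RULE_IN_CHAIN clause
(memberOf:1.2.840.113556.1.4.1941:=<group DN>) resolves it on the domain
controller.  Added example, not Keeper's code; the group and user DNs below are
constructed and all sit under one OU for brevity."""
from collections import deque

BASE = "OU=Office Users,DC=corp,DC=example"
RDP, CONTRACTORS, OFFICE = (f"CN={n},{BASE}" for n in ("RDP Users", "Contractors", "Office Users"))
U52, U58, U61, U70 = (f"CN=User{n},{BASE}" for n in (52, 58, 61, 70))

# constructed sample: group DN -> member DNs (users and nested groups)
GROUPS = {
    RDP: [U52, CONTRACTORS],
    CONTRACTORS: [U58, RDP],  # membership cycle: AD permits these
    OFFICE: [U61],
}
USERS = [U52, U58, U61, U70]  # U70 belongs to no group


def direct_members(groups, group_dn):
    """What a plain (memberOf=<group DN>) clause sees: direct members only."""
    return set(groups.get(group_dn, []))


def transitive_members(groups, group_dn):
    """What the :1.2.840.113556.1.4.1941: rule sees: members of the group and of
    every group nested under it, with a visited set so a cycle cannot loop."""
    members, seen, queue = set(), set(), deque([group_dn])
    while queue:
        g = queue.popleft()
        if g in seen:
            continue
        seen.add(g)
        for m in groups.get(g, []):
            members.add(m)
            if m in groups:
                queue.append(m)
    return members


def exported_users(groups, users, excluded_groups, nested):
    """Users that survive a filter of the form
    (&(objectClass=user)(objectCategory=person)(!(|(memberOf...=G1)(memberOf...=G2))))
    with plain memberOf (nested=False) or the chain rule (nested=True)."""
    resolve = transitive_members if nested else direct_members
    blocked = set().union(*(resolve(groups, g) for g in excluded_groups))
    return sorted(u for u in users if u not in blocked)
```

With "RDP Users" and "Office Users" excluded, the plain memberOf form still exports User58, who is only a member of the nested "Contractors" group; the chained form drops User58 as well and leaves only User70. The chain rule is evaluated on the domain controller and is noticeably more expensive on large directories, so preview the result before publishing.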
The Preview option under the filter edit box displays the effective result of the defined filters, showing the tree defined by the Node filter and the objects to be exported by the other filters within that tree structure. Teams always display regardless of the tree node selected; Roles and Users display according to their location in the tree. A total count of objects is also displayed below the tree structure.
Selecting a Node, Role, Team or User displays the associated Active Directory properties for the selected object. This information is helpful for determining the properties and property values that can be used to filter for the object.
Once your configuration is complete, select "Save" to retain your current settings. Once all settings are complete, use "Publish" to push the changes live and activate the integration.
Always preview after editing filters, and before publishing your changes, to ensure the filter is implemented as intended.
As described in the previous section, the AD Bridge provisions new Users, Roles and Teams to the Keeper Admin Console based on the configuration and filters applied.
The creation of NEW Teams and the addition of users to a Team require an encryption key generation and key exchange, which can occur within the Keeper Admin Console, Keeper Bridge, or when a Team member logs into the Web Vault. In addition to the encryption aspect of this process, a control is in place to prevent the AD Bridge administrator from adding themselves to a privileged Team.
The Bridge notifies the admin of pending Team approvals through the Bridge Notification feature.
The Team notification will always sort to the top. This notification summarizes the Teams and Team User Assignments which are pending approval.
To handle these approvals, the Keeper Admin Console contains an "Approval Queue" which prompts the administrator to approve the creation of new Teams and the addition of users to Teams.
If there are pending approvals, you will see a red indicator at the upper right side of the Admin Console interface:
Select the indicator to open the Approval Queue. There are two approval queues: "Teams" and "Users".
Teams that are dynamically created by the AD Bridge must be approved by the administrator in the Admin Console. Select the red alert indicator and select the "Teams" option to display all pending Team names.
Approvals can be processed in one batch by selecting the "Approve" column header checkbox, or individually by selecting each checkbox. The "Disable" columns represent the Team restrictions on record re-shares, record editing and password viewing (these map to the Team restrictions "Disable record re-shares", "Disable record edits" and "Disable viewing passwords" described in the Team screen).
Users that are invited to Keeper within Teams must be approved by the administrator in the Admin Console. Select the red alert indicator and select the "Users" option to display all pending user accounts. Note: Users will only appear in the Approval Queue after they have accepted the invitation to the Keeper account and set up their profile.
Approvals can be processed in one batch by selecting the "Approve" column header checkbox, or by selecting individual checkboxes. Upon approval, the user will immediately have access to any Shared Folders which have
been shared to the team.
The Keeper Bridge can automate Team approval. This feature requires that the admin be logged into the Bridge client locally with their Keeper credential. The admin is added to every Team in Keeper which they approve, which allows the Bridge to use the admin credential to automate User Team assignment. The admin credential is only retained in memory and is never written to disk, since this account holds all of the Team keys. If the admin is not logged in during a Publish cycle, the Team or Team User Assignment will be queued and a notification will appear alerting the admin to log in to the Bridge client. Teams and Team users can still be approved from the console ad hoc if needed. It is best to use the same admin account that was used for Bridge registration: an admin can only approve Teams of which they are a member, so if a Team is approved by a different admin than the one used for Bridge registration, and the Bridge admin is not specifically added to that Team, the Bridge will not be able to approve members into it.
To enable automated Team approval, select the option on the Options tab.
Team keys are also automatically distributed when a team member logs into the Web Vault or desktop application.
The Team notification can be cleared manually, but will also clear itself when no Teams or Team Users require approval after the most recent Publish event has run. If Automated Team Approval is enabled, this notification only appears when the admin login is not available or a Team User cannot be approved because the registered admin is not part of the Team.
Once selected, save the change. Then use the Admin Login button on the Connections tab to provide the admin password. Only the admin which registered the Bridge can be used.
The Admin Login does not allow the user name to be changed. It is important that the same admin be used across all Team approvals; this ensures the admin is part of every approved Team and therefore has permission to assign users to it.
Two-Factor Authentication will be prompted if it is enabled for the admin account. The admin login is retained by the Bridge service in volatile memory and used to assign users to their Teams as required.
The admin remains logged in until the Keeper Bridge service, or the system on which it is installed, is restarted; a new login is then required. Because that in-memory session holds the Team keys, treat the Bridge host as a high-value system and restrict local and remote access to it accordingly.
Keeper Security provides end-user support through email, phone and live chat. To contact your business support team, please email firstname.lastname@example.org.