Keeper Security’s dedication to protecting user data permeates everything we do. Keeper® holds the longest-standing SOC 2 and ISO 27001 certifications in the industry.
Single Sign-On (SSO) helps organizations improve their security posture while streamlining the employee login experience. Implementing an SSO platform across your organization is almost always a good idea. However, SSO on its own leaves significant security and functionality gaps that organizations need to be aware of and address.
SSO doesn’t cover everything. Many websites, applications, and systems are left out of SSO deployments, and each of them presents a cybersecurity risk. SSO also introduces a single point of failure: when users are locked out of SSO, they lose access to most of the websites and systems they need to do their jobs.
By integrating a secure password vault with SSO, organizations can eliminate these gaps and improve security. That is why Keeper Security prioritizes integrations with all leading SSO providers.
Keeper’s zero-knowledge approach to SSO integration, which dates from 2016, is covered by two US utility patents (11,363,009 and 10,356,079). Keeper’s patents cover both the SAML and OIDC identity protocols. However, SAML offers several benefits from a security and usability perspective, which is why Keeper SSO Connect uses SAML for its zero-knowledge SSO integration.
What’s the Difference Between OIDC and SAML?
While SAML and OIDC are both identity protocols that authenticate users, they differ significantly in the level of security they provide.
- SAML-based SSO is the industry standard for enterprise applications: it is far more mature and has a proven track record of security.
- OIDC is generally reserved for solutions with fewer security requirements, or for cases where an integration has to be rushed out.
How SAML Provides Superior Security
Keeper’s fully managed solution enables organizations to take advantage of SAML’s superior security and usability features.
Enterprise features
SAML is a robust standard that supports a wide variety of enterprise features that are not available, or not as well developed, in OIDC. For example, SAML supports Single Logout (SLO), which can terminate sessions across multiple applications at once. OIDC’s logout extensions (RP-Initiated Logout, Front-Channel and Back-Channel Logout) are optional and far less consistently implemented, so in practice OIDC gives the password manager little control over the identity provider’s session. OIDC is typically better suited to consumer-facing applications where social logins are required.
No client-side secret
OIDC confidential clients authenticate to the identity provider with a client secret. Public clients that cannot hold a secret use the PKCE flow instead, which introduces a “code verifier” and a “code challenge”: these behave like secrets but are generated dynamically for each authentication request, and the client must carry the verifier across the redirect and present it at the token endpoint.
In SAML there is no equivalent of the client secret, so this workflow is avoided entirely. Trust between the identity provider and the service provider is established by exchanging signing certificates; each party’s private key stays on its own server, and signed assertions are verified against the exchanged certificate, creating a more secure transaction.
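To make the PKCE “dynamic secret” concrete, here is an added example (not Keeper’s code, and not taken from the page) that models both sides of the RFC 7636 exchange in the Python standard library: the client generates a fresh code verifier per request and derives the S256 challenge, and a minimal authorization-server model stores the challenge against the issued code, then checks the verifier at the token endpoint. The `AuthorizationServer` class, its method names and the single-use code table are assumptions made for illustration; the verifier/challenge construction follows the RFC.

```python
"""PKCE (RFC 7636) code verifier / code challenge round trip.

Added example, not Keeper's code. The client side generates a per-request
verifier and its S256 challenge; the server side (a hypothetical model)
binds the challenge to the authorization code and verifies the presented
verifier exactly once.
"""
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """Random verifier of unreserved characters (32 random bytes -> 43 chars,
    within the 43..128 length the RFC allows). Fresh for every request."""
    return b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Hypothetical model of the two endpoints PKCE touches."""

    def __init__(self) -> None:
        # authorization code -> (code_challenge, method); one entry per login
        self._pending: dict = {}

    def authorize(self, code_challenge: str, method: str = "S256") -> str:
        # Refuse the 'plain' method: an attacker who saw the challenge in the
        # front-channel could replay it verbatim as the verifier.
        if method != "S256":
            raise ValueError("only the S256 code_challenge_method is accepted")
        code = b64url(secrets.token_bytes(16))
        self._pending[code] = (code_challenge, method)
        return code

    def token(self, code: str, code_verifier: str) -> bool:
        """Token endpoint: True only if the verifier hashes to the stored
        challenge. The code is consumed whether or not the check passes."""
        entry = self._pending.pop(code, None)
        if entry is None:
            return False  # unknown, expired, or already-used code
        stored_challenge, _ = entry
        expected = make_code_challenge(code_verifier)
        return hmac.compare_digest(expected, stored_challenge)


def pkce_round_trip(tamper: bool = False) -> bool:
    """Full exchange. With tamper=True an attacker who stole only the
    authorization code presents a verifier of their own and is rejected."""
    server = AuthorizationServer()
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    code = server.authorize(challenge)  # challenge goes over the front channel
    presented = make_code_verifier() if tamper else verifier
    return server.token(code, presented)  # verifier goes over the back channel


if __name__ == "__main__":
    print("honest client accepted:", pkce_round_trip())
    print("stolen code with wrong verifier accepted:", pkce_round_trip(tamper=True))
```

The point the passage makes is visible in the code: nothing is provisioned in advance, but the client does have to hold the verifier in memory between the redirect and the token call, and the server must bind it to the code and consume the code once. A SAML service provider keeps only the identity provider’s certificate and verifies the signature on each assertion, with no per-request secret to manage.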
Superior control over user sessions
SAML SSO passes a signed assertion through the user’s browser and leaves the application to manage its own session, giving the application precise control over when that session ends. With OIDC-based password managers, the user can be left with the false impression that they have logged out of the password manager when the identity provider still holds a valid session, so the vault can be reopened with a single click. This leaves the vault exposed to anyone with access to the local machine.
SSO With Keeper vs Competitors
Keeper SSO Connect is a SAML 2.0 service that integrates with your SSO platform to provide zero-knowledge password management and encryption. Included with Keeper Enterprise, it gives you a completely passwordless experience that works with all identity providers. Keeper SSO Connect Cloud offers the most frictionless experience of any competing solution.
1Password announced an update to their SSO integration. The 1Password integration is built upon OIDC, and as such, is lacking in several key areas.
Bitwarden supports SAML 2.0; however, for all cloud deployments, Bitwarden users must remember and enter a master password every time they log in. For on-prem deployments, eliminating the master password step requires an on-prem “Key Connector” service that holds and serves all end-user encryption keys. This Key Connector becomes critical infrastructure that the customer must maintain with trained staff.
Security
By default, users are logged out of Keeper when they close their browser, restart their computer, or choose to log out from the extension drop-down, and must authenticate again with their SSO provider, Multi-Factor Authentication (MFA), or master password to access the vault.
With password managers built on OIDC, you may still be logged in to the identity provider when the vault locks. Only one click is then needed to reopen the vault, with no additional verification, so you are not truly logged out.
Recovery
Getting a new device should be exciting. With Keeper, you enjoy seamless, automated methods using push notifications to make your setup experience frictionless, letting you access the vault on your new device immediately.
Other password managers require you to keep your old device available, or to have an administrator initiate recovery, before you can sign in and access your records, which can mean a lengthy process of attempted logins and emails back and forth with the administrator.
Multi-factor authentication
When enabled, Keeper requires device approval and MFA before you enter your master password to access your vault, increasing security and ensuring your credentials are accessible only by you. When deployed with SSO, Keeper additionally supports prompting for MFA before the local vault is decrypted. Keeper supports FIDO2 security keys, Duo, TOTP, and SMS methods. Keeper is the only solution that supports SSO verification with conditional access policies in addition to local MFA.
Competitors that let you enter your credentials before MFA expose those credentials to brute-force attacks. Some competitors have implemented CAPTCHA, but this is easily circumvented through CAPTCHA farms.
Break glass and alternate auth methods
If your SSO identity provider has an outage, Keeper still has you covered. When biometrics are being used on a device (such as Touch ID, Face ID or Windows Hello), the user can securely and quickly authenticate into their vault without the need to route through the identity provider on every request. In addition to standard SAML SSO authentication and biometrics, Keeper even supports a secondary Master Password method which can be activated for users when allowed by the administrator. All of these workflows and authentication methods are supported through Keeper’s role-based enforcement policies.
SCIM support
Keeper is a fully managed cloud-based platform, giving you a quick and easy way to provision users. SCIM is a standard protocol for exchanging user identities between IT systems. With Keeper’s full support for SCIM 2.0, any identity source can be integrated into Keeper’s workflow. No complicated on-premises infrastructure is needed, because all communication occurs between the identity provider and the Keeper cloud.
On the other hand, 1Password requires customers to deploy a server within the company’s infrastructure to provision users with SSO.
Intellectual property
Keeper built the playbook for zero-knowledge encryption with cloud SSO providers in 2016 and holds two patents for it. Keeper’s zero-knowledge SSO integration has been in production for 8 years, far longer than any competitor’s.
1Password has no patents for their SSO integration. The 1Password integration was launched on March 16, 2023 and users have reported it is much more difficult to set up.
The Choice is Clear
Keeper builds everything with one primary focus: how can this be as secure as possible for users while also ensuring a simple and positive user experience?
SAML provides the foundation for Keeper’s platform integration with SSO and is the most secure connection available. Keeper’s implementation of SSO integration with the vault is the most seamless and secure solution available in the market. Keeper will continue to innovate and ensure it remains the best platform to protect your most valuable data.