User and Team Provisioning
User provisioning is flexible and powerful with Keeper Enterprise
Keeper Enterprise can provision users through many different methods that are described here in detail.
Provisioning Methods Supported
Manual Provisioning through the Keeper Admin Console
Single Sign-On (SAML 2.0) Authentication and Provisioning with Keeper SSO Connect
Active Directory / LDAP Provisioning with the AD Bridge
Okta, Azure AD, Google Workspace, Ping, OneLogin Provisioning with SCIM
API Provisioning with SCIM
Email Auto-Provisioning
CLI Provisioning with Commander SDK
Best Practices for User Provisioning
Small Businesses and Teams
If you are deploying Keeper to a small number of users, or if you are only deploying Keeper to a team within a large Enterprise, using Keeper's "manual provisioning" or "bulk upload" may be sufficient.
See: Simple Provisioning through the Admin Console
Organizations with On-Prem Active Directory
For organizations that are managing an on-prem AD environment, we recommend using the Keeper Active Directory Bridge application ("AD Bridge") for mapping node structure and adding Users, Teams and Roles.
See: AD Bridge
The AD Bridge software is used strictly for provisioning of users. To authenticate your users against AD, we recommend using AD FS with the Keeper SSO Connect service.
See: SSO Connect Cloud
Organizations with On-Prem Active Directory and AD FS
For organizations who are already utilizing federated services, Keeper SSO Connect provides real-time authentication and Just-In-Time (JIT) provisioning. If you would like to automatically assign users to Roles and Teams through AD security groups or other custom LDAP queries, the Keeper AD Bridge software can also be utilized.
See: AD Bridge with SSO Connect Cloud
Organizations using Entra ID / Azure AD, Okta, JumpCloud, Google Workspace or other cloud-based directories
Many Keeper Enterprise customers have either migrated to a cloud-based identity store or they are in the process of migration, either through AD->Azure syncing or other mirroring techniques.
If your organization utilizes a cloud-based directory, you have 3 choices for deployment:
SSO (SAML 2.0) Authentication
Keeper SSO Connect is a powerful feature of Keeper Enterprise which supports real-time authentication and provisioning of user accounts through any SAML 2.0 compatible identity provider. Azure AD, AD FS, Okta, JumpCloud, Google Workspace, Ping, OneLogin and all other identity providers are compatible with Keeper.
SSO Connect Cloud supports Just-In-Time ("JIT") provisioning to make the user onboarding process simple and straightforward.
See: SSO Connect Cloud
SCIM provisioning
The SCIM provisioning protocol is supported by most modern identity providers including Azure, Okta, Google Workspace and many others. Google calls it "User Provisioning". Okta and Azure call it "Automated Provisioning". Keeper's SCIM implementation can provision a user account, de-provision an account, create a team, assign a user to a team, and remove a user from a team.
See: Entra ID / Azure AD, Google Workspace, Okta, JumpCloud and generic SCIM provisioning docs
SCIM provisioning and SSO (SAML 2.0) authentication
SCIM and SSO can be combined to provide real-time authentication, provisioning of accounts AND the ability to create teams, assign users into teams, de-provision users, etc. Entra ID / Azure AD, Okta, Google Workspace, JumpCloud, Ping and many other modern identity providers support a combination of these two methods.
See: SSO Connect Cloud
Universities and Large Organizations with legacy or fragmented directories
Universities and large organizations who have fragmented user directories or do not wish to integrate Keeper with SSO or SAML protocols can use Keeper's Email Provisioning method for a mass deployment.
Email provisioning essentially reserves a domain name (e.g. iastate.edu) and will automatically provision a user based on their domain (with email verification) into a default role. No work needs to be done by the Keeper Admin once the initial configuration is set up.
Integration with Portals or Custom Apps
If you have a special integration requirement such as automatically provisioning and creating user vaults through a developer API or other custom integration needs, Keeper provides several SDK options. Visit the Commander SDK platform for Python, .NET, PowerShell, Java and other toolkits available for customers.
See: Commander SDK