Custom Email Invitations

Prior to adding users to Keeper we recommend uploading your company logo to the vault and customizing the email invitation that will invite your employees to create their Keeper Vault. These configurations are highly recommended as they have shown to help with quick user adoption of Keeper's software.

To customize the email language, subject and logo, select Configurations then Edit next to "Email Invitations".

The email invitation template supports customization of the following four attributes:

• Subject

• Message Heading

• Message Body

• Download Button Text

Markdown Syntax

The body of the message supports plain text as well as basic markdown syntax. Example of markdown syntax:

Embedded Image from URL:
![Image](https://keeper-email-images.s3.amazonaws.com/common/acme.jpg)

**This is bold text**

*This is Italic*

# This is Heading 1
## This is Heading 2

Link Text:
Visit [Keeper](https://keepersecurity.com)!

For more information on the markdown language supported by Keeper, visit the following:

Custom Email Template on Admin Console:

The example above produces the following email invitation:

Note Regarding Domain Reservation

For security reasons, a custom email invitation can only be sent to a user if the domain has been reserved to the tenant. If the email domain of the recipient is not reserved, the user will receive Keeper's default email invite, which looks like the below:

To ensure that your domains are reserved, please see the Domain Reservation documentation page.

Custom Invites on a Per-Node Basis

When creating a custom email invitation, the template is applied to users at the root node and all child nodes.

If you would like to have a different email invitation on a sub-node, you can use Keeper Commander's enterprise-node command to set a custom template for each node.

enterprise-node --invite-email="C:\path\to\emailTokyo.txt" Tokyo

Documentation for this feature is linked here.

Additional info for creating and inviting users with Commander are documented here.

Custom Vault and One-Time Share Logo

Upload your unique company logo to the console so it will appear in the Keeper Vault header when users are logged into their Keeper Web Vault and Desktop App. It will also appear in your users' One-Time Share invites. To upload your logo, select Configurations and Edit next to "Company Logo".

Custom Vault Logo on a Per-Node Basis

If you would like to have a different vault logo and one-time share logo on a sub-node, you can use Keeper Commander's enterprise-node command to set a custom logo for each node.

enterprise-node --logo-file "/path/to/logo.jpg" Tokyo

Documentation for this feature is linked here.

For MSPs, a Managed Company can be associated with a node. Using this method, a custom logo file can be added for each node.

Keeper Enterprise can provision users through many different methods that are described here in detail.

Provisioning Methods Supported

• Manual Provisioning through the Keeper Admin Console

• Single Sign-On (SAML 2.0) Authentication and Provisioning with Keeper SSO Connect

• Active Directory / LDAP Provisioning with the AD Bridge

• Okta, Azure AD, Google Workspace, Ping, OneLogin Provisioning with SCIM

• API Provisioning with SCIM

• Email Auto-Provisioning

• CLI Provisioning with Commander SDK

Watch the video below to learn more about provisioning users.

Best Practices for User Provisioning

Small Businesses and Teams

If you are deploying Keeper to a small number of users, or if you are only deploying Keeper to a team within a large Enterprise, using Keeper's "manual provisioning" or "bulk upload" may be sufficient.

See: Simple Provisioning through the Admin Console

Organizations with On-Prem Active Directory

For organizations that are managing an on-prem AD environment, we recommend using the Keeper Active Directory Bridge application ("AD Bridge") for mapping node structure and adding Users, Teams and Roles.

See: AD Bridge

The AD Bridge software is used strictly for provisioning of users. To authenticate your users against AD, we recommend using AD FS with the Keeper SSO Connect service.

See: SSO Connect Cloud

Organizations with On-Prem Active Directory and AD FS

For organizations who are already utilizing federated services, Keeper SSO Connect provides real-time authentication and Just-In-Time (JIT) provisioning. If you would like to automatically assign users to Roles and Teams through AD security groups or other custom LDAP queries, the Keeper AD Bridge software can also be utilized.

See: AD Bridge with SSO Connect Cloud

Organizations using Entra ID / Azure AD, Okta, JumpCloud, Google Workplace or other cloud-based directories

Many Keeper Enterprise customers have either migrated to a cloud-based identity store or they are in the process of migration, either through AD->Azure syncing or other mirroring techniques.

If your organization utilizes a cloud-based directory, you have 3 choices for deployment:

SSO (SAML 2.0) Authentication

Keeper SSO Connect is a powerful feature of Keeper Enterprise which supports real-time authentication and provisioning of user accounts through any SAML 2.0 compatible identity provider. Azure AD, AD FS, Okta, JumpCloud, Google Workspace, Ping, OneLogin and all other identity providers are compatible with Keeper.

SSO Connect Cloud supports Just-In-Time ("JIT") provisioning to make the user onboarding process simple and straightforward.

See: SSO Connect Cloud

SCIM provisioning

The SCIM provisioning protocol is supported by most modern identity providers including Azure, Okta, Google Workspace and many others. Google calls it "User Provisioning". Okta and Azure call it "Automated Provisioning". Keeper's SCIM implementation can provision a user account, de-provision an account, create a team, assign a user to a team, remove a user from a team.

See: Entra ID / Azure AD, Google Workspace, Okta, JumpCloud and generic SCIM provisioning docs

SCIM provisioning and SSL (SAML 2.0) authentication

SCIM and SSO can be combined to provide real-time authentication, provisioning of accounts AND the ability to create teams, assign users into teams, de-provision users, etc. Entra ID / Azure AD, Okta, Google Workspace, JumpCloud, Ping and many other modern identity providers support a combination of these two methods.

See: SSO Connect Cloud

Universities and Large Organizations with legacy or fragmented directories

Universities and large organizations who have fragmented user directories or do not wish to integrate Keeper with SSO or SAML protocols can use Keeper's Email Provisioning method for a mass deployment.

Email provisioning essentially reserves a domain name (e.g. iastate.edu) and will automatically provision a user based on their domain (with email verification) into a default role. No work needs to be done by the Keeper Admin once the initial configuration is set up.

See: Email Auto-provisioning

Integration with Portals or Custom Apps

If you have a special integration requirement such as automatically provisioning and creating user vaults through a developer API or other custom integration needs, Keeper provides several SDK options. Visit the Commander SDK platform for Python, .Net, PowerShell, Java and other toolkits available for customers.

See: Commander SDK

Overview of SSO - JIT Provisioning and Authentication

Keeper SSO Connect® Cloud leverages Keeper’s zero-knowledge security architecture to securely and seamlessly authenticate users into their Keeper Vault and dynamically provision user vaults to the platform. Keeper supports all popular SSO IdP platforms such as Okta, Microsoft Entra ID / Azure AD, Google Workspace, Centrify, Duo, OneLogin, Ping Identity, JumpCloud and many more.

Keeper supports both IdP-initiated login flows and SP-initiated flows. Just-in-time provisioning allows admins to quickly and easily roll out Keeper to users using a few simple steps:

1. Configure the SAML 2.0 connection with "Enable Just-In-Time Provisioning" selected

2. Assign your users to the Keeper application in your identity provider

3. Direct your users to simply login to Keeper with their email address or SSO domain.

The user's vault will be immediately provisioned and the user will be walked through the onboarding process which can include importing passwords, installing the KeeperFill browser extension and setting up two-factor authentication.

The exact steps of the onboarding process depend on the user's assigned role enforcement policy. Onboarding can also be disabled completely.

After the onboarding is complete, users can begin using Keeper and managing their vault.

Addition of Users

To add users manually through the user interface, follow these steps.

1. Login to the Admin Console.

2. Select the Node that the user will belong to. By default, the top level root node is selected.

3. From the Users Tab, select the + Add Users button.

4. Enter the Name and Email of the user and then click Add.

5. The user will receive an email to create their vault with a Master Password or SSO, depending on what node they are located in.

Bulk User Import

You can also import many users at once via a comma-delimited text file (.csv).

Preparing a file for Bulk User Import

The file format for a CSV file upload is 3 columns: Email Address, Name, Role.

The Role field is optional. Keeper recommends you create a default, "General Employee" role and all users imported will be automatically applied to that role, for example:

Example File (using Excel)

Convert the file to .csv by selecting File > Save As... > (.csv)

A few important notes about preparing a CSV file for user importing:

• Ensure that the file does not contain a header row.

• Only roles without Admin Permissions can be imported. Any row containing a Role that has Administrative Permissions will be skipped.

• Don't populate a default role in the column. This is not necessary and will generate error messages. Simply leave the Role blank to inherit the default ole.

• If you include a Role name, make sure it matches the exact spelling in the Admin Console.

Performing Bulk User Import

1. From the Admin Console, select Admin > Users.

2. Select the + Add Users.

3. Drag and drop a prepared CSV file with 3 columns: Name, Email and Optional Role.

After dragging and dropping the file, you will be asked to review the changes. Note the default role will appear empty. Click Add to complete the import.

Overview

When formatting the body message of your custom email templates, Keeper supports plain text as well as basic markdown syntax. This document will go over the markdown syntax supported by Keeper

Heading

To create a heading, add the hash symbol (#) in front of a word or phrase. The number of hash symbols you use corresponds to the heading level.

Paragraphs

Sentences are plain text and multiple sentences can be grouped together to form a paragraph.

Line Breaks

To create a line break or new line, press return or enter at the end of the line. Pressing return or enter multiple times will create multiple line breaks

Bold & Italic

To bold text, add 2 asterisks (**) To italicize text , add 1 asterisk (*)

Links

To create a link, enclose the link text in brackets (i.e. [Keeper]) and place the URL in parentheses (i.e. (https://keepersecurity.com)). You can also format (bold or italics) the link as needed.

Embed Images from URL

To embed images from URL, add an exclamation mark (!), followed by the word Image in brackets, and the path or URL to the image asset in parentheses:

Overview

Keeper supports the ability to provision users and teams from Microsoft Azure AD or other identity platforms using the SCIM protocol. For customers that utilize Azure AD, users can be provisioned to the platform and automatically added to Teams to receive shared folders.

Before setting this up, we recommend that you consider activating Keeper's powerful SSO Connect integration with Azure AD that provides realtime user authentication and Just-In-Time provisioning.

If you have already setup Keeper SSO Connect Cloud or you don't have the need for SSO, proceed to Step 1 in the Configuration Steps below.

Features

Keeper/Azure provisioning integration supports the following features:

• Creates users in Keeper

• Updates user attributes (display name in Keeper)

• Deletes users (locks users in Keeper)

• Creates teams in Keeper (from Azure groups)

• Adds or removes users to groups (to teams in Keeper)

When provisioning users, Azure AD is mapped to a single Keeper node. Azure creates users and groups in a pending state and new users will receive an email invitation prompting them to create a Keeper account.

Requirements

To setup Keeper user provisioning with Azure AD, you need to have access to the Keeper Admin Console and an Azure account.

Configuration Steps

Watch the video below to learn more about Azure AD provisioning with SCIM.

Step 1. Navigate to your Azure Admin account and select Azure Active Directory > Enterprise Applications and then New Application. Search for Keeper and select Keeper Password Manager & Digital Vault.

Step 2. After adding the application, click on the Provisioning section and select Automatic from the listed options.

In a separate window, you will retrieve the Tenant URL and Secret Token from the Keeper Admin Console.

Step 3. From the Keeper Admin Console navigate to a node which should be synchronized with your Azure AD. Click Add Method.

Step 4. Choose the SCIM option and click Next then select Create Provisioning Token.

Step 5. Copy the Tenant URL and Secret Token values and paste them into the Tenant URL and Secret Token fields in the Azure AD screen from step one. Select Save to finish the Keeper provisioning setup.

Step 6. Return to the Azure AD screen and click Test Connection. If successful, save the credentials. Turn the Provisioning Status "on" and click Save.

Step 7. Go to the Users and Groups section of the Keeper Azure AD app and assign users or groups from your Azure AD to the app.

Step 8. Start Provisioning

Ensure that provisioning is started by clicking on the "Start" button.

Wait for approximately five minutes (in some cases, Microsoft can take up to 40 minutes for the first time run), then click the Sync button in the Admin Console. Verify that users appear under the Users tab.

Instant Provisioning

In Azure, you can also instantly provision a user by clicking on Provisioning > Provision on demand.

SCIM + Team-to-Role Mapping

Typically, identity providers that use SCIM such as Azure, support assigning users to teams, but custom role assignment is done only on a user basis. SCIM-provisioned teams and users are applied to the default role, without the ability for a team provisioned from SCIM to be mapped into an alternative, pre-defined role.

Keeper's Team-to-role mapping allows organizations to use their existing identity provider to assign users directly into teams that can be assigned custom roles.

To use team-to-role mapping, administrators simply assign a role to an entire “Team,” as opposed to individual users and use role enforcements to establish different requirements and restrictions for each team.

Team Provisioning and Team Assignments

When setting up User and Team SCIM provisioning with Azure, make sure of the following:

• Ensure that you have assigned the Azure groups in the SAML application

• When you invite a user from Azure or assign a user into a group that has been provisioned, Azure will send the request to Keeper to either invite a user to join, or to add a user to a team, or to create a team.

• If the user does not exist yet in Keeper, they will receive an invite to sign up (or they can use just-in-time provisioning)

• After the user has created their Keeper account, the user will not yet be assigned into a Keeper team until one of a few things happen: (a) Admin logs into the Admin Console > Click on "Full Sync" from the Admin screen (b) A user from the relevant team logs into the Web Vault or Desktop App (c) Admin runs team-approve from Keeper Commander Sharing an encryption key (e.g. Team Key) can only be performed by a user who is logged in, and has access to the necessary private keys.

• To streamline this process, the Keeper Automator service as of version 3.2 performs instant approval of Teams and team assignments. More information about the Automator service is located here.

SAML 2.0 Authentication with Azure AD

This document described the provisioning process with Azure AD. To enable automatic authentication with Azure AD using the SAML 2.0 protocol, follow the setup instructions in the Keeper SSO Connect Cloud Guide.

The Keeper Bridge is an enterprise-class service application that supports the ability to automatically sync Nodes, Users, Roles and Teams to your Keeper Enterprise account from an Active Directory service. To activate and install the Keeper Bridge, follow the steps below:

1. Login to the Admin Console.

2. Create a Node (under the root node) to sync with your Active Directory.

3. Visit the Provisioning tab and select Add Method and then Active Directory Sync.

4. Download the Keeper Bridge and proceed with setup.

Keeper Bridge supports single and multi-domain, multiple forest domains and other complex environments. The Bridge also supports high-availability mode and a variety of custom configuration options based on your AD/LDAP environment. The Keeper AD Bridge Guide documents the full setup process.

• The Keeper Bridge does not authenticate users into their vault with their Active Directory password. For seamless user authentication, consider our Keeper SSO Connect add-on as described in the next section which authenticates against Active Directory via AD FS.

• Automated Team provisioning requires the Keeper Administrator to authenticate on the Keeper Bridge. The Bridge will poll for users who have created their Keeper account after invitation, then the Bridge will encrypt the Team Key with the user's public key, and distribute the Team Key to the user. Once any member of the team logs into the Vault, all members of that team are approved.

• Once the Active Directory Bridge is syncing, we recommend not making manual user or team changes directly on the Admin Console. Delegate all user and team provisioning to the bridge through Active Directory. Role enforcement policy changes should still be made on the Admin Console

Overview

This guide covers JumpCloud Automated Provisioning with SCIM which will update and deactivate Keeper user accounts as changes are made in JumpCloud.

Requirements

To setup Keeper user provisioning with JumpCloud®, you need to have access to the and a JumpCloud® Admin account.

User Provisioning SSO+SCIM

User Provisioning (SCIM)

Configuration Steps

Step 1: Add SCIM Provisioning Method for JumpCloud®

Navigate to your Keeper Admin console and add the SCIM Provisioning Method to your desired "Node".

Step 2: Select SCIM Provisioning Method

Select "SCIM (System for Cross-Domain Identity Management)" and select "Next".

Step 3: Generate SCIM Token

At the next screen select "Generate" to generate your Token to connect your SCIM provisioning method.

Step 4: Save SCIM Provisioning Method

At the next screen, you will be presented with your URL and Token. You will need this information, for future use, to configure the SCIM section of the Keeper SSO Application within JumpCloud®. Select "Save".

You will now see your SCIM Provisioning Method in a Pending State.

Step 5: Add Keeper Application to JumpCloud®

Navigate to your JumpCloud® Admin Console -> SSO and select the Plus Sign to add Keeper Password Manager to the list of your SSO applications.

Step 6: Configure Keeper Application

On the "Configure New SSO Application" page, search for Keeper Security in the search bar. Select Configure on the right hand side of Keeper Application.

Step 7: Activate Keeper Application

Under "General Info", provide your Keeper application a Display Label such as "Keeper EPM" in the provided field and then select "activate".

You will now see your Keeper application in an active status.

Step 8: Configure SCIM within Keeper Application

Click on the active Keeper application and within the Keeper App Configuration, scroll down to the bottom and select "Configure" under the "Identity Management Section".

Step 9: Activate SCIM

This is where you will supply the previously generated URL and Token within the SCIM Provisioning Method in your Keeper Admin Console.

To enable Team Provisioning, click on "Enable management of User Groups..."

Step 10: Save Keeper Application

Select "save".

User and Team provisioning with JumpCloud is complete. Moving forward, new users who have been configured to use Keeper, in JumpCloud and are within the provisioning scope definitions, will receive invites to utilize the Keeper Vault and will be under the control of JumpCloud.

Overview

This guide covers CloudGate Automated Provisioning with SCIM which will update and deactivate Keeper user accounts as changes are made in CloudGate.

Requirements

To setup Keeper user provisioning with CloudGate, you need to have access to the and a CloudGate Admin account.

User Provisioning SSO+SCIM

User Provisioning (SCIM)

Configuration Steps

Step 1: Add SCIM Provisioning Method for CloudGate

Navigate to your Keeper Admin console and add the SCIM Provisioning Method to your desired "Node".

Step 2: Select SCIM Provisioning Method

Select "SCIM (System for Cross-Domain Identity Management)" and select "Next".

Step 3: Generate SCIM Token

At the next screen select "Generate" to generate your Token to connect your SCIM provisioning method.

Step 4: Save SCIM Provisioning Method

At the next screen, you will be presented with your URL and Token. You will need this information for the step 8 to configure the SCIM section of the Keeper SSO Application within CloudGate. Select "Save".

You will now see your SCIM Provisioning Method in a Pending State.

Step 5: Add Keeper Application to CloudGate

Navigate to your CloudGate Admin Console -> Service Provider and select the Add service provider to add Keeper Password Manager to the list of your SSO applications.

Step 6: Configure Keeper Application

On the "ADD SERVICE PROVIDER" page, search for Keeper Security in the search bar. Select Add on the Keeper SSO Cloud Connect icon.

Step 7: Configure SCIM within Keeper Application

Click "edit" on the Keeper SSO Cloud Connect icon you created at SERVICE PROVIDERS page and go to the provisioning settings tab.

Step 8: Activate SCIM

This is where you will supply the previously generated URL and Token within the SCIM Provisioning Method in your Keeper Admin Console at the step 4. Now you can click "Test" to check if the SCIM provisioning is OK.

Step 9: Save Keeper Application

Select "save".

User provisioning with CloudGate is complete. Moving forward, new users who have been configured to use Keeper, in CloudGate and are within the provisioning scope definitions, will receive invites to utilize the Keeper Vault and will be under the control of CloudGate.

The Keeper Bridge is an enterprise-class service application that supports the ability to automatically sync Nodes, Users, Roles and Teams to your Keeper Enterprise account from an LDAP service. To activate and install the Keeper Bridge, follow the below steps:

1. Login to the Admin Console.

2. Create a Node (under the root node) to sync with your Active Directory.

3. Visit the Provisioning tab and select Add Method and then select LDAP Sync.

4. Download the Keeper Bridge and proceed with setup.

• The Keeper Bridge does not authenticate users into their vault with their LDAP password. For seamless user authentication, consider our Keeper SSO Connect add-on as described in the next section which authenticates against Active Directory via AD FS.

• Automated Team provisioning requires the Keeper Administrator to authenticate on the Keeper Bridge. The Bridge will poll for users who have created their Keeper account after invitation, then the Bridge will encrypt the Team Key with the user's public key, and distribute the Team Key to the user. Once any member of the team logs into the Vault, all members of that team are approved.

• Once the Keeper Bridge is syncing, we recommend not making manual user or team changes directly on the Admin Console. Delegate all user and team provisioning to the bridge through the LDAP Directory. Role enforcement policy changes should still be made on the Admin Console

What is SCIM?

System for Cross-domain Identity Management (SCIM) is a standard for automating the exchange of user identity information between identity domains, or IT systems [wikipedia].

Identity providers such as Okta, Azure AD / Entra ID, Google G Suite, JumpCloud and other popular IdP platforms support the use of SCIM for provisioning Teams and Users to Keeper Enterprise. The terminology differs between platforms. For example, Okta and Azure call it "Automated Provisioning".

Other identity management products such as SailPoint also support the use of SCIM 2.0 for provisioning users automatically.

Keeper supports SCIM 2.0, a REST-based API using JSON message structure. The Keeper SCIM endpoint supports Users and Groups resources, and the following message types:

User/Team Provisioning

• Retrieve user/team information

• Add a user/team

• Update a user/team profile

• Delete a user/team

A user can have multiple nodes synchronizing with different identity providers (Azure AD, Okta directory, etc.) from the same vendor or different vendors. One node per identity provider, parent-child relationship is not supported (e.g if SCIM is setup on a node, the sub-nodes of this node are not controlled by the integration, but they can be controlled by their own provider).

The authentication is the Header Authentication, with the token generated by Keeper when setting up the node.

Keeper SCIM endpoint supports Users and Groups resources, according to the following table:

Excluded Attributes

Per specification: https://tools.ietf.org/html/rfc7644#section-3.4.2.5

Keeper supports the “excludedAttributes” for “members” attribute. To improve performance of working with groups that contain a large number of members, you can add a parameter such as:

?excludedAttributes=members

...on SCIM queries for multiple groups and a single group, and on PATCH query for a group.

Pagination

Per specification: https://tools.ietf.org/html/rfc7644#section-3.4.2.4

By default, Keeper SCIM API will only return the first 1000 entries for queries that yield large result sets. To query the entire data set, use SCIM pagination parameters according to the specification.

Notes Regarding Integration

The SCIM identity provider maps to a single node, and the username of the provider maps to the Keeper user name (email address), which needs to be unique globally. Therefore, if an identity provider contains a user defined by the email which is already a member of the same or different Keeper Enterprise account, any attempt to provision this user will fail. The only exception is if the user is already a member of the same node, then the provisioning will be successful, establishing the link between the identity provider and Keeper. To avoid problems, if you already have manually created users in Keeper that match ones that you plan to use in the identity provider, move them manually under the SCIM node prior to setting up the integration in the provider.

When a user is provisioned, Keeper requires either their username or email to contain a valid email address. If not, the provisioning can be rejected (e.g. in Okta you can set username to be some arbitrary string and an email is not required). If the email is fake, it will be accepted, but the provisioned user will not be able to receive the invitation email and as such will not be able to join the enterprise.

Team and User Approval Process

New users added by the SCIM sync are created in the “invited” state and will receive an invite to join Keeper. New teams created by the SCIM sync are created in the “pending” state and require final approval from either the Keeper Administrator or another team member.

Users added to teams via SCIM are added in a "pending" state and require approval. Team and user approval occurs automatically when the Admin logs in to the Keeper Admin Console. Approvals can also be automated using the Keeper Automator service or using Keeper Commander. The reason that teams and users are approved using this method is because encryption keys must be generated and/or shared. In Keeper's Zero-Knowledge environment, this action must be performed by a Keeper Administrator, by another team member, or by the automation service. Keeper's support team can assist customers in installing the automation service.

Unique Group Names

By default, Keeper will accept group creation even if the Group Name is identical to a previously used name.

If you encounter an issue with duplicate group names, please contact Keeper and we will set a flag on your SCIM connection which enforces unique names.

SCIM Push Command

Keeper has integrated SCIM into the Keeper Commander SDK. Users and groups can be pushed from any directory source (e.g. Google Workspace, Active Directory or any other source) directly into the Keeper SCIM endpoint.

Learn More about the SCIM Push command.

Troubleshooting and Tips

• If you click the "Test" button before saving the SCIM provisioning method in the Admin Console, the test will fail. Copy the token first, then click Save.

• Keeper users are identified by their email, therefore when assigning so make sure the User Name contains a valid email address.

Team Provisioning and Team Assignments

When setting up User and Team SCIM provisioning, make sure of the following:

• When you invite a user from SCIM, if the user does not exist yet in Keeper, they will receive an invite to sign up (or they can use just-in-time provisioning)

• After the user has created their Keeper account, the user will not yet be assigned into a Keeper team until one of a few things happen: (a) Admin logs into the Admin Console > Click on "Full Sync" from the Admin screen or.... (b) A user from the relevant team logs into the Web Vault or Desktop App or.... (c) Admin runs team-approve from Keeper Commander or... (d) The Keeper Automator service approves the transaction. The reason that teams and users can't be created instantly via SCIM, is due to the encryption model and the need to share a private key between users. Sharing an encryption key (e.g. Team Key) can only be performed by a user who is logged in, and has access to the necessary private keys.

• To streamline this process, the Keeper Automator service as of version 3.2 performs instant approval of Teams and team assignments. More information about the Automator service is located here.

Keeper Enterprise is available for Google Workspace with automated user provisioning using the SCIM (System for Cross-Domain Identity Management) protocol. SCIM is an open standard that enables automated user provisioning between identity providers (like Google Workspace) and service providers (like Keeper).

SCIM Overview

Companies utilizing Google Workspace for their identity services can easily deploy Keeper’s EPM solution to their users without the need to manually provision users. Keeper has developed a tight integration with Google Workspace and Google Cloud to automatically provision users and teams from Google to Keeper. In the integration, admins can select which groups and users are provisioned to Keeper.

In addition to provisioning and de-provisioning users, Keeper Enterprise provides zero-knowledge, SAML 2.0 compliant authentication with Google for seamless and frictionless access.

Integration of Keeper Enterprise into Google Workspace enables organizations of any size to secure their passwords and confidential information within an encrypted vault. By including Keeper Enterprise in their SSO implementation, organizations fill critical security and functionality gaps that are essential from a cybersecurity perspective which includes:

• Protects and generates strong passwords for any non-SAML application or website

• Implements zero-knowledge security architecture with full end-to-end encryption

• Stores SSH keys, digital certificates and any other confidential information

• Enforces password compliance and policy-based access controls across the entire organization – all employees on all their devices for every website, application and system.

• Manages shared passwords for financial, business, social media or any other critical service

Keeper is available for all Google Workspace Education, Business and Enterprise customers.

SSO and SCIM Setup and Configuration

Google Workspace supports the following integrations with Keeper:

• SSO authentication with SAML 2.0

• Automatic User Provisioning with SCIM

• User and Team provisioning with Google Cloud Functions and Cloud Scheduler

Keeper integrates with Microsoft AD FS for real-time user authentication, provisioning and de-provisioning.

View the full SSO Connect setup guides:

SSO Connect Cloud with Microsoft AD FS: https://docs.keeper.io/sso-connect-cloud/identity-provider-setup/ad-fs-keeper

SSO Connect On-Prem: https://docs.keeper.io/sso-connect-guide/identity-provider-setup/ad-fs-configuration

Overview

This guide covers Okta Automated Provisioning with SCIM. Before you begin the setup, we recommend that you first activate Keeper's powerful SSO Connect integration with Okta that provides realtime user authentication and Just-In-Time provisioning.

Provisioning Features

Keeper/Okta automated provisioning supports the following features:

• Create users in Keeper

• Update user attributes

• Activate or deactivate users (locks or unlocks them in Keeper)

• Creates teams in Keeper (from Okta groups)

• Seamless authentication

When provisioning users, Okta directory is mapped to a single Keeper node. Okta creates users and groups in a pending state and new users will receive an email invitation prompting them to create a Keeper account.

Requirements

To setup Keeper user provisioning with Okta, you need to have access to the Keeper Admin Console and an Okta Admin account.

Configuration Steps

If you haven't added Keeper to your Okta Admin, Select the Applications tab and then select Browse App Catalog and search for "Keeper".

Open the Keeper Admin Console and navigate to a node which should be synchronized with your Okta account. If you are using SAML 2.0 authentication, add the SCIM connector to the same node. Select Add Method > SCIM (System for Cross-Domain Identity Management) and click Next.

Copy the URL.

Navigate back to your Okta Admin account and paste the URL from Keeper into the Base URL of the Okta API Integration screen.

Switch back to the Keeper Admin Console click Generate.

Immediately copy the generated token to your clipboard then click Save (important to Save now)

Note: If you click "Test" on the Okta side before saving the token in Keeper, the test will fail.

Paste the token into the Okta console.

Select Save on Okta to finish the Keeper provisioning setup.

Provisioning Users

In the Okta Provisioning tab, click Edit under Provisioning to App. Enable "Create Users", "Update User Attributes", "Deactivate Users" capabilities, then click Save.

Assign the app to a user from Okta, and after a short period, select the Full Sync button in the Keeper Admin Console.

Please ensure that the username and email for users remains the same during user assignment.

In the Keeper Admin Console, users will show in either an "Invite" state or a "Pending transfer acceptance" state (if Vault Transfer policy is active for the default role).

The user will receive an email invitation (unless email invites are disabled at the Role Policy level). Clicking the invite link will allow the user to login with Okta and complete the provisioning process.

Alternatively, the user can simply login to Keeper with their email address or Enterprise Domain and complete the sign-in process.

After the user has created their Keeper vault, the status on the Admin Console will change to "Active".

Team Provisioning

Keeper supports Team provisioning through Okta "Push Groups".

• Push Groups are added as Keeper Teams within the Admin Console

• Users who are assigned to Push Groups are assigned to the Keeper Team

• Keeper Teams can then be provisioned to Shared Folders

• Keeper Teams can be mapped to Role Policies through Team-to-Role Mapping

Team and User Approvals

Processing of Team and Team-User assignments must be completed locally on the Admin Console or through one of Keeper's automated tools.

After pushing Users or Teams to the Keeper Admin Console, simply login or click "Full Sync" to process and approve the transactions.

A notification will appear along the bottom of the screen when team approvals have been processed.

SCIM + Team-to-Role Mapping

Okta Automated provisioning maps Push Groups to Keeper Teams. To automatically assign different teams to different Keeper Roles, you can use our "Team to Role mapping" feature.

From the Roles screen, simply add the Team to the role.

To use team-to-role mapping, administrators simply assign a role to an entire “Team,” as opposed to individual users and use role enforcements to establish different requirements and restrictions for each team. Note that Team-Role mapping cannot be used with Administrative roles.

Known Issues/Troubleshooting and Tips

• If you click the "Test" button before saving the SCIM provisioning method in the Admin Console, the test will fail. Copy the token then click Save.

• Keeper users are identified by their email, therefore when assigning the Okta user to the Keeper app, make sure the User Name contains a valid email address.

• Groups assigned to the Keeper Okta application are not created as teams in Keeper by default; only group members are pushed to Keeper. To sync groups and group memberships to Keeper you need to add the groups to "Push Groups" in the Keeper Okta application.

• When synchronizing group memberships from Okta, Keeper creates team memberships which are not immediately visible. For the provisioned users to become actual team members, the user must register with Keeper, accept the invitation and be receive approval for group entry by a Keeper Administrator or auto-approved by an existing Keeper team member logged into their Web Vault.

• When creating a new Push Group, the Okta admin will need to manually push the groups to complete group synchronization at least one time.

Team Provisioning and Team Assignments

When setting up User and Team SCIM provisioning with Okta, make sure of the following:

• Ensure that you have assigned the Okta groups as Push Groups in the SAML application

• When you invite a user from Okta or assign a user into a group that has been provisioned as a Push Group, Okta will send the request to Keeper to either invite a user to join, or to add a user to a team, or to create a team.

• If the user does not exist yet in Keeper, they will receive an invite to sign up (or they can use just-in-time provisioning)

• After the user has created their Keeper account, the user will not yet be assigned into a Keeper team until one of a few things happen: (a) Admin logs into the Admin Console > Click on "Full Sync" from the Admin screen (b) A user from the relevant team logs into the Web Vault or Desktop App (c) Admin runs team-approve from Keeper Commander Sharing an encryption key (e.g. Team Key) can only be performed by a user who is logged in, and has access to the necessary private keys.

Okta Error Handling

If you receive the error "Unable to update Group Push mapping target App group xxx: Error while updating user group membership... Not Found"

• This error can occur if the Keeper Enterprise User ID is different between the Keeper backend and the Okta admin. This can occur if you delete and re-create a user's account from the Keeper side, instead of properly creating the user from a SCIM invitation. In this case, Okta does not have knowledge of the user's new Enterpriser User ID.

• To resolve this issue, you need to simply remove the application assignment to Keeper, and re-assign the user to the Keeper application.

User Authentication with SAML 2.0

Please visit the Okta + Keeper SSO Connect guide for sign-on authentication.

Keeper supports API-based provisioning through the use of our Python-based Keeper Commander SDK. The Keeper Commander SDK is open source Python code that is available for download from Keeper's Github Repository. The Commander SDK can assist in the following use cases:

• Command line access to your Keeper vault

• Running reports

• Importing passwords, folders and shared folder

• Provisioning users and teams

• Pushing records to users and teams

• Sharing records and folders with users and teams

• Performing targeted password rotation

• Managing Secrets Manager and Keeper PAM

Since Keeper Commander is an open source SDK and written in Python, it can be customized to meet your needs and integrated into your back-end systems.

Command-line Usage

Commander's command-line interface and interactive shell is a powerful and convenient way to access and control your Keeper vault and perform many administrative operations. To see all available commands, just type:

$ keeper

usage: keeper [--server SERVER] [--user USER] [--password PASSWORD]
              [--version] [--config CONFIG] [--debug]
              [command] [options [options ...]]

positional arguments:
  command               Command
  options               Options

optional arguments:
  --server SERVER, -ks SERVER
                        Keeper Host address.
  --user USER, -ku USER
                        Email address for the account.
  --password PASSWORD, -kp PASSWORD
                        Master password for the account.
  --version             Display version
  --config CONFIG       Config file to use
  --debug               Turn on debug mode

Interactive Shell

To run a series of commands and stay logged in, you will enjoy using Commander's interactive shell.

$ keeper shell

  _  __
 | |/ /___ ___ _ __  ___ _ _
 | ' </ -_) -_) '_ \/ -_) '_|
 |_|\_\___\___| .__/\___|_|
              |_|

 password manager & digital vault

Logging in...
Syncing...
Decrypted [400] Records

My Vault>

Type h to display all commands and help information.

Keeper Command Reference

Commander has hundreds of features. Specifically with regards to User and Team provisioning, the following commands are relevant:

• create-user

• enterprise-info

• enterprise-node

• enterprise-user

• enterprise-role

• enterprise-team

• enterprise-push

• team-approve

There are two methods for creating user accounts with Commander:

• Invite users to an enterprise with the enterprise-user --add command

• Create new user accounts and vaults with the create-user command

For the full list of commands offered by Commander, visit:

• Keeper Command Reference

• Provisioning Commands

The "Approval Queue" is where SCIM- and Bridge-provisioned Teams and Users live until an Admin or other team member performs the necessary approval. Approvals are required in the Keeper environment in order to share the necessary encryption keys (by encrypting the private keys with the public key of the Team or User).

Additionally, the Approval Queue is used for Keeper SSO Connect Cloud device approvals when the end-user clicks on "Request Admin Approval".

Keeper provides several methods of approvals, manual and automated.

Team and User Approval Process

New users added by identity providers using the SCIM protocol are created in the “invited” state and will receive an invite to join Keeper.

New teams created by the SCIM sync are created in the “pending” state and require final approval by a Keeper Administrator, another team member or automated methods.

Actions must be taken by either the Admin or using methods outlined below, because encryption keys must be generated and/or shared.

Approval Method 1: Admin Console Login

Team creation and team member assignments are completed automatically when any Administrator logs into the Keeper Admin Console. Approval is performed by encrypting the Team Key with the user's public key.

Approval Method 2: Vault Login

Team members approvals are completed automatically when any member of the team (including the Admin) log into the Keeper Web Vault or Desktop App. Approval is performed by encrypting the Team Key with the user's public key.

Approval Method 3: Keeper Automator

Keeper Automator is a container application that can be deployed as a standalone service to any cloud or on-prem environment.

Keeper Automator performs instant device approvals, team approvals and team-user assignments without the need for any manual actions by users.

Approval Method 4: Keeper Commander

Approvals can be automated or run manually via the Keeper command-line interface or SDK platform, Keeper Commander.

team-approve approves queued teams and users that have been provisioned by SCIM or Active Directory Bridge.

Keeper Commander Parameters

• --team approve teams only

• --user approve team users only

• --restrict-edit {on,off} disable record edits

• --restrict-share {on,off} disable record re-shares

• --restrict-view {on,off} disable view/copy passwords

device-approve approves SSO Cloud user devices.

• --approve approve all devices

• --trusted-ip approve devices that come from recognized IPs

• --reload retrieve the latest devices pending approval

• --deny deny a device

See the setup instructions here:

Overview

To facilitate the onboarding of Keeper to users based on their email address domain and a Master Password, use the Email Provisioning method. This can be used for organizations that are deploying Keeper to a large number of users (such as a university) where the admin is not explicitly inviting the user to sign up.

For example, anyone with the email address containing the domain acme.edu, can be automatically provisioned to a particular node and role within the Acme EDU Keeper Enterprise account upon creating their vault.

Configuration

(1) Login to the Keeper Admin Console

(2) If you don't already have a Node created for this provisioning method, please create one by clicking "Add Node". Provisioning is not permitted in the root node.

(3) In the new node, click on Provisioning > Add Method

(4) Select Email Auto-Provisioning then Next

(5) Choose a method of domain name ownership. You can use DNS lookup or HTML file upload.

(6) Once verification is complete, the status will show the email domain.

Inviting Users

When using the email provisioning method, the easiest way to invite users to sign up is to provide them a link to the vault:

US Data Center: https://keepersecurity.com/vault

EU Data Center: https://keepersecurity.eu/vault AU Data Center: https://keepersecurity.com.au/vault

CA Data Center: https://keepersecurity.com.ca/vault

JP Data Center: https://keepersecurity.jp/vault

Users simply click "Set up now" and use your company email to create your vault.

The user types in their email and clicks "Next".

User will set a Master Password.

After the user confirms their email with a verification code, the user will be provisioned to the specified Node and Default Role in the Admin Console.

Overview

Keeper Enterprise supports integration with OneLogin with automated user provisioning using the SCIM (System for Cross-Domain Identity Management) protocol. SCIM is an open standard that enables automated user provisioning between identity providers (like OneLogin) and service providers (like Keeper).

Companies utilizing OneLogin for their identity services can easily deploy Keeper’s EPM solution to their users without the need to manually provision. When auto-provisioning for Keeper Enterprise is enabled in OneLogin, any users created, modified or deleted in OneLogin are automatically added, edited or deleted in Keeper.

In addition to provisioning and deprovisioning users, Keeper Enterprise provides zero-knowledge, SAML 2.0 compliant authentication with OneLogin for seamless and frictionless access.

Integration of Keeper Enterprise into OneLogin enables organizations of any size to secure their passwords and confidential information within an encrypted vault. By including Keeper Enterprise in their SSO implementation, organizations fill critical security and functionality gaps that are essential from a cybersecurity perspective which includes:

• Protects and generates strong passwords for any non-SAML application or website

• Implements zero-knowledge security architecture with full end-to-end encryption

• Stores SSH keys, digital certificates and any other confidential information

• Enforces password compliance and policy-based access controls across the entire organization – all employees on all their devices for every website, application and system

• Manages shared passwords for financial, business, social media or any other critical service

User encryption keys are generated dynamically by Keeper SSO Connect, encrypted and stored locally on the installed server, providing the customer with full control over the encryption keys that are used to encrypt and decrypt their digital vaults.

SSO + SCIM Configuration - Application Connector

OneLogin has a built-in Keeper application in their catalog that supports both SSO + SCIM integration.

After the API Connect status is Enabled, navigate to the Provisioning section and check the box for "Enable provisioning".

Add Users to the application.

Users can be added to the Keeper Password Manger connector in Onelogin in a couple different ways. The application can be added to the user's account or the user can be added to a Role, and the role gets added to the application via the Access section of the application in OneLogin. After the user has been added, in order for SCIM to send the request to Keeper, the OneLogin Admin will need to approve the change by navigating to the Users section in the Keeper Password Manager application connector and clicking on the "pending" status to Approve the user. The approval link can also be reached by going to the Applications section of the Users OneLogin profile and clicking the "pending" status. Click the Approve button to allow the user to be provisioned from OneLogin to Keeper.

Observe the user status changes from "Pending" to "Provisioned".

Enable OneLogin Roles to Keeper Teams mapping

On the Parameters section, click on Groups in the Optional Parameters section. On the Edit Fields Group pop-out select 'Include in User Provisioning'.

Click save and observe the Groups status changes to Enabled. Next, navigate to the Rules section of the application connector and select the "Add Rule" button.

Give the rule a name like "Create Team from Role. Under the Actions section, select "Set Groups in Keeper Password Manager" from the pull down. Next, select (or search) 'role' from the pull down and add the value .* (dot star) for the matching text.

SCIM Only Configuration

For SCIM-only configuration, users are directed to the following OneLogin instructions, https://developers.onelogin.com/scim.

On the Configuration page of your app, use the following SCIM JSON template (Keeper username must be a valid email address):

{
    "schemas": [
        "urn:scim:schemas:core:1.0"
    ],
    "userName": "{$user.email}",
    "displayName": "{$user.display_name}"
}

Obtain the SCIM Base URL and SCIM Bearer Token from the Admin Console

Add the following line to the Custom Headers section

Content-Type: application/scim+json

After you have enabled provisioning, your configuration would look similar to the screen capture below:

SCIM + Team-to-Role Mapping

To use team-to-role mapping, administrators simply assign a role to an entire “Team,” opposed to individual users and use role enforcements to establish different requirements and restrictions for each team.

Typically, identity providers that use SCIM such as OneLogin, support assigning users to teams, but custom role assignment is done only on a user basis. SCIM-provisioned teams and users are applied to the default role, without the ability for a team provisioned from SCIM to be mapped into an alternative, pre-defined role. Team-to-role mapping allows organizations to use their existing identity provider to assign users directly into teams that can be assigned custom roles.

Unique Group Names

OneLogin appears to have a timing issue with their SCIM system which can possibly send multiple simultaneous requests to create the same Group. Keeper normally will accept the new group creation even if the Group Name is identical.

If you encounter an issue with duplicate group names, please contact Keeper and we will set a flag on your SCIM connection which enforces unique names.

Contact Keeper Support to enforce unique group names on your SCIM instance.