
Microsoft AD FS Provisioning

Keeper supports SAML 2.0 Authentication and SCIM provisioning with Microsoft AD FS

Keeper integrates with Microsoft AD FS for real-time user authentication, provisioning and de-provisioning.

View the full SSO Connect setup guides:

SSO Connect Cloud with Microsoft AD FS: https://docs.keeper.io/sso-connect-cloud/identity-provider-setup/ad-fs-keeper

SSO Connect On-Prem: https://docs.keeper.io/sso-connect-guide/identity-provider-setup/ad-fs-configuration

LDAP Provisioning

Keeper AD Bridge supports automatic provisioning of nodes, roles, teams and users from any LDAP service.

The Keeper Bridge is an enterprise-class service application that supports the ability to automatically sync Nodes, Users, Roles and Teams to your Keeper Enterprise account from an LDAP service. To activate and install the Keeper Bridge, follow the below steps:

  1. Login to the Admin Console.

  2. Create a Node (under the root node) to sync with your Active Directory.

  3. Visit the Provisioning tab and select Add Method and then select LDAP Sync.

  4. Download the Keeper Bridge and proceed with setup.

For detailed Bridge setup and install instructions see our Keeper Bridge Guide.

  • The Keeper Bridge does not authenticate users into their vault with their LDAP password. For seamless user authentication, consider our Keeper SSO Connect add-on as described in the next section, which authenticates against Active Directory via AD FS.

  • Automated Team provisioning requires the Keeper Administrator to authenticate on the Keeper Bridge. The Bridge will poll for users who have created their Keeper account after invitation, then the Bridge will encrypt the Team Key with the user's public key, and distribute the Team Key to the user. Once any member of the team logs into the Vault, all members of that team are approved.

  • Once the Keeper Bridge is syncing, we recommend not making manual user or team changes directly on the Admin Console. Delegate all user and team provisioning to the bridge through the LDAP Directory. Role enforcement policy changes should still be made on the Admin Console.

Simple Provisioning through the Admin Console

Provision users and create teams from the Keeper Admin Console.

Addition of Users

To add users manually through the user interface, follow these steps.

  1. Login to the Admin Console.

  2. Select the Node that the user will belong to. By default, the top level root node is selected.

  3. From the Users Tab, select the + Add Users button.

  4. Enter the Name and Email of the user and then click Add.

  5. The user will receive an email to create their vault with a Master Password or SSO, depending on what node they are located in.

Google Workspace Provisioning

Keeper supports SAML 2.0 Authentication and SCIM provisioning with the Google Workspace platform.

Keeper Enterprise is available for Google Workspace with automated user provisioning using the SCIM (System for Cross-Domain Identity Management) protocol. SCIM is an open standard that enables automated user provisioning between identity providers (like Google Workspace) and service providers (like Keeper).

IMPORTANT: If you want your users to authenticate via SAML 2.0 with Google Workspace, you must first configure and install Keeper SSO Connect.

View the full SSO Connect Cloud setup guide: https://docs.keeper.io/sso-connect-cloud/

SSO JIT (Just-in-Time) Provisioning

Keeper supports just-in-time automatic provisioning and seamless authentication with any identity provider.

Overview of SSO - JIT Provisioning and Authentication

Keeper SSO Connect® Cloud leverages Keeper’s zero-knowledge security architecture to securely and seamlessly authenticate users into their Keeper Vault and dynamically provision user vaults to the platform. Keeper supports all popular SSO IdP platforms such as Okta, Microsoft Entra ID / Azure AD, Google Workspace, Centrify, Duo, OneLogin, Ping Identity, JumpCloud and many more.

Keeper supports both IdP-initiated login flows and SP-initiated flows. Just-in-time provisioning allows admins to quickly and easily roll out Keeper to users using a few simple steps:

User and Team Provisioning

User provisioning is flexible and powerful with Keeper Enterprise.

Keeper Enterprise can provision users through many different methods that are described here in detail.

Provisioning Methods Supported

  • Manual Provisioning through the Keeper Admin Console

  • Single Sign-On (SAML 2.0) Authentication and Provisioning with Keeper SSO Connect

  • Active Directory / LDAP Provisioning with the AD Bridge

  • Okta, Azure AD, Google Workspace, Ping, OneLogin Provisioning with SCIM

  • API Provisioning with SCIM

  • Email Auto-Provisioning

  • CLI Provisioning with Commander SDK

SCIM Overview

Companies utilizing Google Workspace for their identity services can easily deploy Keeper’s EPM solution to their users without the need to manually provision users. Keeper has developed a tight integration with Google Workspace and Google Cloud to automatically provision users and teams from Google to Keeper. In the integration, admins can select which groups and users are provisioned to Keeper.

In addition to provisioning and de-provisioning users, Keeper Enterprise provides zero-knowledge, SAML 2.0 compliant authentication with Google for seamless and frictionless access.

Integration of Keeper Enterprise into Google Workspace enables organizations of any size to secure their passwords and confidential information within an encrypted vault. By including Keeper Enterprise in their SSO implementation, organizations close critical security and functionality gaps. Keeper:

  • Protects and generates strong passwords for any non-SAML application or website

  • Implements zero-knowledge security architecture with full end-to-end encryption

  • Stores SSH keys, digital certificates and any other confidential information

  • Enforces password compliance and policy-based access controls across the entire organization – all employees on all their devices for every website, application and system.

  • Manages shared passwords for financial, business, social media or any other critical service

Keeper is available for all Google Workspace Education, Business and Enterprise customers.

SSO and SCIM Setup and Configuration

Google Workspace supports the following integrations with Keeper:

  • SSO authentication with SAML 2.0

  • Automatic User Provisioning with SCIM

  • User and Team provisioning with Google Cloud Functions and Cloud Scheduler

For step-by-step Google Workspace specific configuration use the following link: https://docs.keeper.io/sso-connect-cloud/identity-provider-setup/g-suite-keeper



    Bulk User Import

    You can also import many users at once via a comma-delimited text file (.csv).

    Preparing a file for Bulk User Import

    The file format for a CSV file upload is 3 columns: Email Address, Name, Role.

    The Role field is optional. Keeper recommends you create a default "General Employee" role; all users imported will then be automatically assigned to that role.

    Prepare the file in a spreadsheet (for example Excel), then convert it to .csv by selecting File > Save As... > (.csv).

    A few important notes about preparing a CSV file for user importing:

    • Ensure that the file does not contain a header row.

    • Only roles without Admin Permissions can be imported. Any row containing a Role that has Administrative Permissions will be skipped.

    • Don't populate the default role in the Role column. This is not necessary and will generate error messages. Simply leave the Role blank to inherit the default role.

    • If you include a Role name, make sure it matches the exact spelling in the Admin Console.

    Performing Bulk User Import

    1. From the Admin Console, select Admin > Users.

    2. Select + Add Users.

    3. Drag and drop a prepared CSV file with 3 columns: Name, Email and Optional Role.

    After dragging and dropping the file, you will be asked to review the changes. Note the default role will appear empty. Click Add to complete the import.
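The notes above describe several ways an import row can silently fail (header row, mistyped role, admin role, explicit default role). The following pre-flight checker is an added example, not Keeper's code; the console role list, default role name and sample CSV are constructed for the demonstration.

```python
"""Pre-flight checks for a Keeper bulk user import CSV (added example, not Keeper's code).

The Admin Console expects rows of: Email Address, Name, Role (optional), with no header
row; rows whose Role has administrative permissions are skipped, and a Role that names
the default role produces errors instead of being inherited.
"""
import csv
import io
import re

# Constructed sample of role names as they appear in the Admin Console and whether the
# role carries administrative permissions. A real run would take this from the console.
CONSOLE_ROLES = {
    "General Employee": False,
    "Engineering": False,
    "Keeper Administrator": True,
}
DEFAULT_ROLE = "General Employee"  # assumed name of the role that blank Role cells inherit

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample file: one row for each mistake the page warns about, plus two good rows.
SAMPLE_CSV = """Email Address,Name,Role
alice@example.com,Alice Adams,
bob@example.com,Bob Brown,General Employee
carol@example.com,Carol Cho,keeper administrator
dave@example.com,Dave Diaz,Engineering
dave@example.com,Dave Diaz,
erin@example,Erin Evans,
"""


def check_import_csv(text, console_roles=CONSOLE_ROLES, default_role=DEFAULT_ROLE):
    """Validate a bulk-import CSV before upload.

    Returns (rows_ok, problems): the number of rows the console should accept, and a
    list of (line_number, message) for rows that would error, be skipped or surprise you.
    """
    problems = []
    seen = set()
    rows_ok = 0
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        cells = [c.strip() for c in row]
        if not any(cells):
            continue  # empty line, harmless
        if len(cells) not in (2, 3):
            problems.append((lineno, "expected 3 columns: Email Address, Name, Role"))
            continue
        email, name = cells[0], cells[1]
        role = cells[2] if len(cells) == 3 else ""
        if lineno == 1 and email.lower() in ("email", "email address"):
            problems.append((lineno, "header row present; remove it"))
            continue
        if not EMAIL_RE.match(email):
            problems.append((lineno, f"invalid email {email!r}"))
            continue
        if email.lower() in seen:
            problems.append((lineno, f"duplicate email {email!r}"))
            continue
        seen.add(email.lower())
        if not name:
            problems.append((lineno, "missing Name"))
            continue
        if role == default_role:
            problems.append((lineno, f"role {role!r} is the default; leave Role blank to inherit it"))
            continue
        if role and role not in console_roles:
            # Role names must match the console spelling exactly; point out a near miss.
            hint = next((r for r in console_roles if r.lower() == role.lower()), None)
            msg = f"role {role!r} not found in console"
            if hint:
                msg += f" (did you mean {hint!r}?)"
            problems.append((lineno, msg))
            continue
        if role and console_roles[role]:
            problems.append((lineno, f"role {role!r} has admin permissions; row will be skipped"))
            continue
        rows_ok += 1
    return rows_ok, problems


if __name__ == "__main__":
    ok, issues = check_import_csv(SAMPLE_CSV)
    print(f"{ok} row(s) ready to import")
    for line, message in issues:
        print(f"line {line}: {message}")
```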
  • Configure the SAML 2.0 connection with "Enable Just-In-Time Provisioning" selected

  • Assign your users to the Keeper application in your identity provider

  • Direct your users to simply login to Keeper with their email address or SSO domain.

  • If your domain is reserved to your Keeper tenant, users will be automatically routed through your identity provider.

    Any user who is provisioned through JIT will be assigned to the default role enforcement policies for the node which they are provisioned in.

    The user's vault will be immediately provisioned and the user will be walked through the onboarding process, which can include importing passwords, installing the KeeperFill browser extension and setting up two-factor authentication.

    The exact steps of the onboarding process depend on the user's assigned role enforcement policy. Onboarding can also be disabled completely.

    After the onboarding is complete, users can begin using Keeper and managing their vault.

    For a full step by step guide on setting up your SSO Connect Cloud environment, see the SSO Connect Cloud admin guide: https://docs.keeper.io/sso-connect-cloud/


    Best Practices for User Provisioning

    Small Businesses and Teams

    If you are deploying Keeper to a small number of users, or if you are only deploying Keeper to a team within a large Enterprise, using Keeper's "manual provisioning" or "bulk upload" may be sufficient.

    See: Simple Provisioning through the Admin Console


    Organizations with On-Prem Active Directory

    For organizations that are managing an on-prem AD environment, we recommend using the Keeper Active Directory Bridge application ("AD Bridge") for mapping node structure and adding Users, Teams and Roles.

    See: AD Bridge

    The AD Bridge software is used strictly for provisioning of users. To authenticate your users against AD, we recommend using AD FS with the Keeper SSO Connect service.

    See: SSO Connect Cloud


    Organizations with On-Prem Active Directory and AD FS

    For organizations who are already utilizing federated services, Keeper SSO Connect provides real-time authentication and Just-In-Time (JIT) provisioning. If you would like to automatically assign users to Roles and Teams through AD security groups or other custom LDAP queries, the Keeper AD Bridge software can also be utilized.

    See: AD Bridge with SSO Connect Cloud


    Organizations using Entra ID / Azure AD, Okta, JumpCloud, Google Workspace or other cloud-based directories

    Many Keeper Enterprise customers have either migrated to a cloud-based identity store or they are in the process of migration, either through AD->Azure syncing or other mirroring techniques.

    If your organization utilizes a cloud-based directory, you have 3 choices for deployment:

    SSO (SAML 2.0) Authentication

    Keeper SSO Connect is a powerful feature of Keeper Enterprise which supports real-time authentication and provisioning of user accounts through any SAML 2.0 compatible identity provider. Azure AD, AD FS, Okta, JumpCloud, Google Workspace, Ping, OneLogin and all other identity providers are compatible with Keeper.

    SSO Connect Cloud supports Just-In-Time ("JIT") provisioning to make the user onboarding process simple and straightforward.

    See: SSO Connect Cloud


    SCIM provisioning

    The SCIM provisioning protocol is supported by most modern identity providers including Azure, Okta, Google Workspace and many others. Google calls it "User Provisioning". Okta and Azure call it "Automated Provisioning". Keeper's SCIM implementation can provision a user account, de-provision an account, create a team, assign a user to a team, remove a user from a team.

    See: Entra ID / Azure AD, Google Workspace, Okta, JumpCloud and generic SCIM provisioning docs


    SCIM provisioning and SSO (SAML 2.0) authentication

    SCIM and SSO can be combined to provide real-time authentication, provisioning of accounts AND the ability to create teams, assign users into teams, de-provision users, etc. Entra ID / Azure AD, Okta, Google Workspace, JumpCloud, Ping and many other modern identity providers support a combination of these two methods.

    See: SSO Connect Cloud


    Universities and Large Organizations with legacy or fragmented directories

    Universities and large organizations who have fragmented user directories or do not wish to integrate Keeper with SSO or SAML protocols can use Keeper's Email Provisioning method for a mass deployment.

    Email provisioning essentially reserves a domain name (e.g. iastate.edu) and will automatically provision a user based on their domain (with email verification) into a default role. No work needs to be done by the Keeper Admin once the initial configuration is set up.

    See: Email Auto-provisioning


    Integration with Portals or Custom Apps

    If you have a special integration requirement such as automatically provisioning and creating user vaults through a developer API or other custom integration needs, Keeper provides several SDK options. Visit the Commander SDK platform for Python, .Net, PowerShell, Java and other toolkits available for customers.

    See: Commander SDK



    Custom Invite and Logo

    Configure a custom invite email and logo before inviting users

    Custom Email Invitations

    Prior to adding users to Keeper we recommend uploading your company logo to the vault and customizing the email invitation that will invite your employees to create their Keeper Vault. These configurations are highly recommended as they have shown to help with quick user adoption of Keeper's software.

    For security reasons, custom email invitations are only allowed for reserved domains. If you are sending invitations to users on domains that are not currently reserved to your tenant, please follow this guide.

    To customize the email language, subject and logo, select Configurations then Edit next to "Email Invitations".

    The email invitation template supports customization of the following four attributes:

    • Subject

    • Message Heading

    • Message Body

    • Download Button Text

    Markdown Syntax

    The body of the message supports plain text as well as basic markdown syntax. Example of markdown syntax:

        Embedded Image from URL:
        ![Image](https://keeper-email-images.s3.amazonaws.com/common/acme.jpg)

        **This is bold text**

        *This is Italic*

        # This is Heading 1
        ## This is Heading 2

        Link Text:
        Visit [Keeper](https://keepersecurity.com)!

    For more information on the markdown language supported by Keeper, see the Custom Email - Markdown Language page.

    Note Regarding Domain Reservation

    For security reasons, a custom email invitation can only be sent to a user if the domain has been reserved to the tenant. If the email domain of the recipient is not reserved, the user will receive Keeper's default email invite.

    To ensure that your domains are reserved, please see the Domain Reservation documentation page.

    Custom Invites on a Per-Node Basis

    When creating a custom email invitation, the template is applied to users at the root node and all child nodes.

    If you would like to have a different email invitation on a sub-node, you can use Keeper Commander's enterprise-node command to set a custom template for each node, for example:

        enterprise-node --invite-email="C:\path\to\emailTokyo.txt" Tokyo

    Documentation for this feature is linked here.

    Additional info for creating and inviting users with Commander is documented here.

    Custom Vault and One-Time Share Logo

    Upload your unique company logo to the console so it will appear in the Keeper Vault header when users are logged into their Keeper Web Vault and Desktop App. It will also appear in your users' One-Time Share invites. To upload your logo, select Configurations and Edit next to "Company Logo".

    Custom Vault Logo on a Per-Node Basis

    If you would like to have a different vault logo and one-time share logo on a sub-node, you can use Keeper Commander's enterprise-node command to set a custom logo for each node, for example:

        enterprise-node --logo-file "/path/to/logo.jpg" Tokyo

    Documentation for this feature is linked here.

    For MSPs, a Managed Company can be associated with a node. Using this method, a custom logo file can be added for each node.

    Team and User Approvals

    Manual and Automated approval of SCIM or Bridge-provisioned Users & Teams

    The "Approval Queue" is where SCIM- and Bridge-provisioned Teams and Users live until an Admin or other team member performs the necessary approval. Approvals are required in the Keeper environment in order to share the necessary encryption keys (by encrypting the private keys with the public key of the Team or User).

    Additionally, the Approval Queue is used for Keeper SSO Connect Cloud device approvals when the end-user clicks on "Request Admin Approval".

    Keeper provides several methods of approvals, manual and automated.

    Team and User Approval Process

    New users added by identity providers using the SCIM protocol are created in the “invited” state and will receive an invite to join Keeper.

    New teams created by the SCIM sync are created in the “pending” state and require final approval by a Keeper Administrator, another team member or automated methods.

    Actions must be taken by either the Admin or using methods outlined below, because encryption keys must be generated and/or shared.

    Approval Method 1: Admin Console Login

    Team creation and team member assignments are completed automatically when any Administrator logs into the Keeper Admin Console. Approval is performed by encrypting the Team Key with the user's public key.

    Approval Method 2: Vault Login

    Team member approvals are completed automatically when any member of the team (including the Admin) logs into the Keeper Web Vault or Desktop App. Approval is performed by encrypting the Team Key with the user's public key.

    Approval Method 3: Keeper Automator

    Keeper Automator is a container application that can be deployed as a standalone service to any cloud or on-prem environment.

    Keeper Automator version 3.3+ supports automated team creation, team-user assignments and user approvals.

    Keeper Automator performs instant device approvals, team approvals and team-user assignments without the need for any manual actions by users.

    See the setup instructions here: https://docs.keeper.io/sso-connect-cloud/device-approvals/automator

    Approval Method 4: Keeper Commander

    Approvals can be automated or run manually via the Keeper command-line interface or SDK platform, Keeper Commander.

    Download Keeper Commander here: https://github.com/Keeper-Security/commander

    team-approve approves queued teams and users that have been provisioned by SCIM or Active Directory Bridge:

        My Vault> team-approve

    Keeper Commander Parameters

    • --team approve teams only

    • --user approve team users only

    • --restrict-edit {on,off} disable record edits

    • --restrict-share {on,off} disable record re-shares

    • --restrict-view {on,off} disable view/copy passwords

    device-approve approves SSO Cloud user devices:

        My Vault> device-approve

    • --approve approve all devices

    • --trusted-ip approve devices that come from recognized IPs

    • --reload retrieve the latest devices pending approval

    • --deny deny a device

    See the setup instructions here: https://docs.keeper.io/secrets-manager/commander-cli/command-reference/enterprise-management-commands#device-approve-command

    Active Directory Provisioning

    Keeper AD Bridge supports automatic provisioning of nodes, roles, teams and users across any size Active Directory environment.

    The Keeper Bridge is an enterprise-class service application that supports the ability to automatically sync Nodes, Users, Roles and Teams to your Keeper Enterprise account from an Active Directory service. To activate and install the Keeper Bridge, follow the steps below:

    1. Login to the Admin Console.

    2. Create a Node (under the root node) to sync with your Active Directory.

    3. Visit the Provisioning tab and select Add Method and then Active Directory Sync.

    4. Download the Keeper Bridge and proceed with setup.

    For detailed Keeper Bridge setup and installation instructions see our Keeper Bridge Guide.

    Keeper Bridge supports single and multi-domain, multiple forest domains and other complex environments. The Bridge also supports high-availability mode and a variety of custom configuration options based on your AD/LDAP environment. The Keeper AD Bridge Guide documents the full setup process.

    • The Keeper Bridge does not authenticate users into their vault with their Active Directory password. For seamless user authentication, consider our Keeper SSO Connect add-on as described in the next section, which authenticates against Active Directory via AD FS.

    • Automated Team provisioning requires the Keeper Administrator to authenticate on the Keeper Bridge. The Bridge will poll for users who have created their Keeper account after invitation, then the Bridge will encrypt the Team Key with the user's public key, and distribute the Team Key to the user. Once any member of the team logs into the Vault, all members of that team are approved.

    • Once the Active Directory Bridge is syncing, we recommend not making manual user or team changes directly on the Admin Console. Delegate all user and team provisioning to the bridge through Active Directory. Role enforcement policy changes should still be made on the Admin Console.

    Custom Email - Markdown Language

    Overview

    When formatting the body message of your custom email templates, Keeper supports plain text as well as basic markdown syntax. This document will go over the markdown syntax supported by Keeper.

    Heading

    To create a heading, add the hash symbol (#) in front of a word or phrase. The number of hash symbols you use corresponds to the heading level.

    Markdown Syntax: # heading 1
    Font Size: Heading of font size 32

    Markdown Syntax: ## heading 2
    Font Size: Heading of font size 24

    Markdown Syntax: ### heading 3
    Font Size: Heading of font size 19

    Markdown Syntax: #### heading 4
    Font Size: Heading of font size 16

    Markdown Syntax: ##### heading 5
    Font Size: Heading of font size 13

    Markdown Syntax: ###### heading 6
    Font Size: Heading of font size 11

    Paragraphs

    Sentences are plain text and multiple sentences can be grouped together to form a paragraph.

    Do not indent paragraphs with spaces or tabs as it can cause formatting issues.

    Markdown Syntax: This is a one line paragraph
    Rendered Output: This is a one line paragraph

    Markdown Syntax: This is a multiline paragraph. I like formatting
    Rendered Output: This is a multiline paragraph. I like formatting

    Line Breaks

    To create a line break or new line, press return or enter at the end of the line. Pressing return or enter multiple times will create multiple line breaks.

    Markdown Syntax: This is an example. Of a linebreak.
    Rendered Output: This is an example. Of a linebreak.

    Markdown Syntax: This is an example. Of Multiple linebreaks.
    Rendered Output: This is an example. Of Multiple linebreaks.

    Bold & Italic

    To bold text, add 2 asterisks (**). To italicize text, add 1 asterisk (*).

    Markdown Syntax: This is **bold**
    Rendered Output: This is bold (with "bold" in bold type)

    Markdown Syntax: This is *italics*
    Rendered Output: This is italics (with "italics" in italic type)

    Markdown Syntax: This is **bold** and *italics*
    Rendered Output: This is bold and italics (with "bold" in bold type and "italics" in italic type)

    Links

    To create a link, enclose the link text in brackets (i.e. [Keeper]) and place the URL in parentheses (i.e. (https://keepersecurity.com)). You can also format (bold or italics) the link as needed.

    Markdown Syntax: Visit [Keeper](https://keepersecurity.com)!
    Rendered Output: Visit Keeper! (with "Keeper" linked to https://keepersecurity.com)

    Embed Images from URL

    To embed images from URL, add an exclamation mark (!), followed by the word Image in brackets, and the path or URL to the image asset in parentheses:

        ![Image](https://keeper-email-images.s3.amazonaws.com/common/acme.jpg)

    Email Auto-Provisioning

    Basic provisioning of users based on email address

    Overview

    To facilitate the onboarding of Keeper to users based on their email address domain and a Master Password, use the Email Provisioning method. This can be used for organizations that are deploying Keeper to a large number of users (such as a university) where the admin is not explicitly inviting the user to sign up.

    For example, anyone with the email address containing the domain acme.edu, can be automatically provisioned to a particular node and role within the Acme EDU Keeper Enterprise account upon creating their vault.

    Email provisioning is only recommended for users setting up a Master Password authentication method. SSO-enabled nodes do not require an email provisioning method.

    Configuration

    (1) Login to the Keeper Admin Console

    (2) If you don't already have a Node created for this provisioning method, please create one by clicking "Add Node". Provisioning is not permitted in the root node.

    (3) In the new node, click on Provisioning > Add Method

    (4) Select Email Auto-Provisioning then Next

    (5) Choose a method of domain name ownership. You can use DNS lookup or HTML file upload.

    (6) Once verification is complete, the status will show the email domain.

    Inviting Users

    When using the email provisioning method, the easiest way to invite users to sign up is to provide them a link to the vault:

    US Data Center: https://keepersecurity.com/vault

    EU Data Center: https://keepersecurity.eu/vault

    AU Data Center: https://keepersecurity.com.au/vault

    CA Data Center: https://keepersecurity.ca/vault

    JP Data Center: https://keepersecurity.jp/vault

    Users simply click "Set up now" and use their company email to create their vault.

    The user types in their email and clicks "Next".

    The user will set a Master Password.

    After the user confirms their email with a verification code, the user will be provisioned to the specified Node and Default Role in the Admin Console.

    CLI Provisioning with Commander SDK

    Keeper Commander is an open-source Python SDK which can perform many vault and administrative functions within the Keeper system.

    Keeper supports API-based provisioning through the use of our Python-based Keeper Commander SDK. The Commander SDK can assist in the following use cases:

    • Command line access to your Keeper vault

    • Running reports

    • Importing passwords, folders and shared folder

    • Provisioning users and teams

    • Pushing records to users and teams

    • Sharing records and folders with users and teams

    • Performing targeted password rotation

    • Managing Secrets Manager and Keeper PAM

    Since Keeper Commander is an open source SDK and written in Python, it can be customized to meet your needs and integrated into your back-end systems.

    Commander resources: https://github.com/Keeper-Security/commander

    Command-line Usage

    Commander's command-line interface and interactive shell are a powerful and convenient way to access and control your Keeper vault and perform many administrative operations. To see all available commands, just type:

    Interactive Shell

    To run a series of commands and stay logged in, you will enjoy using Commander's interactive shell.

    Type h to display all commands and help information.

    Keeper Command Reference

    Commander has hundreds of features. Specifically with regards to User and Team provisioning, the following commands are relevant:

    • create-user

    • enterprise-info

    • enterprise-node

    • enterprise-user

    • enterprise-role

    • enterprise-team

    • enterprise-push

    • team-approve

    • transfer-user

    • scim

    • automator

    There are two methods for creating user accounts with Commander:

    • Invite users to an enterprise with the enterprise-user --add command

    • Create new user accounts and vaults with the create-user command

    For the full list of commands offered by Commander, visit: https://github.com/Keeper-Security/commander

    CloudGate Provisioning

    Keeper supports SAML 2.0 Authentication and SCIM provisioning with CloudGate UNO

    Overview

    This guide covers CloudGate Automated Provisioning with SCIM which will update and deactivate Keeper user accounts as changes are made in CloudGate.

    You can configure SCIM without SSO or SSO+SCIM

    Entra ID / Azure AD Provisioning

    Keeper supports SAML 2.0 Authentication and SCIM provisioning with the Azure AD / Entra ID platform.

    Overview

    Keeper supports the ability to provision users and teams from Microsoft Azure AD or other identity platforms using the SCIM protocol. For customers that utilize Azure AD, users can be provisioned to the platform and automatically added to Teams to receive shared folders.

    Before setting this up, we recommend that you consider activating Keeper's powerful SSO Connect integration with Azure AD that provides real-time user authentication and Just-In-Time provisioning.

    View the full SSO Connect Cloud setup guide: https://docs.keeper.io/sso-connect-cloud/

    If you have already setup Keeper SSO Connect Cloud or you don't have the need for SSO, proceed to Step 1 in the Configuration Steps below.



    Requirements

    To setup Keeper user provisioning with CloudGate, you need to have access to the Keeper Admin Console and a CloudGate Admin account.

    User Provisioning SSO+SCIM

    IMPORTANT: If you want your users to authenticate via SSO / SAML 2.0 with CloudGate, you must first configure and install Keeper SSO Connect with CloudGate. View the full SSO Connect Cloud setup guide: https://docs.keeper.io/sso-connect-cloud/ Once complete, proceed to Step 7 in the guide below.

    If you just want to provision users via SCIM provisioning without SSO, proceed to the guide below.

    User Provisioning (SCIM)

    Configuration Steps

    Step 1: Add SCIM Provisioning Method for CloudGate

    Navigate to your Keeper Admin console and add the SCIM Provisioning Method to your desired "Node".


    Step 2: Select SCIM Provisioning Method

    Select "SCIM (System for Cross-Domain Identity Management)" and select "Next".


    Step 3: Generate SCIM Token

    At the next screen select "Generate" to generate your Token to connect your SCIM provisioning method.


    Step 4: Save SCIM Provisioning Method

    At the next screen, you will be presented with your URL and Token. You will need this information in step 8 to configure the SCIM section of the Keeper SSO Application within CloudGate. Select "Save".

    You will now see your SCIM Provisioning Method in a Pending State.

    Step 5: Add Keeper Application to CloudGate

    Navigate to your CloudGate Admin Console -> Service Provider and select the Add service provider to add Keeper Password Manager to the list of your SSO applications.

    Add Keeper App to CloudGate SSO

    Step 6: Configure Keeper Application

    On the "ADD SERVICE PROVIDER" page, search for Keeper Security in the search bar. Select Add on the Keeper SSO Cloud Connect icon.

    Configure Keeper App

    Step 7: Configure SCIM within Keeper Application

Click "edit" on the Keeper SSO Cloud Connect entry you created on the SERVICE PROVIDERS page and go to the provisioning settings tab.

    Configure SCIM

    Step 8: Activate SCIM

Supply the URL and Token that the Keeper Admin Console generated in Step 4. Then click "Test" to check that the SCIM connection works. If the test fails, confirm that the provisioning method was saved in the Keeper Admin Console (Step 4): a test run against an unsaved token fails.

    Step 9: Save Keeper Application

    Select "save".

    Save SCIM

User provisioning with CloudGate is complete. From now on, new users who are configured to use Keeper in CloudGate and fall within the provisioning scope receive invitations to the Keeper Vault, and their account lifecycle is controlled by CloudGate.

Azure AD Provisioning

Keeper supports SAML 2.0 Authentication and SCIM provisioning with Azure AD (Entra ID).

IMPORTANT: If you want your users to authenticate via SSO / SAML 2.0 with Azure AD, first configure Keeper SSO Connect Cloud. View the full SSO Connect Cloud setup guide: https://docs.keeper.io/sso-connect-cloud/

If you have already set up Keeper SSO Connect Cloud, or you do not need SSO, proceed to Step 1 in the Configuration Steps below.

    Features

    Keeper/Azure provisioning integration supports the following features:

    • Creates users in Keeper

    • Updates user attributes (display name in Keeper)

    • Deletes users (locks users in Keeper)

    • Creates teams in Keeper (from Azure groups)

• Adds or removes users in groups (mapped to teams in Keeper)

When provisioning users, Azure AD is mapped to a single Keeper node. Users and groups pushed from Azure are created in Keeper in a pending state, and new users receive an email invitation prompting them to create a Keeper account.

    Requirements

To set up Keeper user provisioning with Azure AD, you need access to the Keeper Admin Console and an Azure AD admin account.

    Configuration Steps

    Watch the video below to learn more about Azure AD provisioning with SCIM.

    Step 1. Navigate to your Azure Admin account and select Azure Active Directory > Enterprise Applications and then New Application. Search for Keeper and select Keeper Password Manager & Digital Vault.

    Step 2. After adding the application, click on the Provisioning section and select Automatic from the listed options.

    In a separate window, you will retrieve the Tenant URL and Secret Token from the Keeper Admin Console.

    Automatic Provisioning

    Step 3. From the Keeper Admin Console navigate to a node which should be synchronized with your Azure AD. Click Add Method.

    Note: SCIM integration can only be applied to specific nodes (e.g. organizational units) within your Admin Console. Be sure to host the provisioner within a "subnode" as opposed to the "root" node.

    Step 4. Choose the SCIM option and click Next then select Create Provisioning Token.

Step 5. Copy the Tenant URL and Secret Token values and paste them into the Tenant URL and Secret Token fields of the Azure AD provisioning screen from Step 2. Select Save in the Keeper Admin Console to finish the Keeper side of the setup (the Azure connection test fails if the token has not been saved in Keeper first).

Step 6. Return to the Azure AD screen and click Test Connection. If successful, save the credentials, turn Provisioning Status "On" and click Save.

    Step 7. Go to the Users and Groups section of the Keeper Azure AD app and assign users or groups from your Azure AD to the app.

    Users and groups

    Step 8. Start Provisioning

    Ensure that provisioning is started by clicking on the "Start" button.

    Wait for approximately five minutes (in some cases, Microsoft can take up to 40 minutes for the first time run), then click the Sync button in the Admin Console. Verify that users appear under the Users tab.

    SCIM-provisioned teams are not immediately created but rather put into a “Pending Queue” where they are finalized by one of several approval methods.

See the Team and User Approval Process section below.

    Instant Provisioning

    In Azure, you can also instantly provision a user by clicking on Provisioning > Provision on demand.

    Provision on demand

    Note: If a new domain needs to be used for SCIM provisioning, a support ticket must be submitted to Keeper to properly reserve the domain with your account.

    SCIM + Team-to-Role Mapping

    Typically, identity providers that use SCIM such as Azure, support assigning users to teams, but custom role assignment is done only on a user basis. SCIM-provisioned teams and users are applied to the default role, without the ability for a team provisioned from SCIM to be mapped into an alternative, pre-defined role.

    Keeper's Team-to-role mapping allows organizations to use their existing identity provider to assign users directly into teams that can be assigned custom roles.

To use team-to-role mapping, administrators assign a role to an entire Team rather than to individual users, and use role enforcements to establish different requirements and restrictions for each team.

    Team to Role Mapping

    Team Provisioning and Team Assignments

    When setting up User and Team SCIM provisioning with Azure, make sure of the following:

    • Ensure that you have assigned the Azure groups in the SAML application

    • When you invite a user from Azure or assign a user into a group that has been provisioned, Azure will send the request to Keeper to either invite a user to join, or to add a user to a team, or to create a team.

    • If the user does not exist yet in Keeper, they will receive an invite to sign up (or they can use just-in-time provisioning)

• After the user has created their Keeper account, the user is not assigned into a Keeper team until one of the following happens:
  (a) an Admin logs into the Admin Console and clicks "Full Sync" on the Admin screen;
  (b) a user from the relevant team logs into the Web Vault or Desktop App; or
  (c) an Admin runs team-approve from Keeper Commander.
  Sharing an encryption key (e.g. the Team Key) can only be performed by a party that is logged in and has access to the necessary private keys.

• To streamline this process, the Keeper Automator service (version 3.2 and later) performs instant approval of Teams and team assignments. See the Keeper Automator documentation for more information.

    SAML 2.0 Authentication with Azure AD

This document describes the provisioning process with Azure AD. To enable user authentication with Azure AD using the SAML 2.0 protocol, follow the setup instructions in the Keeper SSO Connect Cloud Guide: https://docs.keeper.io/sso-connect-cloud/

    JumpCloud Provisioning

    Keeper supports SAML 2.0 Authentication and SCIM provisioning with JumpCloud

    Overview

    This guide covers JumpCloud Automated Provisioning with SCIM which will update and deactivate Keeper user accounts as changes are made in JumpCloud.

    You can configure SCIM without SSO or SSO+SCIM

    Requirements

To set up Keeper user provisioning with JumpCloud®, you need access to the Keeper Admin Console and a JumpCloud® Admin account.

    User Provisioning SSO+SCIM

IMPORTANT: If you want your users to authenticate via SSO / SAML 2.0 with JumpCloud, you must first configure and install Keeper SSO Connect with JumpCloud. View the full SSO Connect setup guides: SSO Connect Cloud: https://docs.keeper.io/sso-connect-cloud/ and SSO Connect On-Prem: https://docs.keeper.io/sso-connect-guide/ . Once complete, proceed to Step 8 in the guide below.

    If you just want to provision users via SCIM provisioning without SSO, proceed to the guide below.

    User Provisioning (SCIM)

    Configuration Steps

    Step 1: Add SCIM Provisioning Method for JumpCloud®

    Navigate to your Keeper Admin console and add the SCIM Provisioning Method to your desired "Node".

    Step 2: Select SCIM Provisioning Method

    Select "SCIM (System for Cross-Domain Identity Management)" and select "Next".

    Step 3: Generate SCIM Token

    At the next screen select "Generate" to generate your Token to connect your SCIM provisioning method.

    Step 4: Save SCIM Provisioning Method

At the next screen, you will be presented with your URL and Token. You will need them in Step 9 to configure the SCIM section of the Keeper SSO Application within JumpCloud®. Select "Save" before leaving this screen: the JumpCloud connection test fails if the provisioning method has not been saved in Keeper.

    You will now see your SCIM Provisioning Method in a Pending State.

    Step 5: Add Keeper Application to JumpCloud®

    Navigate to your JumpCloud® Admin Console -> SSO and select the Plus Sign to add Keeper Password Manager to the list of your SSO applications.

    Step 6: Configure Keeper Application

    On the "Configure New SSO Application" page, search for Keeper Security in the search bar. Select Configure on the right hand side of Keeper Application.

    Step 7: Activate Keeper Application

    Under "General Info", provide your Keeper application a Display Label such as "Keeper EPM" in the provided field and then select "activate".

    You will now see your Keeper application in an active status.

    Step 8: Configure SCIM within Keeper Application

    Click on the active Keeper application and within the Keeper App Configuration, scroll down to the bottom and select "Configure" under the "Identity Management Section".

    Step 9: Activate SCIM

    This is where you will supply the previously generated URL and Token within the SCIM Provisioning Method in your Keeper Admin Console.

    To enable Team Provisioning, click on "Enable management of User Groups..."

    Step 10: Save Keeper Application

    Select "save".

User and Team provisioning with JumpCloud is complete. From now on, new users who are configured to use Keeper in JumpCloud and fall within the provisioning scope receive invitations to the Keeper Vault, and their account lifecycle is controlled by JumpCloud.

    SCIM-provisioned teams are not immediately created but rather put into a “Pending Queue” where they are finalized by one of several approval methods.

    OneLogin Provisioning

    Keeper supports SAML 2.0 Authentication and SCIM provisioning with the OneLogin platform.

    Overview

    Keeper Enterprise supports integration with OneLogin with automated user provisioning using the SCIM (System for Cross-Domain Identity Management) protocol. SCIM is an open standard that enables automated user provisioning between identity providers (like OneLogin) and service providers (like Keeper).

Keeper Commander command-line usage and interactive shell (Commander is the tool used later on this page for the scim and team-approve commands):

```console
$ keeper

usage: keeper [--server SERVER] [--user USER] [--password PASSWORD]
              [--version] [--config CONFIG] [--debug]
              [command] [options [options ...]]

positional arguments:
  command               Command
  options               Options

optional arguments:
  --server SERVER, -ks SERVER
                        Keeper Host address.
  --user USER, -ku USER
                        Email address for the account.
  --password PASSWORD, -kp PASSWORD
                        Master password for the account.
  --version             Display version
  --config CONFIG       Config file to use
  --debug               Turn on debug mode
$ keeper shell

  _  __
 | |/ /___ ___ _ __  ___ _ _
 | ' </ -_) -_) '_ \/ -_) '_|
 |_|\_\___\___| .__/\___|_|
              |_|

 password manager & digital vault

Logging in...
Syncing...
Decrypted [400] Records

My Vault>
```
    IMPORTANT: If you want your users to authenticate via SAML 2.0 with OneLogin, you must first configure and install Keeper SSO Connect. Please follow one of the guides: https://docs.keeper.io/sso-connect-cloud/ - Cloud or https://docs.keeper.io/sso-connect-guide/ - On-Prem

    If you don't want to authenticate users using SAML 2.0 and you simply just want to provision users via SCIM provisioning, proceed to the SCIM Only Configuration section below.

    Companies utilizing OneLogin for their identity services can easily deploy Keeper’s EPM solution to their users without the need to manually provision. When auto-provisioning for Keeper Enterprise is enabled in OneLogin, any users created, modified or deleted in OneLogin are automatically added, edited or deleted in Keeper.

    In addition to provisioning and deprovisioning users, Keeper Enterprise provides zero-knowledge, SAML 2.0 compliant authentication with OneLogin for seamless and frictionless access.

Integration of Keeper Enterprise into OneLogin enables organizations of any size to secure their passwords and confidential information within an encrypted vault. By including Keeper Enterprise in their SSO implementation, organizations fill critical security and functionality gaps, including:

    • Protects and generates strong passwords for any non-SAML application or website

    • Implements zero-knowledge security architecture with full end-to-end encryption

    • Stores SSH keys, digital certificates and any other confidential information

    • Enforces password compliance and policy-based access controls across the entire organization – all employees on all their devices for every website, application and system

    • Manages shared passwords for financial, business, social media or any other critical service

With Keeper SSO Connect On-Prem, user encryption keys are generated dynamically by Keeper SSO Connect, encrypted and stored locally on the server where it is installed, giving the customer full control over the keys used to encrypt and decrypt their vaults.

    SSO + SCIM Configuration - Application Connector

    OneLogin has a built-in Keeper application in their catalog that supports both SSO + SCIM integration.

    For OneLogin integration instructions, visit the Keeper SSO Connect Cloud guide: https://docs.keeper.io/sso-connect-cloud/identity-provider-setup/onelogin-keeper This will walk through setting up the integration of SSO and getting SCIM connected.

    After the API Connect status is Enabled, navigate to the Provisioning section and check the box for "Enable provisioning".

    Add Users to the application.

Users can be added to the Keeper Password Manager connector in OneLogin in two ways: the application can be added to the user's account directly, or the user can be added to a Role and the Role added to the application via its Access section. After the user has been added, OneLogin does not send the SCIM request to Keeper until a OneLogin Admin approves the change: navigate to the Users section of the Keeper Password Manager application connector and click the "pending" status to approve the user. The approval link can also be reached from the Applications section of the user's OneLogin profile by clicking the "pending" status. Click Approve to allow the user to be provisioned from OneLogin to Keeper.

    Observe the user status changes from "Pending" to "Provisioned".

    Enable OneLogin Roles to Keeper Teams mapping

    On the Parameters section, click on Groups in the Optional Parameters section. On the Edit Fields Group pop-out select 'Include in User Provisioning'.

    Click save and observe the Groups status changes to Enabled. Next, navigate to the Rules section of the application connector and select the "Add Rule" button.

Give the rule a name such as "Create Team from Role". Under Actions, select "Set Groups in Keeper Password Manager" from the pull-down, then select (or search for) 'role' in the next pull-down and enter .* (dot star) as the matching text.

.* is a regular expression that matches any character zero or more times, so every Role becomes a Keeper Team. To restrict the mapping to specific roles, use a more specific regular expression. Contact OneLogin support if the rule does not match the roles you expect.

    SCIM Only Configuration

    For SCIM-only configuration, users are directed to the following OneLogin instructions, https://developers.onelogin.com/scim.

On the Configuration page of your app, use the OneLogin SCIM JSON template for Keeper (it sets userName from the user's email and displayName from the user's display name; the Keeper username must be a valid email address):

    Obtain the SCIM Base URL and SCIM Bearer Token from the Admin Console

Add a Content-Type: application/scim+json line to the Custom Headers section.

    After you have enabled provisioning, your configuration would look similar to the screen capture below:


    SCIM + Team-to-Role Mapping

Typically, identity providers that use SCIM, such as OneLogin, support assigning users to teams, but custom role assignment is done only per user: SCIM-provisioned teams and users land in the default role, and a team provisioned from SCIM cannot itself be mapped into an alternative, pre-defined role. Keeper's Team-to-Role mapping closes this gap by letting the identity provider place users into teams that carry custom roles.

To use team-to-role mapping, administrators assign a role to an entire Team rather than to individual users, and use role enforcements to establish different requirements and restrictions for each team.

    Unique Group Names

OneLogin's SCIM implementation appears to have a timing issue that can send several simultaneous requests to create the same Group. By default Keeper accepts each creation even when the Group Name is identical, so duplicate teams can appear.

If you encounter duplicate group names, contact Keeper Support: a flag can be set on your SCIM connection that enforces unique group names.

    SCIM-provisioned teams are not immediately created but rather put into a “Pending Queue” where they are finalized by one of several approval methods.

See the Team and User Approval Process section below.


    API Provisioning with SCIM

    Keeper supports direct SCIM API provisioning for any 3rd party identity provider

    What is SCIM?

System for Cross-domain Identity Management (SCIM) is a standard for automating the exchange of user identity information between identity domains, or IT systems (Wikipedia).

    Identity providers such as Okta, Azure AD / Entra ID, Google G Suite, JumpCloud and other popular IdP platforms support the use of SCIM for provisioning Teams and Users to Keeper Enterprise. The terminology differs between platforms. For example, Okta and Azure call it "Automated Provisioning".

    Other identity management products such as SailPoint also support the use of SCIM 2.0 for provisioning users automatically.

The OneLogin SCIM JSON template and Custom Headers line referred to in the OneLogin "SCIM Only Configuration" section above (the userName field must carry a valid email address):

```json
{
    "schemas": [
        "urn:scim:schemas:core:1.0"
    ],
    "userName": "{$user.email}",
    "displayName": "{$user.display_name}"
}
```

Custom header:

```
Content-Type: application/scim+json
```

    Keeper supports SCIM 2.0, a REST-based API using JSON message structure. The Keeper SCIM endpoint supports Users and Groups resources, and the following message types:

    User/Team Provisioning

    • Retrieve user/team information

    • Add a user/team

    • Update a user/team profile

    • Delete a user/team

The Keeper SCIM REST endpoint is available at https://keepersecurity.com/api/rest/scim/v2/<node_id>, where node_id identifies the Keeper Enterprise node used for the SCIM sync. Use the exact URL shown in the Admin Console when you create the provisioning method for your tenant.

An enterprise can have multiple nodes synchronizing with different identity providers (Azure AD, Okta directory, etc.) from the same vendor or different vendors, but only one identity provider per node. Parent-child inheritance is not supported: if SCIM is set up on a node, the sub-nodes of that node are not controlled by that integration, although each sub-node can have its own provider.

Authentication uses an HTTP header carrying the bearer token generated by Keeper when the SCIM provisioning method is created on the node. Treat that token as a credential: it allows the holder to create, lock and regroup every user in the node.

    Supported API Methods

    Keeper SCIM endpoint supports Users and Groups resources, according to the following table:

Resource/Method, URL sample and behaviour:

Users/GET
  https://keepersecurity.com/api/rest/scim/v2/123/Users
  Returns all users for node 123.

Users/GET
  https://keepersecurity.com/api/rest/scim/v2/123/Users/456
  Returns user 456 of node 123, or 404 if not found.

Users/POST
  https://keepersecurity.com/api/rest/scim/v2/123/Users
  Parses the SCIM User resource in the request body and adds a user to node 123.

Users/PATCH
  https://keepersecurity.com/api/rest/scim/v2/123/Users/456
  Parses the SCIM PATCH Operations in the request body and adds or removes user 456 to/from the teams referenced as groups in add/remove operations. Can also process the "active" property, locking or unlocking the user in Keeper. The referenced teams must belong to the same node. Returns 404 if the user is not found.

Users/DELETE
  https://keepersecurity.com/api/rest/scim/v2/123/Users/456
  Locks user 456 in node 123. Returns 404 if the user is not found.

Note: Keeper locks the account instead of deleting it, to prevent data loss. An Admin can permanently delete a user in the Admin Console or through the Commander API.

    Excluded Attributes

    Per specification: https://tools.ietf.org/html/rfc7644#section-3.4.2.5

Keeper supports excludedAttributes for the members attribute. To improve performance when working with groups that contain a large number of members, add the query parameter ?excludedAttributes=members to GET requests for multiple groups or for a single group, and to PATCH requests for a group; the response then omits the member list.

    Pagination

    Per specification: https://tools.ietf.org/html/rfc7644#section-3.4.2.4

    By default, Keeper SCIM API will only return the first 1000 entries for queries that yield large result sets. To query the entire data set, use SCIM pagination parameters according to the specification. Pagination is supported on Users and Groups "GET" requests.

Pagination uses the startIndex and count request parameters. startIndex is 1-based, and the ListResponse reports totalResults, startIndex and itemsPerPage so a client can tell when it has read the full set.
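A worked client for the endpoint, as an added example and not Keeper's own code: it builds the User, Group and PATCH requests from the table above, pages through a listing with startIndex/count, uses excludedAttributes=members, and runs them against an in-memory stand-in that enforces the rules this page documents (token in the header, userName must be a valid email in a domain reserved to the tenant, globally unique usernames, DELETE locks instead of deleting, PATCH of active and group membership, members must belong to the same node). The base URL, node id 123, the token and the example.com domain are made-up assumptions, and the Bearer scheme for the header is also an assumption, since the page only says header authentication.

```python
"""Added example, not Keeper's code: a minimal SCIM 2.0 client for one Keeper node plus an
in-memory stand-in for the node. Base URL, node id, token and reserved domain are made up."""
import re
from urllib.parse import parse_qs, urlencode, urlsplit

CORE = "urn:ietf:params:scim:schemas:core:2.0:"
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
LIST_RSP = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+\.[^@\s]+)$")


class ScimClient:
    """transport(method, url, headers, body) -> (status, json_or_None); a real one sends HTTPS."""

    def __init__(self, base_url, node_id, token, transport):
        self.base = f"{base_url.rstrip('/')}/{node_id}"  # .../api/rest/scim/v2/<node_id>
        self.headers = {"Authorization": f"Bearer {token}",  # Admin Console token; Bearer scheme assumed
                        "Content-Type": "application/scim+json"}
        self.send = transport

    def request(self, method, resource, rid=None, body=None, **params):
        url = f"{self.base}/{resource}" + (f"/{rid}" if rid else "") + (f"?{urlencode(params)}" if params else "")
        return self.send(method, url, self.headers, body)

    def create(self, resource, **attrs):  # "Users" -> core User schema, "Groups" -> core Group schema
        return self.request("POST", resource, body={"schemas": [CORE + resource[:-1]], **attrs})

    def patch(self, resource, rid, ops):
        return self.request("PATCH", resource, rid, {"schemas": [PATCH_OP], "Operations": ops})

    def list_all(self, resource, count=2, **params):
        """Walk a large result set with startIndex/count (RFC 7644 3.4.2.4; startIndex is 1-based)."""
        start, out = 1, []
        while True:
            page = self.request("GET", resource, startIndex=start, count=count, **params)[1]
            out.extend(page["Resources"])
            start += len(page["Resources"])
            if not page["Resources"] or start > page["totalResults"]:
                return out


class FakeKeeperNode:
    """Constructed stand-in for one Keeper node; nothing here talks to keepersecurity.com."""

    def __init__(self, token, reserved_domain):
        self.token, self.domain, self.users, self.groups, self.seq = token, reserved_domain, {}, {}, 0

    def __call__(self, method, url, headers, body):
        if headers.get("Authorization") != f"Bearer {self.token}":
            return 401, None  # header authentication with the token generated for this node
        qs = parse_qs(urlsplit(url).query)
        resource, *rid = urlsplit(url).path.split("/v2/", 1)[1].split("/")[1:]
        store = self.users if resource == "Users" else self.groups
        if not rid and method == "GET":  # paged listing; excludedAttributes=members trims groups
            start, count = int(qs.get("startIndex", ["1"])[0]), int(qs.get("count", ["1000"])[0])
            items = [{k: v for k, v in r.items() if k not in qs.get("excludedAttributes", [""])[0].split(",")}
                     for r in list(store.values())[start - 1:start - 1 + count]]
            return 200, {"schemas": [LIST_RSP], "totalResults": len(store), "startIndex": start, "Resources": items}
        if not rid and method == "POST":
            if resource == "Users":
                m = EMAIL_RE.match(body.get("userName", ""))
                if not m or m.group(1).lower() != self.domain:
                    return 400, None  # userName must be an e-mail in a domain reserved to the tenant
                if any(u["userName"] == body["userName"] for u in self.users.values()):
                    return 409, None  # the e-mail is the Keeper username and must be unique
            self.seq += 1
            rec = dict(body, id=str(self.seq), active=True, members=[])
            store[rec["id"]] = rec
            return 201, rec
        rec = store.get(rid[0]) if rid else None
        if rec is None:
            return 404, None
        if method == "DELETE":  # a deleted user is locked, not removed, so no vault data is lost
            rec["active"] = False
            return 204, None
        if method == "PATCH":
            for op in body["Operations"]:
                if op["path"] == "active":
                    rec["active"] = bool(op["value"])
                elif op["path"] == "members" and op["op"] == "add":
                    ids = [v["value"] for v in op["value"]]
                    if any(i not in self.users for i in ids):
                        return 400, None  # referenced users must belong to the same node
                    rec["members"] = sorted(set(rec["members"]) | set(ids))
        return 200, rec


def demo():
    node = FakeKeeperNode(token="t0k3n", reserved_domain="example.com")
    c = ScimClient("https://keepersecurity.com/api/rest/scim/v2", 123, "t0k3n", node)
    out = {"wrong_domain": c.create("Users", userName="eve@other.org", displayName="Eve")[0]}
    alice = c.create("Users", userName="alice@example.com", displayName="Alice")[1]
    bob = c.create("Users", userName="bob@example.com", displayName="Bob")[1]
    out["duplicate"] = c.create("Users", userName="alice@example.com", displayName="Alice")[0]
    team = c.create("Groups", displayName="Engineering")[1]
    add = lambda uid: [{"op": "add", "path": "members", "value": [{"value": uid}]}]
    out["add_member"] = c.patch("Groups", team["id"], add(alice["id"]))[0]
    out["foreign_member"] = c.patch("Groups", team["id"], add("999"))[0]
    out["delete"] = (c.request("DELETE", "Users", bob["id"])[0], node.users[bob["id"]]["active"])
    out["paged_users"] = len(c.list_all("Users", count=1))  # two users fetched over two pages
    out["group_slim"] = "members" not in c.list_all("Groups", excludedAttributes="members")[0]
    return out
```

demo() returns the status of each step. To run the same flow against a real node, replace FakeKeeperNode with a transport that performs the HTTPS request with the same method, URL, headers and body, and keep the token out of source control: it can create, lock and regroup every user in the node.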

    Bulk Operations

    Per RFC 7644, Section 3.7, Keeper supports bulk API operations through the URL structure below:

    https://keepersecurity.com/api/rest/scim/v2/xxx/Bulk

    The SCIM bulk operation is an optional server feature that enables clients to send a potentially large collection of resource operations in a single POST request.

    The body of a bulk operation contains a set of HTTP resource operations using one of the HTTP methods supported by the API, i.e., POST, PUT, PATCH, or DELETE.

Current limits can be discovered in the response to a /ServiceProviderConfig request, for example:

    ... "bulk": { "supported": true, "maxOperations": 1000, "maxPayloadSize": 1048576 }, ...

Those three values are populated from the service properties SCIM_BULK_SUPPORTED, SCIM_BULK_MAX_OPERATIONS and SCIM_BULK_MAX_PAYLOAD_SIZE.

    We do not support circular bulk references. HTTP status code 409 (Conflict) will be returned in this case.
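As an added example, not Keeper's code, a packer for /Bulk requests: it reads the bulk limits from a /ServiceProviderConfig response (the values quoted above, with maxOperations shrunk in the demo to force a split), splits a list of operations into requests that respect maxOperations and maxPayloadSize, keeps every bulkId reference inside the request that defines it, and detects circular bulkId references before sending, since Keeper answers those with 409. The operations and their contents are constructed for the demo.

```python
"""Added example, not Keeper's code: packs SCIM operations into /Bulk requests within
the limits a /ServiceProviderConfig response advertises, and rejects circular bulkId
references up front (Keeper answers those with HTTP 409). Operation data is made up."""
import json
import re

BULK_REQ = "urn:ietf:params:scim:api:messages:2.0:BulkRequest"
BULK_REF = re.compile(r'"bulkId:([^"]+)"')  # RFC 7644 3.7.2: "bulkId:<id>" inside a resource


def bulkid_refs(op):
    """bulkIds that this operation's data points at (e.g. a Group member "bulkId:u1")."""
    return set(BULK_REF.findall(json.dumps(op.get("data", {}))))


def has_circular_refs(operations):
    """True when bulkId references form a cycle; the server would reject the request with 409."""
    graph = {op["bulkId"]: bulkid_refs(op) for op in operations if "bulkId" in op}
    state = {}  # bulkId -> 1 while on the DFS stack, 2 when finished

    def visit(node):
        if state.get(node) == 1:
            return True
        if state.get(node) == 2 or node not in graph:
            return False
        state[node] = 1
        cyclic = any(visit(n) for n in graph[node])
        state[node] = 2
        return cyclic

    return any(visit(n) for n in graph)


def bulk_requests(operations, service_provider_config):
    """Split operations into BulkRequest bodies that respect maxOperations and maxPayloadSize.
    A bulkId only exists inside the request that defines it, so an operation must be sent in
    the same request as (and after) every bulkId it references; otherwise ValueError is raised."""
    limits = service_provider_config["bulk"]
    if not limits.get("supported"):
        raise ValueError("server does not support /Bulk")
    if has_circular_refs(operations):
        raise ValueError("circular bulkId references; the server would return 409")
    requests, current, defined = [], [], set()
    for op in operations:
        candidate = {"schemas": [BULK_REQ], "Operations": current + [op]}
        if current and (len(current) == limits["maxOperations"]
                        or len(json.dumps(candidate).encode()) > limits["maxPayloadSize"]):
            requests.append({"schemas": [BULK_REQ], "Operations": current})
            current, defined = [], set()
        if not bulkid_refs(op) <= defined:
            raise ValueError(f"{op['path']} references a bulkId that is not earlier in the same request")
        if len(json.dumps({"schemas": [BULK_REQ], "Operations": [op]}).encode()) > limits["maxPayloadSize"]:
            raise ValueError("a single operation exceeds maxPayloadSize")
        current.append(op)
        if "bulkId" in op:
            defined.add(op["bulkId"])
    if current:
        requests.append({"schemas": [BULK_REQ], "Operations": current})
    return requests


def demo():
    # Limits quoted on this page, with maxOperations shrunk to 2 so the demo has to split.
    cfg = {"bulk": {"supported": True, "maxOperations": 2, "maxPayloadSize": 1048576}}

    def user(bid, email):
        return {"method": "POST", "path": "/Users", "bulkId": bid,
                "data": {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"], "userName": email}}

    def group(bid, *member_bulkids):
        return {"method": "POST", "path": "/Groups", "bulkId": bid,
                "data": {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"], "displayName": bid,
                         "members": [{"value": f"bulkId:{m}"} for m in member_bulkids]}}

    users = [user("u1", "a@example.com"), user("u2", "b@example.com"), user("u3", "c@example.com")]
    out = {"batches": [len(r["Operations"]) for r in bulk_requests(users, cfg)]}
    out["group_with_members"] = len(bulk_requests([users[1], group("g1", "u2")], cfg))
    out["circular"] = has_circular_refs([group("g1", "g2"), group("g2", "g1")])
    try:  # u1, u2 fill the first request, so g1 would be separated from the bulkId it needs
        bulk_requests(users[:2] + [group("g1", "u1")], cfg)
        out["split_refused"] = False
    except ValueError:
        out["split_refused"] = True
    return out
```

Each body returned by bulk_requests is one POST to the /Bulk URL above with the same header authentication as the other methods; when a split is refused, reorder the operations so that a group follows the users it references, or raise the limits on the server side.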

    Security

For security reasons, Keeper only accepts SCIM provisioning when the enterprise tenant has reserved the email domain of the affected users. For example, if the address being provisioned is user@example.com, the example.com domain must be reserved to that specific tenant; otherwise the request is rejected. This prevents one tenant's SCIM connection from creating or locking accounts in a domain that belongs to another organization.

For more information about the domain reservation process, see the domain reservation documentation.

    Notes Regarding Integration

The SCIM identity provider maps to a single node, and the provider's username maps to the Keeper username (an email address), which must be unique globally. Therefore, if the identity provider contains a user whose email is already a member of the same or a different Keeper Enterprise account, provisioning of that user fails. The only exception is a user who is already a member of the same node: provisioning then succeeds and establishes the link between the identity provider and Keeper. To avoid problems, if you already have manually created Keeper users who match accounts you plan to provision from the identity provider, move them under the SCIM node before setting up the integration in the provider.

When a user is provisioned, Keeper requires either the username or the email attribute to contain a valid email address; otherwise the provisioning can be rejected (in Okta, for example, the username can be an arbitrary string and an email is not required). A syntactically valid but non-existent email is accepted, but the provisioned user will never receive the invitation email and so cannot join the enterprise.

    Team and User Approval Process

    New users added by the SCIM sync are created in the “invited” state and will receive an invite to join Keeper. New teams created by the SCIM sync are created in the “pending” state and require final approval from either the Keeper Administrator or another team member.

    Users added to teams via SCIM are added in a "pending" state and require approval. Team and user approval occurs automatically when the Admin logs in to the Keeper Admin Console. Approvals can also be automated using the Keeper Automator service or using Keeper Commander. The reason that teams and users are approved using this method is because encryption keys must be generated and/or shared. In Keeper's Zero-Knowledge environment, this action must be performed by a Keeper Administrator, by another team member, or by the automation service. Keeper's support team can assist customers in installing the automation service.

    Unique Group Names

By default, Keeper accepts group creation even if the Group Name is identical to a previously used name, so an identity provider that retries or duplicates a create request can produce duplicate teams.

If you encounter duplicate group names, contact Keeper Support: a flag can be set on your SCIM connection that enforces unique group names.

    SCIM Push Command

    Keeper has integrated SCIM into the Keeper Commander SDK. Users and groups can be pushed from any directory source directly into the Keeper SCIM endpoint.

    Learn More about the SCIM Push command.

    Troubleshooting and Tips

    • If you click the "Test" button before saving the SCIM provisioning method in the Admin Console, the test will fail. Copy the token first, then click Save.

• Keeper users are identified by their email address, so when assigning users in the identity provider make sure the User Name attribute contains a valid email address.

    Team Provisioning and Team Assignments

    When setting up User and Team SCIM provisioning, make sure of the following:

    • When you invite a user from SCIM, if the user does not exist yet in Keeper, they will receive an invite to sign up (or they can use just-in-time provisioning)

• After the user has created their Keeper account, the user is not assigned into a Keeper team until one of the following happens:
  (a) an Admin logs into the Admin Console and clicks "Full Sync" on the Admin screen;
  (b) a user from the relevant team logs into the Web Vault or Desktop App;
  (c) an Admin runs team-approve from Keeper Commander; or
  (d) the Keeper Automator service approves the transaction.
  Teams and team memberships cannot be created instantly via SCIM because of the encryption model: the Team Key has to be shared with the new member, and sharing an encryption key can only be performed by a party that is logged in and has access to the necessary private keys.

• To streamline this process, the Keeper Automator service (version 3.2 and later) performs instant approval of Teams and team assignments. See the Keeper Automator documentation for more information.

    Using SCIM API Provisioning

    If you are testing or programming against Keeper's SCIM API, we have created a guide with examples on working with Keeper using Postman.


The remaining rows of the Supported API Methods table (Groups and ServiceProviderConfig):

Groups/GET
  https://keepersecurity.com/api/rest/scim/v2/123/Groups
  Returns all teams for node 123.

Groups/GET
  https://keepersecurity.com/api/rest/scim/v2/123/Groups/789
  Returns team 789 of node 123, or 404 if not found.

Groups/POST
  https://keepersecurity.com/api/rest/scim/v2/123/Groups
  Parses the SCIM Group resource in the request body and adds a team to node 123.

Groups/PATCH
  https://keepersecurity.com/api/rest/scim/v2/123/Groups/789
  Parses the SCIM PATCH Operations in the request body and adds or removes the referenced users to/from team 789. The referenced users must belong to the same node. Returns 404 if the team is not found.

Groups/DELETE
  https://keepersecurity.com/api/rest/scim/v2/123/Groups/789
  Deletes team 789 from node 123. Returns 404 if the team is not found.

ServiceProviderConfig/GET
  https://keepersecurity.com/api/rest/scim/v2/123/ServiceProviderConfig
  Returns the SCIM Service Provider Configuration for the Keeper SCIM service, including the bulk limits described above.


    Okta Provisioning

    Keeper supports SAML 2.0 Authentication and SCIM provisioning with the Okta platform.

    Overview

    This guide covers Okta Automated Provisioning with SCIM. Before you begin the setup, we recommend that you first activate Keeper's powerful SSO Connect integration with Okta that provides realtime user authentication and Just-In-Time provisioning.

    Please review the Okta SSO implementation guides:

SSO Connect Cloud (Recommended): https://docs.keeper.io/sso-connect-cloud/

    Provisioning Features

    Keeper/Okta automated provisioning supports the following features:

    • Create users in Keeper

    • Update user attributes

    • Activate or deactivate users (locks or unlocks them in Keeper)

    • Creates teams in Keeper (from Okta groups)

When provisioning users, the Okta directory is mapped to a single Keeper node. Users and groups pushed from Okta are created in Keeper in a pending state, and new users receive an email invitation prompting them to create a Keeper account.

    Requirements

To set up Keeper user provisioning with Okta, you need access to the Keeper Admin Console and an Okta Admin account.

    Configuration Steps

Step 1. If you haven't added Keeper to your Okta Admin console yet, select the Applications tab, then Browse App Catalog, and search for "Keeper".

Step 2. Open the Keeper Admin Console and navigate to the node that should be synchronized with your Okta account. If you are using SAML 2.0 authentication, add the SCIM connector to the same node. Select Add Method > SCIM (System for Cross-Domain Identity Management) and click Next.

Step 3. Copy the URL.

Step 4. Back in the Okta Admin account, paste the URL from Keeper into the Base URL field of the Okta API Integration screen.

Step 5. Switch back to the Keeper Admin Console and click Generate.

Step 6. Immediately copy the generated token to your clipboard, then click Save. Save now: if you click "Test" on the Okta side before the token is saved in Keeper, the test fails.

Step 7. Paste the token into the Okta console.

Step 8. Select Save in Okta to finish the Keeper provisioning setup.

    Provisioning Users

    In the Okta Provisioning tab, click Edit under Provisioning to App. Enable "Create Users", "Update User Attributes", "Deactivate Users" capabilities, then click Save.

    Assign the app to a user from Okta, and after a short period, select the Full Sync button in the Keeper Admin Console.

    Please ensure that the username and email for users remains the same during user assignment.

    In the Keeper Admin Console, users will show in either an "Invite" state or a "Pending transfer acceptance" state (if Vault Transfer policy is active for the default role).

    The user will receive an email invitation (unless email invites are disabled at the Role Policy level). Clicking the invite link allows the user to log in with Okta and complete the provisioning process.

    Alternatively, the user can log in to Keeper with their email address or Enterprise Domain and complete the sign-in process.

    After the user has created their Keeper vault, the status on the Admin Console will change to "Active".

    Team Provisioning

    Keeper supports Team provisioning through Okta "Push Groups".

    • Push Groups are added as Keeper Teams within the Admin Console

    • Users who are assigned to Push Groups are assigned to the Keeper Team

    • Keeper Teams can then be provisioned to Shared Folders

    • Keeper Teams can be mapped to Role Policies through Team-to-Role Mapping

    Team and User Approvals

    Processing of Team and Team-User assignments must be completed locally on the Admin Console or through one of Keeper's automated tools.

    After pushing users or teams to the Keeper Admin Console, log in or click "Full Sync" to process and approve the transactions.

    A notification will appear along the bottom of the screen when team approvals have been processed.

    Team and user approvals can also be performed by the Keeper Automator service, or by using Keeper Commander with the team-approve command.

    SCIM + Team-to-Role Mapping

    Okta automated provisioning maps Push Groups to Keeper Teams. To automatically assign different teams to different Keeper Roles, use the "Team to Role mapping" feature.

    From the Roles screen, simply add the Team to the role.

    To use team-to-role mapping, administrators assign a role to an entire Team rather than to individual users, and use role enforcements to establish different requirements and restrictions for each team. Note that Team-to-Role mapping cannot be used with administrative roles.

    Known Issues/Troubleshooting and Tips

    • If you click the "Test" button before saving the SCIM provisioning method in the Admin Console, the test will fail. Copy the token then click Save.

    • Keeper users are identified by their email, therefore when assigning the Okta user to the Keeper app, make sure the User Name contains a valid email address.

    • Groups assigned to the Keeper Okta application are not created as teams in Keeper by default; only group members are pushed to Keeper. To sync groups and group memberships to Keeper you need to add the groups to "Push Groups" in the Keeper Okta application.

    Team Provisioning and Team Assignments

    When setting up User and Team SCIM provisioning with Okta, make sure of the following:

    • Ensure that you have assigned the Okta groups as Push Groups in the SAML application

    • When you invite a user from Okta, or assign a user to a group that has been provisioned as a Push Group, Okta sends a request to Keeper to invite the user, add the user to a team, or create the team.

    • If the user does not exist yet in Keeper, they will receive an invite to sign up (or they can use just-in-time provisioning).

    Okta Error Handling

    If you receive the error "Unable to update Group Push mapping target App group xxx: Error while updating user group membership... Not Found":

    • This error can occur if the Keeper Enterprise User ID differs between the Keeper backend and the Okta admin. This happens if you delete and re-create a user's account from the Keeper side instead of creating the user from a SCIM invitation; Okta then has no knowledge of the user's new Enterprise User ID.

    • To resolve the issue, remove the user's application assignment to Keeper and re-assign the user to the Keeper application.

    User Authentication with SAML 2.0

    Please visit the Okta + Keeper SSO Connect guide for sign-on authentication.

    SSO Connect Cloud (Recommended):

    SSO Connect On-Prem:

    Seamless authentication

    When synchronizing group memberships from Okta, Keeper creates team memberships which are not immediately visible. For the provisioned users to become actual team members, the user must register with Keeper, accept the invitation, and receive approval for group entry from a Keeper Administrator or be auto-approved by an existing Keeper team member logged into their Web Vault.

  • When creating a new Push Group, the Okta admin will need to manually push the groups at least once to complete group synchronization.

  • After the user has created their Keeper account, the user will not yet be assigned to a Keeper team until one of a few things happens: (a) an Admin logs into the Admin Console and clicks "Full Sync" on the Admin screen, (b) a user from the relevant team logs into the Web Vault or Desktop App, or (c) an Admin runs team-approve from Keeper Commander. Sharing an encryption key (e.g. the Team Key) can only be performed by a user who is logged in and has access to the necessary private keys.

  • The Keeper Automator service as of version 3.2 performs instant approval of Teams and team assignments. More information about the Automator service is located here.


    Using SCIM API Provisioning

    This page describes how to use Postman, a popular API platform, to provision users into your Keeper tenant. The request URLs and example JSON bodies referenced in the steps below are collected together at the end of this page.

    Setting up the Environment

    1. Open Postman

    2. Create a New Request

  • Method: GET, POST, DELETE, PATCH or PUT

  • URL: https://keepersecurity.com/api/rest/scim/v2/<node_id>

  • The domain depends on the data center of your Keeper tenant: US: keepersecurity.com, EU: keepersecurity.eu, AU: keepersecurity.com.au, JP: keepersecurity.jp, CA: keepersecurity.ca, GOV: govcloud.keepersecurity.us

    3. Set the Headers

    Key              Value
    Authorization    Bearer YOUR_AUTH_TOKEN
    Content-Type     application/scim+json

    4. Set the Body

    • Choose raw and select JSON format.


    Adding a User - Users/POST

    1. Set the HTTP Method and URL

    • Set the HTTP method to POST using the dropdown menu.

    • Enter the URL for adding a user:

    Be sure to replace <node_id> with your actual node ID where you want the user added. This Node ID is provided to you on the SCIM setup page in the Keeper Admin Console, or it can be found using Keeper Commander's "enterprise-info --nodes" command.

    2. Set the Body

    • Click on the "Body" tab below the URL field

    • Choose raw and select JSON format

    • Add the JSON body with the details of the user you want to add. Here's an example JSON body:

    You can also add the user to a team upon creation by including the <group_id> as the "value" in the groups object. This is the only required information to add the user to a group; "$ref" and "display" are optional.

    3. Send the Request

    Response HTTP codes

    HTTP code    Meaning
    201          Created: success
    409          Conflict: email already taken
    428          Precondition Required: number of licensed seats was exceeded

    Locking/Unlocking a user - Users/PATCH

    1. Set the Method to PATCH and the URL to the following:

    2. Set the body of the JSON request

    • Choose raw and select JSON format

    • Add the JSON body for the user you want to lock or unlock. Here's an example JSON body:

    Be sure to set the "value" to true (unlocked) or false (locked).

    3. Send the request


    Retrieve information about a user/users - Users/GET

    1. Open Postman and set the HTTP method to GET

    • For information about all the users in a node, use the following URL:

    • For information on a specific user, specify the user ID

    2. Send the request

    Filtering of users is also supported; below is an example of searching by user ID:

    Additionally, you can paginate the results using startIndex and count:


    Retrieve Groups & Group IDs - Groups/GET

    1. Open Postman and create a new GET request

    • Set the URL:

    2. Send the request

    Expected Response

    The response will be a JSON object containing details of all groups under the specified node. The "id" field within each group object represents the group ID. In Keeper, a group is represented by a Keeper Team object. The ID is the Keeper Team UID.

    To get the information of a single group, include the group ID at the end of the URL. https://keepersecurity.com/api/rest/scim/v2/<node_id>/Groups/<group_id>

    Creating a Team - Groups/POST

    1. Create a New Request

    • Click on "New" and then select "Request" from the dropdown menu.

    • Alternatively, you can click on the "Request" tab if it is already open.

    2. Set the HTTP Method and URL

    • Set the HTTP method to POST using the dropdown menu

    • Enter the URL for adding a team

    3. Set the Body

    • Click on the "Body" tab below the URL field.

    • Choose raw and select JSON format.

    • Add the JSON body with the details of the team you want to create. Here's an example JSON body:

    Replace "Team Name" with the desired team name.

    4. Send the Request

    • Click on the "Send" button in Postman to execute the request


    Deleting a team - Groups/DELETE

    1. Set the HTTP Method and URL

    • Set the HTTP method to DELETE using the dropdown menu.

    • Set the URL:

    2. Send the request


    Adding or removing a user to a team - Users/PATCH

    1. Set the HTTP Method and URL

    • Set the HTTP method to PATCH using the dropdown menu.

    • Set the URL:

    Replace <node_id> with your actual node ID and <group_id> with the ID of the team you want to update.

    2. Set the Body

    • Click on the "Body" tab below the URL field

    • Choose raw and select JSON format

    • Add the JSON body with the details of the user you want to add to the team. Here's an example JSON body:

    Setting the "op" value to "add" adds a user to the team; setting it to "remove" removes the user from the team.

    3. Send the request


    Handling Roles with the Role Prefix

    While Keeper's SCIM integration does not process the "roles" attribute of the User object, you can create and assign roles by using a role prefix.

    In the settings of the SCIM Provisioning Method on the Admin Console, you can define a Role Mapping Prefix:

    Any SCIM Group object created with a displayName carrying this prefix generates a Role instead of a Team. Likewise, you assign the role to your users by sending the same request used for a team assignment.


    Updating User Attributes - Users/PUT

    1. Create a New Request

    • Click on "New" and then select "Request" from the dropdown menu.

    • Alternatively, you can click on the "Request" tab if it is already open.

    2. Set the HTTP Method and URL

    • Set the HTTP method to PUT.

    • Use the URL:

    3. Set the Body

    • Click on the "Body" tab below the URL field

    • Choose raw and select JSON format

    Here is an example of the JSON body to update the user information:

    Changing the "active" flag to false locks the user account; changing it to true unlocks the account.

    4. Send the request

    • Click on the "Send" button in Postman to execute the request

    Updating User Attributes - Users/PATCH

    The same user attributes can also be updated with a PATCH request to the Users/<user_id> URL. An example PatchOp body that replaces several attributes and adds and removes group memberships in one request is listed at the end of this page.


    SCIM related endpoints/GET

    • Set the HTTP method to GET

    • Use the URL:

    ServiceProviderConfig / ResourceTypes (User/Group) / Schemas

    Request URLs and Example Bodies

    The URLs and JSON bodies referenced in the sections above are collected here in the same order. Replace the <...> placeholders with your own values. The "roles" attribute is included only for completeness; this SCIM definition is not used in Keeper.

    Adding a User - Users/POST

    URL:
    https://keepersecurity.com/api/rest/scim/v2/<node_id>/Users

    Body:
    {
      "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User",
        "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
      ],
      "userName": "<user_email>",
      "displayName": "<user_name>",
      "externalId": "",
      "name": {
        "familyName": "<last_name>",
        "givenName": "<first_name>"
      },
      "emails": [
        {
          "value": "<user_email>"
        }
      ],
      "roles": [],
      "groups": [
        {
          "value": "<group_id>",
          "$ref": "http://keepersecurity.com/api/rest/scim/v2/<node_id>/<group_id>/scim/Groups",
          "display": "<team_name>"
        }
      ]
    }

    Locking/Unlocking a user - Users/PATCH

    URL:
    https://keepersecurity.com/api/rest/scim/v2/<node_id>/Users/<user_id>

    Body (true unlocks the user, false locks the user):
    {
      "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:PatchOp"
      ],
      "Operations": [
        {
          "op": "replace",
          "path": "active",
          "value": true
        }
      ]
    }

    Retrieve information about a user/users - Users/GET

    All users in a node:
    https://keepersecurity.com/api/rest/scim/v2/<node_id>/Users

    A specific user:
    https://keepersecurity.com/api/rest/scim/v2/<node_id>/Users/<user_id>

    Filter by user ID:
    https://keepersecurity.com/api/rest/scim/v2/<node_id>/Users?filter=id+eq+%22<user_id>%22

    Pagination with startIndex and count:
    https://keepersecurity.com/api/rest/scim/v2/<node_id>/Users?startIndex=2&count=200

    Retrieve Groups & Group IDs - Groups/GET

    URL:
    https://keepersecurity.com/api/rest/scim/v2/<node_id>/Groups

    Example response:
    {
      "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:ListResponse"
      ],
      "totalResults": 2,
      "Resources": [
        {
          "schemas": [
            "urn:ietf:params:scim:schemas:core:2.0:Group"
          ],
          "id": "group_id_1",
          "displayName": "Group 1",
          "members": []
        },
        {
          "schemas": [
            "urn:ietf:params:scim:schemas:core:2.0:Group"
          ],
          "id": "group_id_2",
          "displayName": "Group 2",
          "members": []
        }
      ]
    }

    Creating a Team - Groups/POST

    URL:
    https://keepersecurity.com/api/rest/scim/v2/<node_id>/Groups

    Body:
    {
      "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:Group",
        "http://schemas.microsoft.com/2006/11/ResourceManagement/ADSCIM/Group"
      ],
      "displayName": "<team_name>",
      "externalId": "dfe9166c-57f9-417d-83a6-072b5a56a4fe"
    }

    Deleting a team - Groups/DELETE

    URL:
    https://keepersecurity.com/api/rest/scim/v2/<node_id>/Groups/<group_id>

    Adding or removing a user to a team - Users/PATCH

    URL:
    https://keepersecurity.com/api/rest/scim/v2/<node_id>/Groups/<group_id>

    Body ("add" adds the member, "remove" removes the member):
    {
      "Operations": [
        {
          "op": "add",
          "path": "members",
          "value": [
            {
              "value": "<user_id>"
            }
          ]
        }
      ]
    }

    Handling Roles with the Role Prefix - Groups/POST

    Body (with the Role Mapping Prefix configured as ROLE_, this creates a Role rather than a Team):
    {
      "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:Group",
        "http://schemas.microsoft.com/2006/11/ResourceManagement/ADSCIM/Group"
      ],
      "displayName": "ROLE_group",
      "externalId": "dfe9166c-57f9-417d-83a6-072b5a56a4fe"
    }

    Updating User Attributes - Users/PUT

    URL:
    https://keepersecurity.com/api/rest/scim/v2/<node_id>/Users/<user_id>

    Body:
    {
      "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User"
      ],
      "userName": "<user_email>",
      "displayName": "<Desired display name>",
      "externalId": "",
      "name": {
        "familyName": "<last_name>",
        "givenName": "<first_name>"
      },
      "emails": [
        {
          "value": "<user_email>",
          "primary": true
        }
      ],
      "roles": [],
      "groups": [
        {
          "value": "<group_id>",
          "$ref": "http://keepersecurity.com/api/rest/scim/v2/<node_id>/<group_id>/scim/Groups",
          "display": "<group_name>"
        }
      ],
      "active": true
    }

    Updating User Attributes - Users/PATCH

    URL (same as for PUT):
    https://keepersecurity.com/api/rest/scim/v2/<node_id>/Users/<user_id>

    Body:
    {
      "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:PatchOp"
      ],
      "Operations": [
        {
          "op": "replace",
          "path": "userName",
          "value": "<user_name>"
        },
        {
          "op": "replace",
          "path": "displayName",
          "value": "<display_name>"
        },
        {
          "op": "replace",
          "path": "externalId",
          "value": "<external_Id>"
        },
        {
          "op": "replace",
          "path": "name.familyName",
          "value": "<last_name>"
        },
        {
          "op": "replace",
          "path": "name.givenName",
          "value": "<first_name>"
        },
        {
          "op": "replace",
          "path": "active",
          "value": false
        },
        {
          "op": "add",
          "path": "groups",
          "value": [
            {
              "$ref": "https://example.com/v2/Users/1743756723210",
              "value": "<group_id>"
            }
          ]
        },
        {
          "op": "remove",
          "path": "groups",
          "value": [
            {
              "$ref": "https://example.com/v2/Users/<user_id>",
              "value": "<group_id>"
            }
          ]
        }
      ]
    }

    SCIM related endpoints/GET

    https://keepersecurity.com/api/rest/scim/v2/<node_id>/ServiceProviderConfig
    https://keepersecurity.com/api/rest/scim/v2/<node_id>/ResourceTypes/User
    https://keepersecurity.com/api/rest/scim/v2/<node_id>/ResourceTypes/Group
    https://keepersecurity.com/api/rest/scim/v2/<node_id>/Schemas/urn:ietf:params:scim:schemas:core:2.0:User
    https://keepersecurity.com/api/rest/scim/v2/<node_id>/Schemas
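    The same requests can be scripted instead of sent by hand from Postman. The following is an added example, not Keeper's own client code: it builds the regional base URL from the data centers listed above, sends requests with the Bearer token and application/scim+json content type, builds the lock/unlock PatchOp body, and follows startIndex/count pagination of the Users ListResponse until totalResults users have been read. The function names (scim_base, scim_request, lock_patch, list_all_users), the environment variable names KEEPER_NODE_ID and KEEPER_SCIM_TOKEN, and the injectable transport parameter are this example's own assumptions.

```python
"""Keeper SCIM v2 helpers: added example, not Keeper's own client code."""
import json
import os
import urllib.request

# Regional domains listed on this page; the API path is identical for each.
DOMAINS = {"US": "keepersecurity.com", "EU": "keepersecurity.eu",
           "AU": "keepersecurity.com.au", "JP": "keepersecurity.jp",
           "CA": "keepersecurity.ca", "GOV": "govcloud.keepersecurity.us"}

# Users/POST outcomes documented on this page, keyed by HTTP status.
CREATE_USER_OUTCOMES = {201: "created",
                        409: "conflict: email already taken",
                        428: "precondition required: licensed seats exceeded"}


def scim_base(region, node_id):
    """Base URL for one node, e.g. https://keepersecurity.eu/api/rest/scim/v2/<node_id>."""
    return f"https://{DOMAINS[region]}/api/rest/scim/v2/{node_id}"


def scim_request(method, url, token, body=None):
    """Send one SCIM request with the Bearer token and SCIM content type.

    Returns (http_status, parsed_json_or_None); non-2xx raises HTTPError."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/scim+json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None)


def lock_patch(active):
    """PatchOp body that unlocks (True) or locks (False) a Keeper user."""
    return {"schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
            "Operations": [{"op": "replace", "path": "active",
                            "value": bool(active)}]}


def list_all_users(base, token, count=200, transport=scim_request):
    """Follow startIndex/count pagination until totalResults users are read."""
    users, start = [], 1  # SCIM startIndex is 1-based
    while True:
        url = f"{base}/Users?startIndex={start}&count={count}"
        status, page = transport("GET", url, token)
        if status != 200:
            raise RuntimeError(f"GET {url} returned HTTP {status}")
        resources = page.get("Resources", [])
        users.extend(resources)
        if not resources or len(users) >= page.get("totalResults", 0):
            return users
        start += len(resources)


if __name__ == "__main__":
    # The SCIM token comes from the environment, never from source control.
    base = scim_base("US", os.environ["KEEPER_NODE_ID"])
    tok = os.environ["KEEPER_SCIM_TOKEN"]
    print(len(list_all_users(base, tok)), "users in node")
```

    To lock a user with this helper, send lock_patch(False) with scim_request("PATCH", f"{base}/Users/{user_id}", tok, body=...); the returned status can be compared against the codes in the table above.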