SCIM Push Configuration

Use Commander to push SCIM messages to the Keeper backend API

For identity providers that do not support SCIM, you can use the Keeper Commander scim push command to provision users and teams: Commander reads users and groups from the source directory and pushes them to the Keeper backend over the SCIM endpoint.

Common Setup Steps

Prerequisites: please be familiar with User and Team provisioning

  1. Create a SCIM provisioning method for your enterprise node with the Admin Console or Commander

  2. Create a record in Keeper with the login record type to store the SCIM configuration

  3. Paste the SCIM URL into the Website Address field of the Keeper record

  4. Paste the SCIM Token into the Password field of the Keeper record. The token is a bearer secret that authorizes provisioning against your enterprise, so keep it only in this record rather than in scripts or files on disk.

Google Workspace

The setup steps in this section allow you to provision users and teams from your Google Workspace account.

Prerequisites: Active Google Workspace subscription and Google Cloud Platform account

Commander installed with pip: make sure the Google API Client Python package is installed:

(keeper) % pip install google-api-python-client

  1. Google Cloud Platform: Create a project or choose an existing one

  2. Google Cloud Platform: Enable Admin SDK API for your project

    • in the APIs & Services click +ENABLE APIS AND SERVICES

    • in the Search for APIs & Services enter Admin SDK API

    • click ENABLE

  3. Google Cloud Platform: Create a Service Account

    • In the IAM and Admin menu select Service accounts

    • click +CREATE SERVICE ACCOUNT with suggested service account name: keeper-scim

    • For newly created service account click Actions/dots and select Manage Keys

    • click ADD KEYS -> Create New Key. Choose JSON key type then CREATE

    • A JSON file with service account credentials will be downloaded to your computer

    • Rename this file to credentials.json and add this file as attachment to your Keeper configuration record that was created in the Setup Steps above.

  4. Grant the Service Account access to your Google Workspace Directory

    • Google Cloud Platform

      • Navigate to your Service Account and select DETAILS tab

      • in the Domain-wide delegation section copy the Client ID. You will need to grant this Client ID access to the Google Workspace Directory

    • Google Workspace Admin Console

      • Navigate to Security -> API controls

      • Under the Domain wide delegation click MANAGE DOMAIN WIDE DELEGATION

      • Click Add new in API Clients

      • Paste Client ID

      • Paste the following text into OAuth scopes (comma-delimited) https://www.googleapis.com/auth/admin.directory.group.readonly,https://www.googleapis.com/auth/admin.directory.group.member.readonly,https://www.googleapis.com/auth/admin.directory.user.readonly

      • Click AUTHORIZE. These scopes grant the Service Account read-only access to Google Workspace Directory users, groups and membership. Do not add write scopes: the push only reads from Google, so read-only is all the Service Account needs.

  5. Google Workspace Admin Console: Provide Keeper with the Service Account

    • In Google, navigate to Account -> Account settings

    • Copy the Primary admin email into the clipboard (upper right area)

    • Paste this email into the login field of your Google SCIM configuration record in Keeper

  6. Google Workspace Admin Console: create a group that holds users to be exported to Keeper.

    • Optional: skip this step if you want all user accounts to be imported

    • Navigate to Directory -> Groups

    • Click Create group

    • Assign all users that need to be provisioned to Keeper to this group

The Google SCIM configuration record in Keeper should now contain the following fields:

Field             Section     Value
----------------  ----------  --------------------------------------------------------
Login             Google #5   Google Workspace admin email
Password          Common #4   SCIM Token generated in the Keeper Admin Console
Website Address   Common #3   SCIM URL pasted from the Keeper Admin Console
SCIM Group        Google #6   Google group name, or empty to import all users
credentials.json  Google #3   File attachment with Google Service Account credentials
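Before the first push it is worth checking that the delegation set up in steps 3 to 5 actually works and yields the users you expect. The script below is an added example and not Commander's own code: it loads the service-account key from credentials.json (step 3), impersonates the Workspace admin from the record's Login field (step 5) with exactly the three read-only scopes authorized in step 4, and lists the users a push would cover, honouring the SCIM Group rule from step 6. It assumes credentials.json is in the current directory and that the group is identified by its email address (the Directory API's groupKey takes an email or id, not a display name); the admin email and group are passed on the command line.

```python
"""Added example (not Commander's code): dry-run the Google side of the setup.

Loads the service-account key from credentials.json (step 3), impersonates the
Workspace admin from the record's Login field (step 5) with the three read-only
scopes authorized in step 4, and prints the users a push would cover, honouring
the optional SCIM Group from step 6.
Requires: pip install google-api-python-client google-auth
"""
import json
import sys
from typing import Iterable

# Exactly the scopes authorized under Domain-wide delegation in step 4. Asking the
# token endpoint for anything broader fails, so refuse it here instead.
AUTHORIZED_SCOPES = (
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.member.readonly",
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
)

# Fields a Google service-account JSON key needs for domain-wide delegation.
REQUIRED_KEY_FIELDS = ("type", "client_id", "client_email", "private_key", "token_uri")


def check_key_file(info: dict) -> list:
    """Problems with a parsed credentials.json; an empty list means it is usable."""
    problems = ["missing field: " + f for f in REQUIRED_KEY_FIELDS if f not in info]
    if info.get("type") != "service_account":
        problems.append("type must be 'service_account'")
    return problems


def check_scopes(requested: Iterable[str]) -> list:
    """Requested scopes that the Admin Console never authorized for this client ID."""
    return [s for s in requested if s not in AUTHORIZED_SCOPES]


def select_users(all_users: Iterable[str], group_members: set, scim_group: str) -> list:
    """Step-6 rule: empty SCIM Group means everyone, otherwise only group members."""
    if not scim_group:
        return sorted(all_users)
    return sorted(u for u in all_users if u in group_members)


def build_directory(info: dict, admin_email: str, scopes=AUTHORIZED_SCOPES):
    """Admin SDK Directory client acting as admin_email via domain-wide delegation."""
    from google.oauth2 import service_account      # google-auth
    from googleapiclient.discovery import build    # google-api-python-client
    problems = check_key_file(info) + ["unauthorized scope: " + s for s in check_scopes(scopes)]
    if problems:
        raise ValueError("; ".join(problems))
    creds = service_account.Credentials.from_service_account_info(
        info, scopes=list(scopes)).with_subject(admin_email)
    return build("admin", "directory_v1", credentials=creds, cache_discovery=False)


def _paged(request_fn, key: str, **kwargs) -> list:
    """Follow nextPageToken until the Directory API runs out of pages."""
    items, token = [], None
    while True:
        resp = request_fn(pageToken=token, **kwargs).execute()
        items += resp.get(key, [])
        token = resp.get("nextPageToken")
        if not token:
            return items


def list_users(directory, scim_group: str = "") -> list:
    """Primary emails of the users a push would cover."""
    users = [u["primaryEmail"] for u in
             _paged(directory.users().list, "users", customer="my_customer", maxResults=500)]
    members = set()
    if scim_group:   # groupKey accepts the group's email address or its unique id
        members = {m["email"] for m in
                   _paged(directory.members().list, "members", groupKey=scim_group, maxResults=200)
                   if m.get("type") == "USER"}
    return select_users(users, members, scim_group)


if __name__ == "__main__":
    # usage: python google_dry_run.py admin@example.com [keeper-users@example.com]
    with open("credentials.json") as fh:
        key = json.load(fh)
    svc = build_directory(key, sys.argv[1])
    for email in list_users(svc, sys.argv[2] if len(sys.argv) > 2 else ""):
        print(email)
```

If the token exchange fails with an unauthorized_client error, the Client ID pasted in step 4 or the scope list does not match what the Admin Console has; if it succeeds but returns no users, the impersonated account is not a Workspace admin. Nested groups are not expanded here: members of type GROUP are skipped, which is also the caveat to keep in mind when you fill the group in step 6.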

Pushing Provisioning Data

To push the Google Workspace users and groups into Keeper as users and teams, use the command below:

scim push <SCIM ID> --source=google --record=<RECORD UID>

The SCIM ID can be found in the Admin Console or using Commander. For example:

My Vault> scim list
        SCIM ID  Node Name              Node ID          Status   Last Synced
---------------  ---------------------  ---------------  -------  ------------
288797895952358  Lurey, Inc.\Corporate  288797895950343  active   Wed Jul  6 09:44:44 2022
288797895951707  Lurey, Inc.\Azure      288797895951061  active   Fri Jul  7 14:25:31 2023
288797895951110  Lurey, Inc.\Google     288797895951063  active   Mon May 30 23:42:52 2022

Automatic Provisioning of Google Workspace

Keeper has created a Google Cloud Function to automatically perform provisioning of Google Workspace users and teams. The step by step instructions can be found here:

Active Directory

The setup steps in this section allow you to provision users and teams from Active Directory using the scim push command.

Prerequisites:

  1. Using your Active Directory management tool (for example Active Directory Users and Computers), create a group and add the AD users and groups that need to be provisioned in Keeper.

  2. Get the Active Directory connect URL, e.g. ldap(s)://<domain controller host or IP>. Prefer ldaps:// so the bind password and directory data are not sent in clear text.

  3. Pick a user account that can read Active Directory. Read access is all the push needs, so use a dedicated read-only account rather than a privileged one.

The Active Directory configuration record in Keeper should now contain the following fields:

Field            Section    Value
---------------  ---------  ------------------------------------------------------------
Password         Common #4  SCIM Token generated in the Keeper Admin Console
Website Address  Common #3  SCIM URL pasted from the Keeper Admin Console
SCIM Group       AD #1      AD group name that lists all users and groups to import
AD URL           AD #2      AD Connect URL, ldap(s)://<domain controller>
AD User          AD #3      AD user login (DOMAIN\USERNAME) or distinguished name (CN=...)
AD Password      AD #3      Password of the AD user

Pushing Provisioning Data

To push the Active Directory users and groups into Keeper as users and teams, use the command below:

scim push <SCIM ID> --source=ad --record=<RECORD UID>
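The Active Directory prerequisites above leave two things for you to verify before the first push: that the connection in the AD URL field is encrypted and that the SCIM Group resolves to the accounts you expect, including users sitting in nested groups. The script below is an added example, not Commander's code, that dry-runs exactly that with the four record fields of the table. It assumes the ldap3 package, that the SCIM Group value is the group's sAMAccountName, and a search base DN passed on the command line; the group name is escaped before it is placed in the LDAP filter so that a value such as Keeper(Users) cannot change the query.

```python
"""Added example (not Commander's code): dry-run the Active Directory side.

Binds to the DC from the record's AD URL with the read-only AD User, resolves
the SCIM Group by sAMAccountName, and returns the enabled user accounts that
are members of it, including members of groups nested inside it.
Requires: pip install ldap3
"""
import ssl
from urllib.parse import urlsplit

# LDAP_MATCHING_RULE_IN_CHAIN: the DC expands nested group membership server-side.
IN_CHAIN = "1.2.840.113556.1.4.1941"
# LDAP_MATCHING_RULE_BIT_AND: used to test the ACCOUNTDISABLE bit (2) of userAccountControl.
BIT_AND = "1.2.840.113556.1.4.803"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a group name from the record cannot inject filter syntax."""
    out = []
    for ch in value:
        if ch in "\\*()" or ch == "\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def group_filter(group_name: str) -> str:
    """Find the group object whose sAMAccountName is the record's SCIM Group."""
    return "(&(objectClass=group)(sAMAccountName=%s))" % escape_filter_value(group_name)


def members_filter(group_dn: str) -> str:
    """Enabled user accounts that are transitive members of group_dn."""
    return ("(&(objectCategory=person)(objectClass=user)"
            "(!(userAccountControl:%s:=2))"
            "(memberOf:%s:=%s))" % (BIT_AND, IN_CHAIN, escape_filter_value(group_dn)))


def parse_ad_url(ad_url: str):
    """Split the AD URL field into (use_ssl, host, port); only ldap:// or ldaps:// allowed."""
    parts = urlsplit(ad_url)
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        raise ValueError("AD URL must look like ldap://host or ldaps://host")
    use_ssl = parts.scheme == "ldaps"
    return use_ssl, parts.hostname, parts.port or (636 if use_ssl else 389)


def list_members(ad_url, ad_user, ad_password, scim_group, base_dn):
    """Return [(sAMAccountName, mail), ...] for the users a push would cover."""
    from ldap3 import Server, Connection, Tls, SUBTREE, AUTO_BIND_TLS_BEFORE_BIND  # pip install ldap3
    use_ssl, host, port = parse_ad_url(ad_url)
    # Validate the DC certificate; with plain ldap:// upgrade with StartTLS before
    # binding so the AD password never crosses the wire in clear text.
    server = Server(host, port=port, use_ssl=use_ssl, tls=Tls(validate=ssl.CERT_REQUIRED))
    bind_mode = True if use_ssl else AUTO_BIND_TLS_BEFORE_BIND
    with Connection(server, user=ad_user, password=ad_password, auto_bind=bind_mode) as conn:
        if not conn.search(base_dn, group_filter(scim_group), SUBTREE,
                           attributes=["distinguishedName"]):
            raise LookupError("group not found: " + scim_group)
        group_dn = conn.entries[0].entry_dn
        conn.search(base_dn, members_filter(group_dn), SUBTREE,
                    attributes=["sAMAccountName", "mail"])
        return [(e.sAMAccountName.value, e.mail.value) for e in conn.entries]


if __name__ == "__main__":
    import getpass
    import sys
    # usage: python ad_dry_run.py ldaps://dc01.example.com 'EXAMPLE\svc-keeper-ro' 'Keeper Users' DC=example,DC=com
    url, user, group, base = sys.argv[1:5]
    for sam, mail in list_members(url, user, getpass.getpass("AD password: "), group, base):
        print(sam, mail)
```

Accounts that come back without a mail attribute are worth fixing in AD before the push, since a Keeper user needs an email address. If the bind fails with ldaps:// but works with ldap://, the domain controller's certificate is not trusted by the machine running Commander; install the issuing CA rather than disabling validation.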
