SCIM Push Configuration
Use Commander to push SCIM messages to the Keeper backend API
For identity providers that don't support SCIM, customers can utilize the Keeper Commander scim push command to provision users and teams.
Common Setup Steps
Prerequisites: please be familiar with User and Team provisioning
Create a SCIM provisioning for your enterprise with the Admin Console or Commander
Create a record in Keeper with
login
record type to store the SCIM configurationPaste the SCIM URL to the
Website Address
field of the Keeper recordPaste the SCIM Token to the
Password
field of the Keeper record
Google Workspace
The setup steps in this section allow you to provision users and teams from your Google Workspace account.
Prerequisites: Active Google Workspace subscription and Google Cloud Platform account
Commander installed with pip:
Make sure Google API Client Python package is installed
Google Cloud Platform: Create a project or chose an existing one
Google Cloud Platform: Enable
Admin SDK API
for your projectin the
APIs & Services
click+ENABLE APIS AND SERVICES
in the
Search for APIs & Services
enterAdmin SDK API
click
ENABLE
Google Cloud Platform: Create a Service Account
In the
IAM and Admin
menu selectService accounts
click
+CREATE SERVICE ACCOUNT
with suggested service account name:keeper-scim
For newly created service account click
Actions
/dots and selectManage Keys
click
ADD KEYS
->Create New Key.
Choose JSON key type thenCREATE
A JSON file with service account credentials will be downloaded to your computer
Rename this file to
credentials.json
and add this file as attachment to your Keeper configuration record that was created in the Setup Steps above.
Grant the Service Account access to your Google Workspace Directory
Navigate to your Service Account and select
DETAILS
tabin the
Domain-wide delegation
section copy theClient ID
. You will need to grant this Client ID access to the Google Workspace Directory
Google Workspace Admin Console
Navigate to
Security
->API controls
Under the
Domain wide delegation
clickMANAGE DOMAIN WIDE DELEGATION
Click
Add new
inAPI Clients
Paste
Client ID
Paste the following text into
OAuth scopes (comma-delimited)
https://www.googleapis.com/auth/admin.directory.group.readonly,https://www.googleapis.com/auth/admin.directory.group.member.readonly,https://www.googleapis.com/auth/admin.directory.user.readonly
Click
AUTHORIZE
- These scopes grant Service Account read-only access to Google Workspace Directory Users, Groups and Membership
Google Workspace Admin Console: Provider Keeper with the
Service Account
In Google, navigate to
Account
->Account settings
Copy the
Primary admin
email into the clipboard (upper right area)Paste this email into the login field of your Google SCIM configuration record in Keeper
Google Workspace Admin Console: create a group that holds users to be exported to Keeper.
Optional: skip this step if you want all user accounts to be imported
Navigate to
Directory
->Group
Click
Create group
Assign all users that need to be provisioned to Keeper to this group
The Google SCIM configuration record in Keeper should now contain the following fields:
Field | Section | Value |
---|---|---|
Login | Google #5 | Google Workspace admin email |
Password | Common #4 | SCIM Token generated in the Keeper Admin Console |
Website Address | Common #3 | SCIM URL pasted from the Keeper Admin Console |
SCIM Group | Google #6 | Google group name or empty to import all users |
credentials.json | Google #3 | File attachment with Google Service Account credentials |
Pushing Provisioning Data
To perform a push of the Google users and Teams into Keeper, use the below command:
The SCIM ID can be found in the Admin Console or using Commander. For example:
Automatic Provisioning of Google Workspace
Keeper has created a Google Cloud Function to automatically perform provisioning of Google Workspace users and teams. The step by step instructions can be found here:
Active Directory
The setup steps in this section allow you to provision users and teams from Active Directory using the scim push
command.
Prerequisites:
In your Active Directory browser, create a Group and add AD users and groups that need to be provisioned in Keeper.
Get the Active Directory connect URL, e.g.
ldap(s):<domain controller host or IP
>Pick a user that can read Active Directory
The Active Directory configuration record in Keeper should now contain the following fields:
Field | Section | Value |
---|---|---|
Password | Common #4 | SCIM Token generated in the Keeper Admin Console |
Website Address | Common #3 | SCIM URL pasted from the Keeper Admin Console |
SCIM Group | AD # 1 | AD group name that lists all users and groups to import |
AD URL | AD #2 | AD Connect URL
|
AD User | AD #3 | AD User login or distinguished name
|
AD Password | AD #3 | AD Password |
Pushing Provisioning Data
To perform a push of the Active Directory users and Teams into Keeper, use the below command:
Last updated