LogoLogo
SSO Connect Cloud
SSO Connect Cloud
  • Keeper SSO Connect Cloud
  • Overview
  • Admin Console Configuration
  • SSO Identity Providers
    • Amazon AWS
    • Auth0
    • Centrify
    • CloudGate UNO
    • DUO SSO
    • Entra ID (Azure AD)
    • F5
    • Google Workspace
      • Google Workspace User and Group Provisioning with Cloud Function
      • Google Workspace User Provisioning with SCIM
    • HENNGE
    • Imprivata
    • JumpCloud
    • Microsoft AD FS
    • Okta
    • OneLogin
    • Ping Identity
    • PingOne
    • Rippling
    • RSA SecurID Access
    • SecureAuth
    • Shibboleth
    • Other SAML 2.0 Providers
  • Passwordless Providers
    • Traitware
    • Trusona
    • Veridium
    • Beyond Identity
  • Device Approvals
    • Keeper Push
    • Admin Approval
    • Keeper Automator Service
      • Version 17.0 Overview
      • Ingress Requirements
      • Azure Container App
      • Azure App Services
      • Azure App Gateway (Advanced)
      • AWS Elastic Container Service
      • AWS Elastic Container Service with KSM (Advanced)
      • Java on Linux
      • Docker on Linux
      • Docker Compose
      • Google Cloud with GCP Cloud Run
      • Kubernetes Service
      • Windows Service
      • Multi-Tenant Mode
      • Custom SSL Certificate
      • Advanced Settings
      • Troubleshooting
    • CLI Approvals
  • Certificate Renewal
  • Logout Configuration
  • User Provisioning
  • System Architecture
  • Security and User Flow
  • Migrate from OnPrem
  • Graphic Assets
  • Links & Resources
Powered by GitBook

Company

  • Keeper Home
  • About Us
  • Careers
  • Security

Support

  • Help Center
  • Contact Sales
  • System Status
  • Terms of Use

Solutions

  • Enterprise Password Management
  • Business Password Management
  • Privileged Access Management
  • Public Sector

Pricing

  • Business and Enterprise
  • Personal and Family
  • Student
  • Military and Medical

© 2025 Keeper Security, Inc.

On this page
  • Google Workspace SAML Configuration
  • Setup Keeper App
  • Service Provider Details
  • Attribute Mapping
  • Keeper SAML App Details
  • Enable SSO Connect on Everyone
  • Enable SSO Connect on Groups
  • Import Google Workspace Metadata
  • Note about Single Logout (SLO) Settings with Google Workspace
  • SSO Setup Complete!
  • User and Team Provisioning
  • Option 1 (Recommended): Provisioning Users and Groups
  • Option 2: Provisioning Users Only

Was this helpful?

Export as PDF
  1. SSO Identity Providers

Google Workspace

How to configure Keeper SSO Connect Cloud with Google Workspace for seamless and secure SAML 2.0 authentication, user provisioning and group provisioning.

PreviousF5NextGoogle Workspace User and Group Provisioning with Cloud Function

Last updated 1 year ago

Was this helpful?

Please complete the steps in the section first.

Google Workspace supports the following integration with Keeper:

  • SSO authentication with SAML 2.0

  • Automatic Provisioning with Google Cloud APIs and SCIM (Users and Groups)

  • Automatic Provisioning with SCIM (Users only)

You can configure with SSO, SSO+Provisioning or Provisioning by itself.

Google Workspace SAML Configuration

Visit the Apps > Web and Mobile Apps screen.

Then select "Add App" and select "Search for apps".

In the "Enter app name" search area, search for "Keeper" and select the "Keeper Web (SAML)" app.

Setup Keeper App

Use Option 1 to Download IdP metadata and then select Continue.

Service Provider Details

On the Service Provider Details screen, there are a few fields to fill out. You will replace the ACS URL and the Entity ID with the values that you'll be using from your SSO Connect Cloud instance.

To obtain the ACS URL and Entity ID, locate your SSO Connect Cloud Provisioning method, within the Keeper Admin Console, and select View.

Within the Service Provider section you will find the values for the ACS URL and Entity ID.

Copy and Paste the ACS URL, Entity ID into the Service Provider Details and select "Signed Response" and select CONTINUE.

Attribute Mapping

In the Attributes screen, ensure that there are 3 mappings exactly as they appear below. Set the mappings field to "First Name", "Last Name" and "Primary Email", as displayed below, and select Finish. You have completed your Google Workspace SAML integration into Keeper.

If you have selected / created a Custom SAML App, you'll need to click on "Add New Mapping" to create the 3 fields: First, Last and Email. The spelling needs to be exact.

Keeper SAML App Details

Once complete, you will be taken to Keeper SAML App Details Page in which provides you a quick detail overview of the SAML connection and service. Click within the area where it states OFF for everyone to enable SSO for your users.

Enable SSO Connect on Everyone

To enable Keeper SSO Connect, for your users, select ON for everyone and select SAVE.

Enable SSO Connect on Groups

To enable Keeper SSO Connect on specific groups, select Groups to the left of the Service status, search and select the Group in which you want associated to the Keeper SSO Connect App, select / tick "ON" the select SAVE.

Note: Google does not currently support Group provisioning to Keeper teams.

Import Google Workspace Metadata

Back on the Keeper Admin console, locate your SSO Connect Cloud Provisioning method and select Edit.

Select Browse Files and select the Google Metadata file previously downloaded.

You will know this was successful when your metadata file reflects within your provisioning method. You may now exit the provisioning configuration.

Note about Single Logout (SLO) Settings with Google Workspace

As of 2022, Google defaults the configuration to not enable Single Logout. This means logging out of Keeper does not initiate a full logout of Google.

SSO Setup Complete!

Your Keeper SSO Connect setup with Google Workspace is now complete! Users can now login into Keeper using their Google account by following the below steps:

  1. Open the Keeper vault and click on "Enterprise SSO Login".

  2. Type in the Enterprise Domain that was provided to the Keeper Admin Console when setting up SSO. On the SSO Connect status screen it is called "SSO Connect Domain".

  3. Click "Connect" and login with your Google Workspace credentials.

User and Team Provisioning

Next, we'll show how to configure User and Team Provisioning from Google Workspace. There are two methods of integrating with Google Workspace.

Option 1 (Recommended): Provisioning Users and Groups

Since Google Workspace doesn't natively support SCIM Groups, Keeper has developed a Google Cloud Function that integrates with Google Workspace for automated user and group provisioning. Step by step instructions for setting up this service is documented below:

Option 2: Provisioning Users Only

To provision users directly from Google Workspace to Keeper using a direct SCIM integration, follow the guide below (this only provisions users, not groups):

To access Google Workspace Admin Console, login to

For the end-user experience (Keeper-initiated Login Flow) see the guide below:

End-user Video Tour for SSO Users is here:

https://admin.google.com/
https://docs.keeper.io/user-guides/enterprise-end-user-setup-sso#keeper-initiated-login-flow
https://vimeo.com/329680541
Google Workspace User and Team Provisioning with Cloud Service
Google Workspace User Provisioning with SCIM
Admin Console Configuration
Web and mobile apps
Add new Keeper SAML App
Select Keeper Web (SAML) app
Download Google Metadata
Keeper SP Details
SSO Connect Cloud Info
ACS URL and Entity ID
Keeper SP Details Filled
Google Attributes
Edit SSO Connect Cloud
Upload Google Metadata File