Google Workspace
How to configure Keeper SSO Connect Cloud with Google Workspace for seamless and secure SAML 2.0 authentication, user provisioning and group provisioning.
Last updated
Was this helpful?
SSO Connect Cloud
How to configure Keeper SSO Connect Cloud with Google Workspace for seamless and secure SAML 2.0 authentication, user provisioning and group provisioning.
Last updated
Was this helpful?
Please complete the steps in the section first.
Google Workspace supports the following integration with Keeper:
SSO authentication with SAML 2.0
Automatic Provisioning with Google Cloud APIs and SCIM (Users and Groups)
Automatic Provisioning with SCIM (Users only)
You can configure with SSO, SSO+Provisioning or Provisioning by itself.
Visit the Apps > Web and Mobile Apps screen.
Then select "Add App" and select "Search for apps".
In the "Enter app name" search area, search for "Keeper" and select the "Keeper Web (SAML)" app.
Use Option 1 to Download IdP metadata and then select Continue.
On the Service Provider Details screen, there are a few fields to fill out. You will replace the ACS URL and the Entity ID with the values that you'll be using from your SSO Connect Cloud instance.
To obtain the ACS URL and Entity ID, locate your SSO Connect Cloud Provisioning method, within the Keeper Admin Console, and select View.
Within the Service Provider section you will find the values for the ACS URL and Entity ID.
Copy and Paste the ACS URL, Entity ID into the Service Provider Details and select "Signed Response" and select CONTINUE.
In the Attributes screen, ensure that there are 3 mappings exactly as they appear below. Set the mappings field to "First Name", "Last Name" and "Primary Email", as displayed below, and select Finish. You have completed your Google Workspace SAML integration into Keeper.
Once complete, you will be taken to Keeper SAML App Details Page in which provides you a quick detail overview of the SAML connection and service. Click within the area where it states OFF for everyone to enable SSO for your users.
To enable Keeper SSO Connect, for your users, select ON for everyone and select SAVE.
To enable Keeper SSO Connect on specific groups, select Groups to the left of the Service status, search and select the Group in which you want associated to the Keeper SSO Connect App, select / tick "ON" the select SAVE.
Back on the Keeper Admin console, locate your SSO Connect Cloud Provisioning method and select Edit.
Select Browse Files and select the Google Metadata file previously downloaded.
You will know this was successful when your metadata file reflects within your provisioning method. You may now exit the provisioning configuration.
Your Keeper SSO Connect setup with Google Workspace is now complete! Users can now login into Keeper using their Google account by following the below steps:
Open the Keeper vault and click on "Enterprise SSO Login".
Type in the Enterprise Domain that was provided to the Keeper Admin Console when setting up SSO. On the SSO Connect status screen it is called "SSO Connect Domain".
Click "Connect" and login with your Google Workspace credentials.
Next, we'll show how to configure User and Team Provisioning from Google Workspace. There are two methods of integrating with Google Workspace.
Since Google Workspace doesn't natively support SCIM Groups, Keeper has developed a Google Cloud Function that integrates with Google Workspace for automated user and group provisioning. Step by step instructions for setting up this service is documented below:
To provision users directly from Google Workspace to Keeper using a direct SCIM integration, follow the guide below (this only provisions users, not groups):
To access Google Workspace Admin Console, login to
For the end-user experience (Keeper-initiated Login Flow) see the guide below:
End-user Video Tour for SSO Users is here:
