How to configure Keeper SSO Connect Cloud with Google Workspace for seamless and secure SAML 2.0 authentication, user provisioning and group provisioning.
Please complete the steps in the Admin Console Configuration section first.
Google Workspace supports the following integration with Keeper:
SSO authentication with SAML 2.0
Automatic Provisioning with Google Cloud APIs and SCIM (Users and Groups)
Automatic Provisioning with SCIM (Users only)
You can configure with SSO, SSO+Provisioning or Provisioning by itself.
To access the Google Workspace Admin Console, log in at https://admin.google.com/
Visit the Apps > Web and Mobile Apps screen.
Then select "Add App" and select "Search for apps".
In the "Enter app name" search area, search for "Keeper" and select the "Keeper Web (SAML)" app.
Use Option 1 to Download IdP metadata and then select Continue.
On the Service Provider Details screen, there are a few fields to fill out. You will replace the ACS URL and the Entity ID with the values that you'll be using from your SSO Connect Cloud instance.
To obtain the ACS URL and Entity ID, locate your SSO Connect Cloud provisioning method within the Keeper Admin Console and select View.
Within the Service Provider section you will find the values for the ACS URL and Entity ID.
Copy and paste the ACS URL and Entity ID into the Service Provider Details, select "Signed Response" and select CONTINUE.
In the Attributes screen, ensure that there are exactly 3 mappings. Set the Google Directory fields to "First Name", "Last Name" and "Primary Email", mapped to the corresponding Keeper app attributes, and select Finish. You have completed your Google Workspace SAML integration into Keeper.
If you have selected or created a Custom SAML App, you'll need to click on "Add New Mapping" to create the 3 fields: First, Last and Email. The spelling needs to be exact.
Once complete, you will be taken to the Keeper SAML app details page, which provides a quick overview of the SAML connection and service. Click the area that states "OFF for everyone" to enable SSO for your users.
To enable Keeper SSO Connect for all of your users, select "ON for everyone" and select SAVE.
To enable Keeper SSO Connect for specific groups only, select Groups to the left of the Service status, search for and select the group you want associated with the Keeper SSO Connect app, tick "ON" and then select SAVE.
Note: Google does not currently support Group provisioning to Keeper teams.
Back on the Keeper Admin console, locate your SSO Connect Cloud Provisioning method and select Edit.
Select Browse Files and select the Google Metadata file previously downloaded.
You will know this was successful when the metadata file is shown within your provisioning method. You may now exit the provisioning configuration.
As of 2022, Google's default configuration does not enable Single Logout (SLO). This means logging out of Keeper does not initiate a full logout of Google.
Your Keeper SSO Connect setup with Google Workspace is now complete! Users can now log in to Keeper using their Google account by following the steps below:
Open the Keeper vault and click on "Enterprise SSO Login".
Type in the Enterprise Domain that was provided to the Keeper Admin Console when setting up SSO. On the SSO Connect status screen it is called "SSO Connect Domain".
Click "Connect" and login with your Google Workspace credentials.
For the end-user experience (Keeper-initiated Login Flow) see the guide below: https://docs.keeper.io/user-guides/enterprise-end-user-setup-sso#keeper-initiated-login-flow
End-user Video Tour for SSO Users is here: https://vimeo.com/329680541
Next, we'll show how to configure User and Team Provisioning from Google Workspace. There are two methods of integrating with Google Workspace.
Since Google Workspace doesn't natively support SCIM Groups, Keeper has developed a Google Cloud Function that integrates with Google Workspace for automated user and group provisioning. Step-by-step instructions for setting up this service are documented below:
Google Workspace User and Team Provisioning with Cloud Service
To provision users directly from Google Workspace to Keeper using a direct SCIM integration, follow the guide below (this only provisions users, not groups):
Google Workspace User Provisioning with SCIM
Directly integrating SCIM into Google Workspace for User provisioning
This document provides instructions for provisioning users from Google Workspace to Keeper using a direct SCIM integration. This method does not support pushing Groups and Group assignments. If you require group push and group assignments, see the next guide: Google Workspace User and Team Provisioning with Cloud Service.
User Provisioning provides several features for lifecycle management:
New users added to Google Workspace will get an email invitation to set up their Keeper vault
Users can be assigned to Keeper on a user or team basis
When a user is de-provisioned, their Keeper account will be automatically locked
From the Keeper Admin Console, go to the Provisioning tab for the Google Workspace node and click "Add Method".
Select SCIM and click Next.
Click on "Create Provisioning Token"
The URL and Token displayed on the next screen will be provided to Google in the Google Workspace Admin Console. Save the URL and Token in a file somewhere temporarily and then click Save.
Make sure to save these two parameters (URL and Token) and then click Save or else provisioning will fail.
Back on the Google Workspace admin console, go to Home > Apps > SAML Apps and click on the "Provisioning Available" text of the Keeper app you set up.
Select Configure auto-provisioning towards the bottom of the page.
Paste the Access Token previously saved when you created your SCIM Provisioning Method in the Keeper Admin Console and select CONTINUE.
Paste the Endpoint URL previously saved when you created your SCIM Provisioning Method in the Keeper Admin Console and select CONTINUE.
Leave the default Attribute mappings as they are and click CONTINUE.
If you will be provisioning all users assigned to the Keeper SSO Connect app, you can simply select CONTINUE.
At the Deprovisioning Screen, you can simply select FINISH to automate the deprovisioning of your users.
Once auto-provisioning setup is finished, you will be taken back to the details screen of the Keeper app, where Auto-provisioning is shown as inactive. Toggle this to Active.
Once toggled, a pop-out window will appear confirming that you are ready to turn on auto-provisioning. Select TURN ON.
You will be taken back to the details screen of the Keeper app. You now see Auto-provisioning is Active.
Auto-provisioning is complete. Going forward, new users who are configured to use Keeper in Google Workspace and fall within the provisioning scope will receive invitations to use the Keeper Vault and will be managed by Google Workspace.
If you would like to provision users to Keeper via Google Workspace SCIM provisioning, but you do NOT want to authenticate users via SSO, please follow the below instructions:
Following the same steps as above to set up SSO, on the Service Provider Details screen replace the ACS URL and the Entity ID with values that point to a domain you control but that are "null", i.e. there is nothing listening at them. Example: Entity ID = https://null.yourdomain.com/sso-connect, ACS URL = https://null.yourdomain.com/sso-connect/saml/sso
Once the Keeper application is set up in Google Workspace, turn on the automated provisioning method as described above in this document.
Note: Google does not currently support Group provisioning to Keeper teams.
If you receive the error "not_a_saml_app" please ensure that you have turned "Auto-provisioning" to "ON" in the SAML application.
Google's IdP X.509 certificates for signing SAML assertions are set to expire after 5 years. In the Google Workspace "Manage Certificates" section, make note of the expiration date and set a calendar alert well ahead of it to prevent an outage.
When the certificate is expiring soon, or if the certificate has expired, you can follow the instructions below.
Log in to the Google Workspace Admin Console: https://admin.google.com
Click on Apps then select Web and Mobile Apps.
Select Keeper app
Expand service provider
Click “Manage Certificates”
Click “ADD CERTIFICATE”
Click “DOWNLOAD METADATA”
Save the metadata file. This is the IdP metadata.
Log in to the Keeper Admin Console
Navigate to Admin > SSO Node > Provisioning > Edit SSO Cloud provisioning method
Upload the Google IdP metadata into Keeper
For more information on this topic, see Google's support page:
https://support.google.com/a/answer/7394709
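The reminder described above can be automated. The following Go program is an added example (not Keeper's or Google's code): it reads the NotAfter date of the signing certificate out of a downloaded Google IdP metadata file and flags it when it falls inside a warning window. The idpMetadata struct, the function names and the ConstructedMetadata fixture, which generates a throw-away self-signed certificate in place of a real download, are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Only the certificates are needed; encoding/xml matches by local name, so Google's md:/ds: prefixes do not matter.
type idpMetadata struct {
	Certs []string `xml:"IDPSSODescriptor>KeyDescriptor>KeyInfo>X509Data>X509Certificate"`
}

// SigningCertExpiry parses IdP metadata XML and returns the earliest
// NotAfter among the certificates it carries.
func SigningCertExpiry(metadata string) (time.Time, error) {
	var m idpMetadata
	if err := xml.Unmarshal([]byte(metadata), &m); err != nil {
		return time.Time{}, err
	}
	if len(m.Certs) == 0 {
		return time.Time{}, fmt.Errorf("no X509Certificate element in metadata")
	}
	var earliest time.Time
	for _, b64 := range m.Certs {
		// The base64 body may be indented or line-wrapped; strip all whitespace.
		der, err := base64.StdEncoding.DecodeString(strings.Join(strings.Fields(b64), ""))
		if err != nil {
			return time.Time{}, err
		}
		cert, err := x509.ParseCertificate(der)
		if err != nil {
			return time.Time{}, err
		}
		if earliest.IsZero() || cert.NotAfter.Before(earliest) {
			earliest = cert.NotAfter
		}
	}
	return earliest, nil
}

// NeedsRotation reports whether expiry is within warnDays of now (or already past), i.e. a new certificate should be added in Google.
func NeedsRotation(expiry, now time.Time, warnDays int) bool {
	return !expiry.After(now.AddDate(0, 0, warnDays))
}

// ConstructedMetadata is a test fixture (an assumption, not a Google download): it wraps a fresh
// self-signed certificate expiring at notAfter in metadata shaped like Google's, so the example runs offline.
func ConstructedMetadata(notAfter time.Time) string {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // rand.Reader does not fail in practice
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed-idp"},
		NotBefore: notAfter.AddDate(-5, 0, 0), NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	return fmt.Sprintf(`<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example/constructed"><md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:IDPSSODescriptor></md:EntityDescriptor>`, base64.StdEncoding.EncodeToString(der))
}
```

Run SigningCertExpiry against the metadata file you downloaded from Google and alert when NeedsRotation returns true for your chosen window.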
Users created in the root node (top level) will need to be migrated to the sub node that the SSO integration was configured on. If users remain in the root node, they will be prompted for the master password when accessing the vault and/or admin console.
An admin cannot move themselves to the SSO-enabled node. It requires another admin to perform this action.
After the user is moved to the SSO-enabled node, they need to log into the Keeper vault initially by selecting the "Enterprise SSO" pull-down and entering the Enterprise Domain configured on the SSO integration. The user may be prompted to confirm by entering the master password.
Once the user has authenticated with SSO, they only need to use their email address moving forward to initiate SSO authentication.
If typing in the email address and clicking Next does not route the user to the desired SSO, ensure that just-in-time provisioning is enabled in the Keeper SSO configuration and ensure that your email domain is reserved by Keeper. More information regarding routing and domain reservation can be found here.
Step by Step guide to automatically provisioning Users and Groups from Google Workspace using a Cloud Function
This document describes how to automatically provision users from Google Workspace to Keeper using a Google Cloud Function, which includes the provisioning of Users, Groups and user assignments. User and Team Provisioning provides several features for lifecycle management:
You can specify which Google Groups and/or users are provisioned to Keeper
Matching of Groups can be performed by Group name or Group email
Google Groups assigned to Keeper are created as Keeper Teams
Keeper Teams can be assigned to Shared Folders in the vault
New users added to the group are automatically invited to Keeper
Group and user assignments are applied every sync
When a user is de-provisioned, their Keeper account will be automatically locked
The process is fully cloud-based. No on-prem infrastructure or services are required.
Processing can be performed on your desired scheduler or on-demand
The setup steps in this section allow you to provision users and groups from your Google Workspace account. Setting up this method requires access to several resources:
Keeper Secrets Manager is used in this implementation to perform the most secure method of integration between Google and Keeper, ensuring least privilege. If you don't use Keeper Secrets Manager, please contact the Keeper customer success team.
Log in to Google Cloud and create a project or choose an existing project. The project name can be "Keeper SCIM Push" or whatever you prefer.
In the APIs & Services menu, click +ENABLE APIS AND SERVICES.
In the "Search for APIs & Services" box, enter Admin SDK API.
Click ENABLE.
The service account created here will be used to access the Google Workspace user and group information.
In the IAM and Admin menu, select Service accounts.
Click +CREATE SERVICE ACCOUNT, with the suggested service account name keeper-scim.
For the newly created service account, click Actions (the three dots) and select Manage Keys.
Click ADD KEYS -> Create New Key.
Choose the JSON key type, then click CREATE.
A JSON file with the service account credentials will be downloaded to your computer.
Rename this file to credentials.json and add it as an attachment to your Keeper configuration record that was created in the Setup Steps above.
Navigate to your Service Account and select the DETAILS tab > Advanced Settings.
In the Domain-wide delegation section, copy the Client ID. You will need to grant this Client ID access to the Google Workspace Directory in the next step.
In the Google Workspace Panel (https://admin.google.com):
Navigate to Security -> API controls.
Under Domain wide delegation, click MANAGE DOMAIN WIDE DELEGATION.
Click Add new in API Clients.
Paste the Client ID (copied from the previous step).
Paste the following text into OAuth scopes (comma-delimited).
Click AUTHORIZE.
Note: These scopes grant the Service Account read-only access to Google Workspace Directory Users, Groups and Membership.
In Google Workspace (https://admin.google.com), navigate to Account -> Account settings.
Copy the Primary admin email (upper right area) to the clipboard for use in the next step.
In your Keeper Vault, create a new Shared Folder. This folder can be named anything, for example "Google SCIM Push". The user and record permissions for this folder can be set any way you prefer.
Assuming that you have Keeper Secrets Manager enabled and activated for this vault, click on Secrets Manager on the left side and then select Create Application.
Call the application "Google SCIM Push" (or whatever you prefer) and click Generate Access Token. This token will be discarded and not used in this scenario.
Next, select the "Google SCIM Push" application from the list, click Edit, then Add Device.
Select the base64 configuration and download it to your computer.
Save the file to your computer as config.base64.
From the Keeper Admin Console, go to the Provisioning tab for the Google Workspace node and click "Add Method".
Select SCIM and click Next.
Click on "Create Provisioning Token"
The URL and Token displayed on the screen will be used in the next step. Save the URL and Token in a file somewhere temporarily and then click Save.
Make sure to save these two parameters (URL and Token) before clicking Save. These parameters are used in the next step.
Inside the Shared Folder created in step 7, create a Keeper record that contains the fields listed in the record fields table at the end of this document:
All Groups and users within the specified Groups will be provisioned to Keeper.
You can specify either the Group Email address or the Group Name in the list of groups. Keeper will match either value and provision all associated users and groups.
The Group Name and Group Email are CASE SENSITIVE.
At this point, the configuration on Keeper is complete. The remaining steps are performed back on the Google Cloud console by setting up a Cloud Function.
From the Google Cloud console, open Cloud Functions and then click CREATE FUNCTION.
Select the "2nd gen" environment.
Select Function name of keeper-scim-push
Select your preferred region and note this for later
Trigger is HTTPS
Authentication set to Require authentication
Memory allocated: 256MiB
CPU: 0.333
Timeout: 120 seconds
Concurrency: 1
Autoscaling min: 0
Autoscaling max: 1
Runtime service account: select the Default compute service account.
If the Default compute service account does not exist yet, select a different account temporarily then go back and edit the service account after saving.
Below is an example full configuration:
Create two variables:
Set Name 1 to KSM_CONFIG_BASE64 and Value 1 to the contents of the KSM configuration file generated in Step 8.
Set Name 2 to KSM_RECORD_UID and Value 2 to the UID of the record created in the vault in Step 10.
You can find the Record UID by clicking on the (info) icon from the Keeper vault record. Click on the Record UID to copy the value.
Click on CONNECTIONS and select "Allow internal traffic only"
Scroll down and click NEXT to upload the Cloud Function source.
Visit the Keeper Google SCIM Push release page: https://github.com/Keeper-Security/ksm-google-scim/releases
Download the source.zip file and save it to your computer.
Select Runtime of Go 1.21
Select Source code of Zip Upload
Type Entry point of GcpScimSyncHttp
Zip upload destination bucket: Create a bucket with any name you choose, using the default bucket permissions (not public).
Zip file: upload the source.zip file saved in the step above.
Click DEPLOY to create the Cloud Function. After a few minutes, the function will be created and published.
The function is private and requires authentication, so the next step is creating a Cloud Scheduler.
From the Cloud Function screen, copy the URL as seen below:
From the Google Cloud console, search for Cloud Scheduler and open it.
Click SCHEDULE A JOB
Set any description, such as "Keeper SCIM Push for Google Workspace"
Set the frequency, for example 0 * * * * to run once per hour.
Set the Timezone according to your location
Set the Target type to HTTP
Set the URL to the Cloud Function URL copied from Step 13 above
Set the HTTP method to GET
Set the Auth Header to Add OIDC token
Set the Service account to Default compute service account
Click CONTINUE, then CREATE.
On the Scheduler Jobs screen, the job will now be listed. To force execution, click on the overflow menu on the right side and select Force run. This will execute the Cloud Function immediately.
If successful, the status of the last execution will show success.
To ensure that Keeper received the sync information, login to the Keeper Admin Console. You will see a list of any pending / invited users, teams and team assignments.
Once the process is working successfully, delete all local files and secrets created during this process.
IMPORTANT: Delete all local or temporary files on your computer, such as:
config.base64 file
credentials.json file
SCIM tokens
Any other screenshots or local files generated in this process
By default, "unmanaged" teams and team assignments in the Keeper Admin Console will not be deleted during the sync process. However, if your preferred method of syncing is to delete any unmanaged teams or team assignments, you can create a custom field named "Destructive" in the Keeper record and set it to one of the values listed in the "Destructive" table at the end of this document.
Setting a custom field named "Verbose" in the Keeper record to 1 turns on verbose logging in the Google Cloud Function logs (see the Verbose table at the end of this document).
Keeper performs exact string matches on the Group Name or Group Email address when performing Cloud Function provisioning. The group name and email are case sensitive.
Users in an invited state are not added to assigned teams until the user creates their vault and the Keeper administrator logs in to the Admin Console. Team membership can also be performed when another member of the team logs in to the vault. Clicking "Sync" from the Admin Console will also perform the additions.
Some operations such as the creation of Teams can only occur upon logging into the Keeper Admin Console, or when running the Keeper Automator service. This is because encryption keys need to be generated.
For large deployments, we recommend setting up the Keeper Automator service to automate and streamline the process of device approvals, user approvals and team approvals.
When you would like to add new Groups, simply add them to the list inside the Keeper vault record as described in Step 10. Keeper will search on either Group email or Group name when identifying the target.
Nested groups in Google Workspace will be flattened when syncing to Keeper. Users from the nested groups are added to the parent group on the Keeper side.
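To make the matching, flattening and deletion rules above concrete, here is an added Go example; it is not code from the ksm-google-scim project. It applies the exact, case-sensitive match on Group Name or Group Email, flattens nested groups into the parent (with a guard against membership cycles), and applies the -1/0/1 values of the "Destructive" field. The GoogleGroup type, the function names and the idea that Keeper teams are tracked by name with a SCIM-managed flag are assumptions made for this example.

```go
package main

import "sort"

// GoogleGroup is a constructed stand-in for a Directory API group; a member that is itself a group email is a nested group.
type GoogleGroup struct {
	Email, Name string
	Members     []string
}

// SelectGroups keeps the groups whose Name or Email exactly equals a line of
// the record's "SCIM Group" field; the comparison is case-sensitive.
func SelectGroups(scimGroupLines []string, all []GoogleGroup) []GoogleGroup {
	wanted := map[string]bool{}
	for _, l := range scimGroupLines {
		wanted[l] = true
	}
	var out []GoogleGroup
	for _, g := range all {
		if wanted[g.Name] || wanted[g.Email] {
			out = append(out, g)
		}
	}
	return out
}

// FlattenMembers resolves nested groups into one sorted, de-duplicated list
// of user emails for the parent group; visited guards against cycles.
func FlattenMembers(g GoogleGroup, byEmail map[string]GoogleGroup) []string {
	users, visited := map[string]bool{}, map[string]bool{}
	var walk func(GoogleGroup)
	walk = func(cur GoogleGroup) {
		if visited[cur.Email] {
			return
		}
		visited[cur.Email] = true
		for _, m := range cur.Members {
			if nested, ok := byEmail[m]; ok {
				walk(nested)
			} else {
				users[m] = true
			}
		}
	}
	walk(g)
	out := make([]string, 0, len(users))
	for u := range users {
		out = append(out, u)
	}
	sort.Strings(out)
	return out
}

// PlanTeamDeletions applies the "Destructive" field: -1 deletes nothing, 0 (default) deletes only
// SCIM-managed teams no longer in scope, 1 also deletes unmanaged teams. existing maps team name to its SCIM-managed flag.
func PlanTeamDeletions(destructive int, existing, desired map[string]bool) []string {
	var del []string
	for team, managed := range existing {
		if !desired[team] && (destructive > 0 || (destructive == 0 && managed)) {
			del = append(del, team)
		}
	}
	sort.Strings(del)
	return del
}
```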
When new versions of the Cloud Function are created, updating the code is very simple:
Download a new source.zip file from the Releases page of the ksm-google-scim GitHub repo
Navigate to the Cloud Functions area of Google Cloud
Click on the cloud function details and click EDIT
Click on Code
Under Source code select "ZIP Upload"
Select the source.zip file saved to your computer
Click DEPLOY
Wait a few minutes for the new function to deploy
Navigate to Cloud Scheduler
Click on Actions > Force Run
Keeper record fields (the record created in the Shared Folder):

Field | Value |
---|---|
Login | Google Workspace admin email |
Password | SCIM Token generated from Step 9 above |
Website Address | SCIM URL generated from Step 9 above |
credentials.json | File attachment from Step 3 with Google Service Account credentials |
SCIM Group | Multi-line custom text field containing a list of all groups to be provisioned. The names can either be Group Email or Group Name. |

"Destructive" custom field values:

"Destructive" Field Value | Description |
---|---|
-1 | Nothing is deleted on the Keeper side during sync |
0 (Default) | Only SCIM-controlled Groups and Membership can be deleted during sync. |
1 | Any manually created or SCIM-controlled Groups and Memberships can be deleted during sync. |

Verbose custom field values:

Verbose Field Value | Description |
---|---|
0 (Default) | No logging |
1 | Verbose logging enabled |