Step by Step guide to automatically provisioning Users and Groups from Google Workspace using a Cloud Function
This document describes how to automatically provision users from Google Workspace to Keeper using a Google Cloud Function, which includes the provisioning of Users, Groups and user assignments. User and Team Provisioning provides several features for lifecycle management:
You can specify which Google Groups and/or users are provisioned to Keeper
Matching of Groups can be performed by Group name or Group email
Google Groups assigned to Keeper are created as Keeper Teams
Keeper Teams can be assigned to Shared Folders in the vault
New users added to the group are automatically invited to Keeper
Group and user assignments are applied every sync
When a user is de-provisioned, their Keeper account will be automatically locked
The process is fully cloud-based. No on-prem infrastructure or services are required.
Processing can be performed on your desired scheduler or on-demand
The setup steps in this section allow you to provision users and groups from your Google Workspace account. Setting up this method requires access to several resources:
Keeper Secrets Manager is used in this implementation to perform the most secure method of integration between Google and Keeper, ensuring least privilege. If you don't use Keeper Secrets Manager, please contact the Keeper customer success team.
Login to Google Cloud and create a project or chose an existing project. The project name can be "Keeper SCIM Push" or whatever you prefer.
In the APIs & Services
click +ENABLE APIS AND SERVICES
In the Search for APIs & Services
enter Admin SDK API
Click ENABLE
The service account created here will be used to access the Google Workspace user and group information.
In the IAM and Admin
menu select Service accounts
Click +CREATE SERVICE ACCOUNT
with suggested service account name: keeper-scim
For newly created service account click Actions
/dots and select Manage Keys
Click ADD KEYS
-> Create New Key.
Choose JSON key type then CREATE
A JSON file with service account credentials will be downloaded to your computer
Rename this file to credentials.json
and add this file as attachment to your Keeper configuration record that was created in the Setup Steps above.
Navigate to your Service Account and select DETAILS
tab > Advanced Settings
In the Domain-wide delegation
section copy the Client ID
. You will need to grant this Client ID access to the Google Workspace Directory in the next step.
In the Google Workspace Panel (https://admin.google.com):
Navigate to Security
-> API controls
Under the Domain wide delegation
click MANAGE DOMAIN WIDE DELEGATION
Click Add new
in API Clients
Paste the Client ID
(copied from previous step)
Paste the following text into OAuth scopes (comma-delimited)
Click AUTHORIZE
- These scopes grant Service Account read-only access to Google Workspace Directory Users, Groups and Membership.
In Google Workspace (https://admin.google.com), navigate to Account
-> Account settings
Copy the Primary admin
email into the clipboard (upper right area) for use in the next step.
In your Keeper Vault, create a new Shared Folder. This folder can be named anything, for example "Google SCIM Push". The user and record permissions for this folder can be set any way you prefer.
Assuming that you have Keeper Secrets Manager enabled and activated for this vault, click on Secrets Manager
from the left side and then select Create Application
.
Call the Application name "Google SCIM Push" (or whatever you prefer) and click Generate Access Token
. This token will be discarded and not used in this scenario.
Next, select the "Google SCIM Push" application from the list, and click on Edit
then Add Device
.
Select the base64 configuration and download it to your computer.
Save the file to your computer as config.base64.
From the Keeper Admin Console, go to the Provisioning tab for the Google Workspace node and click "Add Method".
Select SCIM and click Next.
Click on "Create Provisioning Token"
The URL
and Token
displayed on the screen will be used in the next step. Save the URL and Token in a file somewhere temporarily and then click Save.
Make sure to save these two parameters (URL and Token) and then click Save. These parameters are used in the next step.
Inside the Shared Folder created in step 7, create a Keeper record that contains the following fields:
Field | Value |
---|---|
Login | Google Workspace admin email |
Password | SCIM Token generated from Step 9 above |
Website Address | SCIM URL generated from Step 9 above |
credentials.json | File attachment from Step 3 with Google Service Account credentials |
SCIM Group | Multi-line custom text field containing a list of all groups to be provisioned. The names can either be Group Email or Group Name. |
All Groups and users within the specified Groups will be provisioned to Keeper.
You can specify either the Group Email address or the Group Name in the list of groups. Keeper will match either value and provision all associated users and groups.
The Group Name and Group Email is CASE SENSITIVE
At this point, the configuration on Keeper is complete. The remaining steps are performed back on the Google Cloud console by setting up a Cloud Function.
From the Google Cloud console, open Cloud Functions
and then click CREATE FUNCTION
.
Select environment of "2nd gen
"
Select Function name of keeper-scim-push
Select your preferred region and note this for later
Trigger is HTTPS
Authentication set to Require authentication
Memory allocated: 256MiB
CPU: 0.333
Timeout: 120 seconds
Concurrency: 1
Autoscaling min: 0
Autoscaling max: 1
Runtime service account: select
Under Runtime service account, select the Default compute service account
If the Default compute service account does not exist yet, select a different account temporarily then go back and edit the service account after saving.
Below is an example full configuration:
Create two variables:
Set Name 1 to KSM_CONFIG_BASE64
and Value 1 to the contents of the KSM configuration file generated in Step 8
Set Name 2 to KSM_RECORD_UID
and Value 2 to the record UID created in the vault in Step 10.
You can find the Record UID by clicking on the (info) icon from the Keeper vault record. Click on the Record UID to copy the value.
Click on CONNECTIONS and select "Allow internal traffic only"
Scroll down and click NEXT
to upload the Cloud Function source.
Visit the Keeper Google SCIM Push release page: https://github.com/Keeper-Security/ksm-google-scim/releases
Download the source.zip
file and save it to your computer
Select Runtime of Go 1.21
Select Source code of Zip Upload
Type Entry point of GcpScimSyncHttp
Zip upload destination bucket: Create a bucket with any name you choose, using the default bucket permissions (not public).
Zip file: upload the source.zip
file saved from the above step
Click DEPLOY
to create the Cloud Function. After a few minutes, the function will be created and published.
The function is private and requires authentication, so the next step is creating a Cloud Scheduler.
From the Cloud Function screen, copy the URL as seen below:
From the Google Cloud console, search for Cloud Scheduler and open it.
Click SCHEDULE A JOB
Set any description, such as "Keeper SCIM Push for Google Workspace"
Set the frequency, for example 0 * * * *
for running once per hour
Set the Timezone according to your location
Set the Target type to HTTP
Set the URL to the Cloud Function URL copied from Step 13 above
Set the HTTP method to GET
Set the Auth Header to Add OIDC token
Set the Service account to Default compute service account
Click CONTINUE
then CREATE
On the Scheduler Jobs screen, the job will now be listed. To force execution, click on the overflow menu on the right side and select Force run
.
This will execute the Cloud Function immediately.
If successful, the status of last execution will show success:
To ensure that Keeper received the sync information, login to the Keeper Admin Console. You will see a list of any pending / invited users, teams and team assignments.
Once the process is working successfully, delete all local files and secrets created during this process.
IMPORTANT: Delete all local or temporary files on your computer, such as:
config.base64 file
credentials.json file
SCIM tokens
Any other screenshots or local files generated in this process
By default, "unmanaged" teams and team assignments in the Keeper Admin Console will not be deleted during the sync process. However, if your preferred method of syncing is to delete any unmanaged teams or team assignments, you can simply create a custom field in the Keeper record with a particular value.
"Destructive" Field Value | Description |
---|---|
-1 | Nothing is deleted on the Keeper side during sync |
0 (Default) | Only SCIM-controlled Groups and Membership can be deleted during sync. (Default Setting) |
1 | Any manually created or SCIM-controlled Groups and Memberships can be deleted during sync. |
The Keeper record can be modified to create verbose logs in the Google Cloud Function logs.
Verbose Field Value | Description |
---|---|
0 (Default) | No logging |
1 | Verbose logging enabled |
Keeper performs exact string matches on the Group Name or Group Email address when performing the Cloud Function provisioning. The group name and email is case sensitive.
Users in an invited state are not added to assigned teams until the user creates their vault and the Keeper administrator logs in to the Admin Console. Team membership can also be performed when another member of the team logs in to the vault. Clicking "Sync" from the Admin Console will also perform the additions.
Some operations such as the creation of Teams can only occur upon logging into the Keeper Admin Console, or when running the Keeper Automator service. This is because encryption keys need to be generated.
For large deployments, we recommend setting up the Keeper Automator service to automate and streamline the process of device approvals, user approvals and team approvals.
When you would like to add new Groups, simply add them to the list inside the Keeper vault record as described in Step 10. Keeper will search on either Group email or Group name when identifying the target.
Nested groups in Google Workspace will be flattened when syncing to Keeper. Users from the nested groups are added to the parent group on the Keeper side.
When new versions of the Cloud Function are created, updating the code is very simple:
Download a new source.zip
file from the Releases page of the ksm-google-scim Github repo
Navigate to the Cloud Functions area of Google Cloud
Click on the cloud function details and click EDIT
Click on Code
Under Source code select "ZIP Upload"
Select the source.zip file saved to your computer
Click DEPLOY
Wait a few minutes for the new function to deploy
Navigate to Cloud Scheduler
Click on Actions > Force Run