G Suite (Google Workspace) Configuration

How to configure Keeper SSO Connect On-Prem with Google for seamless and secure SAML 2.0 authentication.


For a 100% cloud-based integration with Google Workspace, see Keeper SSO Connect Cloud.

G Suite supports the following integration with Keeper:

  • SSO authentication with SAML 2.0

  • Automatic Provisioning with SCIM

You can configure SSO, SSO+SCIM or SCIM without SSO.

G Suite Setup

To access the G Suite Admin Console, log in to https://gsuite.google.com.

Visit the Apps screen.

Click on SAML apps

On the lower right click on the ( + ) button to create a SAML app.

Setup Keeper App

Search for Keeper and select the application.

IdP Information

On the Google IdP Information screen, download the IDP metadata and save it to your computer (Note: this is the file you need to drag & drop into the Keeper SSO Connect screen).

Service Provider Details

On the Service Provider Details screen, there are a few fields to fill out. Replace {host name} and {port} with the values from your SSO Connect instance.

Type in the ACS URL, Entity ID and select "Signed Response". For example, in the setup below, sso2.lurey.com is the host name and 8443 is the port.

You must also check the box for "Signed Response".

Attribute Mapping

In the Attribute Mapping screen, ensure that there are 3 mappings exactly as they appear below. Set the First, Last and Email fields to "First Name", "Last Name" and "Primary Email" as displayed below.

If you have selected a Custom App, you'll need to click on "Add New Mapping" to create the 3 fields: First, Last and Email. The spelling needs to be exact.

Click FINISH and your G Suite setup is complete. You will be informed that you still need to import the IDP data on Keeper SSO Connect.
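
If logins fail after setup, the two settings above (the exact First, Last and Email attribute names, and "Signed Response") can be checked against a captured SAML Response. The following is an added example, not Keeper's or Google's code: it assumes you have already captured and base64-decoded a SAMLResponse from your own login, the function name and sample document are constructed, and it inspects structure only without verifying the signature.

```python
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REQUIRED = ("First", "Last", "Email")  # names from the Attribute Mapping screen

def check_response(xml_text):
    """Return a list of configuration problems found in a decoded SAML Response."""
    root = ET.fromstring(xml_text)
    problems = []
    # With "Signed Response" checked, ds:Signature sits directly under the
    # Response element, not only inside the Assertion.
    if root.find("ds:Signature", NS) is None:
        problems.append("Response element is not signed (is 'Signed Response' checked?)")
    names = [a.get("Name") for a in root.findall(".//a:AttributeStatement/a:Attribute", NS)]
    for want in REQUIRED:
        if want in names:
            continue
        # Look for a near miss such as wrong case or a longer name.
        near = [n for n in names if n and n.replace(" ", "").lower().startswith(want.lower())]
        hint = f" (found {near[0]!r}; spelling must be exact)" if near else ""
        problems.append(f"missing attribute {want!r}{hint}")
    return problems

# Constructed sample: only the Assertion is signed and two attribute names are misspelled.
SAMPLE = """<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <a:Assertion><ds:Signature/>
    <a:AttributeStatement>
      <a:Attribute Name="First"><a:AttributeValue>Ada</a:AttributeValue></a:Attribute>
      <a:Attribute Name="LastName"><a:AttributeValue>Example</a:AttributeValue></a:Attribute>
      <a:Attribute Name="email"><a:AttributeValue>ada@example.com</a:AttributeValue></a:Attribute>
    </a:AttributeStatement>
  </a:Assertion>
</p:Response>"""

if __name__ == "__main__":
    for problem in check_response(SAMPLE):
        print(problem)
```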

Enable SSO Connect

To enable Keeper SSO Connect for your users, select the more button and enable:

Alternatively, you can click on the Keeper SAML app and Edit the service to configure specific groups that have access:

Import G Suite Metadata

Back on the Keeper SSO Connect application configuration screen, drag-and-drop the metadata file into the SAML Metadata section of Keeper SSO Connect:

Click Save and verify that all of the parameters match your G Suite SAML connection screens.

Once you save, assuming that you have already configured the SSL certificate and other parameters, your Keeper SSO Connect instance should show as fully operational in the Status screen:

Note about Single Logout (SLO) Settings with Google G Suite

As of right now, G Suite does not support "Single Logout" at the application level. This means that users who explicitly log out of Keeper will also be logged out of their other Google services. Single Logout (SLO) is a feature of many identity providers which logs the user out of the specific application. Unfortunately, Google doesn't support this yet.

If you want to prevent full SAML Logout from all SAML apps you should change the IDP type in the previous step to Default. Don't set it to Google, which will log you out of Gmail and all other Google apps on SAML Logout.

If you prefer that clicking "Logout" from Keeper does not log you out of Google, then simply change the SSO Connect configuration to select the "Default" provider instead of Google in the drop-down. However you should be aware of the consequences from a security perspective:

  • Keeper's session will be logged out, however logging back into the vault will not prompt the user to re-enter their Google login credentials while the browser's Google session is still active.

  • From a user perspective this is a more friendly, less disruptive flow

  • From a security perspective, be aware the Google account therefore controls the session handling of the Keeper vault on that user's browser.

SSO Setup Complete!

Your Keeper SSO Connect setup with G Suite is now complete! Users can now log in to Keeper using their Google account by following the steps below:

  1. Open the Keeper vault and click on "Enterprise SSO Login".

  2. Type in the Enterprise Domain that was provided to the Keeper Admin Console when setting up SSO. On the SSO Connect status screen it is called "SSO Connect Domain".

  3. Click "Connect" and login with your G Suite credentials.

Next, we'll show how to configure User Provisioning using SCIM.

User Provisioning with SCIM

User Provisioning provides several features for lifecycle management:

  • New users added to G Suite will be sent an email invitation to set up their Keeper vault

  • Users can be assigned to Keeper on a user or team basis

  • When a user is de-provisioned, their Keeper account will be automatically locked

Note: Google does not support Group provisioning to Keeper teams. When they implement this feature, this will allow the Keeper user to be placed into Teams that are synchronized between G Suite and Keeper.

From the Keeper Admin Console, go to the Provisioning tab for the G Suite node and click Add Method.

Select SCIM and click Next.

Click on "Create Provisioning Token"

The URL and Token displayed on the next screen will be provided to Google in the G Suite Admin Console. Save the URL and Token in a file somewhere temporarily and then click Save.

Make sure to save these two parameters (URL and Token) and then click Save or else provisioning will fail.

Back on the G Suite admin console, go to Home > Apps > SAML Apps and click on the "Provisioning Available" text of the Keeper app you set up.

Click on Set Up User Provisioning

Paste the provisioning token that was saved above into this next screen and click Next.

Paste the URL saved above into the endpoint URL field and click Next.

Leave the Map attributes to default settings and click Next.

If you would like to assign Keeper to a specific group, you can set the Provisioning Scope in the next screen. If you are using SSO, ensure that the groups with provisioning access are also assigned Keeper SSO access. Click Finish when complete.

Ignore this error message below, it's a Google bug.

Next, you can activate provisioning.

You may need to click "Activate Provisioning" to turn it on.

User Provisioning will display as ON.

User provisioning setup is complete. Moving forward, new users who have been configured to use Keeper in G Suite and are within the provisioning scope definitions will receive invites to Keeper and be under the control of G Suite.

User Provisioning without using SSO

If you would like to provision users to Keeper via G Suite SCIM provisioning, but you do NOT want to authenticate users via SSO, please follow the below instructions:

  • Using this guide, follow the steps of SSO configuration, but use an SSO URL and Entity ID that point to a domain name which you control but which is not actually a live SSO Connect instance (e.g. null.mycompany.com)

  • Once the Keeper application is set up in G Suite, turn on the automated provisioning method as described in this document.

Google Certificate Updates

Google's IdP X.509 certificates for signing SAML assertions are set to expire after 5 years. In the Google Workspace "Manage Certificates" section, make note of the expiration date and set a calendar alert ahead of it to prevent an outage.

When the certificate is expiring soon, or if the certificate has expired, you can follow the instructions below.

  1. Click on Apps then select Web and Mobile Apps.

  2. Select Keeper app

  3. Expand service provider

  4. Click “Manage Certificates”

  5. Click “ADD CERTIFICATE”

  6. Click “DOWNLOAD METADATA”

  7. Save the metadata file. This is the IdP metadata.

  8. Login to the Keeper Admin Console

  9. Navigate to Admin > SSO Node > Provisioning > Edit SSO Cloud provisioning method

  10. Upload the Google IdP metadata into Keeper

For more information on this topic, see Google's support page: https://support.google.com/a/answer/7394709

For the end-user experience (Keeper-initiated Login Flow) see the guide below: https://docs.keeper.io/user-guides/enterprise-end-user-setup-sso#keeper-initiated-login-flow

End-user Video Tour for SSO Users is here: https://vimeo.com/329680541

Login to Google Workspace Admin Console: https://admin.Google.com