G Suite (Google Workspace) Configuration
How to configure Keeper SSO Connect On-Prem with Google for seamless and secure SAML 2.0 authentication.
For a 100% cloud-based integration with Google Workspace, see Keeper SSO Connect Cloud.
G Suite supports the following integrations with Keeper:
SSO authentication with SAML 2.0
Automatic Provisioning with SCIM
You can configure SSO, SSO+SCIM or SCIM without SSO.
G Suite Setup
To access the G Suite Admin Console, log in to https://gsuite.google.com.
Visit the Apps screen.
Click on SAML apps
On the lower right click on the ( + ) button to create a SAML app.
Setup Keeper App
Search for Keeper and select the application.
IdP Information
On the Google IdP Information screen, download the IDP metadata and save it to your computer (Note: this is the file you need to drag & drop into the Keeper SSO Connect screen).
Service Provider Details
On the Service Provider Details screen, there are a few fields to fill out. You will replace {host name} and {port} with the values you'll be using from your SSO Connect instance.
Type in the ACS URL, Entity ID and select "Signed Response". For example, in the setup below, sso2.lurey.com is the host name and 8443 is the port.
You must also check the box for "Signed Response".
Attribute Mapping
In the Attribute Mapping screen, ensure that there are 3 mappings exactly as they appear below. Set the First, Last and Email fields to "First Name", "Last Name" and "Primary Email" as displayed below.
If you have selected a Custom App, you'll need to click on "Add New Mapping" to create the 3 fields: First, Last and Email. The spelling needs to be exact.
Click FINISH and your G Suite setup is complete. You will be informed that you still need to import the IdP data into Keeper SSO Connect.
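As an added check (example code written for this guide, not Keeper's or Google's), the Python below inspects a SAML Response the way the two screens above expect it: a Response-level signature ("Signed Response"), a Destination equal to your ACS URL, and exactly the three attributes First, Last and Email. The ACS URL path and the two sample responses are constructed assumptions; use the ACS URL your own SSO Connect screen shows.

```python
# Added example (not Keeper's or Google's code): checks that a SAML Response from
# Google matches the Service Provider Details and Attribute Mapping screens above.
# Only the presence of a Response-level signature is checked here; cryptographic
# verification of the signature is SSO Connect's job, not this script's.
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REQUIRED_ATTRS = {"First", "Last", "Email"}  # spelling must be exact
# Assumed ACS URL: host name and port from the guide; the path is a placeholder,
# use the ACS URL shown by your own SSO Connect instance.
ACS_URL = "https://sso2.lurey.com:8443/ACS-PATH-FROM-SSO-CONNECT"

def check_saml_response(xml_text: str, acs_url: str) -> list:
    """Return the problems found; an empty list means the response is consistent."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not a samlp:Response"]
    if root.find("ds:Signature", NS) is None:  # 'Signed Response' not enabled
        problems.append("Response is not signed")
    dest = root.get("Destination")
    if dest != acs_url:
        problems.append("Destination %r does not match ACS URL %r" % (dest, acs_url))
    found = {a.get("Name") for a in
             root.findall(".//saml:AttributeStatement/saml:Attribute", NS)}
    for name in sorted(REQUIRED_ATTRS - found):
        problems.append("missing attribute mapping: %s" % name)
    for name in sorted(found - REQUIRED_ATTRS):
        problems.append("unexpected attribute mapping: %s" % name)
    return problems

def build_sample(signed: bool, email_attr: str) -> str:
    """Constructed SAML Response (test data only), with or without a signature."""
    sig = ("<ds:Signature><ds:SignatureValue>x</ds:SignatureValue></ds:Signature>"
           if signed else "")
    attrs = "".join('<saml:Attribute Name="%s"><saml:AttributeValue>v'
                    '</saml:AttributeValue></saml:Attribute>' % n
                    for n in ("First", "Last", email_attr))
    return ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" xmlns:ds="%s" ID="_r1" '
            'Version="2.0" Destination="%s">%s<saml:Assertion ID="_a1" Version="2.0">'
            '<saml:AttributeStatement>%s</saml:AttributeStatement></saml:Assertion>'
            '</samlp:Response>') % (NS["samlp"], NS["saml"], NS["ds"], ACS_URL, sig, attrs)

GOOD_RESPONSE = build_sample(signed=True, email_attr="Email")
BAD_RESPONSE = build_sample(signed=False, email_attr="Email Address")  # misspelt
```

Running `check_saml_response(BAD_RESPONSE, ACS_URL)` reports the missing signature, the missing "Email" mapping and the unexpected "Email Address" mapping, which is the kind of exact-spelling mistake the screen above warns about.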
Enable SSO Connect
To enable Keeper SSO Connect for your users, select the More button and enable the app:
Alternatively, you can click on the Keeper SAML app and Edit the service to configure specific groups that have access:
Import G Suite Metadata
Back on the Keeper SSO Connect application configuration screen, drag-and-drop the metadata file into the SAML Metadata section of Keeper SSO Connect:
Click Save and verify that all of the parameters match your G Suite SAML connection screens.
Once you save, assuming that you have already configured the SSL certificate and other parameters, your Keeper SSO Connect instance should show as fully operational in the Status screen:
Note about Single Logout (SLO) Settings with Google G Suite
As of right now, G Suite does not support "Single Logout" at the application level. This means that users who explicitly log out of Keeper will also be logged out from their other Google services. Single Logout (SLO) is a feature of many identity providers that logs the user out of the specific application. Unfortunately, Google doesn't support this yet.
If you want to prevent a full SAML logout from all SAML apps, change the IdP type in the previous step to Default. Don't set it to Google, which will log you out of Gmail and all other Google apps on SAML logout.
If you prefer that clicking "Logout" in Keeper does not log you out of Google, simply change the SSO Connect configuration to select the "Default" provider instead of Google in the drop-down. However, you should be aware of the consequences from a security perspective:
Keeper's session will be logged out; however, logging back into the vault will not prompt the user to re-enter their Google login credentials while the browser's Google session is still active.
From a user perspective this is a more friendly, less disruptive flow.
From a security perspective, be aware that the Google account therefore controls the session handling of the Keeper vault in that user's browser.
SSO Setup Complete!
Your Keeper SSO Connect setup with G Suite is now complete! Users can now log in to Keeper using their Google account by following the steps below:
Open the Keeper vault and click on "Enterprise SSO Login".
Type in the Enterprise Domain that was provided to the Keeper Admin Console when setting up SSO. On the SSO Connect status screen it is called "SSO Connect Domain".
Click "Connect" and log in with your G Suite credentials.
For the end-user experience (Keeper-initiated Login Flow) see the guide below: https://docs.keeper.io/user-guides/enterprise-end-user-setup-sso#keeper-initiated-login-flow
End-user Video Tour for SSO Users is here: https://vimeo.com/329680541
Next, we'll show how to configure User Provisioning using SCIM.
User Provisioning with SCIM
User Provisioning provides several features for lifecycle management:
New users added to G Suite will be sent an email invitation to set up their Keeper vault
Users can be assigned to Keeper on a user or team basis
When a user is de-provisioned, their Keeper account will be automatically locked
Note: Google does not support Group provisioning to Keeper teams. When they implement this feature, this will allow the Keeper user to be placed into Teams that are synchronized between G Suite and Keeper.
From the Keeper Admin Console, go to the Provisioning tab for the G Suite node and click Add Method.
Select SCIM and click Next.
Click on "Create Provisioning Token"
The URL and Token displayed on the next screen will be provided to Google in the G Suite Admin Console. Save the URL and Token in a file somewhere temporarily and then click Save.
Make sure you have saved these two parameters (URL and Token) before you click Save; otherwise provisioning will fail.
Back on the G Suite admin console, go to Home > Apps > SAML Apps and click on the "Provisioning Available" text of the Keeper app you set up.
Click on Set Up User Provisioning
Paste the provisioning token that was saved above into this next screen and click Next.
Paste the URL saved above into the endpoint URL field and click Next.
Leave the Map attributes to default settings and click Next.
If you would like to assign Keeper to a specific group, you can set the Provisioning Scope in the next screen. If you are using SSO, ensure that the groups with provisioning access are also assigned Keeper SSO access. Click Finish when complete.
Ignore the error message shown below; it is a Google bug.
Next, you can activate provisioning.
You may need to click "Activate Provisioning" to turn it on.
User Provisioning will display as ON.
User provisioning setup is complete. Moving forward, new users who have been configured to use Keeper in G Suite and are within the provisioning scope definitions will receive invites to Keeper and be under the control of G Suite.
User Provisioning without using SSO
If you would like to provision users to Keeper via G Suite SCIM provisioning, but you do NOT want to authenticate users via SSO, please follow the below instructions:
Using this guide, follow the SSO configuration steps, but use an SSO URL and Entity ID that point to a domain name you control that is not actually a live SSO Connect instance (e.g. null.mycompany.com).
Once the Keeper application is set up in G Suite, turn on the automated provisioning method as described in this document.
Google Certificate Updates
Google's IdP X.509 certificates for signing SAML assertions are set to expire after 5 years. In the Google Workspace "Manage Certificates" section, make a note of the expiration date and set a calendar alert well ahead of it to prevent an outage.
When the certificate is expiring soon, or if the certificate has expired, you can follow the instructions below.
Log in to the Google Workspace Admin Console: https://admin.Google.com
Click on Apps then select Web and Mobile Apps.
Select Keeper app
Expand service provider
Click “Manage Certificates”
Click “ADD CERTIFICATE”
Click “DOWNLOAD METADATA”
Save the metadata file. This is the IdP metadata.
Log in to the Keeper Admin Console
Navigate to Admin > SSO Node > Provisioning > Edit SSO Cloud provisioning method
Upload the Google IdP metadata into Keeper
For more information on this topic, see Google's support page: