Google Workspace User and Group Provisioning with Cloud Function

Step by Step guide to automatically provisioning Users and Groups from Google Workspace using a Cloud Function

Overview

This document describes how to automatically provision users from Google Workspace to Keeper using a Google Cloud Function, which includes the provisioning of Users, Groups and user assignments. User and Team Provisioning provides several features for lifecycle management:

  • You can specify which Google Groups and/or users are provisioned to Keeper

  • Matching of Groups can be performed by Group name or Group email

  • Google Groups assigned to Keeper are created as Keeper Teams

  • Keeper Teams can be assigned to Shared Folders in the vault

  • New users added to the group are automatically invited to Keeper

  • Group and user assignments are applied every sync

  • When a user is de-provisioned, their Keeper account will be automatically locked

  • The process is fully cloud-based. No on-prem infrastructure or services are required.

  • Processing can be performed on your desired scheduler or on-demand

The setup steps in this section allow you to provision users and groups from your Google Workspace account. Setting up this method requires access to several resources:

Keeper Secrets Manager is used in this implementation to perform the most secure method of integration between Google and Keeper, ensuring least privilege. If you don't use Keeper Secrets Manager, please contact the Keeper customer success team.

STEP 1: Create a Google Cloud Project

Log in to Google Cloud and create a project or choose an existing project. The project name can be "Keeper SCIM Push" or whatever you prefer.

Create a New Google Cloud Project

STEP 2: Enable the Admin SDK API

  • In the APIs & Services click +ENABLE APIS AND SERVICES

  • In the Search for APIs & Services enter Admin SDK API

  • Click ENABLE

Enable APIs and Services
Enable Admin SDK API

STEP 3: Create a Service Account

The service account created here will be used to access the Google Workspace user and group information.

  • In the IAM and Admin menu select Service accounts

  • Click +CREATE SERVICE ACCOUNT with suggested service account name: keeper-scim

Create Service Account

For the newly created service account, click the Actions menu (three dots) and select Manage Keys.

Create Keys and credentials.json

Click ADD KEYS -> Create New Key. Choose the JSON key type, then click CREATE.

A JSON file with service account credentials will be downloaded to your computer

Create new key
Select JSON format

Rename this file to credentials.json and add it as an attachment to the Keeper configuration record created in Step 10 below.

Save as credentials.json

STEP 4: Copy the Client ID

Navigate to your Service Account and select DETAILS tab > Advanced Settings

In the Domain-wide delegation section copy the Client ID. You will need to grant this Client ID access to the Google Workspace Directory in the next step.

Copy the Client ID

STEP 5: Authorize Service Account on Google Workspace

In the Google Workspace Panel (https://admin.google.com):

  • Navigate to Security -> API controls

  • Under the Domain wide delegation click MANAGE DOMAIN WIDE DELEGATION

  • Click Add new in API Clients

  • Paste the Client ID (copied from previous step)

Paste the following text into OAuth scopes (comma-delimited):

https://www.googleapis.com/auth/admin.directory.group.readonly,https://www.googleapis.com/auth/admin.directory.group.member.readonly,https://www.googleapis.com/auth/admin.directory.user.readonly

Add a new client ID

Click AUTHORIZE. These scopes grant the Service Account read-only access to the Google Workspace Directory Users, Groups and Membership.

STEP 6: Retrieve the Primary Email

  • In Google Workspace (https://admin.google.com), navigate to Account -> Account settings

  • Copy the Primary admin email into the clipboard (upper right area) for use in the next step.

Get the primary admin email
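Steps 3 to 6 assemble the material for a domain-wide delegation token request: the private key in credentials.json signs a JWT whose sub claim names the primary admin from Step 6 and whose scope claim carries exactly the three read-only scopes authorized in Step 5. The following Go example is added here for illustration and is not code from the ksm-google-scim function. It builds and verifies such an assertion offline with a throwaway RSA key (the service account email, the admin address and all function names are constructed for the example) and includes a check that every requested scope is a .readonly scope, which is the least-privilege property the authorization in Step 5 relies on. The exchange of the assertion for an access token at Google's token endpoint is not performed here.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// DirectoryScopes are the three read-only scopes authorized in Step 5, space-delimited
// as the OAuth 2.0 JWT "scope" claim requires.
const DirectoryScopes = "https://www.googleapis.com/auth/admin.directory.group.readonly " +
	"https://www.googleapis.com/auth/admin.directory.group.member.readonly " +
	"https://www.googleapis.com/auth/admin.directory.user.readonly"

// TokenAudience is Google's OAuth 2.0 token endpoint, the required "aud" claim.
const TokenAudience = "https://oauth2.googleapis.com/token"

// Claims is the JWT claim set Google expects for the jwt-bearer grant.
type Claims struct {
	Iss   string `json:"iss"`   // service account email (client_email in credentials.json)
	Sub   string `json:"sub"`   // Workspace admin being impersonated (primary admin from Step 6)
	Scope string `json:"scope"` // what the token may do: only the scopes delegated in Step 5
	Aud   string `json:"aud"`
	Iat   int64  `json:"iat"`
	Exp   int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// BuildAssertion creates the RS256-signed JWT that would be exchanged for an access token.
// key stands in for the private_key field of credentials.json.
func BuildAssertion(key *rsa.PrivateKey, saEmail, adminEmail string, now time.Time) (string, error) {
	payload, err := json.Marshal(Claims{
		Iss: saEmail, Sub: adminEmail, Scope: DirectoryScopes, Aud: TokenAudience,
		Iat: now.Unix(), Exp: now.Add(time.Hour).Unix(), // one hour: the maximum Google accepts
	})
	if err != nil {
		return "", err
	}
	signingInput := b64([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// ParseAndVerify checks the signature against the service account's public key and
// returns the claims, so an operator can inspect exactly what an assertion requests.
func ParseAndVerify(assertion string, pub *rsa.PublicKey) (Claims, error) {
	parts := strings.Split(assertion, ".")
	if len(parts) != 3 {
		return Claims{}, fmt.Errorf("malformed JWT: expected 3 segments, got %d", len(parts))
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return Claims{}, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return Claims{}, fmt.Errorf("signature check failed: %w", err)
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return Claims{}, err
	}
	var c Claims
	err = json.Unmarshal(raw, &c)
	return c, err
}

// IsReadOnly is a least-privilege check: every requested scope must be a .readonly scope.
func IsReadOnly(scope string) bool {
	for _, s := range strings.Fields(scope) {
		if !strings.HasSuffix(s, ".readonly") {
			return false
		}
	}
	return true
}

// GenerateDemoKey makes a throwaway RSA key so the example runs without a real credentials.json.
func GenerateDemoKey() *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return key
}

func main() {
	key := GenerateDemoKey()
	// Constructed identities: in practice use client_email from credentials.json and the Step 6 admin.
	a, err := BuildAssertion(key, "keeper-scim@example-project.iam.gserviceaccount.com", "admin@example.com", time.Now())
	if err != nil {
		panic(err)
	}
	c, err := ParseAndVerify(a, &key.PublicKey)
	if err != nil {
		panic(err)
	}
	fmt.Printf("impersonates %s; all scopes read-only: %v\n", c.Sub, IsReadOnly(c.Scope))
}
```

Because the sub claim is the admin's address, the resulting token acts as that admin within the delegated scopes, which is why the delegation in Step 5 should list only the read-only scopes above and nothing broader.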

STEP 7: Create a Shared Folder in your Keeper Vault

In your Keeper Vault, create a new Shared Folder. This folder can be named anything, for example "Google SCIM Push". The user and record permissions for this folder can be set any way you prefer.

Create New Shared Folder

STEP 8: Create a Secrets Manager Application

Assuming that you have Keeper Secrets Manager enabled and activated for this vault, click on Secrets Manager from the left side and then select Create Application.

Create Application

Call the Application name "Google SCIM Push" (or whatever you prefer) and click Generate Access Token. This token will be discarded and not used in this scenario.

Generate Access Token

Next, select the "Google SCIM Push" application from the list, and click on Edit then Add Device.

Edit Application
Add Device

Select the base64 configuration and download it to your computer.

Save the file to your computer as config.base64.

Save config.base64

STEP 9: Create a SCIM Provisioning Method

From the Keeper Admin Console, go to the Provisioning tab for the Google Workspace node and click "Add Method".

Select SCIM and click Next.

SCIM Configuration in Keeper

Click on "Create Provisioning Token"

Create Provisioning Token

The URL and Token displayed on the screen will be used in the next step. Save the URL and Token in a file somewhere temporarily and then click Save.

Save SCIM URL and Token

Both parameters (the URL and the Token) are needed in Step 10.

STEP 10: Create a Keeper Record in the Shared Folder

Inside the Shared Folder created in Step 7, create a Keeper record that contains the following fields:

  • Login: Google Workspace admin email

  • Password: SCIM Token generated in Step 9 above

  • Website Address: SCIM URL generated in Step 9 above

  • credentials.json: File attachment from Step 3 with the Google Service Account credentials

  • SCIM Group: Multi-line custom text field containing a list of all groups to be provisioned. The names can be either the Group Email or the Group Name.

All Groups and users within the specified Groups will be provisioned to Keeper.

Keeper Vault Record

You can specify either the Group Email address or the Group Name in the list of groups. Keeper will match either value and provision all associated users and groups.

The Group Name and Group Email are CASE SENSITIVE.

At this point, the configuration on Keeper is complete. The remaining steps are performed back on the Google Cloud console by setting up a Cloud Function.

STEP 11: Create the Google Cloud Function

From the Google Cloud console, open Cloud Functions and then click CREATE FUNCTION.

Create Function

Under Basics:

  • Select environment of "2nd gen"

  • Select Function name of keeper-scim-push

  • Select your preferred region and note this for later

  • Trigger is HTTPS

  • Authentication set to Require authentication

Under Advanced -> Runtime:

  • Memory allocated: 256MiB

  • CPU: 0.333

  • Timeout: 120 seconds

  • Concurrency: 1

  • Autoscaling min: 0

  • Autoscaling max: 1

  • Runtime service account: select the Default compute service account

If the Default compute service account does not exist yet, select a different account temporarily then go back and edit the service account after saving.

Below is an example full configuration:

Runtime Settings

In the Runtime environment variables:

Create two variables:

  • Set Name 1 to KSM_CONFIG_BASE64 and Value 1 to the contents of the KSM configuration file generated in Step 8

  • Set Name 2 to KSM_RECORD_UID and Value 2 to the record UID created in the vault in Step 10.

You can find the Record UID by clicking on the (info) icon from the Keeper vault record. Click on the Record UID to copy the value.

Runtime environment variables

Click on CONNECTIONS and select "Allow internal traffic only"

Allow internal traffic only

Scroll down and click NEXT to upload the Cloud Function source.

Click NEXT

STEP 12: Upload the Cloud Function Source

Cloud Function Code Source

  • Select Runtime of Go 1.21

  • Select Source code of Zip Upload

  • Type Entry point of GcpScimSyncHttp

  • Zip upload destination bucket: Create a bucket with any name you choose, using the default bucket permissions (not public).

  • Zip file: upload the source.zip file downloaded from the Releases page of the ksm-google-scim GitHub repo

Click DEPLOY to create the Cloud Function. After a few minutes, the function will be created and published.

The function is private and requires authentication, so the next step is creating a Cloud Scheduler job that calls it with an identity token.

STEP 13: Copy the Cloud Function URL

From the Cloud Function screen, copy the URL as seen below:

Copy Cloud Function URL

STEP 14: Create the Cloud Scheduler

From the Google Cloud console, search for Cloud Scheduler and open it.

Cloud Scheduler

  • Click SCHEDULE A JOB

Define the schedule:

  • Set any description, such as "Keeper SCIM Push for Google Workspace"

  • Set the frequency, for example 0 * * * * for running once per hour

  • Set the Timezone according to your location

  • Set the Target type to HTTP

  • Set the URL to the Cloud Function URL copied from Step 13 above

  • Set the HTTP method to GET

  • Set the Auth Header to Add OIDC token

  • Set the Service account to Default compute service account

  • Click CONTINUE then CREATE

STEP 15: Test the Scheduler

On the Scheduler Jobs screen, the job will now be listed. To force execution, click on the overflow menu on the right side and select Force run.

This will execute the Cloud Function immediately.

If successful, the status of last execution will show success:

Scheduler Success

To ensure that Keeper received the sync information, log in to the Keeper Admin Console. You will see a list of any pending / invited users, teams and team assignments.

Step 16: Delete Local Files

Once the process is working successfully, delete all local files and secrets created during this process.

IMPORTANT: Delete all local or temporary files on your computer, such as:

  • config.base64 file

  • credentials.json file

  • SCIM tokens

  • Any other screenshots or local files generated in this process

Destructive Operations

By default, "unmanaged" teams and team assignments in the Keeper Admin Console will not be deleted during the sync process. However, if your preferred method of syncing is to delete any unmanaged teams or team assignments, you can simply create a custom field in the Keeper record with a particular value.

"Destructive" Field Value: Description

  • -1: Nothing is deleted on the Keeper side during sync

  • 0 (Default): Only SCIM-controlled Groups and Memberships can be deleted during sync

  • 1: Any manually created or SCIM-controlled Groups and Memberships can be deleted during sync
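As an added example (not the function's own code), the following Go program models how the three Destructive values change what a sync is allowed to remove. The Team, Membership and Plan types, the constant names and the sample state are all constructed for the example, and treating "SCIM-controlled" as a managed flag on each team and each membership is an assumption about how the table is applied. Computing the removal plan before acting on it is also what you would want to log in the Cloud Function logs so that deletions can be reviewed.

```go
package main

import (
	"fmt"
	"sort"
)

// Destructive field values, as listed in the table on this page (constant names are ours).
const (
	DeleteNothing      = -1 // nothing is deleted on the Keeper side
	DeleteSCIMOnly     = 0  // only SCIM-controlled teams and memberships (default)
	DeleteAnyUnmanaged = 1  // manually created teams and memberships too
)

// Membership is one user in a Keeper team; SCIMManaged marks it as created by a sync
// rather than by an administrator in the Admin Console.
type Membership struct {
	User        string
	SCIMManaged bool
}

// Team is the Keeper-side state a sync starts from (constructed model).
type Team struct {
	Name        string
	SCIMManaged bool
	Members     []Membership
}

// Desired is the Google Workspace state after matching and flattening: team name -> users.
type Desired map[string][]string

// Plan holds what a sync would delete; it is computed first so it can be logged and reviewed.
type Plan struct {
	DeleteTeams       []string
	RemoveMemberships map[string][]string // team name -> users to remove
}

// PlanRemovals applies the Destructive setting to the difference between existing and desired state.
func PlanRemovals(existing []Team, desired Desired, destructive int) Plan {
	p := Plan{RemoveMemberships: map[string][]string{}}
	if destructive == DeleteNothing {
		return p
	}
	for _, t := range existing {
		want, teamDesired := desired[t.Name]
		if !teamDesired {
			// Google no longer provides this team: delete it only if the setting allows this kind of team.
			if t.SCIMManaged || destructive == DeleteAnyUnmanaged {
				p.DeleteTeams = append(p.DeleteTeams, t.Name)
			}
			continue
		}
		wanted := map[string]bool{}
		for _, u := range want {
			wanted[u] = true
		}
		for _, m := range t.Members {
			if wanted[m.User] {
				continue
			}
			// Same rule at membership level: manual memberships survive unless destructive is 1.
			if m.SCIMManaged || destructive == DeleteAnyUnmanaged {
				p.RemoveMemberships[t.Name] = append(p.RemoveMemberships[t.Name], m.User)
			}
		}
	}
	sort.Strings(p.DeleteTeams)
	return p
}

// SampleState is a constructed Keeper state: a synced team with one manually added member,
// a manually created team, and a synced team whose Google group no longer exists.
func SampleState() ([]Team, Desired) {
	existing := []Team{
		{Name: "Engineering", SCIMManaged: true, Members: []Membership{
			{"alice@example.com", true}, {"bob@example.com", true}, {"carol@example.com", false}}},
		{Name: "Legacy", SCIMManaged: false, Members: []Membership{{"dave@example.com", false}}},
		{Name: "OldProject", SCIMManaged: true, Members: []Membership{{"erin@example.com", true}}},
	}
	desired := Desired{"Engineering": {"alice@example.com"}} // bob left the group; OldProject is gone
	return existing, desired
}

func main() {
	existing, desired := SampleState()
	for _, d := range []int{DeleteNothing, DeleteSCIMOnly, DeleteAnyUnmanaged} {
		p := PlanRemovals(existing, desired, d)
		fmt.Printf("destructive=%2d delete teams=%v remove memberships=%v\n", d, p.DeleteTeams, p.RemoveMemberships)
	}
}
```

With the default of 0, the run removes only what an earlier sync created (bob's membership and the OldProject team); the manually created Legacy team and carol's manual membership are only touched once the field is set to 1.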

Debug Logging

The Keeper record can be modified to create verbose logs in the Google Cloud Function logs.

Verbose Field Value: Description

  • 0 (Default): No logging

  • 1: Verbose logging enabled

Example of Verbose and Destructive Settings in Keeper Record

Important Syncing Notes:

  • Keeper performs exact string matches on the Group Name or Group Email address when performing the Cloud Function provisioning. The group name and email are case sensitive.

  • Users in an invited state are not added to assigned teams until the user creates their vault and the Keeper administrator logs in to the Admin Console. Team membership can also be performed when another member of the team logs in to the vault. Clicking "Sync" from the Admin Console will also perform the additions.

  • Some operations such as the creation of Teams can only occur upon logging into the Keeper Admin Console, or when running the Keeper Automator service. This is because encryption keys need to be generated.

  • For large deployments, we recommend setting up the Keeper Automator service to automate and streamline the process of device approvals, user approvals and team approvals.

  • When you would like to add new Groups, simply add them to the list inside the Keeper vault record as described in Step 10. Keeper will search on either Group email or Group name when identifying the target.

  • Nested groups in Google Workspace will be flattened when syncing to Keeper. Users from the nested groups are added to the parent group on the Keeper side.
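The matching rules from Step 10 and the syncing notes above (exact, case-sensitive matching on Group Name or Group Email, and flattening of nested groups into the parent team) can be shown with a small Go example. It is added here and is not taken from the ksm-google-scim function; the Directory and Group types and the sample groups are constructed. It goes one step beyond the notes by keeping a visited set, so that two groups which nest each other (a case a real directory can contain) do not cause endless recursion, and by reporting lines of the SCIM Group field that matched nothing, which is the first thing to check when an expected team never appears in the Admin Console.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Group is a Workspace group as the Directory API reports it (constructed model):
// direct user members plus directly nested groups, referenced by email.
type Group struct {
	Name   string
	Email  string
	Users  []string
	Groups []string
}

// Directory indexes groups by their email address.
type Directory map[string]Group

func (d Directory) has(email string) bool { _, ok := d[email]; return ok }

// ResolveSelectors matches each non-empty line of the SCIM Group field exactly
// (case-sensitive) against a group email first, then a group name, and returns the
// matched group emails plus the lines that matched nothing.
func (d Directory) ResolveSelectors(field string) (matched, unmatched []string) {
	byName := map[string]string{}
	for email, g := range d {
		byName[g.Name] = email
	}
	for _, line := range strings.Split(field, "\n") {
		sel := strings.TrimSpace(line)
		switch {
		case sel == "":
			continue
		case d.has(sel):
			matched = append(matched, sel)
		case byName[sel] != "":
			matched = append(matched, byName[sel])
		default:
			unmatched = append(unmatched, sel)
		}
	}
	return matched, unmatched
}

// FlattenMembers returns every user reachable from the group through nested groups,
// deduplicated and sorted. The visited set stops the walk if groups nest each other.
func (d Directory) FlattenMembers(email string) []string {
	users := map[string]bool{}
	visited := map[string]bool{}
	var walk func(string)
	walk = func(e string) {
		if visited[e] {
			return
		}
		visited[e] = true
		g, ok := d[e]
		if !ok {
			return // nested group missing from the snapshot: nothing to add
		}
		for _, u := range g.Users {
			users[u] = true
		}
		for _, n := range g.Groups {
			walk(n)
		}
	}
	walk(email)
	out := make([]string, 0, len(users))
	for u := range users {
		out = append(out, u)
	}
	sort.Strings(out)
	return out
}

// Teams turns the SCIM Group field into the Keeper team plan: team name -> flattened members.
func (d Directory) Teams(field string) (map[string][]string, []string) {
	matched, unmatched := d.ResolveSelectors(field)
	teams := map[string][]string{}
	for _, email := range matched {
		teams[d[email].Name] = d.FlattenMembers(email)
	}
	return teams, unmatched
}

// SampleDirectory is a constructed Workspace snapshot: Engineering nests Backend, Backend
// nests Engineering back (a cycle) and also references a group absent from the snapshot.
func SampleDirectory() Directory {
	return Directory{
		"eng@example.com": {Name: "Engineering", Email: "eng@example.com",
			Users: []string{"alice@example.com", "bob@example.com"}, Groups: []string{"backend@example.com"}},
		"backend@example.com": {Name: "Backend", Email: "backend@example.com",
			Users: []string{"carol@example.com"}, Groups: []string{"eng@example.com", "oncall@example.com"}},
		"sales@example.com": {Name: "Sales", Email: "sales@example.com", Users: []string{"dave@example.com"}},
	}
}

func main() {
	// Constructed SCIM Group field: a match by name, a match by email, a wrong-case name, an unknown group.
	field := "Engineering\nbackend@example.com\nsales\nMarketing\n"
	teams, unmatched := SampleDirectory().Teams(field)
	fmt.Println("teams:", teams)
	fmt.Println("no exact match (check spelling and case):", unmatched)
}
```

Note that "sales" does not match the group named "Sales": the comparison is exact, as the notes above state, so a lower-case entry in the record silently provisions nothing unless unmatched lines are surfaced as in this example.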

Updating the Cloud Function Source

When new versions of the Cloud Function are created, updating the code is very simple:

  • Download a new source.zip file from the Releases page of the ksm-google-scim GitHub repo

  • Navigate to the Cloud Functions area of Google Cloud

  • Click on the cloud function details and click EDIT

  • Click on Code

  • Under Source code select "ZIP Upload"

  • Select the source.zip file saved to your computer

  • Click DEPLOY

  • Wait a few minutes for the new function to deploy

  • Navigate to Cloud Scheduler

  • Click on Actions > Force Run
