Azure AD Provisioning with SCIM

Keeper supports SAML 2.0 Authentication and SCIM provisioning with the Azure platform.

Overview

Keeper supports the ability to provision users and teams from Microsoft Azure AD or other identity platforms using the SCIM protocol. For customers that utilize Azure AD, users can be provisioned to the platform and automatically added to Teams to receive shared folders.

Before setting this up, we recommend that you consider activating Keeper's powerful SSO Connect integration with Azure AD that provides realtime user authentication and Just-In-Time provisioning.

View the full SSO Connect setup guides:

SSO Connect On-Prem: https://docs.keeper.io/sso-connect-guide/ SSO Connect Cloud: https://docs.keeper.io/sso-connect-cloud/

Features

Keeper/Azure provisioning integration supports the following features:

  • Creates users in Keeper

  • Updates user attributes (display name in Keeper)

  • Deletes users (locks users in Keeper)

  • Creates teams in Keeper (from Azure groups)

  • Adds or removes users to groups (to teams in Keeper)

When provisioning users, Azure AD is mapped to a single Keeper node. Azure creates users and groups in a pending state and new users will receive an email invitation prompting them to create a Keeper account.

Requirements

To setup Keeper user provisioning with Azure AD, you need to have access to the Keeper Admin Console and an Azure account.

Configuration Steps

1. Navigate to your Azure Admin account and select Azure Active Directory > Enterprise Applications and then New Application. Search for Keeper and select Keeper Password Manager & Digital Vault. After adding the application, click on the Provisioning section and select Automatic from the listed options.

In a separate window, you will retrieve the Tenant URL and Secret Token from the Keeper Admin Console.

Automatic Provisioning

2. From the Keeper Admin Console navigate to a node which should be synchronized with your Azure AD. Click Add Method.

3. Choose the SCIM option and click Next then select Create Provisioning Token.

4. Copy the Tenant URL and Secret Token values and paste them into the Tenant URL and Secret Token fields in the Azure AD screen from step one. Select Save to finish the Keeper provisioning setup.

Create Provisioning Method

5. Return to the Azure AD screen and click Test Connection. If successful, save the credentials. Turn the Provisioning Status "on" and click Save.

6. Go to the Users and Groups section of the Keeper Azure AD app and assign users or groups from your Azure AD to the app. Wait for approximately five minutes and click the Sync button in the Admin Console. Verify that users appear under the Users tab.

When syncing groups for teams, they are not immediately created but rather put into a “Pending Queue” where they must be approved by the Admin. For more information, see the section API Provisioning with SCIM.

SCIM + Team-to-Role Mapping

Typically, identity providers that use SCIM such as Azure, support assigning users to teams, but custom role assignment is done only on a user basis. SCIM-provisioned teams and users are applied to the default role, without the ability for a team provisioned from SCIM to be mapped into an alternative, pre-defined role. Team-to-role mapping allows organizations to use their existing identity provider to assign users directly into teams that can be assigned custom roles.

To use team-to-role mapping, administrators simply assign a role to an entire “Team,” as opposed to individual users and use role enforcements to establish different requirements and restrictions for each team.

SAML 2.0 for Authentication

The SCIM protocol is used for provisioning of users and teams, not for authentication. To enable automatic authentication with Azure AD using the SAML 2.0 protocol, follow the setup instructions in the Keeper SSO Connect Guide or Keeper SSO Connect Cloud Guide.