Azure AD Provisioning with SCIM
Keeper supports SAML 2.0 Authentication and SCIM provisioning with the Azure platform.
Keeper supports the ability to provision users and teams from Microsoft Azure AD or other identity platforms using the SCIM protocol. For customers that utilize Azure AD, users can be provisioned to the platform and automatically added to Teams to receive shared folders.
Before setting this up, we recommend that you consider activating Keeper's powerful SSO Connect integration with Azure AD that provides realtime user authentication and Just-In-Time provisioning.
If you have already setup Keeper SSO Connect Cloud or you don't have the need for SSO, proceed to Step 1 in the Configuration Steps below.
Keeper/Azure provisioning integration supports the following features:
- Creates users in Keeper
- Updates user attributes (display name in Keeper)
- Deletes users (locks users in Keeper)
- Creates teams in Keeper (from Azure groups)
- Adds or removes users to groups (to teams in Keeper)
When provisioning users, Azure AD is mapped to a single Keeper node. Azure creates users and groups in a pending state and new users will receive an email invitation prompting them to create a Keeper account.
To setup Keeper user provisioning with Azure AD, you need to have access to the Keeper Admin Console and an Azure account.
Watch the video below to learn more about Azure AD provisioning with SCIM.
User Provisioning with SCIM
Step 1. Navigate to your Azure Admin account and select Azure Active Directory > Enterprise Applications and then New Application. Search for Keeper and select Keeper Password Manager & Digital Vault.
Step 2. After adding the application, click on the Provisioning section and select Automatic from the listed options.
In a separate window, you will retrieve the Tenant URL and Secret Token from the Keeper Admin Console.
Step 3. From the Keeper Admin Console navigate to a node which should be synchronized with your Azure AD. Click Add Method.
Note: SCIM integration can only be applied to specific nodes (e.g. organizational units) within your Admin Console. Be sure to host the provisioner within a "subnode" as opposed to the "root" node.
Step 4. Choose the SCIM option and click Next then select Create Provisioning Token.
Step 5. Copy the Tenant URL and Secret Token values and paste them into the Tenant URL and Secret Token fields in the Azure AD screen from step one. Select Save to finish the Keeper provisioning setup.
Create Provisioning Method
Step 6. Return to the Azure AD screen and click Test Connection. If successful, save the credentials. Turn the Provisioning Status "on" and click Save.
Step 7. Go to the Users and Groups section of the Keeper Azure AD app and assign users or groups from your Azure AD to the app.
Users and groups
Step 8. Start Provisioning
Ensure that provisioning is started by clicking on the "Start" button.
Wait for approximately five minutes (in some cases, Microsoft can take up to 40 minutes for the first time run), then click the Sync button in the Admin Console. Verify that users appear under the Users tab.
When syncing groups for teams, they are not immediately created but rather put into a “Pending Queue” where they are approved by the Admin upon simply signing into the Admin Console. This is because encryption keys must be generated for teams, to preserve Zero Knowledge.
In Azure, you can also instantly provision a user by clicking on Provisioning > Provision on demand.
Provision on demand
Typically, identity providers that use SCIM such as Azure, support assigning users to teams, but custom role assignment is done only on a user basis. SCIM-provisioned teams and users are applied to the default role, without the ability for a team provisioned from SCIM to be mapped into an alternative, pre-defined role.
Keeper's Team-to-role mapping allows organizations to use their existing identity provider to assign users directly into teams that can be assigned custom roles.
To use team-to-role mapping, administrators simply assign a role to an entire “Team,” as opposed to individual users and use role enforcements to establish different requirements and restrictions for each team.
When setting up User and Team SCIM provisioning with Azure, make sure of the following:
- Ensure that you have assigned the Azure groups in the SAML application
- When you invite a user from Azure or assign a user into a group that has been provisioned, Azure will send the request to Keeper to either invite a user to join, or to add a user to a team, or to create a team.
- If the user does not exist yet in Keeper, they will receive an invite to sign up (or they can use just-in-time provisioning)
- After the user has created their Keeper account, the user will not yet be assigned into a Keeper team until one of a few things happen: (a) Admin logs into the Admin Console > Click on "Full Sync" from the Admin screen (b) A user from the relevant team logs into the Web Vault or Desktop App (c) Admin runs team-approve from Keeper Commander The reason that teams and users can't be created instantly via SCIM, is due to the encryption model and the need to share a private key between users. Sharing an encryption key (e.g. Team Key) can only be performed by a user who is logged in, and has access to the necessary private keys.
This document described the provisioning process with Azure AD. To enable automatic authentication with Azure AD using the SAML 2.0 protocol, follow the setup instructions in the Keeper SSO Connect Cloud Guide.