G Suite Provisioning with SCIM

Keeper supports SAML 2.0 Authentication and SCIM provisioning with the G Suite platform.

Keeper Enterprise is now available for G Suite with automated user provisioning using the SCIM (System for Cross-Domain Identity Management) protocol. SCIM is an open standard that enables automated user provisioning between identity providers (like G Suite) and service providers (like Keeper).

IMPORTANT: If you want your users to authenticate via SAML 2.0 with G Suite, you must first configure and install Keeper SSO Connect with G Suite.

View the full SSO Connect setup guides:

  • SSO Connect On-Prem: https://docs.keeper.io/sso-connect-guide/

  • SSO Connect Cloud: https://docs.keeper.io/sso-connect-cloud/

If you don't want to use SAML 2.0 and only want to provision users via SCIM, proceed with the guide below.

SCIM Overview

Companies that use G Suite for their identity services can deploy Keeper’s EPM solution to their users without provisioning them manually. When auto-provisioning for Keeper Enterprise is enabled in G Suite, any users created, modified or deleted in G Suite are automatically added, edited or deleted in Keeper.

In addition to provisioning and deprovisioning users, Keeper Enterprise provides zero-knowledge, SAML 2.0 compliant authentication with G Suite for seamless and frictionless access.

Integrating Keeper Enterprise into G Suite enables organizations of any size to secure their passwords and confidential information within an encrypted vault. By including Keeper Enterprise in their SSO implementation, organizations fill security and functionality gaps that are critical from a cybersecurity perspective. Keeper Enterprise:

  • Protects and generates strong passwords for any non-SAML application or website

  • Implements zero-knowledge security architecture with full end-to-end encryption

  • Stores SSH keys, digital certificates and any other confidential information

  • Enforces password compliance and policy-based access controls across the entire organization: all employees on all their devices for every website, application and system

  • Manages shared passwords for financial, business, social media or any other critical service

User encryption keys are generated dynamically by Keeper SSO Connect, encrypted and stored locally on the installed server, providing the customer with full control over the encryption keys that are used to encrypt and decrypt their digital vaults.

Keeper is available for all G Suite Education, Business and Enterprise customers.

SCIM + Team-to-Role Mapping

Typically, identity providers that use SCIM, such as G Suite, support assigning users to teams, but custom role assignment is done only on a per-user basis. SCIM-provisioned teams and users are applied to the default role, and a team provisioned from SCIM cannot be mapped into an alternative, pre-defined role. Team-to-role mapping allows organizations to use their existing identity provider to assign users directly into teams that can be assigned custom roles.

To use team-to-role mapping, administrators assign a role to an entire “Team” rather than to individual users, and use role enforcements to establish different requirements and restrictions for each team.
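The provisioning lifecycle and team-to-role mapping described above, as an added example that is not Keeper's code or API: a toy service-provider model that replays constructed SCIM 2.0 requests and reports each user's resulting roles. The team id, role names, client-supplied ids and the rule that roles from several mapped teams are combined are assumptions made for illustration.

```python
USER = "urn:ietf:params:scim:schemas:core:2.0:User"      # RFC 7643 schema URN
PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"  # RFC 7644 schema URN
DEFAULT_ROLE = "Default"                                 # constructed role name

class Provisioner:
    """Toy service-provider model (not Keeper's code); ids are client-supplied for brevity."""
    def __init__(self, team_roles):
        self.users = {}               # user id -> userName
        self.teams = {}               # team id -> set of member user ids
        self.team_roles = team_roles  # admin-defined team -> role mapping (assumed shape)

    def handle(self, method, path, body=None):
        resource, _, rid = path.strip("/").partition("/")
        required = {("POST", "Users"): USER, ("PATCH", "Groups"): PATCH}.get((method, resource))
        if required and required not in body.get("schemas", []):
            raise ValueError("unexpected SCIM schema")
        if (method, resource) == ("POST", "Users"):
            self.users[body["externalId"]] = body["userName"]
        elif (method, resource) == ("PATCH", "Groups"):
            members = self.teams.setdefault(rid, set())
            for op in body["Operations"]:
                if op.get("path") != "members":
                    continue          # only membership changes are modelled
                ids = {m["value"] for m in op.get("value", [])}
                if op["op"].lower() == "add":
                    members |= ids & self.users.keys()  # ignore unknown users
                elif op["op"].lower() == "remove":
                    members -= ids
        elif (method, resource) == ("DELETE", "Users"):
            self.users.pop(rid, None)
            for members in self.teams.values():
                members.discard(rid)  # deprovisioning also ends team membership
        else:
            raise ValueError(f"unsupported request: {method} {path}")

    def roles(self, uid):
        mapped = {self.team_roles[t] for t, m in self.teams.items() if uid in m and t in self.team_roles}
        return (mapped or {DEFAULT_ROLE}) if uid in self.users else set()  # deleted users get nothing

def demo():
    """Replay constructed requests; return roles before the delete and u1's roles after it."""
    p = Provisioner({"finance": "Finance Restricted"})  # constructed mapping
    for uid in ("u1", "u2"):
        p.handle("POST", "/Users", {"schemas": [USER], "externalId": uid, "userName": uid + "@example.com"})
    p.handle("PATCH", "/Groups/finance", {"schemas": [PATCH], "Operations": [
        {"op": "add", "path": "members", "value": [{"value": "u1"}]}]})
    before = (p.roles("u1"), p.roles("u2"))
    p.handle("DELETE", "/Users/u1")
    return before, p.roles("u1")
```

A useful check when auditing a real deployment is the last step: after the identity provider deletes a user, no role or team membership should remain on the service-provider side.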

Setup and Configuration

G Suite supports the following integrations with Keeper:

  • SSO authentication with SAML 2.0

  • Automatic Provisioning with SCIM

For step-by-step, G Suite-specific configuration, use the following link: https://docs.keeper.io/sso-connect-guide/identity-provider-setup/g-suite-configuration