Okta Provisioning with SCIM
Keeper supports SAML 2.0 Authentication and SCIM provisioning with the Okta platform.


This guide covers Okta Automated Provisioning with SCIM. Before you begin the setup, we recommend that you first activate Keeper's powerful SSO Connect integration with Okta that provides realtime user authentication and Just-In-Time provisioning.
Please review the Okta SSO implementation guides:
SSO Connect Cloud: Click Here SSO Connect On-Prem: Click Here

Provisioning Features

Keeper/Okta automated provisioning supports the following features:
  • Create users in Keeper
  • Update user attributes
  • Activate or deactivate users (locks or unlocks them in Keeper)
  • Creates teams in Keeper (from Okta groups)
  • Seamless authentication
When provisioning users, Okta directory is mapped to a single Keeper node. Okta creates users and groups in a pending state and new users will receive an email invitation prompting them to create a Keeper account.


To setup Keeper user provisioning with Okta, you need to have access to the Keeper Admin Console and an Okta Admin account.

Configuration Steps

If you haven't added Keeper to your Okta Admin, Select the Applications tab and then select Browse App Catalog and search for "Keeper".
Add Keeper
Open the Keeper Admin Console and navigate to a node which should be synchronized with your Okta account. If you are using SAML 2.0 authentication, use add the SCIM connector to the same node. Select Add Method > SCIM.
Add Method
Select SCIM
Copy the URL and paste into Okta
Navigate back to your Okta Admin account and copy-paste the URL from Keeper into the Base URL of the Okta API Integration screen.
Paste the Base URL
Next, on the Keeper side click on Generate.
Click Generate
Immediately copy the generated token to your clipboard then click Save (important to Save now)
Note: If you click "Test" on the Okta side before saving the token in Keeper, the test will fail.
Now paste the token into the Okta console.
Paste API Token
Select Save on Okta to finish the Keeper provisioning setup.

Provisioning Users

Please ensure that the username and email for users remains the same during user assignment.
In the Okta Provisioning tab, click Edit under Provisioning to App. Enable "Create Users", "Update User Attributes", "Deactivate Users" capabilities then click Save.
Provisioning Options
Assign the app to a user from Okta, and after a short period, select the Full Sync button in the Keeper Admin Console.
Users will show in either an "Invite" state or a "Pending transfer acceptance" state (if Vault Transfer policy is active for the default role).
Invited State
The user will receive an email invitation (unless email invites are disabled at the Role Policy level). Clicking the invite link will allow the user to login with Okta and complete the provisioning process.
Alternatively, the user can simply login to Keeper with their email address or Enterprise Domain and complete the sign-in process.
Vault Login
After the user has created their Keeper vault, the status on the Admin Console will change to "Active".
Active Status

Team Provisioning

Keeper supports Team provisioning through Okta "Push Groups".
  • Push Groups are added as Keeper Teams within the Admin Console
  • Users who are assigned to Push Groups are assigned to the Keeper Team
  • Keeper Teams can then be provisioned to Shared Folders
  • Keeper Teams can be mapped to Role Policies through Team-to-Role Mapping
Okta Push Groups to Keeper Teams

Team and User Approvals

Processing of Team and Team-User assignments must be completed locally on the Admin Console or through one of Keeper's automated tools.
After pushing Users or Teams to the Keeper Admin Console, simply login or click "Full Sync" to process and approve the transactions.
A notification will appear along the bottom of the screen when team approvals have been processed.
Team Approval
Team-User Approvals
Team and user approvals can also be performed by Keeper Commander with the team-approve command. More information on this feature can be found below:

SCIM + Team-to-Role Mapping

Okta Automated provisioning maps Push Groups to Keeper Teams. To automatically assign different teams to different Keeper Roles, you can use our "Team to Role mapping" feature.
From the Roles screen, simply add the Team to the role.
Team to Role Mapping
To use team-to-role mapping, administrators simply assign a role to an entire “Team,” as opposed to individual users and use role enforcements to establish different requirements and restrictions for each team. Note that Team-Role mapping cannot be used with Administrative roles.

Known Issues/Troubleshooting and Tips

  • If you have click the "Test" button before saving the SCIM provisioning method in the Admin Console, the test will fail.
  • Keeper users are identified by their email, therefore when assigning the Okta user to the Keeper app, make sure the User Name contains a valid email address.
  • Keeper can use first and last names that come from an Okta user record, but does not show those in the user interface of the Keeper Admin Console.
  • Groups assigned to the Keeper Okta application are not created as teams in Keeper by default; only group members are pushed to Keeper. To sync groups and group memberships to Keeper you need to add the groups to "Push Groups" in the Keeper Okta application.
  • When synchronizing group memberships from Okta, Keeper creates team memberships which are not immediately visible. For the provisioned users to become actual team members, the user must register with Keeper, accept the invitation and be receive approval for group entry by a Keeper Administrator or auto-approved by an existing Keeper team member logged into their Web Vault. The Okta admin will then need to manually push groups to complete group synchronization.

User Authentication with SAML 2.0

Please visit the Okta + Keeper SSO Connect guide for realtime authentication.
SSO Connect Cloud: Click Here
SSO Connect On-Prem: Click Here
Last modified 16d ago