Okta Provisioning with SCIM

Keeper supports SAML 2.0 Authentication and SCIM provisioning with the Okta platform.


This guide covers Okta Automated Provisioning with SCIM. Before you begin the setup, we recommend that you consider activating Keeper's powerful SSO Connect integration with Okta that provides realtime user authentication and Just-In-Time provisioning. The full SSO Connect setup guide can be found here. For Okta-specific configuration, click here.


Keeper/Okta provisioning integration supports the following features:

  • Create users in Keeper

  • Update user attributes

  • Activate or deactivate users (locks or unlocks them in Keeper)

  • Creates teams in Keeper (from Okta groups)

  • Seamless authentication

When provisioning users, Okta directory is mapped to a single Keeper node. Okta creates users and groups in a pending state and new users will receive an email invitation prompting them to create a Keeper account.


To setup Keeper user provisioning with Okta, you need to have access to the Keeper Admin Console and an Okta account.

Configuration Steps

1. Navigate to your Okta Admin account and add Keeper Password Manager to the list of your applications. If Okta asks for a Base URL, use https://keepersecurity.com. Open the app and go to the Provisioning/API integration screen.

2. Open the Keeper Admin Console and navigate to a node which should be synchronized with your Okta account. Select Add Method.

3. Choose the SCIM option and select Next then select Create Provisioning Token.

4. Copy the values of the Base URL and API Token and paste them into their corresponding fields in the Okta Keeper app. Select Save to finish the Keeper provisioning setup.

Customers need to ensure that the username and email for users remain the same during user assignment.

5. After pasting the Base URL and the API Token in Okta, select Test API Credentials. If successful, save the credentials. Assign the app to some users and after a short period, select the Sync button in the Admin Console. Verify that users appear under the Users tab.

6. In the Okta Provisioning tab, click Edit under Provisioning to App. Enable "Create Users", "Update User Attributes", "Deactivate Users" capabilities then click Save.

SCIM + Team-to-Role Mapping

Typically, identity providers that use SCIM such as Okta, support assigning users to teams, but custom role assignment is done only on a user basis. SCIM-provisioned teams and users are applied to the default role, without the ability for a team provisioned from SCIM to be mapped into an alternative, pre-defined role. Team-to-role mapping allows organizations to use their existing identity provider to assign users directly into teams that can be assigned custom roles.

To use team-to-role mapping, administrators simply assign a role to an entire “Team,” as opposed to individual users and use role enforcements to establish different requirements and restrictions for each team.

Known Issues/Troubleshooting and Tips

  • If you have decided to test API credentials before saving the provisioning method in the Admin Console, the test will fail.

  • Keeper users are identified by their email, therefore when assigning the Okta user to the Keeper app, make sure the User Name contains a valid email address.

  • Keeper can use first and last names that come from an Okta user record, but does not show those in the user interface of the Keeper Admin Console.

  • Groups assigned to the Keeper Okta application are not then created as teams in Keeper by default; only group members are pushed to Keeper. To sync groups and group memberships to Keeper you need to add the groups to "Push Groups" in the Keeper Okta application.

  • When synchronizing group memberships from Okta, Keeper creates team memberships which are not immediately visible. For the provisioned users to become actual team members, the user must register with Keeper, accept the invitation and be receive approval for group entry by a Keeper Administrator or auto-approved by an existing Keeper team member logged into their Web Vault. Okta admin will then need to manually push groups to complete group synchronization.

User Authentication with SAML 2.0

Please visit the Keeper SSO Connect guide here for realtime authentication.