Okta Provisioning with SCIM
Keeper supports SAML 2.0 Authentication and SCIM provisioning with the Okta platform.
This guide covers Okta Automated Provisioning with SCIM. Before you begin the setup, we recommend that you first activate Keeper's powerful SSO Connect integration with Okta that provides realtime user authentication and Just-In-Time provisioning.
Keeper/Okta automated provisioning supports the following features:
- Create users in Keeper
- Update user attributes
- Activate or deactivate users (locks or unlocks them in Keeper)
- Creates teams in Keeper (from Okta groups)
- Seamless authentication
When provisioning users, Okta directory is mapped to a single Keeper node. Okta creates users and groups in a pending state and new users will receive an email invitation prompting them to create a Keeper account.
To setup Keeper user provisioning with Okta, you need to have access to the Keeper Admin Console and an Okta Admin account.
If you haven't added Keeper to your Okta Admin, Select the Applications tab and then select Browse App Catalog and search for "Keeper".
Open the Keeper Admin Console and navigate to a node which should be synchronized with your Okta account. If you are using SAML 2.0 authentication, add the SCIM connector to the same node. Select Add Method > SCIM (System for Cross-Domain Identity Management) and click Next.
Copy the URL.
Copy the URL and paste into Okta
Navigate back to your Okta Admin account and paste the URL from Keeper into the Base URL of the Okta API Integration screen.
Paste the Base URL
Switch back to the Keeper Admin Console click Generate.
Immediately copy the generated token to your clipboard then click Save (important to Save now)
Note: If you click "Test" on the Okta side before saving the token in Keeper, the test will fail.
Paste the token into the Okta console.
Paste API Token
Select Save on Okta to finish the Keeper provisioning setup.
In the Okta Provisioning tab, click Edit under Provisioning to App. Enable "Create Users", "Update User Attributes", "Deactivate Users" capabilities, then click Save.
Assign the app to a user from Okta, and after a short period, select the Full Sync button in the Keeper Admin Console.
Please ensure that the username and email for users remains the same during user assignment.
In the Keeper Admin Console, users will show in either an "Invite" state or a "Pending transfer acceptance" state (if Vault Transfer policy is active for the default role).
The user will receive an email invitation (unless email invites are disabled at the Role Policy level). Clicking the invite link will allow the user to login with Okta and complete the provisioning process.
Alternatively, the user can simply login to Keeper with their email address or Enterprise Domain and complete the sign-in process.
After the user has created their Keeper vault, the status on the Admin Console will change to "Active".
Keeper supports Team provisioning through Okta "Push Groups".
- Push Groups are added as Keeper Teams within the Admin Console
- Users who are assigned to Push Groups are assigned to the Keeper Team
- Keeper Teams can then be provisioned to Shared Folders
- Keeper Teams can be mapped to Role Policies through Team-to-Role Mapping
Okta Push Groups to Keeper Teams
Processing of Team and Team-User assignments must be completed locally on the Admin Console or through one of Keeper's automated tools.
After pushing Users or Teams to the Keeper Admin Console, simply login or click "Full Sync" to process and approve the transactions.
A notification will appear along the bottom of the screen when team approvals have been processed.
Team and user approvals can also be performed by Keeper Commander with the
team-approvecommand. More information on this feature can be found below:
Okta Automated provisioning maps Push Groups to Keeper Teams. To automatically assign different teams to different Keeper Roles, you can use our "Team to Role mapping" feature.
From the Roles screen, simply add the Team to the role.
Team to Role Mapping
To use team-to-role mapping, administrators simply assign a role to an entire “Team,” as opposed to individual users and use role enforcements to establish different requirements and restrictions for each team. Note that Team-Role mapping cannot be used with Administrative roles.
- If you click the "Test" button before saving the SCIM provisioning method in the Admin Console, the test will fail. Copy the token then click Save.
- Keeper users are identified by their email, therefore when assigning the Okta user to the Keeper app, make sure the User Name contains a valid email address.
- Groups assigned to the Keeper Okta application are not created as teams in Keeper by default; only group members are pushed to Keeper. To sync groups and group memberships to Keeper you need to add the groups to "Push Groups" in the Keeper Okta application.
- When synchronizing group memberships from Okta, Keeper creates team memberships which are not immediately visible. For the provisioned users to become actual team members, the user must register with Keeper, accept the invitation and be receive approval for group entry by a Keeper Administrator or auto-approved by an existing Keeper team member logged into their Web Vault.
- When creating a new Push Group, the Okta admin will need to manually push the groups to complete group synchronization at least one time.
When setting up User and Team SCIM provisioning with Okta, make sure of the following:
- Ensure that you have assigned the Okta groups as Push Groups in the SAML application
- When you invite a user from Okta or assign a user into a group that has been provisioned as a Push Group, Okta will send the request to Keeper to either invite a user to join, or to add a user to a team, or to create a team.
- If the user does not exist yet in Keeper, they will receive an invite to sign up (or they can use just-in-time provisioning)
- After the user has created their Keeper account, the user will not yet be assigned into a Keeper team until one of a few things happen: (a) Admin logs into the Admin Console > Click on "Full Sync" from the Admin screen (b) A user from the relevant team logs into the Web Vault or Desktop App (c) Admin runs team-approve from Keeper Commander The reason that teams and users can't be created instantly via SCIM, is due to the encryption model and the need to share a private key between users. Sharing an encryption key (e.g. Team Key) can only be performed by a user who is logged in, and has access to the necessary private keys.
If you receive the error "Unable to update Group Push mapping target App group xxx: Error while updating user group membership... Not Found"
- This error can occur if the Keeper Enterprise User ID is different between the Keeper backend and the Okta admin. This can occur if you delete and re-create a user's account from the Keeper side, instead of properly creating the user from a SCIM invitation. In this case, Okta does not have knowledge of the user's new Enterpriser User ID.
- To resolve this issue, you need to simply remove the application assignment to Keeper, and re-assign the user to the Keeper application.
Push Group Membership
Please visit the Okta + Keeper SSO Connect guide for realtime authentication.