Okta Provisioning with SCIM

Keeper supports SAML 2.0 Authentication and SCIM provisioning with the Okta platform.

Features

Keeper/Okta provisioning integration supports the following features:

  • Create users in Keeper

  • Update user attributes

  • Activate or deactivate users (locks or unlocks them in Keeper)

  • Create teams in Keeper (from Okta groups)

  • Seamless Authentication

When provisioning users, the Okta directory is mapped to a single Keeper node. Okta creates users and groups in a pending state; new users receive an email invitation prompting them to create a Keeper account.

IMPORTANT: Integrating Okta with SCIM first requires that you configure and install Keeper SSO Connect with Okta. To learn more about Keeper SSO Connect, and for step-by-step Okta instructions, see the Keeper SSO Connect Guide.

Requirements

To set up Keeper user provisioning with Okta, you need access to the Keeper Admin Console and an Okta account.

Configuration Steps

1. Go to your Okta Admin account and add Keeper Password Manager to the list of your applications. If Okta asks for a Base URL, use https://keepersecurity.com. Open the app and go to the Provisioning/API integration screen.

2. Open the Keeper Admin Console and navigate to the node that should be synchronized with your Okta account. Select Add Method.

3. Choose the SCIM option and select Next. Select Create Provisioning Token.

4. Copy the values for URL and Token and paste them into their corresponding fields in the Okta Keeper app. Select Save to finish provisioning setup on the Keeper side.

Note: Make sure that each user's username and email are always the same when assigning users.

5. After pasting in the Base URL and the API Token in Okta, select Test API Credentials. If successful, save the credentials. Assign the app to some users and after a short period, select the Sync button in the Admin Console. Verify that users appear under the Users tab.

6. In the Okta Provisioning tab, click on Edit under Provisioning to App. Enable "Create Users", "Update User Attributes", "Deactivate Users" capabilities. Click Save.

7. In the Okta Sign On tab, click Edit under Settings. Set the Application username format to Email. Click Save.

Known Issues/Troubleshooting and Tips

  • If you test the API credentials before saving the provisioning method in the Admin Console, the test will fail.

  • A Keeper user is identified by email address; therefore, when assigning an Okta user to the Keeper app, make sure the Username contains a valid email address.

  • Keeper can use First and Last names that come from an Okta user record, but does not show those in the user interface of the Keeper Admin Console.

  • Groups assigned to the Keeper Okta application are not created as teams in Keeper by default; only group members are pushed to Keeper. To sync groups and group memberships to Keeper, add the groups to "Push Groups" in the Keeper Okta application.

  • When synchronizing group memberships from Okta, Keeper creates team memberships that are not immediately visible. For provisioned users to become actual team members, each user must register with Keeper, accept the invitation, and be approved to the group by a Keeper administrator or auto-approved by an existing Keeper team member logged into their Web Vault.
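As an added example (not Keeper's or Okta's code), the following Python pre-flight check models the two rules this page states: the username-must-equal-email requirement from the configuration note and the troubleshooting tips, and the mapping of a SCIM user's `active` flag to locking or unlocking an existing Keeper user. The SCIM 2.0 core User payload shape, the email syntax check and the case-insensitive comparison are assumptions, and the sample payloads are constructed.

```python
import re

# Loose email syntax check: one "@" followed by a dotted domain (assumption, not Keeper's rule).
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def primary_email(user: dict):
    """Primary email of a SCIM 2.0 User, or its first email if none is flagged primary."""
    emails = user.get("emails") or []
    for entry in emails:
        if entry.get("primary"):
            return entry.get("value")
    return emails[0].get("value") if emails else None


def check_user(user: dict) -> list:
    """Problems that would break the 'username == email' rule Keeper relies on."""
    problems = []
    username = user.get("userName", "")
    if not EMAIL_RE.match(username):
        problems.append(f"userName {username!r} is not a valid email address")
    email = primary_email(user)
    if email is None:
        problems.append("no email attribute on the SCIM user")
    elif email.lower() != username.lower():  # case-insensitive compare (assumption)
        problems.append(f"userName {username!r} differs from primary email {email!r}")
    return problems


def keeper_action(user: dict, exists_in_keeper: bool) -> str:
    """Keeper-side effect of this payload per the Features list: invite, lock or unlock."""
    if check_user(user):
        return "reject"
    if not exists_in_keeper:
        return "invite"  # new user is created pending and receives an email invitation
    return "unlock" if user.get("active", True) else "lock"


# Constructed sample payloads in SCIM 2.0 core User shape (not from a real tenant).
SAMPLE_USERS = [
    {"userName": "alice@example.com", "active": True,
     "emails": [{"value": "alice@example.com", "primary": True}]},
    {"userName": "bob", "active": True,
     "emails": [{"value": "bob@example.com", "primary": True}]},
    {"userName": "carol@example.com", "active": False,
     "emails": [{"value": "carol.smith@example.com", "primary": True}]},
]

if __name__ == "__main__":
    for u in SAMPLE_USERS:
        print(u["userName"], "->", keeper_action(u, exists_in_keeper=True), check_user(u))
```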