OneLogin Provisioning with SCIM

Keeper supports SAML 2.0 Authentication and SCIM provisioning with the OneLogin platform.


Keeper Enterprise is now available for OneLogin with automated user provisioning using the SCIM (System for Cross-Domain Identity Management) protocol. SCIM is an open standard that enables automated user provisioning between identity providers (like OneLogin) and service providers (like Keeper).

IMPORTANT: If you want your users to authenticate via SAML 2.0 with OneLogin, you must first configure and install Keeper SSO Connect.

View the full SSO Connect setup guides:

SSO Connect On-Prem: SSO Connect Cloud: If you don't want to use SAML 2.0 and you just want to provision users via SCIM provisioning, proceed with the guide below.

Companies utilizing OneLogin for their identity services can easily deploy Keeper’s EPM solution to their users without the need to manually provision. When auto-provisioning for Keeper Enterprise is enabled in OneLogin, any users created, modified or deleted in OneLogin are automatically added, edited or deleted in Keeper.

In addition to provisioning and deprovisioning users, Keeper Enterprise provides zero-knowledge, SAML 2.0 compliant authentication with OneLogin for seamless and frictionless access.

Integration of Keeper Enterprise into OneLogin enables organizations of any size to secure their passwords and confidential information within an encrypted vault. By including Keeper Enterprise in their SSO implementation, organizations fill critical security and functionality gaps that are essential from a cybersecurity perspective which includes:

  • Protects and generates strong passwords for any non-SAML application or website

  • Implements zero-knowledge security architecture with full end-to-end encryption

  • Stores SSH keys, digital certificates and any other confidential information

  • Enforces password compliance and policy-based access controls across the entire organization – all employees on all their devices for every website, application and system

  • Manages shared passwords for financial, business, social media or any other critical service

User encryption keys are generated dynamically by Keeper SSO Connect, encrypted and stored locally on the installed server, providing the customer with full control over the encryption keys that are used to encrypt and decrypt their digital vaults.

SCIM + Team-to-Role Mapping

Typically, identity providers that use SCIM such as OneLogin, support assigning users to teams, but custom role assignment is done only on a user basis. SCIM-provisioned teams and users are applied to the default role, without the ability for a team provisioned from SCIM to be mapped into an alternative, pre-defined role. Team-to-role mapping allows organizations to use their existing identity provider to assign users directly into teams that can be assigned custom roles.

To use team-to-role mapping, administrators simply assign a role to an entire “Team,” opposed to individual users and use role enforcements to establish different requirements and restrictions for each team.

SSO Configuration

For full SSO configuration instructions, visit the Keeper SSO Connect guide: For step-by-step OneLogin specific configuration use the following link:

SCIM Configuration

For SCIM configuration, users are directed to the following OneLogin instructions,

On the Configuration page of your app, use the following SCIM JSON template (Keeper username must be a valid email address):

"schemas": [
"userName": "{$}",
"displayName": "{$user.display_name}"

Obtain the SCIM Base URL and SCIM Bearer Token from the Admin Console

Add the following line to the Custom Headers section

Content-Type: application/scim+json

After you have enabled provisioning, your configuration would look similar to the screen capture below: