OneLogin Provisioning with SCIM

Keeper supports SAML 2.0 Authentication and SCIM provisioning with the OneLogin platform.

Overview

Keeper Enterprise supports integration with OneLogin with automated user provisioning using the SCIM (System for Cross-Domain Identity Management) protocol. SCIM is an open standard that enables automated user provisioning between identity providers (like OneLogin) and service providers (like Keeper).

IMPORTANT: If you want your users to authenticate via SAML 2.0 with OneLogin, you must first configure and install Keeper SSO Connect. Please follow one of the guides: https://docs.keeper.io/sso-connect-cloud/ - Cloud or https://docs.keeper.io/sso-connect-guide/ - On-Prem

If you don't want to authenticate users using SAML 2.0 and you simply just want to provision users via SCIM provisioning, proceed to the SCIM Only Configuration section below.

Companies utilizing OneLogin for their identity services can easily deploy Keeper’s EPM solution to their users without the need to manually provision. When auto-provisioning for Keeper Enterprise is enabled in OneLogin, any users created, modified or deleted in OneLogin are automatically added, edited or deleted in Keeper.

In addition to provisioning and deprovisioning users, Keeper Enterprise provides zero-knowledge, SAML 2.0 compliant authentication with OneLogin for seamless and frictionless access.

Integration of Keeper Enterprise into OneLogin enables organizations of any size to secure their passwords and confidential information within an encrypted vault. By including Keeper Enterprise in their SSO implementation, organizations fill critical security and functionality gaps that are essential from a cybersecurity perspective which includes:

  • Protects and generates strong passwords for any non-SAML application or website

  • Implements zero-knowledge security architecture with full end-to-end encryption

  • Stores SSH keys, digital certificates and any other confidential information

  • Enforces password compliance and policy-based access controls across the entire organization – all employees on all their devices for every website, application and system

  • Manages shared passwords for financial, business, social media or any other critical service

User encryption keys are generated dynamically by Keeper SSO Connect, encrypted and stored locally on the installed server, providing the customer with full control over the encryption keys that are used to encrypt and decrypt their digital vaults.

SSO + SCIM Configuration - Application Connector

OneLogin has a built-in Keeper application in their catalog that supports both SSO + SCIM integration.

For OneLogin integration instructions, visit the Keeper SSO Connect Cloud guide: https://docs.keeper.io/sso-connect-cloud/identity-provider-setup/onelogin-keeper This will walk through setting up the integration of SSO and getting SCIM connected.

After the API Connect status is Enabled, navigate to the Provisioning section and check the box for "Enable provisioning".

Add Users to the application.

Users can be added to the Keeper Password Manger connector in Onelogin in a couple different ways. The application can be added to the user's account or the user can be added to a Role, and the role gets added to the application via the Access section of the application in OneLogin. After the user has been added, in order for SCIM to send the request to Keeper, the OneLogin Admin will need to approve the change by navigating to the Users section in the Keeper Password Manager application connector and clicking on the "pending" status to Approve the user. The approval link can also be reached by going to the Applications section of the Users OneLogin profile and clicking the "pending" status. Click the Approve button to allow the user to be provisioned from OneLogin to Keeper.

Observe the user status changes from "Pending" to "Provisioned".

Enable OneLogin Roles to Keeper Teams mapping

On the Parameters section, click on Groups in the Optional Parameters section. On the Edit Fields Group pop-out select 'Include in User Provisioning'.

Click save and observe the Groups status changes to Enabled. Next, navigate to the Rules section of the application connector and select the "Add Rule" button.

Give the rule a name like "Create Team from Role. Under the Actions section, select "Set Groups in Keeper Password Manager" from the pull down. Next, select (or search) 'role' from the pull down and add the value .* (dot star) for the matching text.

.* is regular expression to match any character 0 or more times. To refine the search to a specific role or roles alter the regular expression. Please contact OneLogin if your search results are not aligning.

SCIM Only Configuration

For SCIM-only configuration, users are directed to the following OneLogin instructions, https://developers.onelogin.com/scim.

On the Configuration page of your app, use the following SCIM JSON template (Keeper username must be a valid email address):

{
"schemas": [
"urn:scim:schemas:core:1.0"
],
"userName": "{$user.email}",
"displayName": "{$user.display_name}"
}

Obtain the SCIM Base URL and SCIM Bearer Token from the Admin Console

Add the following line to the Custom Headers section

Content-Type: application/scim+json

After you have enabled provisioning, your configuration would look similar to the screen capture below:

SSO Connect Cloud:

SCIM + Team-to-Role Mapping

To use team-to-role mapping, administrators simply assign a role to an entire “Team,” opposed to individual users and use role enforcements to establish different requirements and restrictions for each team.

Typically, identity providers that use SCIM such as OneLogin, support assigning users to teams, but custom role assignment is done only on a user basis. SCIM-provisioned teams and users are applied to the default role, without the ability for a team provisioned from SCIM to be mapped into an alternative, pre-defined role. Team-to-role mapping allows organizations to use their existing identity provider to assign users directly into teams that can be assigned custom roles.

Unique Group Names

OneLogin appears to have a timing issue with their SCIM system which can possibly send multiple simultaneous requests to create the same Group. Keeper normally will accept the new group creation even if the Group Name is identical.

If you encounter an issue with duplicate group names, please contact Keeper and we will set a flag on your SCIM connection which enforces unique names.

Contact Keeper Support to enforce unique group names on your SCIM instance.