# SCIM Push Configuration

For identity providers that don't support SCIM, customers can utilize the Keeper Commander [scim push](https://docs.keeper.io/en/keeperpam/commander-cli/command-reference/enterprise-management-commands/..#scim-command) command to provision users and teams.

## Common Setup Steps

Prerequisites: familiarity with [User and Team provisioning](https://docs.keeper.io/enterprise-guide/user-and-team-provisioning)

1. Create SCIM provisioning for your enterprise with the Admin Console or Commander
2. Create a record in Keeper with the `login` record type to store the SCIM configuration
3. Paste the SCIM URL into the `Website Address` field of the Keeper record
4. Paste the SCIM Token into the `Password` field of the Keeper record

## Google Workspace

The setup steps in this section allow you to provision users and teams from your Google Workspace account.

Prerequisites: [Active Google Workspace](https://admin.google.com) subscription and [Google Cloud Platform](https://console.cloud.google.com/) account

If Commander was installed with `pip`, make sure the Google API Client Python package is installed:

```bash
(keeper) % pip install google-api-python-client
```

1. [Google Cloud Platform](https://console.cloud.google.com/): Create a project or choose an existing one
2. [Google Cloud Platform](https://console.cloud.google.com/): Enable `Admin SDK API` for your project
   * In `APIs & Services` click `+ENABLE APIS AND SERVICES`
   * In `Search for APIs & Services` enter `Admin SDK API`
   * Click `ENABLE`
3. [Google Cloud Platform](https://console.cloud.google.com/): Create a Service Account
   * In the `IAM and Admin` menu select `Service accounts`
   * Click `+CREATE SERVICE ACCOUNT` with the suggested service account name: `keeper-scim`
   * For the newly created service account click `Actions`/dots and select `Manage Keys`
   * Click `ADD KEYS` -> `Create New Key`. Choose the JSON key type, then `CREATE`
   * A JSON file with the service account credentials will be downloaded to your computer
   * Rename this file to `credentials.json` and add it as an attachment to the Keeper configuration record that was created in the Setup Steps above.
4. Grant the Service Account access to your Google Workspace Directory
   * [Google Cloud Platform](https://console.cloud.google.com/)
     * Navigate to your Service Account and select `DETAILS` tab
     * In the `Domain-wide delegation` section copy the `Client ID`. You will need to grant this Client ID access to the Google Workspace Directory
   * [Google Workspace Admin Console](https://admin.google.com/)
     * Navigate to `Security` -> `API controls`
     * Under the `Domain wide delegation` click `MANAGE DOMAIN WIDE DELEGATION`
     * Click `Add new` in `API Clients`
     * Paste the `Client ID`
     * Paste the following text into `OAuth scopes (comma-delimited)`: `https://www.googleapis.com/auth/admin.directory.group.readonly,https://www.googleapis.com/auth/admin.directory.group.member.readonly,https://www.googleapis.com/auth/admin.directory.user.readonly`
     * Click `AUTHORIZE`. These scopes grant the Service Account read-only access to Google Workspace Directory Users, Groups and Membership
5. [Google Workspace Admin Console](https://admin.google.com/): Provide Keeper with the `Service Account` admin email
   * In Google, navigate to `Account` -> `Account settings`
   * Copy the `Primary admin` email into the clipboard (upper right area)
   * Paste this email into the login field of your Google SCIM configuration record in Keeper
6. [Google Workspace Admin Console](https://admin.google.com/): Create a group that holds the users to be exported to Keeper.
   * Optional: skip this step if you want all user accounts to be imported
   * Navigate to `Directory` -> `Group`
   * Click `Create group`
   * Assign all users that need to be provisioned to Keeper to this group

The Google SCIM configuration record in Keeper should now contain the following fields:

<table><thead><tr><th width="209">Field</th><th width="130.33333333333331">Section</th><th>Value</th></tr></thead><tbody><tr><td>Login</td><td>Google #5</td><td>Google Workspace admin email </td></tr><tr><td>Password</td><td>Common #4</td><td>SCIM Token generated in the Keeper Admin Console</td></tr><tr><td>Website Address</td><td>Common #3</td><td>SCIM URL pasted from the Keeper Admin Console</td></tr><tr><td>SCIM Group</td><td>Google #6</td><td>Google group name or empty to import all users</td></tr><tr><td>credentials.json</td><td>Google #3</td><td>File attachment with Google Service Account credentials</td></tr></tbody></table>

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2F6DJsI6QFbIhARs3Tj7Zp%2FScreen%20Shot%202023-06-20%20at%2010.48.24%20AM.png?alt=media&#x26;token=50e318aa-556c-42ad-b867-521b2204191d" alt=""><figcaption><p>Record in Keeper containing the Google Cloud service account information</p></figcaption></figure>
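Before running the push, a practitioner usually wants to confirm that the service account, the domain-wide delegation scopes and the `SCIM Group` name from the record actually resolve to the expected accounts. The following added example (not part of Keeper Commander or this page) does that with the same `google-api-python-client` package installed above; it assumes the `credentials.json` attachment has been saved locally and takes the record's `Login` email and `SCIM Group` value as parameters.

```python
"""Pre-flight check for `scim push --source=google` (added example, not Keeper's code).

Assumes the credentials.json attachment and the admin email from the Keeper record
are available locally; scim_group is the record's "SCIM Group" field (empty = all users).
"""
from __future__ import annotations

# The three read-only Directory scopes authorized under domain-wide delegation.
DIRECTORY_SCOPES = [
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.member.readonly",
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
]

def scopes_field(scopes=DIRECTORY_SCOPES) -> str:
    """Comma-delimited form expected by the 'OAuth scopes' field in the Admin Console."""
    return ",".join(scopes)

def direct_user_members(members: list[dict]) -> list[str]:
    """Emails of direct USER members; nested groups and suspended users are dropped."""
    return sorted(m["email"].lower() for m in members
                  if m.get("type") == "USER" and m.get("status", "ACTIVE") == "ACTIVE")

def paginate(list_fn, key: str, **params) -> list[dict]:
    """Collect every page of a Directory API list call (users, groups or members)."""
    items, token = [], None
    while True:
        page = list_fn(**params, **({"pageToken": token} if token else {})).execute()
        items.extend(page.get(key, []))
        token = page.get("nextPageToken")
        if not token:
            return items

def preview_push(credentials_path: str, admin_email: str, scim_group: str = ""):
    """Impersonate the Workspace admin via delegation and list what a push would read."""
    from google.oauth2 import service_account      # lazy imports: google-auth and
    from googleapiclient.discovery import build     # google-api-python-client
    creds = service_account.Credentials.from_service_account_file(
        credentials_path, scopes=DIRECTORY_SCOPES).with_subject(admin_email)
    svc = build("admin", "directory_v1", credentials=creds, cache_discovery=False)
    if not scim_group:   # empty SCIM Group: every Workspace user is imported
        users = paginate(svc.users().list, "users", customer="my_customer")
        return sorted(u["primaryEmail"].lower() for u in users)
    groups = paginate(svc.groups().list, "groups", customer="my_customer")
    match = [g for g in groups if g["name"].lower() == scim_group.lower()]
    if not match:
        raise LookupError(f"SCIM Group {scim_group!r} not found in the directory")
    members = paginate(svc.members().list, "members", groupKey=match[0]["email"])
    return direct_user_members(members)
```

A `403` from `preview_push` means the Client ID was not authorized for all three scopes in `MANAGE DOMAIN WIDE DELEGATION`, or the `Login` email is not a Workspace admin; a `LookupError` means the `SCIM Group` field does not match a group name.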

### Pushing Provisioning Data

To push the Google users and teams into Keeper, use the following command:

```
scim push <SCIM ID> --source=google --record=<RECORD UID>
```

The SCIM ID can be found in the Admin Console or using Commander. For example:

```
My Vault> scim list
        SCIM ID  Node Name              Node ID          Status   Last Synced
---------------  ---------------------  ---------------  -------  ------------
288797895952358  Lurey, Inc.\Corporate  288797895950343  active   Wed Jul  6 09:44:44 2022
288797895951707  Lurey, Inc.\Azure      288797895951061  active   Fri Jul  7 14:25:31 2023
288797895951110  Lurey, Inc.\Google     288797895951063  active   Mon May 30 23:42:52 2022
```

### Automatic Provisioning of Google Workspace

Keeper has created a Google Cloud Function to automatically perform provisioning of Google Workspace users and teams. The step by step instructions can be found here:

{% embed url="https://docs.keeper.io/sso-connect-cloud/identity-provider-setup/g-suite-keeper/google-workspace-user-and-group-provisioning-with-cloud-function" %}

## Active Directory

The setup steps in this section allow you to provision users and teams from Active Directory using the `scim push` command.

Prerequisites:

1. In Active Directory, create a group and add the AD users and groups that need to be provisioned in Keeper.
2. Get the Active Directory connect URL, e.g. `ldap(s)://<domain controller host or IP>`
3. Pick a user that can read Active Directory

The Active Directory configuration record in Keeper should now contain the following fields:

<table><thead><tr><th width="190">Field</th><th width="170.33333333333331">Section</th><th>Value</th></tr></thead><tbody><tr><td>Password</td><td>Common #4</td><td>SCIM Token generated in the Keeper Admin Console</td></tr><tr><td>Website Address</td><td>Common #3</td><td>SCIM URL pasted from the Keeper Admin Console</td></tr><tr><td>SCIM Group</td><td>AD #1</td><td>AD group name that lists all users and groups to import</td></tr><tr><td>AD URL</td><td>AD #2</td><td><p>AD Connect URL</p><p><code>ldap(s)://&#x3C;domain controller></code></p></td></tr><tr><td>AD User</td><td>AD #3</td><td>AD User login or distinguished name<br><code>DOMAIN\USERNAME</code><br><code>CN=...</code></td></tr><tr><td>AD Password</td><td>AD #3</td><td>AD Password</td></tr></tbody></table>
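The `AD URL` and `AD User` formats in this table determine how the directory is reached and which bind is used (`DOMAIN\USERNAME` is an NTLM-style login, `CN=...` is a distinguished name). The following added example (not Keeper Commander code) checks the same record values before a push: it parses the URL, binds with the third-party `ldap3` package (assumed to be installed; Commander itself does not use it) and returns the members of the `SCIM Group`.

```python
"""Pre-flight check for `scim push --source=ad` (added example, not Keeper's code).

Takes the same values the Keeper record holds (AD URL, AD User, AD Password, SCIM Group)
and verifies the bind and group lookup with the third-party ldap3 package (assumed
installed; Commander itself does not require it).
"""
from __future__ import annotations
import re

_AD_URL = re.compile(r"^(ldaps?)://([^/:]+)(?::(\d+))?/?$", re.IGNORECASE)

def parse_ad_url(ad_url: str) -> tuple[str, int, bool]:
    """Split 'ldap(s)://<domain controller>[:port]' into (host, port, use_ssl)."""
    m = _AD_URL.match(ad_url.strip())
    if not m:
        raise ValueError(f"AD URL must be ldap://host or ldaps://host, got {ad_url!r}")
    scheme, host, port = m.groups()
    use_ssl = scheme.lower() == "ldaps"
    return host, int(port) if port else (636 if use_ssl else 389), use_ssl

def bind_method(ad_user: str) -> str:
    """'DOMAIN\\USERNAME' needs an NTLM bind; a DN such as 'CN=...' binds with SIMPLE."""
    return "NTLM" if "\\" in ad_user else "SIMPLE"

def ldap_escape(value: str) -> str:
    """Escape a value placed inside an LDAP search filter (RFC 4515)."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)

def check_ad_record(ad_url: str, ad_user: str, ad_password: str, scim_group: str):
    """Bind as the record's AD user and return the member DNs of the SCIM group."""
    from ldap3 import ALL, NTLM, SIMPLE, Connection, Server   # lazy: needs ldap3
    host, port, use_ssl = parse_ad_url(ad_url)
    auth = NTLM if bind_method(ad_user) == "NTLM" else SIMPLE
    # For ldaps in production, pass an ldap3.Tls(validate=ssl.CERT_REQUIRED, ...) to Server.
    server = Server(host, port=port, use_ssl=use_ssl, get_info=ALL)
    conn = Connection(server, user=ad_user, password=ad_password,
                      authentication=auth, auto_bind=True)
    base = server.info.other["defaultNamingContext"][0]   # e.g. DC=corp,DC=example,DC=com
    conn.search(base, f"(&(objectClass=group)(cn={ldap_escape(scim_group)}))",
                attributes=["member"])
    if not conn.entries:
        raise LookupError(f"SCIM Group {scim_group!r} not found under {base}")
    members = list(conn.entries[0].member.values)
    conn.unbind()
    return members
```

The group name is escaped before it is placed in the search filter, so a `SCIM Group` value containing `(`, `)` or `*` cannot change the filter's meaning.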

### Pushing Provisioning Data

To push the Active Directory users and teams into Keeper, use the following command:

```
scim push <SCIM ID> --source=ad --record=<RECORD UID>
```
