# SCIM Push Configuration

For identity providers that don't support SCIM, customers can utilize the Keeper Commander [scim push](/en/keeperpam/commander-cli/command-reference/enterprise-management-commands.md#scim-command) command to provision users and teams.

## Common Setup Steps

Prerequisites: please be familiar with [User and Team provisioning](/en/enterprise-guide/user-and-team-provisioning.md)

1. Create a SCIM provisioning for your enterprise with the Admin Console or Commander
2. Create a record in Keeper with `login` record type to store the SCIM configuration
3. Paste the SCIM URL to the `Website Address` field of the Keeper record
4. Paste the SCIM Token to the `Password` field of the Keeper record

## Google Workspace

The setup steps in this section allow you to provision users and teams from your Google Workspace account.

Prerequisites: [Active Google Workspace](https://admin.google.com) subscription and [Google Cloud Platform](https://console.cloud.google.com/) account

If Commander was installed with `pip`, make sure the Google API Client Python package is installed:

```bash
(keeper) % pip install google-api-python-client
```

1. [Google Cloud Platform](https://console.cloud.google.com/): Create a project or choose an existing one
2. [Google Cloud Platform](https://console.cloud.google.com/): Enable `Admin SDK API` for your project
   * in the `APIs & Services` click `+ENABLE APIS AND SERVICES`
   * in the `Search for APIs & Services` enter `Admin SDK API`
   * click `ENABLE`
3. [Google Cloud Platform](https://console.cloud.google.com/): Create a Service Account
   * In the `IAM and Admin` menu select `Service accounts`
   * click `+CREATE SERVICE ACCOUNT` with suggested service account name: `keeper-scim`
   * For newly created service account click `Actions`/dots and select `Manage Keys`
   * click `ADD KEYS` -> `Create New Key`. Choose the JSON key type, then click `CREATE`
   * A JSON file with service account credentials will be downloaded to your computer
   * Rename this file to `credentials.json` and add it as an attachment to the Keeper configuration record that was created in the Common Setup Steps above.
4. Grant the Service Account access to your Google Workspace Directory
   * [Google Cloud Platform](https://console.cloud.google.com/)
     * Navigate to your Service Account and select `DETAILS` tab
     * in the `Domain-wide delegation` section copy the `Client ID`. You will need to grant this Client ID access to the Google Workspace Directory
   * [Google Workspace Admin Console](https://admin.google.com/)
     * Navigate to `Security` -> `API controls`
     * Under the `Domain wide delegation` click `MANAGE DOMAIN WIDE DELEGATION`
     * Click `Add new` in `API Clients`
     * Paste `Client ID`
     * Paste the following text into `OAuth scopes (comma-delimited)`: <mark style="color:green;">`https://www.googleapis.com/auth/admin.directory.group.readonly,https://www.googleapis.com/auth/admin.directory.group.member.readonly,https://www.googleapis.com/auth/admin.directory.user.readonly`</mark>
     * Click `AUTHORIZE`. These scopes grant the Service Account read-only access to Google Workspace Directory Users, Groups and Membership
5. [Google Workspace Admin Console](https://admin.google.com/): Provide Keeper with the `Service Account`
   * In Google, navigate to `Account` -> `Account settings`
   * Copy the `Primary admin` email into the clipboard (upper right area)
   * Paste this email into the login field of your Google SCIM configuration record in Keeper
6. [Google Workspace Admin Console](https://admin.google.com/): create a group that holds users to be exported to Keeper.
   * Optional: skip this step if you want all user accounts to be imported
   * Navigate to `Directory` -> `Group`
   * Click `Create group`
   * Assign all users that need to be provisioned to Keeper to this group

The Google SCIM configuration record in Keeper should now contain the following fields:

<table><thead><tr><th width="209">Field</th><th width="130.33333333333331">Section</th><th>Value</th></tr></thead><tbody><tr><td>Login</td><td>Google #5</td><td>Google Workspace admin email</td></tr><tr><td>Password</td><td>Common #4</td><td>SCIM Token generated in the Keeper Admin Console</td></tr><tr><td>Website Address</td><td>Common #3</td><td>SCIM URL pasted from the Keeper Admin Console</td></tr><tr><td>SCIM Group</td><td>Google #6</td><td>Google group name or empty to import all users</td></tr><tr><td>credentials.json</td><td>Google #3</td><td>File attachment with Google Service Account credentials</td></tr></tbody></table>

<figure><img src="/files/ioQtVFH8WoSCewxY4dZr" alt=""><figcaption><p>Record in Keeper containing the Google Cloud service account information</p></figcaption></figure>
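A pre-flight check for the record described in the table above, as an added example (not part of Keeper Commander). The function name, finding messages, the https requirement on the SCIM URL and all sample values are assumptions of this example; the scopes are the three from step 4, and the key fields are those of a Google service account JSON key.

```python
import json
import re
from urllib.parse import urlparse

# The three read-only Directory scopes from step 4 above.
REQUIRED_SCOPES = {
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.member.readonly",
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
}

def check_google_record(fields, credentials_json, delegated_scopes):
    """Return findings for a Google SCIM record; an empty list means it looks complete."""
    findings = []
    if urlparse(fields.get("Website Address", "")).scheme != "https":
        findings.append("Website Address: SCIM URL is not https")
    if not fields.get("Password"):
        findings.append("Password: SCIM token is empty")
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", fields.get("Login", "")):
        findings.append("Login: expected the Google Workspace admin email")
    try:
        key = json.loads(credentials_json)
    except ValueError:
        key = None
    if not isinstance(key, dict) or key.get("type") != "service_account":
        findings.append("credentials.json: not a service account JSON key")
    else:
        findings += [f"credentials.json: missing {n}"
                     for n in ("client_id", "client_email", "private_key") if not key.get(n)]
    # Compare what was typed into "OAuth scopes (comma-delimited)" with the read-only set.
    granted = {s.strip() for s in delegated_scopes.split(",") if s.strip()}
    findings += [f"delegation: missing scope {s}" for s in sorted(REQUIRED_SCOPES - granted)]
    findings += [f"delegation: extra scope {s}" for s in sorted(granted - REQUIRED_SCOPES)]
    return findings

# Constructed sample values (placeholders, not real credentials or a real SCIM URL).
SAMPLE_FIELDS = {
    "Login": "admin@example.com",
    "Password": "constructed-scim-token",
    "Website Address": "https://scim.example.invalid/placeholder",
}
SAMPLE_KEY = json.dumps({"type": "service_account", "client_id": "000000000000000000000",
                         "client_email": "keeper-scim@example-project.iam.gserviceaccount.com",
                         "private_key": "PLACEHOLDER"})

if __name__ == "__main__":
    # A delegation entry that also grants the read/write user scope is reported.
    broad = ",".join(sorted(REQUIRED_SCOPES)) + ",https://www.googleapis.com/auth/admin.directory.user"
    for finding in check_google_record(SAMPLE_FIELDS, SAMPLE_KEY, broad):
        print(finding)
```
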

### Pushing Provisioning Data

To perform a push of the Google users and Teams into Keeper, use the below command:

```
scim push <SCIM ID> --source=google --record=<RECORD UID>
```

The SCIM ID can be found in the Admin Console or using Commander. For example:

```
My Vault> scim list
        SCIM ID  Node Name              Node ID          Status   Last Synced
---------------  ---------------------  ---------------  -------  ------------
288797895952358  Lurey, Inc.\Corporate  288797895950343  active   Wed Jul  6 09:44:44 2022
288797895951707  Lurey, Inc.\Azure      288797895951061  active   Fri Jul  7 14:25:31 2023
288797895951110  Lurey, Inc.\Google     288797895951063  active   Mon May 30 23:42:52 2022
```

### Automatic Provisioning of Google Workspace

Keeper has created a Google Cloud Function to automatically perform provisioning of Google Workspace users and teams. The step by step instructions can be found here:

<https://docs.keeper.io/sso-connect-cloud/identity-provider-setup/g-suite-keeper/google-workspace-user-and-group-provisioning-with-cloud-function>

## Active Directory

The setup steps in this section allow you to provision users and teams from Active Directory using the `scim push` command.

Prerequisites:

1. In your Active Directory browser, create a Group and add AD users and groups that need to be provisioned in Keeper.
2. Get the Active Directory connect URL, e.g. `ldap(s)://<domain controller host or IP>`
3. Pick a user that can read Active Directory

The Active Directory configuration record in Keeper should now contain the following fields:

<table><thead><tr><th width="190">Field</th><th width="170.33333333333331">Section</th><th>Value</th></tr></thead><tbody><tr><td>Password</td><td>Common #4</td><td>SCIM Token generated in the Keeper Admin Console</td></tr><tr><td>Website Address</td><td>Common #3</td><td>SCIM URL pasted from the Keeper Admin Console</td></tr><tr><td>SCIM Group</td><td>AD #1</td><td>AD group name that lists all users and groups to import</td></tr><tr><td>AD URL</td><td>AD #2</td><td><p>AD Connect URL</p><p><code>ldap(s)://&lt;domain controller&gt;</code></p></td></tr><tr><td>AD User</td><td>AD #3</td><td>AD User login or distinguished name<br><code>DOMAIN\USERNAME</code><br><code>CN=...</code></td></tr><tr><td>AD Password</td><td>AD #3</td><td>AD Password</td></tr></tbody></table>

### Pushing Provisioning Data

To perform a push of the Active Directory users and Teams into Keeper, use the below command:

```
scim push <SCIM ID> --source=ad --record=<RECORD UID>
```


