SCIM Push Configuration

Use Commander to push SCIM messages to the Keeper backend API
For identity providers that don't support SCIM, customers can utilize the Keeper Commander scim push command to provision users and teams. This feature was originally created to support automated Google Workspace user and team provisioning (since they don't currently support SCIM), but there are other use cases which also apply.

Common Setup Steps

Prerequisites: please be familiar with User and Team provisioning
  1. Create a SCIM provisioning for your enterprise with the Admin Console or Commander
  2. Create a record in Keeper with the login record type to store the SCIM configuration
  3. Paste the SCIM URL into the Website Address field of the Keeper record
  4. Paste the SCIM Token into the Password field of the Keeper record

Google Workspace

The setup steps in this section allow you to provision users and teams from your Google Workspace account.
Prerequisites: Active Google Workspace subscription and Google Cloud Platform account
If Commander was installed with pip, make sure the Google API Client Python package is installed as well:
(keeper) % pip install google-api-python-client
  1. Google Cloud Platform: Create a project or choose an existing one
  2. Google Cloud Platform: Enable the Admin SDK API for your project
    • in APIs & Services click +ENABLE APIS AND SERVICES
    • in Search for APIs & Services enter Admin SDK API
    • click ENABLE
  3. Google Cloud Platform: Create a Service Account
    • In the IAM and Admin menu select Service accounts
    • click +CREATE SERVICE ACCOUNT; the suggested service account name is keeper-scim
    • For the newly created service account click Actions (dots) and select Manage Keys
    • click ADD KEYS -> Create New Key. Choose the JSON key type, then CREATE
    • A JSON file with the service account credentials will be downloaded to your computer
    • Rename this file to credentials.json and add it as an attachment to the Keeper configuration record created in the Common Setup Steps above.
  4. Grant the Service Account access to your Google Workspace Directory
    • Navigate to your Service Account and select the DETAILS tab
    • In the Domain-wide delegation section copy the Client ID. You will need to grant this Client ID access to the Google Workspace Directory
    • Navigate to Security -> API controls
    • Under Domain wide delegation click MANAGE DOMAIN WIDE DELEGATION
    • Click Add new in API Clients
    • Paste the Client ID
    • Paste the following text into OAuth scopes (comma-delimited): https://www.googleapis.com/auth/admin.directory.group.readonly,https://www.googleapis.com/auth/admin.directory.group.member.readonly,https://www.googleapis.com/auth/admin.directory.user.readonly
    • Click AUTHORIZE. These scopes grant the Service Account read-only access to Google Workspace Directory Users, Groups and Membership
  5. Google Workspace Admin Console: Provide Keeper with the Service Account
    • In Google, navigate to Account -> Account settings
    • Copy the Primary admin email to the clipboard (upper right area)
    • Paste this email into the Login field of your Google SCIM configuration record in Keeper
  6. Google Workspace Admin Console: create a group that holds the users to be exported to Keeper.
    • Optional: skip this step if you want all user accounts to be imported
    • Navigate to Directory -> Group
    • Click Create group
    • Assign all users that need to be provisioned to Keeper to this group
The Google SCIM configuration record in Keeper should now contain the following fields:
Field             Section     Value
----------------  ----------  -------------------------------------------------------
Login             Google #5   Google Workspace admin email
Password          Common #4   SCIM Token generated in the Keeper Admin Console
Website Address   Common #3   SCIM URL pasted from the Keeper Admin Console
SCIM Group        Google #6   Google group name, or empty to import all users
credentials.json  Google #3   File attachment with the Google Service Account credentials

[Image: Record in Keeper containing the Google Cloud service account information]

Pushing Provisioning Data

To push the Google users and teams into Keeper, use the following command:
scim push <SCIM ID> --source=google --record=<RECORD UID>
The SCIM ID can be found in the Admin Console or using Commander. For example:
My Vault> scim list
SCIM ID          Node Name              Node ID          Status  Last Synced
---------------  ---------------------  ---------------  ------  ------------------------
288797895952358  Lurey, Inc.\Corporate  288797895950343  active  Wed Jul 6 09:44:44 2022
288797895951707  Lurey, Inc.\Azure      288797895951061  active  Fri Jul 7 14:25:31 2023
288797895951110  Lurey, Inc.\Google     288797895951063  active  Mon May 30 23:42:52 2022

Active Directory

The setup steps in this section allow you to provision users and teams from Active Directory using the scim push command.
Prerequisites:
  1. In your Active Directory browser, create a Group and add the AD users and groups that need to be provisioned in Keeper.
  2. Get the Active Directory connect URL, e.g. ldap(s)://<domain controller host or IP>
  3. Pick a user that can read Active Directory
The Active Directory configuration record in Keeper should now contain the following fields:
Field            Section    Value
---------------  ---------  ------------------------------------------------------------------
Password         Common #4  SCIM Token generated in the Keeper Admin Console
Website Address  Common #3  SCIM URL pasted from the Keeper Admin Console
SCIM Group       AD #1      AD group name that lists all users and groups to import
AD URL           AD #2      AD Connect URL: ldap(s)://<domain controller>
AD User          AD #3      AD User login or distinguished name (DOMAIN\USERNAME or CN=...)
AD Password      AD #3      AD Password
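The Google and Active Directory tables above list the record fields Commander reads before a push. The following added example (not part of Commander or this documentation) checks such a record for the mistakes a reviewer would look for: a non-https SCIM URL, a missing token or attachment, delegation scopes beyond the three read-only ones the Google steps authorize, and a plain ldap:// connect URL that would send the AD bind password in clear. Field names follow the tables; all record values and the SCIM URL are constructed placeholders.

```python
from urllib.parse import urlparse
# Read-only Admin SDK scopes the setup steps say to authorize for the delegation client.
READ_ONLY_SCOPES = frozenset({
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.member.readonly",
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
})

def check_common(record):
    # Fields both sources share: Website Address (SCIM URL) and Password (SCIM Token).
    problems = []
    url = urlparse(record.get("url", ""))
    if url.scheme != "https" or not url.netloc:
        problems.append("Website Address is not an https SCIM URL")
    if not record.get("password"):
        problems.append("Password (SCIM Token) is empty")
    return problems

def check_google(record, granted_scopes):
    # Google record: admin email in Login, credentials.json attached, scopes exactly read-only.
    problems = check_common(record)
    if "@" not in record.get("login", ""):
        problems.append("Login is not the Google Workspace admin email")
    if "credentials.json" not in record.get("attachments", []):
        problems.append("credentials.json attachment is missing")
    drift = set(granted_scopes) ^ READ_ONLY_SCOPES  # symmetric difference: extra or missing scopes
    if drift:
        problems.append("delegation scopes differ from the read-only set: " + ", ".join(sorted(drift)))
    return problems

def check_ad(record):
    # AD record: ldap(s) connect URL plus the group, bind user and bind password custom fields.
    problems = check_common(record)
    custom = record.get("custom", {})
    ad_url = urlparse(custom.get("AD URL", ""))
    if ad_url.scheme not in ("ldap", "ldaps") or not ad_url.netloc:
        problems.append("AD URL is not of the form ldap(s)://<domain controller>")
    elif ad_url.scheme == "ldap":
        problems.append("AD URL uses plain ldap; the AD Password would cross the network in clear")
    for name in ("SCIM Group", "AD User", "AD Password"):
        if not custom.get(name):
            problems.append(f"custom field {name!r} is empty")
    return problems

# Constructed sample records with placeholder values, not real credentials.
GOOGLE_OK = {"login": "admin@example.com", "password": "TOKEN-PLACEHOLDER",
             "url": "https://scim.example.invalid/v2/PLACEHOLDER", "attachments": ["credentials.json"]}
AD_WEAK = {"password": "TOKEN-PLACEHOLDER", "url": "https://scim.example.invalid/v2/PLACEHOLDER",
           "custom": {"SCIM Group": "Keeper Users", "AD URL": "ldap://dc01.example.local",
                      "AD User": "EXAMPLE\\svc-keeper", "AD Password": "PLACEHOLDER"}}
```

Run the checks against the record contents before invoking scim push; an empty list means the record matches the tables and the delegation grant is still read-only.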

Pushing Provisioning Data

To push the Active Directory users and teams into Keeper, use the following command:
scim push <SCIM ID> --source=ad --record=<RECORD UID>