G Suite supports the following integrations with Keeper:
SSO authentication with SAML 2.0
Automatic Provisioning with SCIM
You can configure SSO, SSO+SCIM or SCIM without SSO.
To access the G Suite Admin Console, log in to https://gsuite.google.com.
Visit the Apps screen.
Click on SAML apps.
On the lower right, click on the ( + ) button to create a SAML app.
Search for Keeper and select the application.
On the Google IdP Information screen, download the IDP metadata, save it to your computer, and select NEXT. (Note: this is the file you need to drag and drop into the Keeper SSO Connect screen.)
On the Basic Information for Keeper screen, select NEXT.
On the Service Provider Details screen, there are a few fields to fill out. You will replace the ACS URL and the Entity ID with the values that you'll be using from your SSO Connect Cloud instance.
To obtain the ACS URL and Entity ID, locate your SSO Connect Cloud Provisioning method within the Keeper Admin Console and select View.
Within the Service Provider section you will find the values for the ACS URL and Entity ID.
Copy and paste the ACS URL and Entity ID into the Service Provider Details, select "Signed Response", and select Next.
In the Attribute Mapping screen, ensure that there are 3 mappings exactly as they appear below. Set the First, Last and Email fields to "First Name", "Last Name" and "Primary Email" as displayed below.
If you have selected a Custom App, you'll need to click on "Add New Mapping" to create the 3 fields: First, Last and Email. The spelling needs to be exact.
Select OK and you will have completed your G Suite SAML integration into Keeper. You will be informed that you still need to import the IDP data on Keeper SSO Connect.
Once complete, you will be taken to the Keeper SAML App Details page, which provides a quick overview of the SAML connection and service. Click within the area where it states OFF for everyone to enable SSO for your users.
To enable Keeper SSO Connect for your users, select ON for everyone and select SAVE.
To enable Keeper SSO Connect for specific groups, select Groups to the left of the Service status, search for and select the group you want associated with the Keeper SSO Connect app, tick "ON", then select SAVE.
Back on the Keeper Admin Console, locate your SSO Connect Cloud Provisioning method and select Edit.
Select Browse Files and select the Google Metadata file previously downloaded.
You will know this was successful when your metadata file appears within your provisioning method. You may now exit the provisioning configuration.
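To confirm that the Service Provider Details and Attribute Mapping settings above took effect, a SAMLResponse captured from a test login can be checked offline. The following is an added example, not code from Keeper or Google; the ACS and ENTITY values are placeholders, the sample response is constructed, and it assumes the response carries the Destination and Audience values defined by SAML 2.0.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REQUIRED_ATTRS = {"First", "Last", "Email"}  # exact spelling from the mapping step
ACS = "https://sp.example.invalid/acs"        # placeholder, not a real Keeper URL
ENTITY = "https://sp.example.invalid/entity"  # placeholder, not a real Entity ID


def check_saml_response(b64_response, acs_url, entity_id):
    """List configuration problems in a captured SAMLResponse (structure only;
    this does not verify the signature cryptographically)."""
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    # "Signed Response" puts ds:Signature directly under samlp:Response,
    # not only inside the Assertion, so look at direct children only.
    if root.find("ds:Signature", NS) is None:
        problems.append("Response element is not signed")
    if root.get("Destination") != acs_url:
        problems.append("Destination does not match ACS URL")
    audiences = {a.text for a in root.iterfind(".//saml:Audience", NS)}
    if entity_id not in audiences:
        problems.append("Entity ID missing from Audience")
    names = {a.get("Name") for a in root.iterfind(".//saml:Attribute", NS)}
    for missing in sorted(REQUIRED_ATTRS - names):
        problems.append(f"attribute {missing!r} missing")
    return problems


def sample_response(attr_names, signed=True):
    """Build a constructed, minimal SAMLResponse for the demo (not real traffic)."""
    attrs = "".join(f'<saml:Attribute Name="{n}"/>' for n in attr_names)
    xml = (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}"'
        f' xmlns:ds="{NS["ds"]}" Destination="{ACS}">'
        f'{"<ds:Signature/>" if signed else ""}'
        "<saml:Assertion><saml:Conditions><saml:AudienceRestriction>"
        f"<saml:Audience>{ENTITY}</saml:Audience></saml:AudienceRestriction>"
        f"</saml:Conditions><saml:AttributeStatement>{attrs}"
        "</saml:AttributeStatement></saml:Assertion></samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    print(check_saml_response(sample_response(["first", "Last", "Email"]), ACS, ENTITY))
```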
As of right now, G Suite does not support "Single Logout" at the application level. This means that users who explicitly log out of Keeper will also be logged out from their other Google services. Single Logout (SLO) is a feature of many identity providers which will log the user out of the specific application. Unfortunately, Google doesn't support this yet.
If you want to prevent full SAML Logout from all SAML apps, you should change the IDP type, in the previous step, to GENERIC. Don't set it to Google, which will log you out of Gmail and all other Google apps on SAML Logout.
Your Keeper SSO Connect setup with G Suite is now complete! Users can now log in to Keeper using their Google account by following the steps below:
Open the Keeper vault and click on "Enterprise SSO Login".
Type in the Enterprise Domain that was provided to the Keeper Admin Console when setting up SSO. On the SSO Connect status screen it is called "SSO Connect Domain".
Click "Connect" and log in with your G Suite credentials.
For the end-user experience (Keeper-initiated Login Flow) see the guide below: https://docs.keeper.io/user-guides/enterprise-end-user-setup-sso#keeper-initiated-login-flow
End-user Video Tour for SSO Users is here: https://vimeo.com/329680541
Next, we'll show how to configure User Provisioning using SCIM.
User Provisioning provides several features for lifecycle management:
New users added to G Suite will be sent an email invitation to set up their Keeper vault
Users can be assigned to Keeper on a user or team basis
When a user is de-provisioned, their Keeper account will be automatically locked
From the Keeper Admin Console, go to the Provisioning tab for the G Suite node and click Add Method.
Select SCIM and click Next.
Click on "Create Provisioning Token".
The URL and Token displayed on the next screen will be provided to Google in the G Suite Admin Console. Save the URL and Token in a file somewhere temporarily and then click Save.
Back on the G Suite Admin Console, go to Home > Apps > SAML Apps and click on the "Provisioning Available" text of the Keeper app you set up.
Select Configure auto-provisioning towards the bottom of the page.
Paste the Access Token previously saved when you created your SCIM Provisioning Method in the Keeper Admin Console and select CONTINUE.
Paste the Endpoint URL previously saved when you created your SCIM Provisioning Method in the Keeper Admin Console and select CONTINUE.
Leave the default Attribute mappings as they are and click CONTINUE.
If you will be provisioning all users assigned to the Keeper SSO Connect app, you can simply select CONTINUE.
If you would like to provision a specific group(s) of people, you can select the desired Group(s) within the Search groups field. Select CONTINUE when complete.
At the Deprovisioning Screen, you can simply select FINISH to automate the deprovisioning of your users.
Once Auto-Provisioning setup is finished, you will be taken back to the details screen of the Keeper App. You will find that Auto-Provisioning is inactive. Toggle this to Active.
Once toggled, a pop-out window will appear confirming that you are ready to turn on Auto-Provisioning. Select TURN ON.
You will be taken back to the details screen of the Keeper App. You will now see that Auto-Provisioning is Active.
User provisioning and deprovisioning setup is complete. Moving forward, new users who have been configured to use Keeper in G Suite, and are within the provisioning scope definitions, will receive invites to utilize the Keeper Vault and be under the control of G Suite.
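To check that de-provisioning is actually taking effect, a SCIM user listing can be reconciled against the list of users in the G Suite provisioning scope. The following is an added example, not code from Keeper or Google; it assumes the listing has the standard SCIM 2.0 ListResponse shape (RFC 7644) and that a locked account is reported as active=false, and the sample listing is constructed.

```python
import json

LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

# Constructed sample of a SCIM 2.0 user listing (RFC 7644 ListResponse shape).
SAMPLE_LISTING = json.dumps({
    "schemas": [LIST_SCHEMA],
    "totalResults": 3,
    "Resources": [
        {"userName": "alice@example.invalid", "active": True},
        {"userName": "bob@example.invalid", "active": False},
        {"userName": "carol@example.invalid", "active": True},
    ],
})


def accounts_outside_scope(listing_json, in_scope_emails):
    """Return active SCIM users that are not in the G Suite provisioning scope."""
    listing = json.loads(listing_json)
    if LIST_SCHEMA not in listing.get("schemas", []):
        raise ValueError("not a SCIM 2.0 ListResponse")
    resources = listing.get("Resources", [])
    # A partial page would hide accounts, so refuse to report on it.
    if listing.get("totalResults", len(resources)) > len(resources):
        raise ValueError("listing is paginated; fetch the remaining pages first")
    scope = {e.strip().lower() for e in in_scope_emails}
    leftover = []
    for user in resources:
        name = user.get("userName", "").strip().lower()
        # Assumption: a locked (de-provisioned) account is reported as active=false.
        if user.get("active", True) and name not in scope:
            leftover.append(name)
    return sorted(leftover)


if __name__ == "__main__":
    print(accounts_outside_scope(SAMPLE_LISTING, ["alice@example.invalid"]))
```

Any account this returns is still usable even though G Suite no longer lists its owner in scope, so it is worth reviewing by hand.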
If you would like to provision users to Keeper via G Suite SCIM provisioning, but you do NOT want to authenticate users via SSO, please follow the instructions below:
Following the same steps as above to set up SSO, on the Service Provider Details screen you will replace the ACS URL and the Entity ID with values that point to a domain in your control but serve as a "NULL" value with nothing reachable behind it. Ex:
Entity ID=https://null.yourdomain.com/sso-connect
ACS URL=https://null.yourdomain.com/sso-connect/saml/sso
Once the Keeper application is set up in G Suite, turn on the automated provisioning method as described above in this document.