Google Workspace
How to configure Keeper SSO Connect Cloud with Google Workspace for seamless and secure SAML 2.0 authentication.
Google Workspace supports the following integration with Keeper:
- SSO authentication with SAML 2.0
- Automatic Provisioning with SCIM
You can configure SSO, SSO+SCIM or SCIM without SSO.
Visit the Apps > Web and Mobile Apps screen.

Web and mobile apps
Then select "Add App" and select "Search for apps".
Add new Keeper SAML App
In the "Enter app name" search area, search for "Keeper" and select the "Keeper Web (SAML)" app.
Select Keeper Web (SAML) app
Use Option 1 to Download IdP metadata and then select Continue.
Download Google Metadata
On the Service Provider Details screen, there are a few fields to fill out. You will replace the ACS URL and the Entity ID with the values that you'll be using from your SSO Connect Cloud instance.
Keeper SP Details
To obtain the ACS URL and Entity ID, locate your SSO Connect Cloud Provisioning method, within the Keeper Admin Console, and select View.

SSO Connect Cloud Info
Within the Service Provider section you will find the values for the ACS URL and Entity ID.
ACS URL and Entity ID
Copy and Paste the ACS URL, Entity ID into the Service Provider Details and select "Signed Response" and select CONTINUE.
Keeper SP Details Filled
In the Attributes screen, ensure that there are 3 mappings exactly as they appear below. Set the mappings field to "First Name", "Last Name" and "Primary Email", as displayed below, and select Finish. You have completed your Google Workspace SAML integration into Keeper.
If you have selected / created a Custom SAML App, you'll need to click on "Add New Mapping" to create the 3 fields: First, Last and Email. The spelling needs to be exact.
Google Attributes
Once complete, you will be taken to Keeper SAML App Details Page in which provides you a quick detail overview of the SAML connection and service. Click within the area where it states OFF for everyone to enable SSO for your users.
To enable Keeper SSO Connect, for your users, select ON for everyone and select SAVE.
To enable Keeper SSO Connect on specific groups, select Groups to the left of the Service status, search and select the Group in which you want associated to the Keeper SSO Connect App, select / tick "ON" the select SAVE.

Note: Google does not currently support Group provisioning to Keeper teams.
Back on the Keeper Admin console, locate your SSO Connect Cloud Provisioning method and select Edit.

Edit SSO Connect Cloud
Select Browse Files and select the Google Metadata file previously downloaded.
Upload Google Metadata File
You will know this was successful when your metadata file reflects within your provisioning method. You may now exit the provisioning configuration.
As of 2022, Google defaults the configuration to not enable Single Logout. This means logging out of Keeper does not initiate a full logout of Google.
Your Keeper SSO Connect setup with Google Workspace is now complete! Users can now login into Keeper using their Google account by following the below steps:
- 1.Open the Keeper vault and click on "Enterprise SSO Login".
- 2.Type in the Enterprise Domain that was provided to the Keeper Admin Console when setting up SSO. On the SSO Connect status screen it is called "SSO Connect Domain".
- 3.Click "Connect" and login with your Google Workspace credentials.
For the end-user experience (Keeper-initiated Login Flow) see the guide below:
https://docs.keeper.io/user-guides/enterprise-end-user-setup-sso#keeper-initiated-login-flow
Next, we'll show how to configure User Provisioning using SCIM.
User Provisioning provides several features for lifecycle management:
- New users added to Google Workspace will get an email invitation to set up their Keeper vault
- Users can be assigned to Keeper on a user or team basis
- When a user is de-provisioned, their Keeper account will be automatically locked
Note: Google does not currently support Group provisioning to Keeper teams.
From the Keeper Admin Console, go to the Provisioning tab for the Google Workspace node and click "Add Method".

Select SCIM and click Next.

Click on "Create Provisioning Token"

The URL and Token displayed on the next screen will be provided to Google in the Google Workspace Admin Console. Save the URL and Token in a file somewhere temporarily and then click Save.

Make sure to save these two parameters (URL and Token) and then click Save or else provisioning will fail.
Back on the Google Workspace admin console, go to Home > Apps > SAML Apps and click on the "Provisioning Available" text of the Keeper app you set up.

Select Configure auto-provisioning towards the bottom of the page.
SCIM Provisioning
Paste the Access Token previously saved when you created your SCIM Provisioning Method in the Keeper Admin Console and select CONTINUE.
Paste the Endpoint URL previously saved when you created your SCIM Provisioning Method in the Keeper Admin Console and select CONTINUE.
Leave the default Attribute mappings as they are and click CONTINUE.
Default Attribute Mappings
If you will be provisioning all users assigned to the Keeper SSO Connect app, you can simply select CONTINUE.
SCIM all Users
At the Deprovisioning Screen, you can simply select FINISH to automate the deprovisioning of your users.
Once Auto-provisioning setup is finished, you will be taken back to the details screen of the Keeper App. You will find the Auto-Provisioning is inactive. Toggle this to Active

Inactive Auto-Provisioning
Once toggled, a Pop-Out window will appear Confirming that you are ready to turn on Auto-Provisioning. Select TURN ON.
You will be taken back to the details screen of the Keeper App. You now see Auto-Provisioning is Active.
Active Auto-Provisioning
Auto-provisioning is complete. Moving forward, new users who have been configured to use Keeper, in Google Workspace and are within the provisioning scope definitions, will receive invites to utilize the Keeper Vault and be under the control of Google Workspace.
If you would like to provision users to Keeper via Google Workspace SCIM provisioning, but you do NOT want to authenticate users via SSO, please follow the below instructions:
- 1.Following the same steps, as above to setup SSO, during the Service Provider Details Screen, you will replace the ACS URL and the Entity ID with the values that point to a domain in your control but is a "NULL" value in which has no communicable source. Ex: Entity ID=https://null.yourdomain.com/sso-connect ACS URL=https://null.yourdomain.com/sso-connect/saml/sso
- 2.Once Keeper application is set up in Google Workspace, turn on the automated provisioning method as described, above, in this document.
Note: Google does not currently support Group provisioning to Keeper teams.
If you receive the error "not_a_saml_app" please ensure that you have turned "Auto-provisioning" to "ON" in the SAML application.
Google's IdP x.509 certificates for signing SAML assertions are set to expire after 5 years. In the Google Workspace "Manage Certificates" section, you should make note of the expiration and ensure to set a calendar alert in the future to prevent an outage.
When the certificate is expiring soon, or if the certificate has expired, you can follow the instructions below.
- 1.
- 2.Click on Apps then select Web and Mobile Apps.
- 3.Select Keeper app
- 4.Expand service provider
- 5.Click “Manage Certificates”
- 6.Click “ADD CERTIFICATE”
- 7.Click “DOWNLOAD METADATA”
- 8.Save the metadata file. This is the IdP metadata.
- 9.Login to the Keeper Admin Console
- 10.Navigate to Admin > SSO Node > Provisioning > Edit SSO Cloud provisioning method
- 11.Upload the Google IdP metadata into Keeper
For more information on this topic, see Google's support page:
Users created in the root node (top level) will need to be migrated to the sub node that the SSO integration was configured on. If users remain in the root node, they will be prompted for the master password when accessing the vault and/or admin console.
An admin can not move themselves to the SSO enabled node. It requires another admin to perform this action.
After the user is moved to the SSO enabled node, they need to log into the Keeper vault initially by selecting the "Enterprise SSO" pull down and inputting in the Enterprise Domain configured on the SSO integration. The user may get prompted to confirm by entering in the master password.

Initially select 'Enterprise SSO Login'
Once the user has authenticated with SSO, they only need to use their email address moving forward to initiate SSO authentication.
They won't have to enter the Enterprise Domain. If typing in the email address and clicking Next does not route the user to the desired SSO, ensure that just-in-time provisioning is enabled in the Keeper SSO configuration and ensure that your email domain is reserved by Keeper. More information regarding routing and domain reservation can be found here.
Last modified 5mo ago