Google Workspace
How to configure Keeper SSO Connect Cloud with Google Workspace for seamless and secure SAML 2.0 authentication.
Be sure to have already performed the steps in the Admin Console Configuration section.
Google Workspace supports the following integration with Keeper:
    SSO authentication with SAML 2.0
    Automatic Provisioning with SCIM
You can configure SSO, SSO+SCIM or SCIM without SSO.

Google Workspace Setup

To access Google Workspace Admin Console, login to https://admin.google.com/
Visit the Apps screen.
Click on SAML apps
On the SAML apps screen select "Add App" and select "Search for apps".
Add new Keeper SAML App
In the "Enter app name" search area, search for "Keeper" and select the "Keeper Web (SAML)" app.
Select Keeper Web (SAML) app

Setup Keeper App

Use Option 1 to Download IdP metadata and then select Continue.
Download Google Metadata

Service Provider Details

On the Service Provider Details screen, there are a few fields to fill out. You will replace the ACS URL and the Entity ID with the values that you'll be using from your SSO Connect Cloud instance.
Keeper SP Details
To obtain the ACS URL and Entity ID, locate your SSO Connect Cloud Provisioning method, within the Keeper Admin Console, and select View.
SSO Connect Cloud Info
Within the Service Provider section you will find the values for the ACS URL and Entity ID.
ACS URL and Entity ID
Copy and Paste the ACS URL, Entity ID into the Service Provider Details and select "Signed Response" and select CONTINUE.
Keeper SP Details Filled

Attribute Mapping

In the Attributes screen, ensure that there are 3 mappings exactly as they appear below. Set the mappings field to "First Name", "Last Name" and "Primary Email", as displayed below, and select Finish. You have completed your Google Workspace SAML integration into Keeper.
If you have selected / created a Custom SAML App, you'll need to click on "Add New Mapping" to create the 3 fields: First, Last and Email. The spelling needs to be exact.
Google Attributes

Keeper SAML App Details

Once complete, you will be taken to Keeper SAML App Details Page in which provides you a quick detail overview of the SAML connection and service. Click within the area where it states OFF for everyone to enable SSO for your users.

Enable SSO Connect on Everyone

To enable Keeper SSO Connect, for your users, select ON for everyone and select SAVE.
Alternatively, you can configure specific groups that have access.

Enable SSO Connect on Groups

To enable Keeper SSO Connect on specific groups, select Groups to the left of the Service status, search and select the Group in which you want associated to the Keeper SSO Connect App, select / tick "ON" the select SAVE.

Import Google Workspace Metadata

Back on the Keeper Admin console, locate your SSO Connect Cloud Provisioning method and select Edit.
Edit SSO Connect Cloud
Select Browse Files and select the Google Metadata file previously downloaded.
Upload Google Metadata File
You will know this was successful when your metadata file reflects within your provisioning method. You may now exit the provisioning configuration.

Note about Single Logout (SLO) Settings with Google Workspace

As of the last update for this guide, Google Workspace does not support "Single Logout" at the application level. This means that users who explicitly Log Out of Keeper will also be logged out from their other Google services. Single Logout (SLO) is a feature of many identity providers which will logout the user from the specific application. Unfortunately Google doesn't support this yet.
If you want to prevent full SAML Logout from all SAML apps you should change the IDP type, in the previous step, to GENERIC. Don't set it to Google, which will log you out of Gmail and all other Google apps on SAML Logout.
Disable Google Single Logout
If you prefer that clicking "Logout" from Keeper does not log you out of Google, then simply change the SSO Connect configuration to select the "GENERIC" provider instead of Google in the drop-down. However you should be aware of the consequences from a security perspective:
    Keeper's session will be logged out, however logging back into the vault will not prompt the user to re-enter their Google login credentials while the browser's Google session is still active.
    From a user perspective this is a more friendly, less disruptive flow
    From a security perspective, be aware the Google account therefore controls the session handling of the Keeper vault on that user's browser.

SSO Setup Complete!

Your Keeper SSO Connect setup with Google Workspace is now complete! Users can now login into Keeper using their Google account by following the below steps:
    1.
    Open the Keeper vault and click on "Enterprise SSO Login".
    2.
    Type in the Enterprise Domain that was provided to the Keeper Admin Console when setting up SSO. On the SSO Connect status screen it is called "SSO Connect Domain".
    3.
    Click "Connect" and login with your Google Workspace credentials.
For the end-user experience (Keeper-initiated Login Flow) see the guide below: https://docs.keeper.io/user-guides/enterprise-end-user-setup-sso#keeper-initiated-login-flow
End-user Video Tour for SSO Users is here: https://vimeo.com/329680541
Next, we'll show how to configure User Provisioning using SCIM.

User Provisioning with SSO+SCIM

User Provisioning provides several features for lifecycle management:
    New users added to Google Workspace will get an email invitation to set up their Keeper vault
    Users can be assigned to Keeper on a user or team basis
    When a user is de-provisioned, their Keeper account will be automatically locked
Note: Google does not currently support Group provisioning to Keeper teams.
From the Keeper Admin Console, go to the Provisioning tab for the Google Workspace node and click "Add Method".
Select SCIM and click Next.
Click on "Create Provisioning Token"
The URL and Token displayed on the next screen will be provided to Google in the Google Workspace Admin Console. Save the URL and Token in a file somewhere temporarily and then click Save.
Make sure to save these two parameters (URL and Token) and then click Save or else provisioning will fail.
Back on the Google Workspace admin console, go to Home > Apps > SAML Apps and click on the "Provisioning Available" text of the Keeper app you set up.
Select Configure auto-provisioning towards the bottom of the page.
SCIM Provisioning

STEP 1: App authorization

Paste the Access Token previously saved when you created your SCIM Provisioning Method in the Keeper Admin Console and select CONTINUE.

STEP 2: Endpoint URL

Paste the Endpoint URL previously saved when you created your SCIM Provisioning Method in the Keeper Admin Console and select CONTINUE.

STEP 3: Default Attribute Mappings

Leave the default Attribute mappings as they are and click CONTINUE.
Default Attribute Mappings

STEP 4: Provisioning Scope

If you will be provisioning all users assigned to the Keeper SSO Connect app, you can simply select CONTINUE.
SCIM all Users

STEP 4.1: Provisioning Scope (Specific Groups)

If you would like to provision a specific group(s) of people, you can select the desired Group(s) within the Search groups field. Select CONTINUE when complete.
Provisioning Spcific Groups

STEP 5: Deprovisioning

At the Deprovisioning Screen, you can simply select FINISH to automate the deprovisioning of your users.

Activate Autoprovisioning

Once Autoprovisioning setup is finished, you will be taken back to the details screen of the Keeper App. You will find the Auto-Provisioning is inactive. Toggle this to Active
Inactive Auto-Provisioning
Once toggled, a Pop-Out window will appear Confirming that you are ready to turn on Auto-Provisioning. Select TURN ON.
You will be taken back to the details screen of the Keeper App. You now see Auto-Provisioning is Active.
Active Auto-Provisioning
Autoprovisioning is complete. Moving forward, new users who have been configured to use Keeper, in Google Workspace and are within the provisioning scope definitions, will receive invites to utilize the Keeper Vault and be under the control of Google Workspace.

User Provisioning / SCIM without SSO

If you would like to provision users to Keeper via Google Workspace SCIM provisioning, but you do NOT want to authenticate users via SSO, please follow the below instructions:
    1.
    Following the same steps, as above to setup SSO, during the Service Provider Details Screen, you will replace the ACS URL and the Entity ID with the values that point to a domain in your control but is a "NULL" value in which has no communicable source. Ex: Entity ID=https://null.yourdomain.com/sso-connect ACS URL=https://null.yourdomain.com/sso-connect/saml/sso
    2.
    Once Keeper application is set up in Google Workspace, turn on the automated provisioning method as described, above, in this document.
In order for Google Workspace groups to be SCIM provisioned to teams in Keeper, the groups have to be added to both the User Access section (for SSO) as well as in the Provisioning scope section. Failure to be in both will result in SCIM not pushing Teams to Keeper.
Last modified 2mo ago