G Suite

How to configure Keeper SSO Connect Cloud with G Suite for seamless and secure SAML 2.0 authentication.

Be sure to have already performed the steps in the Admin Console Configuration section.

G Suite supports the following integration with Keeper:

  • SSO authentication with SAML 2.0

  • Automatic Provisioning with SCIM

You can configure SSO, SSO+SCIM or SCIM without SSO.

G Suite Setup

To access the G Suite Admin Console, log in at https://gsuite.google.com.

Visit the Apps screen.

Click on SAML apps.

On the lower right click on the ( + ) button to create a SAML app.

Setup Keeper App

Search for Keeper and select the application.

IdP Information

On the Google IdP Information screen, download the IdP metadata, save it to your computer and select NEXT. (Note: this is the file you will later drag and drop into the Keeper SSO Connect screen.)

Basic Information for Keeper

On the Basic Information for Keeper screen, select NEXT.

Basic Keeper Information

Service Provider Details

On the Service Provider Details screen, there are a few fields to fill out. You will replace the ACS URL and the Entity ID with the values that you'll be using from your SSO Connect Cloud instance.

To obtain the ACS URL and Entity ID, locate your SSO Connect Cloud Provisioning method, within the Keeper Admin Console, and select View.

SSO Connect Cloud Info

Within the Service Provider section you will find the values for the ACS URL and Entity ID.

ACS URL and Entity ID

Copy and paste the ACS URL and Entity ID into the Service Provider Details, select "Signed Response" and select Next.

Attribute Mapping

In the Attribute Mapping screen, ensure that there are 3 mappings exactly as they appear below. Set the First, Last and Email fields to "First Name", "Last Name" and "Primary Email" as displayed below.

If you have selected a Custom App, you'll need to click on "Add New Mapping" to create the 3 fields: First, Last and Email. The spelling needs to be exact.
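To confirm that a test login really delivers the three attributes with the exact spelling above, the following added example (not Keeper's or Google's code) parses an already-decoded SAML assertion and reports missing, empty or wrongly-cased attribute names; the assertion XML is a constructed sample, not a capture from Google.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("First", "Last", "Email")  # exact, case-sensitive names Keeper expects

# Constructed sample assertion (not a capture from Google); note the
# lower-case "email" attribute, the kind of typo this check is meant to catch.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="First"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Last"><saml:AttributeValue>Smith</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def saml_attributes(assertion_xml):
    """Map each Attribute Name in the AttributeStatement to its list of values."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        attrs[attr.get("Name", "")] = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
    return attrs

def check_keeper_mapping(assertion_xml):
    """Return a list of problems with the three required attributes (empty if all good).
    Distinguishes missing, empty and wrongly-cased names so the fix in G Suite is obvious."""
    attrs = saml_attributes(assertion_xml)
    by_lower = {name.lower(): name for name in attrs}
    problems = []
    for name in REQUIRED:
        if name in attrs and any(attrs[name]):
            continue  # present with a non-empty value
        if name in attrs:
            problems.append(f"{name}: present but empty")
        elif name.lower() in by_lower:
            problems.append(f"{name}: found as '{by_lower[name.lower()]}' (case mismatch)")
        else:
            problems.append(f"{name}: missing")
    return problems

if __name__ == "__main__":
    for line in check_keeper_mapping(SAMPLE_ASSERTION) or ["all three Keeper attributes present"]:
        print(line)
```

The assertion is obtained by base64-decoding the SAMLResponse form field captured from a test login in your browser's developer tools.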

Select OK and you will have completed your G Suite SAML integration into Keeper. You will be informed that you still need to import the IDP data on Keeper SSO Connect.

Keeper SAML App Details

Once complete, you will be taken to the Keeper SAML App Details page, which gives a quick overview of the SAML connection and service. Click within the area that states OFF for everyone to enable SSO for your users.

Enable SSO Connect on Everyone

To enable Keeper SSO Connect for your users, select ON for everyone and select SAVE.

Alternatively, you can configure specific groups that have access.

Enable SSO Connect on Groups

To enable Keeper SSO Connect for specific groups, select Groups to the left of the Service status, search for and select the Group you want associated with the Keeper SSO Connect App, tick "ON", then select SAVE.

Import G Suite Metadata

Back on the Keeper Admin console, locate your SSO Connect Cloud Provisioning method and select Edit.

Edit SSO Connect Cloud

Select Browse Files and select the Google Metadata file previously downloaded.

Upload Google Metadata File

You will know this was successful when your metadata file reflects within your provisioning method. You may now exit the provisioning configuration.

Note about Single Logout (SLO) Settings with Google G Suite

Currently, G Suite does not support "Single Logout" at the application level. This means that users who explicitly log out of Keeper will also be logged out from their other Google services. Single Logout (SLO) is a feature of many identity providers that logs the user out of the specific application only. Unfortunately, Google doesn't support this yet.

If you want to prevent a full SAML Logout from all SAML apps, change the IdP type, in the previous step, to GENERIC. Don't set it to Google, which will log you out of Gmail and all other Google apps on SAML Logout.

Disable Google Single Logout

If you prefer that clicking "Logout" from Keeper does not log you out of Google, simply change the SSO Connect configuration to select the "GENERIC" provider instead of Google in the drop-down. However, you should be aware of the consequences from a security perspective:

  • Keeper's session will be logged out, however logging back into the vault will not prompt the user to re-enter their Google login credentials while the browser's Google session is still active.

  • From a user perspective this is a more friendly, less disruptive flow.

  • From a security perspective, be aware the Google account therefore controls the session handling of the Keeper vault on that user's browser.

SSO Setup Complete!

Your Keeper SSO Connect setup with G Suite is now complete! Users can now log in to Keeper using their Google account by following the steps below:

  1. Open the Keeper vault and click on "Enterprise SSO Login".

  2. Type in the Enterprise Domain that was provided to the Keeper Admin Console when setting up SSO. On the SSO Connect status screen it is called "SSO Connect Domain".

  3. Click "Connect" and login with your G Suite credentials.

For the end-user experience (Keeper-initiated Login Flow) see the guide below: https://docs.keeper.io/user-guides/enterprise-end-user-setup-sso#keeper-initiated-login-flow

End-user Video Tour for SSO Users is here: https://vimeo.com/329680541

Next, we'll show how to configure User Provisioning using SCIM.

User Provisioning with SSO+SCIM

User Provisioning provides several features for lifecycle management:

  • New users added to G Suite will be sent an email invitation to set up their Keeper vault

  • Users can be assigned to Keeper on a user or team basis

  • When a user is de-provisioned, their Keeper account will be automatically locked

Note: Google does not currently support Group provisioning to Keeper teams.

From the Keeper Admin Console, go to the Provisioning tab for the G Suite node and click Add Method.

Select SCIM and click Next.

Click on "Create Provisioning Token".

The URL and Token displayed on the next screen must be provided to Google in the G Suite Admin Console. Save both values in a temporary file and then click Save.

Make sure you have saved these two parameters (URL and Token) before clicking Save, or else provisioning will fail.

Back on the G Suite admin console, go to Home > Apps > SAML Apps and click on the "Provisioning Available" text of the Keeper app you set up.

Select Configure auto-provisioning towards the bottom of the page.

SCIM Provisioning

STEP 1: App authorization

Paste the Access Token previously saved when you created your SCIM Provisioning Method in the Keeper Admin Console and select CONTINUE.

STEP 2: Endpoint URL

Paste the Endpoint URL previously saved when you created your SCIM Provisioning Method in the Keeper Admin Console and select CONTINUE.

STEP 3: Default Attribute Mappings

Leave the default Attribute mappings as they are and click CONTINUE.

Default Attribute Mappings

STEP 4: Provisioning Scope

If you will be provisioning all users assigned to the Keeper SSO Connect app, you can simply select CONTINUE.

SCIM all Users

STEP 4.1: Provisioning Scope (Specific Groups)

If you would like to provision a specific group(s) of people, you can select the desired Group(s) within the Search groups field. Select CONTINUE when complete.

Provisioning Specific Groups

STEP 5: Deprovisioning

At the Deprovisioning Screen, you can simply select FINISH to automate the deprovisioning of your users.

Activate Auto-provisioning

Once Auto-Provisioning setup is finished, you will be taken back to the details screen of the Keeper App, where Auto-Provisioning shows as inactive. Toggle this to Active.

Inactive Auto-Provisioning

Once toggled, a pop-up window will appear confirming that you are ready to turn on Auto-Provisioning. Select TURN ON.

You will be taken back to the details screen of the Keeper App, where Auto-Provisioning now shows as Active.

Active Auto-Provisioning

User provisioning and deprovisioning setup is complete. From now on, new users who are configured to use Keeper in G Suite and fall within the provisioning scope will receive invitations to use the Keeper Vault, and their account lifecycle will be managed from G Suite.

User Provisioning / SCIM without SSO

If you would like to provision users to Keeper via G Suite SCIM provisioning but do NOT want to authenticate users via SSO, follow the instructions below:

  1. Following the same steps as above to set up SSO, on the Service Provider Details screen replace the ACS URL and the Entity ID with values that point to a domain under your control but have no service behind them (a "null" endpoint that nothing answers on). Ex: Entity ID=https://null.yourdomain.com/sso-connect ACS URL=https://null.yourdomain.com/sso-connect/saml/sso

  2. Once the Keeper application is set up in G Suite, turn on the automated provisioning method as described above in this document.

For G Suite groups to be SCIM provisioned to teams in Keeper, the groups have to be added to both the User Access section (for SSO) and the Provisioning scope section. If a group is not in both, SCIM will not push Teams to Keeper.