G Suite Configuration

How to configure Keeper SSO Connect with G Suite for seamless and secure SAML 2.0 authentication.

G Suite supports the following integration with Keeper:

  • SSO authentication with SAML 2.0

  • Automatic Provisioning with SCIM

You can configure SSO, SSO+SCIM or SCIM without SSO.

G Suite Setup

To access the G Suite Admin Console, log in at https://gsuite.google.com.

Login to G Suite

Visit the Apps screen.

Apps

Click on SAML apps

Visit the SAML Apps

On the lower right click on the ( + ) button to create a SAML app.

Add SAML Application

Setup Keeper App

Search for Keeper and select the application.

Search for Keeper

IdP Information

On the Google IdP Information screen, download the IDP metadata and save it to your computer (Note: this is the file you need to drag & drop into the Keeper SSO Connect screen).

Download IdP metadata

Service Provider Details

On the Service Provider Details screen, there are a few fields to fill out. Replace {host name} and {port} with the values of the SSO Connect instance you will be using.

Type in the ACS URL, Entity ID and select "Signed Response". For example, in the setup below, sso2.lurey.com is the host name and 8443 is the port.

Service Provider Details

You must also check the box for "Signed Response".

Attribute Mapping

In the Attribute Mapping screen, ensure that there are 3 mappings exactly as they appear below. Set the First, Last and Email fields to "First Name", "Last Name" and "Primary Email" as displayed below.

Attribute Mapping

If you have selected a Custom App, you'll need to click on "Add New Mapping" to create the 3 fields: First, Last and Email. The spelling needs to be exact.

Click FINISH and your G Suite setup is complete. You will be informed that you still need to import the IdP data into Keeper SSO Connect.
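As an added example (not Keeper's or Google's code), the following Python helper shows two checks worth running before the metadata is dragged into SSO Connect: it extracts the entity ID, SSO endpoint and signing-certificate count from the downloaded IdP metadata, and it compares the attribute names in a SAML assertion against the three exact names (First, Last, Email) the Attribute Mapping step requires. The metadata and assertion samples are constructed inline; the idpid and certificate values are placeholders.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Attribute names the Keeper app mapping must emit; the spelling has to be exact.
REQUIRED_ATTRS = {"First", "Last", "Email"}

def summarize_idp_metadata(xml_text):
    """Extract the fields SSO Connect relies on from the downloaded IdP metadata."""
    root = ET.fromstring(xml_text)
    sso = root.find("md:IDPSSODescriptor/md:SingleSignOnService", NS)
    certs = root.findall(
        "md:IDPSSODescriptor/md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return {
        "entity_id": root.get("entityID"),
        "sso_url": sso.get("Location") if sso is not None else None,
        "signing_certs": len(certs),  # 0 means signed responses cannot be verified
    }

def check_attribute_names(assertion_xml):
    """Report attribute names that are missing from, or unexpected in, an assertion."""
    root = ET.fromstring(assertion_xml)
    names = {a.get("Name") for a in root.findall(".//saml:AttributeStatement/saml:Attribute", NS)}
    return {"missing": sorted(REQUIRED_ATTRS - names), "unexpected": sorted(names - REQUIRED_ATTRS)}

# Constructed sample metadata in the shape Google emits (idpid and certificate are placeholders).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://accounts.google.com/o/saml2?idpid=PLACEHOLDER">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://accounts.google.com/o/saml2/idp?idpid=PLACEHOLDER"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed assertion fragment with one mapping misspelled ("email" instead of "Email").
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="First"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Last"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
```

Running check_attribute_names on the sample reports "Email" missing and "email" unexpected, which is exactly the kind of spelling mismatch that makes a Keeper login fail after an otherwise correct setup.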

Enable SSO Connect

To enable Keeper SSO Connect for your users, select the "more" button and turn it on:

Turn on Keeper for Users

Alternatively, you can click on the Keeper SAML app and Edit the service to configure specific groups that have access:

Edit Service Status

Import G Suite Metadata

Back on the Keeper SSO Connect application configuration screen, drag-and-drop the metadata file into the SAML Metadata section of Keeper SSO Connect:

Click Save and verify that all of the parameters match your G Suite SAML connection screens.

Once you save, assuming that you have already configured the SSL certificate and other parameters, your Keeper SSO Connect instance should show as fully operational in the Status screen:

Fully configured SSO Connect Status

Note about Single Logout (SLO) Settings with Google G Suite

At present, G Suite does not support Single Logout (SLO) at the application level. SLO is a feature of many identity providers that logs the user out of only the specific application; because Google does not yet support it, users who explicitly log out of Keeper will also be logged out of their other Google services.

If you want to prevent full SAML Logout from all SAML apps you should change the IDP type in the previous step to Default. Don't set it to Google, which will log you out of Gmail and all other Google apps on SAML Logout.

Change IdP to Default to prevent Google Logout

If you prefer that clicking "Logout" from Keeper does not log you out of Google, then simply change the SSO Connect configuration to select the "Default" provider instead of Google in the drop-down. However you should be aware of the consequences from a security perspective:

  • Keeper's session will be logged out, however logging back into the vault will not prompt the user to re-enter their Google login credentials while the browser's Google session is still active.

  • From a user perspective this is a more friendly, less disruptive flow.

  • From a security perspective, be aware the Google account therefore controls the session handling of the Keeper vault on that user's browser.

SSO Setup Complete!

Your Keeper SSO Connect setup with G Suite is now complete! Users can now log in to Keeper with their Google account by following these steps:

  1. Open the Keeper vault and click on "Enterprise SSO Login".

  2. Type in the Enterprise Domain that was provided to the Keeper Admin Console when setting up SSO. On the SSO Connect status screen it is called "SSO Connect Domain".

  3. Click "Connect" and login with your G Suite credentials.

For the end-user experience (Keeper-initiated Login Flow) see the guide below: https://docs.keeper.io/user-guides/enterprise-end-user-setup-sso#keeper-initiated-login-flow

End-user Video Tour for SSO Users is here: https://vimeo.com/329680541

Next, we'll show how to configure User Provisioning using SCIM.

User Provisioning with SCIM

User Provisioning provides several features for lifecycle management:

  • New users added to G Suite will be sent an email invitation to set up their Keeper vault

  • Users can be assigned to Keeper on a user or team basis

  • When a user is de-provisioned, their Keeper account will be automatically locked

Note: Google does not support Group provisioning to Keeper teams. When they implement this feature, this will allow the Keeper user to be placed into Teams that are synchronized between G Suite and Keeper.

From the Keeper Admin Console, go to the Provisioning tab for the G Suite node and click Add Method.

Add SCIM Provisioning Method

Select SCIM and click Next.

Add SCIM Provisioning Method

Click on "Create Provisioning Token"

Create Provisioning Token

The URL and Token displayed on the next screen will be provided to Google in the G Suite Admin Console. Save the URL and Token in a file somewhere temporarily and then click Save.

Save the URL and Token

Make sure to save these two parameters (URL and Token) and then click Save or else provisioning will fail.

Back on the G Suite admin console, go to Home > Apps > SAML Apps and click on the "Provisioning Available" text of the Keeper app you set up.

Go to Keeper Provisioning

Click on Set Up User Provisioning

Paste the provisioning token that was saved above into this next screen and click Next.

Paste Provisioning Token

Paste the URL saved above into the endpoint URL field and click Next.

Paste Endpoint URL

Leave the Map attributes to default settings and click Next.

If you would like to assign Keeper to a specific group, you can set the Provisioning Scope in the next screen. If you are using SSO, ensure that the groups with provisioning access are also assigned Keeper SSO access. Click Finish when complete.

Provisioning Scope

Ignore the error message shown below; it is a Google bug.

Ignore this Google Bug

Next, you can activate provisioning.

Activate Provisioning

You may need to click "Activate Provisioning" to turn it on.

Confirm to Activate Provisioning

User Provisioning will display as ON.

User Provisioning Status

User provisioning setup is complete. Moving forward, new users who have been configured to use Keeper in G Suite and are within the provisioning scope definitions will receive invites to Keeper and be under the control of G Suite.

User Provisioning without using SSO

If you would like to provision users to Keeper via G Suite SCIM provisioning, but you do NOT want to authenticate users via SSO, please follow the below instructions:

  • Using this guide, follow the steps of the SSO configuration but use an SSO URL and Entity ID that point to a domain name which you control but which is not actually a live SSO Connect instance (e.g. null.mycompany.com).

  • Once Keeper application is set up in G Suite, turn on the automated provisioning method as described in this document.