User Provisioning with SCIM

Jul 27, 2022

Keeper supports the ability to provision users and teams from Microsoft Azure AD or other identity platforms using the SCIM protocol. For customers that utilize Azure AD, users can be provisioned to the platform and automatically added to Teams to receive shared folders.

Before setting this up, we recommend that you consider activating Keeper's SSO Connect integration with Azure AD, which provides real-time user authentication and Just-In-Time provisioning.

To set up Keeper user provisioning with Azure AD, you need to have access to the Keeper Admin Console and an Azure account.

First, navigate to your Azure Admin account and select “Azure Active Directory,” then “Enterprise Applications,” and then “New Application.” Search for Keeper, select “Keeper Password Manager,” and click “Create.”

After adding the application, click on the Provisioning section and select Automatic from the listed options.

In the Keeper Admin Console, navigate to the node that should be synchronized with your Azure AD. Click Add Method and choose the SCIM option. Click Next, then select Create Provisioning Token. Copy the Tenant URL and Secret Token values and paste them into the Tenant URL and Secret Token fields in the Azure AD screen. Select Save to finish the Keeper provisioning setup.

Click Test Connection. If successful, save the credentials. Turn the Provisioning Status “on” and click Save.

Now you can go to the Users and Groups section of the Keeper Azure AD app and assign users or groups from your Azure AD to the app. Wait for approximately five minutes, in some cases up to 40 minutes, then click the Sync button in the Admin Console. Verify that users appear under Users.

Typically, identity providers that use SCIM support assigning users to teams, but custom role assignment is done only on a user basis. SCIM-provisioned teams and users are applied to the default role, without the ability for a team provisioned from SCIM to be mapped into an alternative, pre-defined role. Team-to-role mapping allows organizations to use their existing identity provider to assign users directly into teams that can be assigned custom roles. To use team-to-role mapping, administrators simply assign a role to an entire Team as opposed to individual users and use role enforcements to establish different requirements and restrictions for each team.
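
As an added illustration (not Keeper's code or API output), the script below models the team-to-role behaviour described above over a constructed SCIM 2.0 ListResponse: users whose teams have a role assigned receive those roles, and everyone else stays on the default role. The team names, role names and the `TEAM_ROLES` mapping are hypothetical.

```python
# Constructed SCIM 2.0 ListResponse (RFC 7643/7644 shapes); not real Keeper output.
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
SAMPLE = {
    "schemas": [LIST_SCHEMA],
    "totalResults": 3,
    "Resources": [
        {"userName": "alice@example.com", "groups": [{"display": "Engineering"}]},
        {"userName": "bob@example.com", "groups": [{"display": "Contractors"}]},
        {"userName": "carol@example.com"},  # assigned to the app, but in no team
    ],
}

# Hypothetical mapping: roles an administrator assigned to whole teams.
TEAM_ROLES = {"Engineering": "Engineering Role", "Finance": "Finance Role"}
DEFAULT_ROLE = "Default Role"


def resolve_roles(list_response, team_roles, default_role=DEFAULT_ROLE):
    """Return {userName: {"roles": [...], "unmapped_teams": [...]}}."""
    if LIST_SCHEMA not in list_response.get("schemas", []):
        raise ValueError("not a SCIM 2.0 ListResponse")
    result = {}
    for user in list_response.get("Resources", []):
        teams = [g.get("display", "") for g in user.get("groups", [])]
        # A user inherits the role of every team that has one assigned.
        roles = sorted({team_roles[t] for t in teams if t in team_roles})
        result[user["userName"]] = {
            "roles": roles or [default_role],
            "unmapped_teams": sorted(t for t in teams if t not in team_roles),
        }
    return result


def default_only(resolved, default_role=DEFAULT_ROLE):
    """Users who would receive nothing beyond the default role."""
    return sorted(u for u, r in resolved.items() if r["roles"] == [default_role])


if __name__ == "__main__":
    resolved = resolve_roles(SAMPLE, TEAM_ROLES)
    for user, info in sorted(resolved.items()):
        print(user, info["roles"], "unmapped:", info["unmapped_teams"])
    print("default role only:", default_only(resolved))
```

Reviewing the default-role-only list after a sync shows which provisioned accounts are not yet covered by any team's role enforcements.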