This Admin Guide will take you through all the details of setting up SSO in Keepabl’s Privacy Management Software, and managing your users. For security reasons, you’ll have to be the Super Admin on your Keepabl account.
If you want to learn more about SSO first, we’ve set out some FAQs in What is SSO?
Once you’ve read this Guide, you can see detailed instructions to set up SSO in Keepabl with the three leading Identity Providers, covering the vast majority of the market:
As with everything Keepabl, setting up SSO is super simple! There are just 3 steps.
That’s it! You can now assign your users to Keepabl in your Identity Provider. Because we support least privilege access, each assigned user is set up with a ‘bare account’ in Keepabl that carries no access rights yet; you then give them exactly the access you want them to have by going to Edit User in Keepabl.
When you enable SSO for a user, we assume you’re looking to use your Identity Provider as your single source of truth, so, while you always manage their access rights in Keepabl, you’ll only be able to take certain actions (edit their profile, suspend, unsuspend, etc) in your IdP. Let’s look at that now.
If you enable SSO for a user, we assume you want your IdP to be your record of truth. While you always manage their tailored access rights for Keepabl in Keepabl, the following actions will be blocked in Keepabl, and you can only carry them out in your IdP:
We’ll receive corresponding instructions from your IdP to edit, suspend, unsuspend and delete your user in Keepabl.
Please note, it has the same effect in Keepabl whether you revoke access to Keepabl for a user in your IdP or delete your user from your IdP (for example, if they become an ex-employee): we receive a delete instruction and delete the user from your organisation in Keepabl.
* We do not receive a deletion instruction from Azure AD or Okta. If Azure AD or Okta is your IdP, revoking or deleting a user there does not remove them from Keepabl: you must also delete them from your organisation in Keepabl’s Admin Portal. Until you do, an SSO+Password User can still log in with their Keepabl password, so make this part of your leaver process.
Keepabl’s simple to manage philosophy extends to SSO. You’ve got full flexibility to create any type of user you want:
Of course, if you don’t set up SSO, then all your users are Password users and simply log in with their Keepabl password. We strongly recommend you enforce two-factor authentication (2FA) on your Organisation. You can do that, again, in Admin Portal > Your Organisation.
Right, let’s look at each of these users in turn.
SSO Users can only use SSO to log into Keepabl. They cannot use a Keepabl password to log into Keepabl.
Any user who already existed in Keepabl before you set up SSO is a Password User. When you assign them to Keepabl in your IdP so they can use SSO, they’re matched on their email address and become an SSO+Password User.
Before you revoke SSO for an SSO User, please note that, because they have no Keepabl password to fall back on, their access to your organisation in Keepabl will automatically be terminated.
So, if you want the user to be able to access Keepabl as a Password User after you’ve revoked SSO, you’ll either have to:
Password Users can only use a Keepabl password to log into Keepabl. They cannot use SSO to log into Keepabl. For Password Users, it’s as if you hadn’t enabled SSO.
You create Password Users in Keepabl as normal. Simply go to your Admin Portal in Keepabl, click the New User button and follow the process.
If a user can log into Keepabl but hasn’t got a Keepabl password, they must be an SSO User that you assigned to Keepabl in your Identity Provider. You cannot create a new Password User in Keepabl with that same email address.
If you want to, you can give that SSO User a Keepabl password to make them an SSO+Password User. And you can then revoke SSO to leave them as a Password user.
Password Users don’t have SSO enabled. You fully manage Password Users in Keepabl.
As the name implies, SSO+Password Users can use both SSO and a Keepabl password to log into Keepabl. They’re given the choice when they log in.
You can’t create an SSO+Password User directly: you always start from an SSO User or a Password User, and it’s easy to do. You’ve 2 choices:
As they have SSO enabled, you can only edit their name and email, suspend and unsuspend them, or delete them*, in your IdP. As always, you manage their tailored access rights for the Keepabl app in your Keepabl Admin Portal.
* As above, neither Azure AD nor Okta sends us a deletion instruction so, if Azure AD or Okta is your IdP, you will need to make sure you also delete them from Keepabl in Keepabl.
If you’re using SSO, we assume you want to use your IdP as your single source of truth so, when you revoke SSO for an SSO+Password User, Keepabl suspends their Keepabl account (which is now a Password User account) and emails your Super Admin that the User has been suspended.
Your Super Admin can then unsuspend that user in Keepabl and they can continue using Keepabl, without being terminated, as a Password User.
When you create a Password User in Keepabl, they will automatically have a Keepabl password.
You can also give an SSO User a Keepabl password at any time by going to Edit User in Keepabl and clicking the Create Password button (if they have a Keepabl password for another organisation in Keepabl this button will say Allow Password). They’re then an SSO+Password User, able to log into Keepabl with both SSO and a Keepabl password as they choose.
For SSO+Password Users, you can delete their Keepabl password at any time by going to Edit User in Keepabl and clicking the Delete Password button (if they have a password for another account in Keepabl this button will say Disallow Password). They’ll then become an SSO User, only able to log in with SSO.
You cannot delete a Keepabl password for a Password User. You can suspend or delete them from your organisation in Keepabl’s Admin Portal.
You can edit your Identity Provider details at any time. Editing the details of your existing Identity Provider (as opposed to changing to a different Identity Provider, covered below) has no effect on your users.
Just go to Your Organisation and click the Edit Identity Provider button. Remember to click Save when you’ve made your changes.
You can change your Identity Provider at any time, but there are consequences for your users.
To change your Identity Provider, go to Your Organisation in Keepabl and click the Edit Identity Provider button, choose another Identity Provider and set them up just as you did your first provider. Remember to click Save when you’ve made your changes.
Before you change your Identity Provider, it’s important to prepare so that there are no surprises for your users:
If you don’t want to terminate your users’ Keepabl accounts when you change Identity Provider, you’ll need to make them SSO+Password Users or Password Users before you switch providers.
If you want to stop using SSO, this will have the same effect on your users as Changing Identity Provider.
Before you stop using SSO, it’s important to prepare so that there are no surprises for your users:
If you don’t want to terminate your users’ Keepabl accounts when you stop using SSO, you’ll need to make them SSO+Password Users or Password Users before you stop using SSO.
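As an added example (this is not Keepabl’s own code; the type names, functions and sample users are assumptions), the following Python encodes the user-lifecycle rules from this guide so you can check, before changing Identity Provider or stopping SSO, which users would be terminated, which would be suspended, and how giving SSO-only users a Keepabl password first changes the outcome. It also encodes the Azure AD/Okta deletion caveat.

```python
# Added example, not Keepabl code: a pre-change check that applies the
# lifecycle rules in this guide to a list of users and reports what changing
# Identity Provider or stopping SSO would do to each of them.
# User/UserType/Status and the sample users below are assumptions.
from __future__ import annotations

from dataclasses import dataclass, replace
from enum import Enum


class UserType(Enum):
    PASSWORD = "Password"          # Keepabl password only
    SSO = "SSO"                    # IdP login only
    SSO_PASSWORD = "SSO+Password"  # either method


class Status(Enum):
    ACTIVE = "active"
    SUSPENDED = "suspended"
    TERMINATED = "terminated"      # removed from the organisation in Keepabl


# IdPs that, per the guide, do not send Keepabl a deletion instruction.
IDPS_WITHOUT_DELETE = {"Azure AD", "Okta"}


@dataclass(frozen=True)
class User:
    email: str
    type: UserType
    status: Status = Status.ACTIVE


def revoke_sso(user: User) -> User:
    """Effect of revoking SSO for one user (changing IdP or stopping SSO does this to all)."""
    if user.type is UserType.SSO:
        # No password to fall back on: access is terminated.
        return replace(user, status=Status.TERMINATED)
    if user.type is UserType.SSO_PASSWORD:
        # Kept as a Password User, but suspended until a Super Admin unsuspends them.
        return replace(user, type=UserType.PASSWORD, status=Status.SUSPENDED)
    return user  # Password Users never had SSO enabled: no effect


def create_password(user: User) -> User:
    """Edit User > Create Password: turns an SSO User into an SSO+Password User."""
    if user.type is UserType.SSO:
        return replace(user, type=UserType.SSO_PASSWORD)
    return user


def idp_removal(user: User, idp: str) -> User:
    """Effect of deleting the user (or revoking their Keepabl access) in the IdP."""
    if user.type is UserType.PASSWORD:
        return user  # fully managed in Keepabl; the IdP is not involved
    if idp in IDPS_WITHOUT_DELETE:
        # No deletion instruction arrives: the Keepabl account survives and
        # must be deleted by hand in the Admin Portal.
        return user
    return replace(user, status=Status.TERMINATED)


def plan_sso_change(users: list[User]) -> dict[str, list[str]]:
    """Group users by what revoking SSO for everyone would do to them."""
    plan: dict[str, list[str]] = {"terminated": [], "suspended": [], "unaffected": []}
    for u in users:
        after = revoke_sso(u)
        if after.status is Status.TERMINATED:
            plan["terminated"].append(u.email)
        elif after.status is Status.SUSPENDED and u.status is not Status.SUSPENDED:
            plan["suspended"].append(u.email)
        else:
            plan["unaffected"].append(u.email)
    return plan


def prepare_for_change(users: list[User]) -> list[User]:
    """Give every SSO-only user a Keepabl password first so nobody is terminated."""
    return [create_password(u) for u in users]


# Constructed sample data, not a real organisation.
SAMPLE_USERS = [
    User("alice@example.com", UserType.SSO),
    User("bob@example.com", UserType.SSO_PASSWORD),
    User("carol@example.com", UserType.PASSWORD),
]

if __name__ == "__main__":
    print("Without preparation:", plan_sso_change(SAMPLE_USERS))
    print("After Create Password:", plan_sso_change(prepare_for_change(SAMPLE_USERS)))
```

Run it against an export of your own user list before you switch providers: anyone in the "terminated" group is an SSO User who needs a Keepabl password (or a fresh Password User account) first, and everyone in the "suspended" group will need a Super Admin to unsuspend them afterwards.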