Admin Guide to SSO & Keepabl

Keepabl and SSO

This Admin Guide will take you through all the details of setting up SSO in Keepabl’s Privacy Management Software, and managing your users. For security reasons, you’ll have to be the Super Admin on your Keepabl account.

If you want to learn more about SSO first, we’ve set out some FAQs in What is SSO?

Which Identity Providers does Keepabl support?

Once you’ve read this Guide, you can see detailed instructions to set up SSO with the two leading Identity Providers, Okta and OneLogin, which between them hold 62% of the market according to Bitglass.

We’ll continue to add more IdPs. If the one you use isn’t shown on this page, let us know!

3 Steps to set up SSO

As with everything Keepabl, setting up SSO is super simple! There are just 3 steps.

  1. Go to Admin Portal > Your Organisation in your Keepabl account and click the Set up SSO button. Choose your Identity Provider and you’ll see the Keepabl details you’ll need to give to your IdP.
  2. Now go to your IdP and select the Keepabl app. You’ll see the Identity Provider’s SSO details, which you’ll need to give to Keepabl. Enter Keepabl’s SSO details into your Identity Provider (there can be some provisioning steps) and click Save.
  3. Enter the Identity Provider’s SSO details into Keepabl and click Save.

That’s it! You can now assign your users to Keepabl in your Identity Provider. Because we support least privilege access, they’ll be set up with ‘bare accounts’ in Keepabl, so you can provide them with exactly the access you want them to have by going to Edit User in Keepabl.

We’ve set out more details for these steps, including the exact information you’ll need, for Okta and OneLogin.

When you enable SSO for a user, we assume you’re looking to use your Identity Provider as your single source of truth, so, while you always manage their access rights in Keepabl, you’ll only be able to take certain actions (edit their profile, suspend, unsuspend, etc.) in your IdP. Let’s look at that now.

Managing a User who has SSO enabled

If you enable SSO for a user, we assume you want your IdP to be your record of truth. While you always manage their tailored access rights for Keepabl in Keepabl, the following actions will be blocked in Keepabl, and you can only carry them out in your IdP:

  • edit the user’s name and email,
  • suspend and unsuspend the user, and
  • revoke Keepabl for the user, in effect deleting the user*.

We’ll receive corresponding instructions from your IdP to edit, suspend, unsuspend and delete your user in Keepabl.

Please note, it has the same effect in Keepabl whether you revoke access to Keepabl for a user in your IdP or delete your user from your IdP (for example, if they become an ex-employee): we receive a delete instruction and delete the user from your organisation in Keepabl.

* Okta does not send us a deletion instruction so, if Okta is your IdP, you can always (indeed you can only) delete them from Keepabl in Keepabl.

3 Types of User

Keepabl’s simple to manage philosophy extends to SSO. You’ve got full flexibility to create any type of user you want:

  1. SSO Users, who can only use SSO to log into Keepabl. You can also think of these users as ‘passwordless’.
  2. Password Users, who can only use a Keepabl password to log into Keepabl.
  3. SSO+Password Users, who can use both SSO and a Keepabl password to log into Keepabl.

Of course, if you don’t set up SSO, then all your users are Password users and simply log in with their Keepabl password. We strongly recommend you enforce two-factor authentication (2FA) on your Organisation. You can do that, again, in Admin Portal > Your Organisation.

Right, let’s look at each of these users in turn.

SSO Users

SSO Users can only use SSO to log into Keepabl. They cannot use a Keepabl password to log into Keepabl.

Create an SSO User
  1. First things first: for anyone to use SSO they have to exist in your Identity Provider.
  2. You then assign the user to Keepabl in your Identity Provider.
  3. We’ll automatically receive an instruction from your Identity Provider to create the user within Keepabl, with the ability to use SSO to log in. We do not send an SSO User a provisioning email; we assume you will manage messaging to your users about SSO.

What about existing Users?

An existing user in Keepabl must be a Password User. So when you assign them to Keepabl in your IdP so they can use SSO, they’ll become an SSO+Password User.

Revoke SSO for an SSO User

Before you revoke SSO for a user, please note that their access to your organisation in Keepabl will automatically be terminated.

  • If they are a user on other organisations in Keepabl, they will still be able to log into those other organisations.
  • If they were only a user on your organisation, they will not be able to access Keepabl at all.

So, if you want the user to be able to access Keepabl as a Password User after you’ve revoked SSO, you’ll either have to:

  • make them an SSO+Password User before you revoke SSO, and then revoke SSO, or
  • let them be deleted and create them again as a new user in Keepabl.

Password Users

Password Users can only use a Keepabl password to log into Keepabl. They cannot use SSO to log into Keepabl. For Password Users, it’s as if you hadn’t enabled SSO.

Create a Password User

You create Password Users in Keepabl as normal. Simply go to your Admin Portal in Keepabl, click the New User button and follow the process.

What about existing Users?

If a user can log into Keepabl but hasn’t got a Keepabl password, they must be an SSO User that you assigned to Keepabl in your Identity Provider. You cannot create a new Password User in Keepabl with that same email address.

If you want to, you can give that SSO User a Keepabl password to make them an SSO+Password User. And you can then revoke SSO to leave them as a Password user.

Managing Password Users

Password Users don’t have SSO enabled. You fully manage Password Users in Keepabl.

SSO+Password Users

As the name implies, SSO+Password Users can use both SSO and a Keepabl password to log into Keepabl. They’re given the choice when they log in.

Create an SSO+Password User

You can’t create an SSO+Password User in one step, but it’s easy to do. You have 2 choices:

  • create them first as an SSO User by assigning them to Keepabl in your IdP, and then go to Users in Keepabl and give them a Keepabl password, or
  • create them first as a Password User in Keepabl, and then go to your Identity Provider and assign them to Keepabl.

Manage an SSO+Password User

As they have SSO enabled, you can only edit their name and email, suspend and unsuspend them, or delete them*, in your IdP. As always, you manage their tailored access rights for the Keepabl app in your Keepabl Admin Portal.

* Okta does not send us a deletion instruction so, if Okta is your IdP, you can always (indeed you can only) delete them from Keepabl in Keepabl.

Revoke SSO for an SSO+Password User

If you’re using SSO, we assume you want to use your IdP as your single source of truth so, when you revoke SSO for an SSO+Password User, Keepabl suspends their Keepabl account (which is now a Password User account) and sends your Super Admin an email saying that the User is suspended.

Your Super Admin can then unsuspend that user in Keepabl and they can continue using Keepabl, without being terminated, as a Password User.

Can you use 2FA or MFA with SSO?

Yes!

  • SSO Users, who can only log into Keepabl using SSO, can use your Identity Provider’s MFA. They will not be able to use Keepabl’s 2FA.
  • SSO+Password Users, who can log into Keepabl using both SSO and their Keepabl password, can use Keepabl’s 2FA when logging in with their Keepabl password and your Identity Provider’s MFA when logging in with SSO.

Create a Keepabl Password

When you create a Password User in Keepabl, they will automatically have a Keepabl password.

You can also give an SSO User a Keepabl password at any time by going to Edit User in Keepabl and clicking the Create Password button (if they have a Keepabl password for another organisation in Keepabl this button will say Allow Password). They’re then an SSO+Password User, able to log into Keepabl with both SSO and a Keepabl password as they choose.

Delete a Keepabl Password

For SSO+Password Users, you can delete their Keepabl password at any time by going to Edit User in Keepabl and clicking the Delete Password button (if they have a password for another account in Keepabl this button will say Disallow Password). They’ll then become an SSO User, only able to log in with SSO.

You cannot delete a Keepabl password for a Password User. You can suspend or delete them from your organisation in Keepabl’s Admin Portal.

Edit your Identity Provider details

You can edit your Identity Provider details at any time. When you edit your Identity Provider details, it has no effect on your users.

Just go to Your Organisation and click the Edit Identity Provider button. Remember to click Save when you’ve made your changes.

Change your Identity Provider

You can change your Identity Provider at any time, but there are consequences for your users.

To change your Identity Provider, go to Your Organisation in Keepabl and click the Edit Identity Provider button, choose another Identity Provider and set them up just as you did your first provider. Remember to click Save when you’ve made your changes.

Before you change your Identity Provider, it’s important to prepare so that there are no surprises for your users:

  • SSO Users will be deleted from Keepabl when you change your Identity Provider. It’s effectively the same as revoking SSO for an SSO User, but for all your SSO Users at once. You’ll need to create them again as new users in your new Identity Provider or as Password Users in Keepabl.
  • SSO+Password Users will remain in Keepabl as suspended Password Users. Again, it’s effectively the same as revoking SSO for an SSO+Password User, but for all your SSO+Password Users at once. You can unsuspend them as Password Users, and you can add them in your new Identity Provider so they can use SSO.
  • Password Users will be unaffected, as they’re essentially users within Keepabl, as if SSO didn’t exist.

If you don’t want to terminate your users’ Keepabl accounts when you change Identity Provider, you’ll need to make them SSO+Password Users or Password Users before you switch providers.

Stop using SSO

If you want to stop using SSO, this will have the same effect on your users as changing your Identity Provider.

Before you stop using SSO, it’s important to prepare so that there are no surprises for your users:

  • SSO Users will be deleted from Keepabl when you stop using SSO. It’s effectively the same as revoking SSO for an SSO User, but for all your SSO Users at once. You’ll need to create them again as new Password Users in Keepabl.
  • SSO+Password Users will remain in Keepabl as suspended Password Users. Again, it’s effectively the same as revoking SSO for an SSO+Password User, but for all your SSO+Password Users at once. You can unsuspend them as Password Users.
  • Password Users will be unaffected as, for them, it’s as if SSO didn’t exist.

If you don’t want to terminate your users’ Keepabl accounts when you stop using SSO, you’ll need to make them SSO+Password Users or Password Users before you stop using SSO.
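As an added illustration (not Keepabl’s own code), the Python below models the user-type transitions described in the Revoke SSO, Change your Identity Provider and Stop using SSO sections, so an admin can preview which users a switch would delete or suspend before making it. The user list and email addresses are constructed, and the function names are this example’s own.

```python
from dataclasses import dataclass
from enum import Enum

class UserType(Enum):
    SSO = "SSO User"                    # passwordless, logs in via the IdP only
    PASSWORD = "Password User"          # Keepabl password only
    SSO_PASSWORD = "SSO+Password User"  # either method, user chooses at login

@dataclass
class User:
    email: str
    kind: UserType
    suspended: bool = False
    deleted: bool = False

def create_password(u: User) -> User:
    """Edit User > Create Password (or Allow Password): SSO -> SSO+Password."""
    if u.kind is UserType.SSO:
        u.kind = UserType.SSO_PASSWORD
    return u

def delete_password(u: User) -> User:
    """Edit User > Delete Password (or Disallow Password): SSO+Password -> SSO."""
    if u.kind is UserType.PASSWORD:
        raise ValueError("a Password User's Keepabl password cannot be deleted")
    if u.kind is UserType.SSO_PASSWORD:
        u.kind = UserType.SSO
    return u

def revoke_sso(u: User) -> User:
    """Revoke SSO: an SSO User is deleted; an SSO+Password User becomes a
    suspended Password User (the Super Admin is emailed and can unsuspend)."""
    if u.kind is UserType.SSO:
        u.deleted = True
    elif u.kind is UserType.SSO_PASSWORD:
        u.kind = UserType.PASSWORD
        u.suspended = True
    return u

def preview_idp_change(users: list[User]) -> dict[str, list[str]]:
    """Changing IdP or stopping SSO is revoke_sso() for every user at once.
    Run this first to see who would be deleted or suspended by the switch."""
    return {
        "deleted": [u.email for u in users if u.kind is UserType.SSO],
        "suspended": [u.email for u in users if u.kind is UserType.SSO_PASSWORD],
    }

SAMPLE_USERS = [User("ana@example.com", UserType.SSO),          # constructed sample
                User("ben@example.com", UserType.SSO_PASSWORD),  # list, not real
                User("cy@example.com", UserType.PASSWORD)]       # accounts
```

Giving every SSO User a Keepabl password with create_password() before the switch empties the "deleted" list, which is the preparation the guide recommends.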