Reserve the use of domains for privacy and security
Keeper's Cloud architecture is Zero Knowledge (more information about our security model is here).
For security reasons, Keeper's Enterprise tenants are restricted to inviting and creating end-user accounts within certain email domains. When you sign up for a Keeper Business or Enterprise account, we recommend that you use a business email domain, e.g. mycompany.com.
If you sign up for the Enterprise account using @mycompany.com for your email address, this domain will be reserved to your tenant.
Keeper's architecture requires a domain to be reserved before it can be used by the Enterprise. This serves several purposes:
(1) Ensures that end-users cannot create "rogue" accounts without being explicitly invited or provisioned by the Enterprise Admin.
(2) Reduces the administrative burden of locating free or personal accounts associated with a domain.
(3) Prevents a malicious actor from creating a Keeper account with a domain reserved by an Enterprise customer.
If you require additional email domains (e.g. us.company1.com and eu.company2.com), please open a support ticket with the Keeper team and we will assist you in reserving them.
If you own a set of domains that your users will use for logging in, be sure to contact your Keeper account manager to request domain reservation for all of your domains. We can lock the domains to your preferred region to ensure that users don't sign up in the wrong geographic data center.
Keeper maintains a list of "personal" domains, for example gmail.com and yahoo.com, which cannot be reserved. The general public can create Keeper accounts with those domains, using a verified email.
If you would like to allow end-users to create personal or Enterprise accounts with your reserved domain outside of your enterprise tenant, please contact the Keeper support team and we can unlock this domain for you.
Organizations have the option to add a “corporate alias” to their account. For example, in situations where an organization domain change occurs, our team can easily transition your users to the new domain without any interruption in service. Please contact Keeper's support team to add a domain alias to your account.
If you are using Keeper SSO Connect Cloud or Keeper SSO Connect On-Prem, you can enable Just-In-Time Provisioning. If Just-In-Time Provisioning is enabled, you can automatically route users to the identity provider when they type in their email and click "Next" on the Vault login screen. This applies to all devices, including Web Vault, Desktop App, Browser Extensions, and the iOS and Android apps.
If you would like to ensure that new users who access the vault are automatically routed to your SSO based on the email domain, please contact support and we will assist in setting up the routing.
Customers who attempt to log in or provision accounts from a different region may or may not automatically get routed to the proper region where their tenant is hosted. If the routing is not occurring, please open a support ticket.