Enterprise Admin

Troubleshooting and support for Keeper Enterprise

Enterprise Guide

The full Enterprise guide is located here. Part of the guide contains information on deploying to end-users.

License expired and need to to renew your subscription?

Visit our checkout page: https://keepersecurity.com/checkout

User Status Report with invalid Last Login date

The Admin Console user report currently contains empty login dates for accounts larger than 1,000 end-users. We recommend using Keeper Commander to generate a user status report using the user-report command. For example:

user-report --format csv --output last-logins.csv

SSO Login: Unable to parse the SAML Response from the IDP

Typically, this means you need to update your SAML signing certificate. Follow the guide below for step by step instructions:

https://docs.keeper.io/en/v/sso-connect-cloud/certificate-renewal

General SCIM Provisioning Issues with Teams and Users

  • Ensure that you have assigned users or groups to the correct SAML application in your IdP

  • When you invite a user from the identity provider or assign a user into a group that has been provisioned, the IdP will send the request to Keeper to either invite a user to join, or to add a user to a team, or to create a team.

  • If the user does not exist yet in Keeper, they will receive an invite to sign up (or they can use just-in-time provisioning)

  • After the user has created their Keeper account, the user will not yet be assigned into a Keeper team until one of a few things happen: (a) Admin logs into the Admin Console > Click on "Full Sync" from the Admin screen (b) A user from the relevant team logs into the Web Vault or Desktop App (c) Admin runs team-approve from Keeper Commander The reason that teams and users can't be created instantly via SCIM, is due to the encryption model and the need to share a private key between users. Sharing an encryption key (e.g. Team Key) can only be performed by a user who is logged in, and has access to the necessary private keys.

  • Note: The next version of the Keeper Automator service (v3.0) will support the dynamic approvals of teams and team-user assignments. Read more about the Keeper Automator service.

SCIM Team User Assignment Delays

In Keeper, a team that is provisioned must generate the necessary public/private encryption key pair for that team. Similarly, when a user is assigned to a team, the team private key is encrypted with the public key of the user. This way, a user who is assigned team folders in the Keeper vault is able to decrypt the necessary folder keys and record keys. Since Keeper is a zero knowledge platform, this transaction must occur from one of the authenticated client device applications, such as the Admin Console, Vault, Commander CLI or Automator tools.

When a team or a team-user assignment is provisioned through SCIM, the team creation and the user team assignment goes into a "pending queue". This queue is then processed by the authenticated client side application that either creates the necessary team keys and shares the private keys with the intended users.

Currently, team creation and team-user assignment occurs when:

If you need to quickly clear out your pending Team and Team-User assignments, please run the following steps on a periodic basis:

  • Install the Keeper Commander CLI

  • Login to Keeper Commander using keeper shell

  • Run the following commands:

enterprise-down
team-approve --team
team-approve --email

Enterprise SSO Users unable to login

For security reasons, Keeper will prevent Enterprise users outside of an SSO node from logging in with a federated identity provider. If you have users unable to login with SSO, please ensure that the user is provisioned to the node within the Keeper Admin Console to the SSO-enabled node. To move a user into an SSO node, edit the user and select the node from the drop-down.

Users Not Receiving Email Invites

Keeper's email system will automatically suppress delivery to an email that has bounced. This typically occurs if you set up someone's Keeper account before their email inbox exists. If you are in this situation with a particular user, please contact the Keeper B2B support team and we'll remove the email from our suppression list.

Enterprise End-User's Email Changed

If your user's email has changed in your identity provider, you can simply add an alias to the user's identity in Keeper. This can be accomplished using the enterprise-user command. For example:

enterprise-user --add-alias new_email@acme-demo.com user@acme-demo.com

This command will only allow aliases to be created with reserved domains. To learn more about Keeper Commander, visit the documentation.

Enterprise Domain is Changing or has Changed

If your company is migrating users to a new email domain, Keeper supports enterprise-wide domain aliases to make the transition seamless. Open a support ticket to request a domain alias.

SSO Users asked for Master Password

If you have an SSO user being asked to enter a Master Password:

  • Ensure that the user has been provisioned to an SSO-enabled node

  • Ensure that the user is logging in from the correct data center (US, EU, AU, JP, CA, GOV)

User Prompted for Device Approval

Device Approvals are a required component of the SSO Connect Cloud platform. Approvals can be performed by users, admins, or automatically using the Keeper Automator service.

  • Users can approve their additional devices by using a previously approved device. For example, if you are logged into your web vault on your computer already, and logging into your phone app for the first time, you will get a device approval prompt on your web vault with the mobile device's information which you can approve or deny.

  • Keeper SSO Connect Cloudâ„¢ provides Zero-Knowledge encryption while retaining a seamless login experience with any SAML 2.0 identity provider.

  • When a user attempts to login on a device that has never been used prior, an Elliptic Curve private/public key pair is generated on the new device. After the user authenticates successfully from their identity provider, a key exchange must take place in order for the user to decrypt the vault on their new device. We call this "Device Approval".

  • Using Guest, Private or Incognito mode browser modes or clearing the browsers cache will identify itself to keeper as a new device each time it is launched, and therefore will require a new device approval.

To preserve Zero Knowledge and ensure that Keeper's servers do not have access to any encryption keys, we developed a Push-based approval system that can be performed by the user or the designated Administrator. Keeper also allows customers to host a service which performs the device approvals and key exchange automatically, without any user interaction.

When logging into a new or unrecognized device, the user has two options:

  • Keeper Push (using their own devices)

  • Admin Approval (request administrator approval)

Or, you can skip this step completely by deploying the Keeper Automator service.

Questions about Cost of Deploying Automator

Keeper Automator can be deployed many ways, depending on your requirements. The least expensive method of using Automator would be using a micro instance of a Linux VM using the Docker Compose method. If you would like to use only cloud services, we recommend the AWS Container Service or Azure App Gateway method.

Delays in Login and Device Approval

If logging into a new device takes 20-30 seconds to complete, this could be caused by your Keeper Automator service being misconfigured or inaccessible by the Keeper servers. Please disable the Keeper Automator in your environment using the "automator disable" command.

Automator Fails after Instance Reboot (when using Azure App Gateway)

After an unexpected reboot of the container instance in Azure the container can sometimes come back up with a new IP address (e.g. x.x.0.5 even when the App Gateway had originally been provisioned with an IP of x.x.0.4 in the backend pool). Updating the IP of the container in the backend pool resolves this issue.

  • In the Azure cloud shell, retrieve the current IP: az container show --name keeperautomatorcontainer --resource-group keeper_automator_rg --query ipAddress.ip --output tsv

  • In Azure portal select Resource groups > $your_resource_group > your Application Gateway > Backend pools > change Target IP to the new one from above.

SSO Cloud Certificate Update

Keeper's SSO Certificate expires annually in August timeframe. The new cert is available by logging into the Admin Console. If you need to update the Keeper SP Certificate, see the step by step instructions here.

SSO Connect On-Prem Certificate

Customers running SSO Connect On-Prem must renew SSL certificates on an annual basis. The date depends on when your SSL certificate is expiring. If you are receiving an SSL certificate error, please renew your cert by following the instructions here.

Commander scripting or coding questions

Please see the Keeper Commander troubleshooting page.

Secrets Manager

Please see the Secrets Manager troubleshooting page.

Keeper Connection Manager

Please see the KCM troubleshooting page.

Contact Us

If you need help, please open a support ticket in our ServiceNow system.

If you need a phone call or Zoom call, just request this from the team and we will schedule it during business hours. Please be patient as we coordinate the call.

Emergency Support

If you're a business customer having an emergency and need urgent support, make sure to use our ServiceNow support portal. On the support form, select the option "This is an emergency, outage, or other time-sensitive issue which requires immediate assistance".

Feature Requests

We love hearing from Enterprise customers. Send your feature requests to: feedback@keepersecurity.com.

Beta Slack Channel

Join our Beta Slack Channel to post questions, feedback or receive new beta versions.

PreviousAndroidNextVault

Last updated

Was this helpful?