Keeper Commander & Automator

User Prompted for Device Approval

Device Approvals are a required component of the SSO Connect Cloud platform. Approvals can be performed by users, admins, or automatically using the Keeper Automator service.

• Users can approve their additional devices by using a previously approved device. For example, if you are logged into your web vault on your computer already, and logging into your phone app for the first time, you will get a device approval prompt on your web vault with the mobile device's information which you can approve or deny.

• Keeper SSO Connect Cloud™ provides Zero-Knowledge encryption while retaining a seamless login experience with any SAML 2.0 identity provider.

• When a user attempts to login on a device that has never been used prior, an Elliptic Curve private/public key pair is generated on the new device. After the user authenticates successfully from their identity provider, a key exchange must take place in order for the user to decrypt the vault on their new device. We call this "Device Approval".

• Using Guest, Private or Incognito mode browser modes or clearing the browsers cache will identify itself to Keeper as a new device each time it is launched, and therefore will require a new device approval.

To preserve Zero Knowledge and ensure that Keeper's servers do not have access to any encryption keys, we developed a Push-based approval system that can be performed by the user or the designated Administrator. Keeper also allows customers to host a service which performs the device approvals and key exchange automatically, without any user interaction.

When logging into a new or unrecognized device, the user has two options:

• Keeper Push (using their own devices)

• Admin Approval (request administrator approval)

Or, you can skip this step completely by deploying the Keeper Automator service.

Deploying Automator

Keeper Automator can be deployed many ways, depending on your requirements. The most cost effective way of deploying Automator would be using a micro instance of a Linux VM using the Docker Compose method. If you would like to use only cloud services, we recommend the AWS Container Service or Azure App Gateway method.

Delays in Login and Device Approval

If logging into a new device takes 20-30 seconds to complete, this could be caused by your Keeper Automator service being misconfigured or inaccessible by the Keeper servers. Please disable the Keeper Automator in your environment using the "automator disable" command.

Automator Fails After Instance Reboot (When Using Azure App Gateway)

After an unexpected reboot of the container instance in Azure the container can sometimes come back up with a new IP address (e.g. x.x.0.5 even when the App Gateway had originally been provisioned with an IP of x.x.0.4 in the backend pool). Updating the IP of the container in the backend pool resolves this issue.

• In the Azure cloud shell, retrieve the current IP: az container show --name keeperautomatorcontainer --resource-group keeper_automator_rg --query ipAddress.ip --output tsv

• In Azure portal select Resource groups > $your_resource_group > your Application Gateway > Backend pools > change Target IP to the new one from above.

Commander Scripting or Coding Questions

Please see the Keeper Commander troubleshooting page.

Contact Us

If you need help, please open a support ticket in our ServiceNow system.

If you need to speak to our support team, simply make the request and we will schedule it during enterprise hours. Please be patient as we coordinate the call.

Emergency Support

If you're a enterprise customer having an emergency and need urgent support, use our ServiceNow support portal. On the support form, select the option "This is an emergency, outage, or other time-sensitive issue which requires immediate assistance".

Feature Requests

We love hearing from Enterprise customers. Send your feature requests to: [email protected].

Join our Slack Workspace

Join our Slack Workspace to post questions, feedback or receive new beta versions.