Logging in
How to login and use the Keeper Commander CLI
First Login on a New Device
To login to Commander for the first time, click the Keeper Commander icon or open a shell and type:
Once the shell is open, begin the login by typing login
. If this is your first login, you will need to follow the device approval workflow. This is only needed once, as an extra layer of security to trust the device you are on.
First Login Example:
If you wish to approve via email:
Type
email_send
ores
Enter the security code via
email_code=<code>
If you wish to approve via Keeper Push:
Type
keeper_push
Approve via push
Type
approval_check
If you wish to approve via 2fa code:
Input
2fa_send
Input
2fa_code=<code>
Once complete you will receive the following message:
Logging in with a Master Password
After device approval, you will immediately move to the login process, or if you previously approved the device, this will be the first step.
Login Example (approved device):
Logging in With 2FA
If you have 2FA enforced on your account, you will be required to pass the 2FA step before logging in with a Master Password. Your login flow in commander will follow the same rules you have for logging into the Vault.
Login Example (2FA):
Each 2FA method that is enabled will have a number next to it.
In this example, only TOTP is enabled, so 3
would need to be entered, followed by the TOTP code. Enter the corresponding number to proceed:
By default, Keeper Commander prompts for 2FA code on every login. To store 2FA authentication for this device either for 30 days or forever, type one of the following before entering the code:
2fa_duration=30_days
to prompt for 2FA every 30 days, or...2fa_duration=forever
to never prompt again on this device
Logging in with a Proxy
If your network configuration requires using a proxy server you can use the proxy
command before logging in.
Enterprise SSO Login
If SSO is configured for your Keeper enterprise, the following screen will appear for users that login to Commander:
To login to Commander using SSO, you will need to paste a token provided by the SSO provider from your web browser into Commander. To receive the SSO token, follow these steps:
Option 1: Open the Page Automatically From Commander
To have Commander automatically open the default browser to the SSO Connect page, enter "o" in the SSO selection and hit Enter
The default browser for your system will open to the SSO Connect page.
Depending on your operating system, settings, and administrator privileges, Commander may be unable to open the web browser, in this case use the following option to open the SSO Connect screen.
Option 2: Paste the SSO Login Screen URL into a Browser
You can copy the URL to your SSO's logins screen from the SSO Connect text in Commander, or enter "c" in the SSO selection and hit Enter
to copy the URL to your clipboard.
Once the URL is copied, paste it into a web browser to navigate to the SSO Connect page.
2. Paste Token into Commander
After a successful SSO login, the web page will show a yellow "Copy" button. Click the button to copy the token.
Once the token has been copied, go back to Commander to complete the SSO login.
In Commander enter "p" in the SSO selection screen and hit Enter
to paste the token from your clipboard into Commander and complete SSO login.
Device Approval with SSO Login
If device approval is turned on for your account, the device approval selection will be shown after the first SSO login.
Enter your selection and hit Enter
to continue with device approval.
1 : Approve with Keeper Push
2 : Approve with Admin Approval
r : Resume SSO login after the device has been approved
See First Login on a New Device section for more details on device approval.
Use a Master Password with SSO Login
Customers who normally login to their Keeper Vault using Enterprise SSO Login (SAML 2.0) can also login to Keeper Commander using a Master Password. To make use of this capability, it must be enabled by the Keeper Administrator and then configured by the user. The steps are below:
(1) Login to the Keeper Admin Console
As the admin, login to the Keeper Admin Console as you normally do.
(2) Enable SSO Master Password Policy
For the User/Role who will be accessing Keeper Commander, open the Role Enforcement Policy setting screen. Enable the option "Allow users who login with SSO to create a Master Password"
(3) Login to the End-User Vault using SSO
As the user who will be using Commander, login to the Keeper Web Vault or Keeper Desktop app with your SSO provider as you normally do.
(4) Create a Master Password
Visit the Settings > General screen and setup a Master Password
After the Master Password is created, you are now able to login to Keeper Commander.
(5) Optional: Force SSO Master Password Login in the configuration file.
Add the following line to your configuration file.
Setting CLI Session Preferences
Commander can be configured to stay logged in between sessions, and you can also configure how long the device will remain logged in without activity.
Use the this-device
command to set your preferences.
Example:
To enable "Stay Logged In" so that you're not prompted for authentication, use these commands:
If persistent login is enabled, you won't be prompted to authenticate the next time you run Commander:
Changing persistent-login ("stay logged in") affects all devices that you use with Keeper
To set the inactivity logout timer to a certain number of minutes:
Working with Commander
Last updated