LogoLogo
SSO Connect Cloud
SSO Connect Cloud
  • Keeper SSO Connect Cloud
  • Overview
  • Admin Console Configuration
  • SSO Identity Providers
    • Amazon AWS
    • Auth0
    • Centrify
    • CloudGate UNO
    • DUO SSO
    • Entra ID (Azure AD)
    • F5
    • Google Workspace
      • Google Workspace User and Group Provisioning with Cloud Function
      • Google Workspace User Provisioning with SCIM
    • HENNGE
    • Imprivata
    • JumpCloud
    • Microsoft AD FS
    • Okta
    • OneLogin
    • Ping Identity
    • PingOne
    • Rippling
    • RSA SecurID Access
    • SecureAuth
    • Shibboleth
    • Other SAML 2.0 Providers
  • Passwordless Providers
    • Traitware
    • Trusona
    • Veridium
    • Beyond Identity
  • Device Approvals
    • Keeper Push
    • Admin Approval
    • Keeper Automator Service
      • Version 17.0 Overview
      • Ingress Requirements
      • Azure Container App
      • Azure App Services
      • Azure App Gateway (Advanced)
      • AWS Elastic Container Service
      • AWS Elastic Container Service with KSM (Advanced)
      • Java on Linux
      • Docker on Linux
      • Docker Compose
      • Google Cloud with GCP Cloud Run
      • Kubernetes Service
      • Windows Service
      • Multi-Tenant Mode
      • Custom SSL Certificate
      • Advanced Settings
      • Troubleshooting
    • CLI Approvals
  • Certificate Renewal
  • Logout Configuration
  • User Provisioning
  • System Architecture
  • Security and User Flow
  • Migrate from OnPrem
  • Graphic Assets
  • Links & Resources
Powered by GitBook

Company

  • Keeper Home
  • About Us
  • Careers
  • Security

Support

  • Help Center
  • Contact Sales
  • System Status
  • Terms of Use

Solutions

  • Enterprise Password Management
  • Business Password Management
  • Privileged Access Management
  • Public Sector

Pricing

  • Business and Enterprise
  • Personal and Family
  • Student
  • Military and Medical

© 2025 Keeper Security, Inc.

On this page
  • Overview
  • Technical Details
  • Approval Methods

Was this helpful?

Export as PDF

Device Approvals

SSO Cloud device approval system

PreviousBeyond IdentityNextKeeper Push

Last updated 1 year ago

Was this helpful?

Overview

Device Approvals are a required component of the SSO Connect Cloud platform. Approvals can be performed by users, admins, or automatically using the Keeper Automator service.

For customers who authenticate with Keeper SSO Connect Cloud, device approval performs a key transfer, in which the user's encrypted data key is delivered to the device, which is then decrypted locally using their elliptic curve private key.

Technical Details

Keeper SSO Connect Cloud provides Zero-Knowledge encryption while retaining a seamless login experience with any SAML 2.0 identity provider.

When a user attempts to login on a device that has never been used prior, an Elliptic Curve private/public key pair is generated on the new device. After the user authenticates successfully from their identity provider, a key exchange must take place in order for the user to decrypt the vault on their new device. We call this "Device Approval".

Using Guest, Private or Incognito mode browser modes will identify itself to keeper as a new device each time it is launched, and therefore will require a new device approval.

To preserve Zero Knowledge and ensure that Keeper's servers do not have access to any encryption keys, we developed a Push-based approval system that can be performed by the user or the designated Administrator. Keeper also allows customer to host a service which performs the device approvals and key exchange automatically, without any user interaction.

Approval Methods

Device approval methods include the following:

(using push notifications) to existing user devices

via the Keeper Admin Console

Automatic approval via service (preferred)

Semi-automated Admin Approval via

Keeper Push
Admin Approval
Keeper Automator
Commander CLI