LogoLogo
SSO Connect Cloud
SSO Connect Cloud
  • Keeper SSO Connect Cloud
  • Overview
  • Admin Console Configuration
  • SSO Identity Providers
    • Amazon AWS
    • Auth0
    • Centrify
    • CloudGate UNO
    • DUO SSO
    • Entra ID (Azure AD)
    • F5
    • Google Workspace
      • Google Workspace User and Group Provisioning with Cloud Function
      • Google Workspace User Provisioning with SCIM
    • HENNGE
    • Imprivata
    • JumpCloud
    • Microsoft AD FS
    • Okta
    • OneLogin
    • Ping Identity
    • PingOne
    • Rippling
    • RSA SecurID Access
    • SecureAuth
    • Shibboleth
    • Other SAML 2.0 Providers
  • Passwordless Providers
    • Traitware
    • Trusona
    • Veridium
    • Beyond Identity
  • Device Approvals
    • Keeper Push
    • Admin Approval
    • Keeper Automator Service
      • Version 17.0 Overview
      • Ingress Requirements
      • Azure Container App
      • Azure App Services
      • Azure App Gateway (Advanced)
      • AWS Elastic Container Service
      • AWS Elastic Container Service with KSM (Advanced)
      • Java on Linux
      • Docker on Linux
      • Docker Compose
      • Google Cloud with GCP Cloud Run
      • Kubernetes Service
      • Windows Service
      • Multi-Tenant Mode
      • Custom SSL Certificate
      • Advanced Settings
      • Troubleshooting
    • CLI Approvals
  • Certificate Renewal
  • Logout Configuration
  • User Provisioning
  • System Architecture
  • Security and User Flow
  • Migrate from OnPrem
  • Graphic Assets
  • Links & Resources
Powered by GitBook

Company

  • Keeper Home
  • About Us
  • Careers
  • Security

Support

  • Help Center
  • Contact Sales
  • System Status
  • Terms of Use

Solutions

  • Enterprise Password Management
  • Business Password Management
  • Privileged Access Management
  • Public Sector

Pricing

  • Business and Enterprise
  • Personal and Family
  • Student
  • Military and Medical

© 2025 Keeper Security, Inc.

On this page
  • Securing the Service
  • Updating
  • Testing the User Experience

Was this helpful?

Export as PDF
  1. Device Approvals
  2. Keeper Automator Service

Docker Compose

Installation of Keeper Automator using the Docker Compose method

PreviousDocker on LinuxNextGoogle Cloud with GCP Cloud Run

Last updated 3 months ago

Was this helpful?

This guide provides step-by-step instructions to publish Keeper Automator on any Linux instance that can run Docker and Docker Compose.

Make sure you already have your SSL Certificate! If not, please follow the steps in the page.

Docker Compose benefits over standard Docker:

  • Data is preserved between container updates

  • Future updates are simple to install and maintain

Instructions for installing Automator using the Docker Compose method are below.

(1) Install Docker and Docker Compose

Instructions for installing Docker and Docker Compose vary by platform. Please refer to the official documentation below:

On Linux, a quick guide to installing Docker and Docker Compose:

Note: On Linux you may use docker-compose instead of docker compose.

After installing, you may still need to start the Docker service, if it's not running.

sudo service docker start

Then configure the service to start automatically 

sudo systemctl enable docker.service

To allow non-root users to run Docker (and if this meets your security requirements), run this command:

sudo chmod 666 /var/run/docker.sock

(2) Create docker-compose.yml file

Save the snippet below as the file docker-compose.yml on your server, in the location where you will be executing docker compose commands.

name: keeper-automator
services:
  automator:
    container_name: "automator"
    environment:
      - AUTOMATOR_PORT=443
      - AUTOMATOR_HOST=localhost
      - SSL_MODE=certificate
    restart: on-failure
    image: "keeper/automator:latest"
    ports:
      - 8089:443
    volumes:
      - automatordata:/usr/mybin/config
volumes:
  automatordata:

(3) Install the Container and Start it up

docker compose pull
docker compose up -d
docker cp ssl-certificate.pfx automator:/usr/mybin/config/
docker cp ssl-certificate-password.txt automator:/usr/mybin/config/

(5) Restart the service with the new cert

docker compose restart

(6) Install Keeper Commander

At this point, the service is running but it is not able to communicate with Keeper yet.

$ keeper shell

My Vault> login admin@company.com
.
.
My Vault>

(7) Initialize with Commander

Login to Keeper Commander and activate the Automator using a series of commands, starting with automator create

automator create --name="My Automator" --node="Azure Cloud"

The Node Name (in this case "Azure Cloud") comes from the Admin Console UI as seen below.

The output of the command will display the Automator settings, including metadata from the identity provider. 

                    Automator ID: 1477468749950
                            Name: My Automator
                             URL: 
                         Enabled: No
                     Initialized: No
                          Skills: Device Approval

Note that the "URL" is not populated yet. Edit the URL with the FQDN you selected.

Run the "automator edit" command as displayed below, which sets the URL and also sets up the skills (team, team_for_user and device).

automator edit --url https://<application URL> --skill=team --skill=team_for_user --skill=device "My Automator"

Next we exchange keys: The enterprise private key encrypted with the Automator public key is provided to Automator:

automator setup "My Automator"

Initialize the Automator with the new configuration

automator init "My Automator"

Enable the service

automator enable "My Automator"

At this point, the configuration is complete.

For automated health checks, you can use the below URL:

https://<server>/health

Example:

$ curl https://automator.lurey.com/health
OK

Monitoring Logs

The Automator logs can be monitored by using the Docker Compose command:

docker compose logs -f

For environments using AD FS ...

When activating Keeper Automator with AD FS as the identity provider, users will not be able to login until you update the Keeper certificate using the instructions below:

  • Login to the Keeper Admin Console

  • Go to Admin > SSO Node > Provisioning and then view the SSO Cloud configuration.

  • Click on "Export SP Cert".

  • In the AD FS Management Console select the Keeper Cloud SSO Relying Party Trust properties.

  • On the "Encryption" tab, replace the old certificate with this new cert.

  • On the "Signature" tab, Add/Replace the new SP certificate with this new cert.

Securing the Service

Updating

When a new version of Automator is available, updating the container is the only requirement.

docker compose pull
docker compose up -d

Testing the User Experience

Now that Keeper Automator is deployed, you can test the end-user experience. No prompts for approval will be required after the user authenticates with the SSO identity provider.

The easiest way to test is to open an incognito mode window to the Keeper Web Vault and login with SSO Cloud. You will not be prompted for device approval.

(4) Copy the SSL Certificate and password file created from page

On your workstation, server or any computer, install the Keeper Commander CLI. This is just used for initial setup. The installation instructions including binary installers are here: After Commander is installed, you can type keeper shell to open the session, then login using the login command. In order to set up Automator, you must login as a Keeper Administrator, or an Admin with the ability to manage the SSO node.

We recommend restricting network access to the service. Please see the section for a list of IP addresses to allow.

https://docs.docker.com/compose/install/
Installing Docker on Linux
Custom SSL Certificate
Installing Keeper Commander
Ingress Requirements
Create SSL Certificate
Automator Create