LogoLogo
SSO Connect Cloud
SSO Connect Cloud
  • Keeper SSO Connect Cloud
  • Overview
  • Admin Console Configuration
  • SSO Identity Providers
    • Amazon AWS
    • Auth0
    • Centrify
    • CloudGate UNO
    • DUO SSO
    • Entra ID (Azure AD)
    • F5
    • Google Workspace
      • Google Workspace User and Group Provisioning with Cloud Function
      • Google Workspace User Provisioning with SCIM
    • HENNGE
    • Imprivata
    • JumpCloud
    • Microsoft AD FS
    • Okta
    • OneLogin
    • Ping Identity
    • PingOne
    • Rippling
    • RSA SecurID Access
    • SecureAuth
    • Shibboleth
    • Other SAML 2.0 Providers
  • Passwordless Providers
    • Traitware
    • Trusona
    • Veridium
    • Beyond Identity
  • Device Approvals
    • Keeper Push
    • Admin Approval
    • Keeper Automator Service
      • Version 17.0 Overview
      • Ingress Requirements
      • Azure Container App
      • Azure App Services
      • Azure App Gateway (Advanced)
      • AWS Elastic Container Service
      • AWS Elastic Container Service with KSM (Advanced)
      • Java on Linux
      • Docker on Linux
      • Docker Compose
      • Google Cloud with GCP Cloud Run
      • Kubernetes Service
      • Windows Service
      • Multi-Tenant Mode
      • Custom SSL Certificate
      • Advanced Settings
      • Troubleshooting
    • CLI Approvals
  • Certificate Renewal
  • Logout Configuration
  • User Provisioning
  • System Architecture
  • Security and User Flow
  • Migrate from OnPrem
  • Graphic Assets
  • Links & Resources
Powered by GitBook

Company

  • Keeper Home
  • About Us
  • Careers
  • Security

Support

  • Help Center
  • Contact Sales
  • System Status
  • Terms of Use

Solutions

  • Enterprise Password Management
  • Business Password Management
  • Privileged Access Management
  • Public Sector

Pricing

  • Business and Enterprise
  • Personal and Family
  • Student
  • Military and Medical

© 2025 Keeper Security, Inc.

On this page
  • Overview
  • Team User approvals
  • Team Approvals
  • All settings can be configured as environment variables
  • Advanced Features

Was this helpful?

Export as PDF
  1. Device Approvals
  2. Keeper Automator Service

Version 17.0 Overview

Instructions for upgrading your Automator instance to v17.0

PreviousKeeper Automator ServiceNextIngress Requirements

Last updated 3 months ago

Was this helpful?

Overview

Version v17.0+ incorporated several new features:

  • Team Approvals (Team Creation)

  • Team User Approvals (Assigning Users to Teams)

  • All settings can be configured as environment variables

  • Support for simplified deployment

  • Support for simplified deployment

  • HSTS is enabled for improved HTTPS security

  • IP address filtering for device approval and team approval

  • Optional rate limiting for all APIs

  • Optional filtering by email domain

  • Optional binding to specific network IPs

Team User approvals

Teams and users who are provisioned through SCIM can be immediately processed by the Automator service (instead of waiting for the admin to login to the console).

To activate this new feature:

  • Update your Automator container or .zip file to the latest version

  • Use the automator edit command in Keeper Commander to instruct the service to perform device approvals and also perform Team User approvals:

Example:

automator edit --skill=team --skill=team_for_user --skill=device "My Automator"
automator setup "My Automator"
automator init "My Automator"
automator enable "My Automator"

With the skill enabled, automator is triggered to approve team users when the user logs into their vault

Team Approvals

When team creation is requested by the identity provider via SCIM messaging, the request is not fully processed until someone can generate an encryption key (to preserve Zero Knowledge). This is normally processed when an admin logs into the Keeper Admin Console.

When team approvals is activated on the Keeper Automator service, teams are now created automatically when any assigned user from the team logs in successfully to the Keeper Vault. Therefore, teams will not appear in the environment until at least one user from that team logs into their vault.

Teams will not appear in the environment until at least one user from that team logs into their vault.

All settings can be configured as environment variables

This makes configuration easier when installing Automator in Azure Containers or other Docker-like containers where access to the settings file is difficult.

In Docker, Azure Containers, or other environments that use the docker-compose.yml file, you can set environment variables in the docker compose file, for example:

services:
  automator:
    container_name: "az-autodock"
    environment:
      - AUTOMATOR_PORT=8090
      - AUTOMATOR_HOST=10.0.0.4
      - DISABLE_SNI_CHECK=true

After editing the docker-compose.yml file, you will need to rebuild the container if the environment variables have changed. Just restarting the container will not incorporate the changes.

Advanced Features

for all of the new and advanced features / settings for the Automator service.

Azure Container App
AWS ECS Service
See this page