User Provisioning

Instructions on how to provision users with SSO Connect Cloud

Onboarding Users

There are several options for onboarding users who inside an SSO-provisioned node:

Option 1: Using SCIM Automated Provisioning

  • If your identity provider supports Automated Provisioning (using the SCIM protocol), users will be automatically provisioned with a Keeper Vault.

  • Follow our User and Team Provisioning guide for instructions on setting up SCIM with your identity provider, if you haven't done this.

  • Users who are provisioned through SCIM can simply type in their Email Address on the Vault Login screen and they will be automatically directed to the IdP login screen to complete the sign-in. Please makes sure that your email domain is reserved with Keeper so that we route your users to the IdP. Click here to learn about domain reservation.

  • After authentication to the IdP, the user will instantly be logged into their Vault on their first device. Subsequent devices will require Device Approval.

Option 2: Using Just-In-Time (JIT) Provisioning

If Just-In-Time (JIT) provisioning is activated on your SSO configuration, there are a few ways that users can access their vault:

(1) Direct your users to the identity provider dashboard to click on the Keeper icon (IdP-initiated Login).

(2) Provide users with a hyperlink to the Keeper application within the identity provider (see your IdP Application configuration screen for the correct URL).

(3) Send users to the Keeper Vault to simply enter their email address and click "Next".

Ensure that your domain has been reserved with Keeper for automatic routing.

JIT with Email Address

(4) If using the email address is not desired, users can also click on "Enterprise SSO Login" using the "Enterprise Domain" that you configured in the Admin Console for the SSO connection.

(5) Hyperlink users directly to the Enterprise Domain login screen on Keeper using the below format:

https://<domain>/vault/#provider_name/<name>
  • Replace <domain> with the endpoint of the data center where your Keeper tenant is hosted. This can be one of the following:

    • keepersecurity.com

    • keepersecurity.eu

    • keepersecurity.com.au

    • govcloud.keepersecurity.us

    • keepersecurity.jp

    • keepersecurity.ca

  • Replace <name> with the name of the Enterprise Domain that has been assigned in the Admin Console.

Option 3: Manually Inviting Users

If you prefer to manually invite users from the Admin Console instead of using Just-In-Time provisioning, follow these steps:

  • Login to the Keeper Admin Console

  • Open the node which is configured with your identity provider

  • Click on "Add Users" to invite the user manually

  • User can then simply type in their email from the Vault login screen to sign in

Note: Additional customization of the Email Invitation including graphics and content can be made by visiting the "Configuration" screen of the Admin Console.

Please make sure to test the configuration and onboarding process with non-admin test user accounts prior to deploying Keeper to real users in the organization.

Please don't use SSO with your Keeper Administrator account for testing. We recommend that the Keeper Administrator exists at the root node of the Admin Console and uses Master Password login. This ensures you can always have access to manage your users if the identity provider is unavailable (e.g. if Microsoft goes down).

Move existing users/initial admin to SSO authentication

Users created in the root node (top level) will need to be migrated to the sub node that the SSO integration was configured on. If users remain in the root node, they will be prompted for the master password when accessing the vault and/or admin console.

An admin can not move themselves to the SSO enabled node. It requires a another admin to perform this action.

Last updated