Enterprise End-User (SSO)

This end-user guide was created for Enterprise customers who deploy Keeper through an existing Single Sign-On Identity Provider (IdP) such as Azure, ADFS or Okta.

PreviousEnterprise End-User NextWeb Vault & Desktop App

Last updated 1 month ago

Was this helpful?

Enterprise End-User (SSO)

This end-user guide was created for Enterprise customers who deploy Keeper through an existing Single Sign-On Identity Provider (IdP) such as Azure, ADFS or Okta.

Account Creation & Setup

Keeper is simple to install, easy to use and you’ll be up and running in just minutes. You can create your Keeper account using either one of the methods below.

Option 1: Click the Set Up Your Account Now button located in the email invitation sent by your Keeper Administrator. Since your Keeper account is deployed through Single Sign-On (SSO) you will automatically be routed to authenticate with your SSO provider to launch your Keeper Vault.

Option 2: Log in to your existing SSO provider dashboard as you normally do and click the Keeper icon to launch your Keeper Vault.

Enable Two-Factor Authentication (2FA)

Two-Factor Authentication (2FA) adds an extra layer of security to your vault by requiring a second passcode upon logging in. Some 2FA methods like Duo or RSA, require admin configuration. Others, like the Google or Microsoft Authenticator Apps, can be set up by individual end-users.

Click the Account Dropdown Menu (your email address) then click Settings > Security to enable 2FA for your vault.

Import Passwords

To begin the import process, click the Account Dropdown Menu (your email address), then click Settings > Import.

The next time you log in to your Keeper Vault, you can either visit the Keeper Vault Login page or your SSO provider dashboard. Both options are described below. To access the Keeper Web Vault Login page, visit:

Keeper Application Download

Download the Keeper Desktop and Mobile Apps to access your Keeper Vault from any platform and use it for native applications across all of your devices.

Supported Platforms:

PC, Mac and Linux desktops
Chrome, Firefox, Safari, Edge and IE11 Web Browsers
iOS (iPhone & iPad)
Android (Phones & Tablets)

Enter your email address at Keeper's Vault login page and click Next. You will then be routed to authenticate through your SSO Provider.

From Keeper's Vault Login page, click on the Enterprise SSO Login dropdown menu and select Enterprise Domain and enter your Enterprise Domain (provided by your Keeper Administrator). You will then be routed to authenticate through your SSO Provider.

Keeper provides two ways of authenticating into the Keeper Desktop application with SSO identity providers. By default, the Keeper Desktop app will open the identity provider login screen in a popup window as seen below.

This popup window is part of the Keeper Desktop application and will work for most scenarios. However, if your identity provider requires the use of a FIDO2 WebAuthn device or Passkey for authentication, using the desktop web browser method may be the best option.

Using Default Browser for SSO

To use the web browser on the device for SSO login with the Keeper Desktop app, open the Keeper menu and select "Use Default Browser for SSO".

When this option is selected, clicking "Next" will route you to the desktop web browser. After logging into your SSO provider (or if you already have an active SSO session), the web browser will redirect you back to Keeper Desktop and complete the login process.

Keeper supports IdP-initiated login from the SSO identity provider dashboard (if enabled by your Keeper administrator). Log in to your existing SSO as you normally do then from your SSO dashboard, click the Keeper icon to launch your Keeper Vault.

If you sign into Keeper on a new platform, you may encounter a "device approval" request (SSO Cloud Users Only). Please read the section below - "Device Approvals" for instructions on how to proceed.

Device Approvals

If you are attempting to log in on an unrecognized device or browser, a device approval must take place before you can proceed to your Keeper Vault. Users have two methods of approval to choose from, "Keeper Push" or "Admin Approval".

Keeper Push

Keeper Push is Keeper’s proprietary notification-based device approval system that sends a push notification to an existing, recognized device. This is a self-service process that allows users to handle the device approval on their own.

If you select Keeper Push, a notification (push) will be appear in your vault at an approved device or browser. Select Yes to approve the new device. Once the device has been approved, you will be able to proceed to your Keeper Vault.

You must be actively logged into a different, recognized/approved device to receive the notification.

Admin Approval

Admin Approval will send a notification to your Keeper Admin requesting device approval. If you do not have an existing, recognized device, this will be the only path gain access again.

if you select Admin Approval, your Keeper Admin will receive notification for approval. Once the device has been approved, you will be able to proceed to your Keeper Vault.

Automated Device Approvals

Keeper's platform supports automated device approvals through a product called the Keeper Automator service. If your Keeper Administrator has configured this service, device approvals will occur automatically upon successfully logging into your SSO identity provider.

Create a Record

Your passwords, databases, SSH keys, bank accounts and other sensitive data are saved in your private digital Keeper Vault (as "Records") and are encrypted on your device using 256-bit AES.

To begin, click + Create New > Record.

Enter a name for the Record and click Next
Enter the Login (Username or Email)
Enter the Website Address
Click Save to finish

Autofill With KeeperFill

Records appear directly on the home screen as a list, with “Suggested Records” at the top to easily fill the credentials that match the website you're on. Select the record, then click Autofill to fill the credentials into the site's log in form.

Account Recovery

When you log into your vault for a second time, you'll be prompted to set up a 24-word recovery phrase. If you forget your Master Password, this feature will help you quickly regain access.

Once your recovery phrase has been generated, be sure to store it in a safe place. For added convenience, you will be given the option to copy or download it.

If Account Recovery is not available, your Keeper Administrator may be able to transfer your vault to another Keeper account.

Create a Personal Vault (via Business or Enterprise Account)

Keeper Business and Enterprise users can create a free, Keeper Family Plan for up to 5 family members with unlimited devices. Once the user sets up the Family Plan, each family member receives their own vault. They can also share passwords between family members using either Shared Folders or individual record sharing.

Log in to your Keeper Business or Enterprise Web or Desktop Vault.
Click on your email address in the upper-right corner.
Select Account from the dropdown menu.
Enter your personal email in the "Keeper Family License for Personal Use" section.
Click Send Email.
This will create a separate, non-enterprise managed vault which will be associated with your personal email address.

This vault is intended for personal use only. All business-related credentials must be stored within your company issued vault.

Importing Data from Other Sources

(2) Import from Chrome, Firefox, IE, Edge, Safari and Opera using the Desktop App From the Desktop App, simply click on Settings > Import > click "Import" to begin the import process.