Enterprise End-User (SSO)
This end-user guide was created for Enterprise customers who deploy Keeper through an existing Single Sign-On Identity Provider (IdP) such as Azure, ADFS or Okta.
Last updated
Was this helpful?
This end-user guide was created for Enterprise customers who deploy Keeper through an existing Single Sign-On Identity Provider (IdP) such as Azure, ADFS or Okta.
Last updated
Was this helpful?
Keeper is simple to install, easy to use and you’ll be up and running in just minutes. You can create your Keeper account using either one of the methods below.
Option 1: Click the Set Up Your Account Now button located in the email invitation sent by your Keeper Administrator. Since your Keeper account is deployed through Single Sign-On (SSO) you will automatically be routed to authenticate with your SSO provider to launch your Keeper Vault.
Option 2: Log in to your existing SSO provider dashboard as you normally do and click the Keeper icon to launch your Keeper Vault.
Two-Factor Authentication (2FA) adds an extra layer of security to your vault by requiring a second passcode upon logging in. Some 2FA methods like Duo or RSA, require admin configuration. Others, like the Google or Microsoft Authenticator Apps, can be set up by individual end-users.
Click the Account Dropdown Menu (your email address) then click Settings > Security to enable 2FA for your vault.
To begin the import process, click the Account Dropdown Menu (your email address), then click Settings > Import.
The next time you log in to your Keeper Vault, you can either visit the Keeper Vault Login page or your SSO provider dashboard. Both options are described below. To access the Keeper Web Vault Login page, visit:
Download the Keeper Desktop and Mobile Apps to access your Keeper Vault from any platform and use it for native applications across all of your devices.
Supported Platforms:
PC, Mac and Linux desktops
Chrome, Firefox, Safari, Edge and IE11 Web Browsers
iOS (iPhone & iPad)
Android (Phones & Tablets)
Enter your email address at Keeper's Vault login page and click Next. You will then be routed to authenticate through your SSO Provider.
From Keeper's Vault Login page, click on the Enterprise SSO Login dropdown menu and select Enterprise Domain and enter your Enterprise Domain (provided by your Keeper Administrator). You will then be routed to authenticate through your SSO Provider.
Keeper provides two ways of authenticating into the Keeper Desktop application with SSO identity providers. By default, the Keeper Desktop app will open the identity provider login screen in a popup window as seen below.
This popup window is part of the Keeper Desktop application and will work for most scenarios. However, if your identity provider requires the use of a FIDO2 WebAuthn device or Passkey for authentication, using the desktop web browser method may be the best option.
To use the web browser on the device for SSO login with the Keeper Desktop app, open the Keeper menu and select "Use Default Browser for SSO".
When this option is selected, clicking "Next" will route you to the desktop web browser. After logging into your SSO provider (or if you already have an active SSO session), the web browser will redirect you back to Keeper Desktop and complete the login process.
Keeper supports IdP-initiated login from the SSO identity provider dashboard (if enabled by your Keeper administrator). Log in to your existing SSO as you normally do then from your SSO dashboard, click the Keeper icon to launch your Keeper Vault.
If you are attempting to log in on an unrecognized device or browser, a device approval must take place before you can proceed to your Keeper Vault. Users have two methods of approval to choose from, "Keeper Push" or "Admin Approval".
Keeper Push is Keeper’s proprietary notification-based device approval system that sends a push notification to an existing, recognized device. This is a self-service process that allows users to handle the device approval on their own.
If you select Keeper Push, a notification (push) will be appear in your vault at an approved device or browser. Select Yes to approve the new device. Once the device has been approved, you will be able to proceed to your Keeper Vault.
You must be actively logged into a different, recognized/approved device to receive the notification.
Admin Approval will send a notification to your Keeper Admin requesting device approval. If you do not have an existing, recognized device, this will be the only path gain access again.
if you select Admin Approval, your Keeper Admin will receive notification for approval. Once the device has been approved, you will be able to proceed to your Keeper Vault.
Keeper's platform supports automated device approvals through a product called the Keeper Automator service. If your Keeper Administrator has configured this service, device approvals will occur automatically upon successfully logging into your SSO identity provider.
Your passwords, databases, SSH keys, bank accounts and other sensitive data are saved in your private digital Keeper Vault (as "Records") and are encrypted on your device using 256-bit AES.
To begin, click + Create New > Record.
Enter a name for the Record and click Next
Enter the Login (Username or Email)
Enter the Website Address
Click Save to finish
Records appear directly on the home screen as a list, with “Suggested Records” at the top to easily fill the credentials that match the website you're on. Select the record, then click Autofill to fill the credentials into the site's log in form.
When you log into your vault for a second time, you'll be prompted to set up a 24-word recovery phrase. If you forget your Master Password, this feature will help you quickly regain access.
Once your recovery phrase has been generated, be sure to store it in a safe place. For added convenience, you will be given the option to copy or download it.
Keeper Business and Enterprise users can create a free, Keeper Family Plan for up to 5 family members with unlimited devices. Once the user sets up the Family Plan, each family member receives their own vault. They can also share passwords between family members using either Shared Folders or individual record sharing.
Log in to your Keeper Business or Enterprise Web or Desktop Vault.
Click on your email address in the upper-right corner.
Select Account from the dropdown menu.
Enter your personal email in the "Keeper Family License for Personal Use" section.
Click Send Email.
This will create a separate, non-enterprise managed vault which will be associated with your personal email address.
This vault is intended for personal use only. All business-related credentials must be stored within your company issued vault.
(2) Import from Chrome, Firefox, IE, Edge, Safari and Opera using the Desktop App From the Desktop App, simply click on Settings > Import > click "Import" to begin the import process.
For additional information, please see our comprehensive library of end-user guides in the left column of this page.
You can either manually enter your existing logins and passwords into your vault or Keeper can import your existing passwords directly from your (e.g. Safari, Chrome, Firefox), another , or from a (.csv).
US Data Center:
US Public Sector / GovCloud:
EU Data Center: AU Data Center: CA Data Center:
JP Data Center:
Visit: to download the Keeper App for all of your desktop and mobile devices.
about the Keeper Automator service.
Choose a from the dropdown menu ("Login" is the default type)
Enter the Password or click the dice icon to generate one (more on that )
Enter Notes, add , a and
For more information, please see our comprehensive .
Keeper's Browser Extension called KeeperFill, autofills your logins and passwords into websites and apps. To download KeeperFill for your browser, visit . KeeperFill is available for every web browser.
Keeper provides several methods of importing data into the vault. Each method is fully documented with screenshots and example data. (1) Import from Chrome, Firefox, IE, Edge, Safari and Opera using the Web Vault
(3) Import from .CSV file
(4) Import from a structured .JSON file
(5) Import from LastPass (Fully Automated)
(6) Import from 1Password
(7) Import from Dashlane (8) Import from Encrypted KeePass (.kdbx) Files
(9) Import using the Commander CLI
(10) Custom import coding using the Keeper Commander SDK
More videos are available at: .