Keeper's Cloud architecture is Zero Knowledge (more information about our security model is here).
For security reasons, Keeper's Enterprise tenants are restricted to inviting and creating end-user accounts within certain email domains. When you sign up for a Keeper Business or Enterprise account, you are required to use a business email domain, e.g. mycompany.com.
If you sign up for the Enterprise account using @mycompany.com for your email address, this domain will be reserved for your tenant.
Keeper's architecture requires a domain to be reserved before it can be used by the Enterprise. This serves several purposes:
- Ensures that end-users cannot create "rogue" accounts without being explicitly invited or provisioned by the Enterprise Admin.
- Reduces administrative burden in locating free or personal accounts associated with a domain.
- Prevents a malicious user from creating a Keeper account with a domain reserved by an Enterprise customer.
If you require additional email domains (e.g. us.company1.com and eu.company2.com), please open a support ticket with the Keeper team and we will assist you in reserving them.
Keeper maintains a list of "personal" domains, for example gmail.com and yahoo.com, which cannot be reserved. The general public can create Keeper accounts with those domains, with a verified email.
If you would like to allow end-users to create personal or Enterprise accounts with your reserved domain outside of your enterprise tenant, please contact the Keeper support team and we can unlock this domain for you.
If you are using Keeper SSO Connect Cloud or Keeper SSO Connect On-Prem, you can enable Just-In-Time Provisioning. If Just-In-Time Provisioning is enabled, you can automatically route users to the identity provider when the user types in their email and clicks "Next" from the Vault login screen. This applies to all devices, including Web Vault, Desktop App, Browser Extensions, and the iOS and Android apps.