SSO JIT (Just-in-Time) Provisioning

Keeper supports just-in-time automatic provisioning and seamless authentication with any identity provider

Overview of SSO - JIT Provisioning and Authentication

Keeper SSO Connect® Cloud leverages Keeper’s zero-knowledge security architecture to securely and seamlessly authenticate users into their Keeper Vault and dynamically provision user vaults to the platform. Keeper supports all popular SSO IdP platforms such as Okta, Microsoft Entra ID / Azure AD, Google Workspace, Centrify, Duo, OneLogin, Ping Identity, JumpCloud and many more.

Keeper supports both IdP-initiated login flows and SP-initiated flows. Just-in-time provisioning allows admins to quickly and easily roll out Keeper to users using a few simple steps:

  1. Configure the SAML 2.0 connection with "Enable Just-In-Time Provisioning" selected

  2. Assign your users to the Keeper application in your identity provider

  3. Direct your users to log in to Keeper with their email address or SSO domain.

If your domain is reserved to your Keeper tenant, users will be automatically routed through your identity provider as seen in the screenshots below.

Any user who is provisioned through JIT will be assigned the default role enforcement policies of the node in which they are provisioned.

The user's vault will be immediately provisioned, and the user will be walked through the onboarding process, which can include importing passwords, installing the KeeperFill browser extension, and setting up two-factor authentication.

The exact steps of the onboarding process depend on the user's assigned role enforcement policy. Onboarding can also be disabled completely.

After the onboarding is complete, users can begin using Keeper and managing their vault.

For a full step-by-step guide on setting up your SSO Connect Cloud environment, see the SSO Connect Cloud guide.
