Device Approvals
Description of Device Approvals and Approval Queue for SSO Connect Cloud
Device Approvals are a key component of the SSO Connect Cloud platform. They can be performed by users, admins, or automatically using the Keeper Automator service.

Device Approval Overview

Keeper SSO Connect Cloud™ provides Zero-Knowledge encryption while retaining a seamless login experience with any SAML 2.0 identity provider.
When a user attempts to log in on a device that has never been used before, an Elliptic Curve private/public key pair is generated on the new device. After the user authenticates successfully with their identity provider, a key exchange must take place so that the user can decrypt the vault on the new device. We call this "Device Approval".
To preserve Zero Knowledge and ensure that Keeper's servers do not have access to any encryption keys, we developed a Push-based approval system in which the approval is performed by the user or by the designated Administrator. Keeper also allows customers to host a service which performs the device approvals and key exchange automatically, without any user interaction.
When logging into a new or unrecognized device, the user has two options:
    Keeper Push (using their own devices)
    Admin Approval (request administrator approval)
You can skip this step completely using the Automator service.
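The key exchange described above can be sketched as follows. This is an added illustration, not Keeper's code or wire format: the curve (P-256), the ECDH + HKDF + AES-256-GCM construction and every function name are assumptions chosen to show why a server that only relays the request and the approval never holds a usable key.

```javascript
// Added illustration, NOT Keeper's implementation. Curve, KDF, cipher and names are assumptions.
const crypto = require('node:crypto');

// New device: generate an EC key pair locally; only the public key leaves the device.
function newDeviceKeyPair() {
  return crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
}

// Derive a 256-bit AES key from an ECDH shared secret.
function deriveKey(privateKey, publicKey, salt) {
  const shared = crypto.diffieHellman({ privateKey, publicKey });
  return Buffer.from(crypto.hkdfSync('sha256', shared, salt, 'device-approval-demo', 32));
}

// Approver (the user's existing device or an admin): wrap the data key to the new device's public key.
function approveDevice(dataKey, devicePublicKeyDer) {
  const devicePub = crypto.createPublicKey({ key: devicePublicKeyDer, format: 'der', type: 'spki' });
  const eph = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(eph.privateKey, devicePub, salt), iv);
  const ct = Buffer.concat([cipher.update(dataKey), cipher.final()]);
  return {
    ephemeralPub: eph.publicKey.export({ format: 'der', type: 'spki' }),
    salt, iv, ct, tag: cipher.getAuthTag(),
  };
}

// New device: unwrap with its private key. Throws if the blob was altered or wrapped for another device.
function unwrapOnDevice(blob, devicePrivateKey) {
  const ephPub = crypto.createPublicKey({ key: blob.ephemeralPub, format: 'der', type: 'spki' });
  const decipher = crypto.createDecipheriv('aes-256-gcm', deriveKey(devicePrivateKey, ephPub, blob.salt), blob.iv);
  decipher.setAuthTag(blob.tag);
  return Buffer.concat([decipher.update(blob.ct), decipher.final()]);
}

// Constructed walk-through: a relaying server would see only `request` and `blob`.
function demo() {
  const dataKey = crypto.randomBytes(32); // constructed stand-in for the user's vault key
  const device = newDeviceKeyPair();
  const request = device.publicKey.export({ format: 'der', type: 'spki' });
  const blob = approveDevice(dataKey, request);
  const recovered = unwrapOnDevice(blob, device.privateKey);
  let otherDeviceFails = false;
  try { unwrapOnDevice(blob, newDeviceKeyPair().privateKey); } catch { otherDeviceFails = true; }
  return { ok: recovered.equals(dataKey), otherDeviceFails };
}
```

Because the wrapped key is authenticated with AES-GCM, a blob modified in transit is rejected on the new device instead of yielding a wrong key.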
Keeper Push - Device Approval

Important Note about Private Browsing Mode

Web browsers in "Incognito" or "Private Browsing" mode will be treated as a new / unrecognized device and will require device approval every time the browser window is closed. This could cause confusion for your users if they don't have another device (such as a mobile phone or another computer/browser that is actively being used). To mitigate confusion, you can configure automated approvals as described in the "Using Commander..." section below.

Approve Devices Role Permission

A special role permission called "Approve Devices" gives a Keeper Administrator the ability to approve a device.
(1) Go to Roles within the root node or the SSO node.
(2) Select the gear icon to control the Admin Permissions for the selected role.
(3) Assign the "Approve Devices" permission.
Now, any user added to this role is able to log in to the Admin Console to perform device approvals.