Device Approvals

Description of Device Approvals and Approval Queue for SSO Connect Cloud

Device Approvals are a key component of the SSO Connect Cloud platform. They can be performed by users, admins, or automatically using Keeper Commander or Azure function.

Device Approval Overview

Keeper SSO Connect Cloud™ provides Zero-Knowledge encryption while retaining a seamless login experience with any SAML 2.0 identity provider.

When a user attempts to login on a device that has never been used prior, a device approval must take place. Part of this device approval process involves the transfer of an Elliptic-Curve encryption key.

To preserve Zero Knowledge, Keeper cannot simply use an email confirmation link (like the Master Password login flow) because Keeper's servers are restricted from accessing the user's private key. To solve this, we developed a Push-based approval system that can be performed by either the user or the designated Administrator who has "Approve Device" permissions. Keeper also supports several automated approval methods described in the next section.

When logging into a new or unrecognized device, the user has two options:

  • Keeper Push (using their own devices)

  • Admin Approval (request administrator approval)

Keeper Push - Device Approval

Device Approval Methods

Keeper SSO Connect Cloud supports 4 different device approval methods:

1) Keeper Push

2) Admin Approval via the Keeper Admin Console

3) Automatic Admin Approval via Commander CLI

4) Automatic Admin Approval via Azure Function

Important Note about Private Browsing Mode

Web browsers in "Incognito" or "Private Browsing" mode will be treated as a new / unrecognized device and will require device approval every time the browser window is closed. This could cause confusion for your users if they don't have another device (such as a mobile phone or another computer/browser that is actively being used). To mitigate confusion, you can configure automated approvals as described in the "Using Commander..." section below.

Approve Devices Role Permission

A special role permission called "Approve Devices" provides a Keeper Administrator the ability to approve a device.

(1) Go to Roles within the root node or the SSO node

(2) Select the gear icon to control the Admin Permissions for the selected role.

(3) Assign "Approve Devices" permission

Now, any user added to this role is able to login to the Admin Console or Commander to perform device approvals.