# Device Approvals

<figure><img src="/files/oEwjUcw2KDFAxJfzStvX" alt=""><figcaption></figcaption></figure>

## Overview

Device Approvals are a required component of the SSO Connect Cloud platform. Approvals can be performed by users, admins, or automatically using the Keeper Automator service.

For customers who authenticate with Keeper SSO Connect Cloud, device approval performs a key transfer, in which the user's encrypted data key is delivered to the device, which is then decrypted locally using their elliptic curve private key.&#x20;

### Technical Details

Keeper SSO Connect Cloud provides Zero-Knowledge encryption while retaining a seamless login experience with any SAML 2.0 identity provider.

When a user attempts to login on a device that has never been used prior, an Elliptic Curve private/public key pair is generated on the new device. After the user authenticates successfully from their identity provider, a key exchange must take place in order for the user to decrypt the vault on their new device. We call this "Device Approval".

{% hint style="info" %}
Using Guest, Private or Incognito mode browser modes will identify itself to keeper as a new device each time it is launched, and therefore will require a new device approval.
{% endhint %}

To preserve Zero Knowledge and ensure that Keeper's servers do not have access to any encryption keys, we developed a Push-based approval system that can be performed by the user or the designated Administrator. Keeper also allows customer to host a service which performs the device approvals and key exchange automatically, without any user interaction.

### Approval Methods

Device approval methods include the following:

* [Keeper Push](/en/sso-connect-cloud/device-approvals/push-approvals.md) (using push notifications) to existing user devices
* [Admin Approval](/en/sso-connect-cloud/device-approvals/admin-approval.md) via the Keeper Admin Console
* Automatic approval via [Keeper Automator](/en/sso-connect-cloud/device-approvals/automator.md) service (preferred)
* Semi-automated Admin Approval via [Commander CLI](/en/sso-connect-cloud/device-approvals/commander-cli.md)


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.keeper.io/en/sso-connect-cloud/device-approvals.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.