Keeper Automator Service
Automatic device approval service for SSO Connect Cloud environments

Overview

Keeper Automator is a lightweight Java-based application that can be deployed as a standalone service to any cloud or on-prem environment.
Keeper Automator performs instant device approvals without the need for the end-user to click "Keeper Push" or "Admin Approval". Once Automator is configured, users can log in to Keeper on any device after a successful authentication with their identity provider.
Automator Video Overview

Requirements

The Automator service is deployed as a standalone Java application that can run on any Linux, Windows or Mac environment.
Server Requirements:
  • Linux, Windows or Mac instance with 2GB memory
  • Java 11 (either Oracle or OpenJDK)
  • Inbound TCP port 8089 (default) however this can be changed to your preference
  • Public DNS entry that points to the server, e.g. automator.company.com. The name does not matter, as long as the name is owned by the customer and an SSL certificate can be generated.
  • SSL certificate private key in .pfx format, signed by a public certificate authority for the server.
Ensure that the SSL certificate created for your Automator instance is only used for this purpose. Do not use a wildcard certificate that is shared with other services.

Service Installation

In order to configure Automator, the service needs to be installed on a server. An example installation using a Linux instance in Amazon AWS can be found here:

Automator Configuration

Install Keeper Commander

Once the Automator service has been installed on a server, it can be remotely configured using Keeper Commander. On any workstation or your local computer, you can install Keeper Commander to perform the configuration.
See the Installation Instructions here: https://docs.keeper.io/secrets-manager/commander-cli/commander-installation-setup. You can either install the binary versions of Commander for Mac/PC/Linux or install it with pip3.

Login to Commander

Now that Commander is installed, type keeper shell to open the session, then log in using the login command. In order to set up Automator, you must log in as a Keeper Administrator, or as an Admin with the ability to manage the SSO node.
If your account normally logs in using SSO, you may need to set a Master Password for the account by visiting the Web Vault > Settings > Set Master Password.
  $ keeper shell

  My Vault> login [email protected]

   _  __
  | |/ /___ ___ _ __  ___ _ _
  | ' </ -_) -_) '_ \/ -_) '_|
  |_|\_\___\___| .__/\___|_|
  v16.1.10     |_|

  password manager & digital vault

  Logging in to Keeper Commander

  SSO user detected. Attempting to authenticate with a master password.
  (Note: SSO users can create a Master Password in Web Vault > Settings)

  Enter password for [email protected]
  Password:
  Successfully authenticated with Master Password
  Syncing...
  Decrypted [58] record(s)

  My Vault>

Create Automator Instance

To create an Automator instance, use the automator create command. In the example below, the name of the Automator is "My Automator" and it's being added to the "Azure Cloud" node.
  My Vault> automator create --name="My Automator" --node "Azure Cloud"
The output of the command will display the Automator settings, including metadata from the identity provider. Note that the "URL" is not populated yet.
  Automator ID: 1477468749948
  Name: My Automator
  URL:
  Enabled: No
  Initialized: No
  Skills: Device Approval

  Automator Settings

  idp_public_certificate: xxx
  idp_entity_id: idp_entity_id=https://xxx/
  idp_metadata_xml: idp_metadata_xml=xxx
  sso_entity_ID: sso_entity_ID=xxx
  saml_email_mapping: saml_email_mapping=Email
  email_domains: email_domains=
  filter_by_email_domains: filter_by_email_domains=false
The Node Name comes from the Admin Console UI as seen below.
Automator Create

Deploy the Automator Service

Steps:
(1) Download the Automator Service
Download and unzip Keeper Automator from: https://keepersecurity.com/automator/keeper-automator.zip
Or on your command line...
  $ wget https://keepersecurity.com/automator/keeper-automator.zip
  $ unzip keeper-automator.zip
(2) Update the Properties file
The settings/keeper.properties file must be updated to include the following:
  Setting                        Value
  ssl_certificate_file           Name of the .pfx certificate file
  ssl_certificate_file_password  Certificate password, if any
  ssl_certificate_key_password   Certificate key password, if set
  automator_host                 Hostname of the server (e.g. automator.company.com)
  automator_port                 Port number of the service (defaults to 8089)
We recommend adding the certificate file to the settings folder. The SSL certificate file must be in PKCS12 format (.pfx or .p12).
(3) Run the service
To run the Java service, use the command below:
  $ java -jar keeper-automator.jar
(4) Test the Configuration
To check whether the service is running, access this URL in a browser, preferably from another machine:
https://automator.company.com:8089/api/rest/status
If the service is running, it will respond with a message containing the UTC time:
status! Mon Aug 02 23:38:40 UTC 2021
You can also run this query on the command line:
  $ curl "https://automator.company.com:8089/api/rest/status"
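The status check above can be scripted so it runs from a monitoring host after every deployment. The script below is an added example and is not part of the Keeper documentation or the Automator distribution. It takes the hostname, port and the "status! <UTC time>" response format from the steps above; curl verifies the server's TLS chain (no --insecure), the body is checked for the exact expected shape so an error page is not mistaken for a healthy service, and the served certificate's Subject Alternative Names are inspected for a wildcard, which the requirements section asks you to avoid. The host and port defaults are assumptions to replace with your own.

```shell
#!/bin/sh
# Added example, not part of the Keeper documentation: post-deployment checks
# for an Automator instance. The hostname, port and the "status! <UTC time>"
# body format come from the deployment steps; everything else is assumed.

AUTOMATOR_HOST="${AUTOMATOR_HOST:-automator.company.com}"   # replace with your DNS name
AUTOMATOR_PORT="${AUTOMATOR_PORT:-8089}"                    # must match automator_port

# parse_status BODY: succeed and print the timestamp only when BODY has the
# exact shape "status! <Day> <Mon> <DD> <HH:MM:SS> UTC <YYYY>"; anything else
# (an HTML error page, an empty body) fails.
parse_status() {
    case "$1" in
        "status! "[A-Z][a-z][a-z]" "[A-Z][a-z][a-z]" "[0-9][0-9]" "[0-9][0-9]:[0-9][0-9]:[0-9][0-9]" UTC "[0-9][0-9][0-9][0-9]) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "${1#status! }"
}

# has_wildcard_san SAN_TEXT: succeed when the certificate's Subject
# Alternative Name list contains a wildcard entry such as DNS:*.company.com.
# The requirements section asks for a certificate dedicated to Automator.
has_wildcard_san() {
    printf '%s\n' "$1" | grep -q 'DNS:\*\.'
}

# check_automator: fetch the status endpoint with full TLS verification,
# validate the body, then inspect the served certificate.
# Returns 0 when healthy, 1 when unreachable or malformed, 2 on a wildcard cert.
check_automator() {
    url="https://${AUTOMATOR_HOST}:${AUTOMATOR_PORT}/api/rest/status"
    body=$(curl --silent --show-error --fail --max-time 10 "$url") || {
        echo "FAIL: ${url} unreachable or TLS verification failed" >&2
        return 1
    }
    stamp=$(parse_status "$body") || {
        echo "FAIL: unexpected body from ${url}: ${body}" >&2
        return 1
    }
    echo "OK: Automator responding, server time ${stamp}"

    # Pull the leaf certificate's SANs; -servername makes SNI match the DNS name.
    san=$(printf '' | openssl s_client -connect "${AUTOMATOR_HOST}:${AUTOMATOR_PORT}" \
              -servername "${AUTOMATOR_HOST}" 2>/dev/null \
          | openssl x509 -noout -ext subjectAltName 2>/dev/null)
    if has_wildcard_san "$san"; then
        echo "WARN: wildcard certificate in use; issue a dedicated certificate" >&2
        return 2
    fi
    echo "OK: certificate SANs: $(printf '%s' "$san" | tr -s '[:space:]' ' ')"
}

# Run the live check only when invoked as: sh automator-check.sh run
if [ "${1:-}" = "run" ]; then
    check_automator
fi
```

Run it as sh automator-check.sh run from a machine other than the Automator server; a non-zero exit code means the service is down, the certificate chain failed verification, or the certificate is shared (wildcard), which is exactly the set of conditions you want an alert on.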
(5) Configure Automator URL in Commander
Now that the service is working, Commander must be configured with the service URL. This is done using the automator edit command. Note the ID "1477468749948" at the end of the command, which is the Automator ID shown in the output of the automator create command above.
  My Vault> automator edit --url https://automator.company.com:8089 1477468749948
(6) Run Automator Setup
This performs a key exchange between Keeper and the Automator instance.
  My Vault> automator setup "My Automator"

  Automator "My Automator" is setup
(7) Run Automator Init and Enable
This sends the SAML service provider settings to the Automator instance and activates the instance.
  My Vault> automator init "My Automator"

  My Vault> automator enable "My Automator"
At this point, you're ready to start testing the full integration!
Depending on the identity provider, you may need to update the Keeper metadata in your IdP configuration. In most cases, this is not required.
If you stop the Automator service, you will need to repeat the setup and init commands from steps 6 and 7 after the next startup.

Testing the User Experience

Now that Keeper Automator is deployed, you can test the end-user experience. No prompts for approval will be required after the user authenticates with the SSO identity provider.
The easiest way to test is to open an incognito mode window to the Keeper Web Vault and login with SSO Cloud. You will not be prompted for device approval.

Service Restart

When you stop/start the Keeper Automator service, you'll need to use Keeper Commander to re-initialize the service endpoint.
  My Vault> automator setup "My Automator"

  My Vault> automator init "My Automator"

Encryption and Security Notes

In order to preserve Zero Knowledge encryption, the Keeper Automator service is run by the Keeper Administrator in any cloud or on-prem server, with minimal requirements. Any small tier instance can easily handle millions of device approvals.
To protect your server, we recommend restricting all inbound Automator traffic on port 8089 to the list of Inbound IPs as documented on this page. End-users do NOT need to access the service directly; only traffic from Keeper's servers needs to reach it.
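One way to implement that restriction on a Linux host is an nftables ruleset that drops every connection to the Automator port unless it comes from the published Inbound IPs. The script below is an added example and is not Keeper's own code. The two addresses in ALLOWLIST are RFC 5737 documentation placeholders, not Keeper's real Inbound IPs; replace them with the list from Keeper's documentation before applying. The port defaults to 8089 and must match the automator_port value in keeper.properties.

```shell
#!/bin/sh
# Added example, not Keeper's own code: generate (and optionally apply) an
# nftables ruleset that lets only Keeper's inbound IPs reach the Automator
# port. The addresses in ALLOWLIST are RFC 5737 documentation placeholders;
# replace them with the Inbound IPs from Keeper's documentation.

AUTOMATOR_PORT="${AUTOMATOR_PORT:-8089}"                      # matches automator_port
ALLOWLIST="${ALLOWLIST:-203.0.113.10/32 198.51.100.0/24}"     # placeholders, not real Keeper IPs

# render_ruleset PORT "CIDR CIDR ...": print an nftables ruleset that drops
# every TCP connection to PORT unless its source is in the allowlist. Other
# ports are untouched (policy accept) so SSH and monitoring keep working.
render_ruleset() {
    port="$1"
    sources=$(printf '%s' "$2" | sed 's/  */, /g')
    cat <<EOF
add table inet automator
flush table inet automator
table inet automator {
    set keeper_inbound {
        type ipv4_addr
        flags interval
        elements = { ${sources} }
    }
    chain input {
        type filter hook input priority 0; policy accept;
        tcp dport ${port} ip saddr != @keeper_inbound drop
        # the allowlist is IPv4-only, so refuse IPv6 clients on this port
        meta nfproto ipv6 tcp dport ${port} drop
    }
}
EOF
}

# apply_ruleset: syntax-check the generated rules with nft, then load them.
# Needs root and the nft binary; review the render output first.
apply_ruleset() {
    rules=$(render_ruleset "$AUTOMATOR_PORT" "$ALLOWLIST")
    printf '%s\n' "$rules" | nft --check -f - || return 1
    printf '%s\n' "$rules" | nft -f -
}

case "${1:-}" in
    render) render_ruleset "$AUTOMATOR_PORT" "$ALLOWLIST" ;;
    apply)  apply_ruleset ;;
esac
```

Use sh automator-fw.sh render to review the generated rules and sh automator-fw.sh apply (as root) to load them; the add/flush pair at the top makes the script safe to re-run when Keeper's Inbound IP list changes. In a cloud environment the same allowlist belongs in the instance's security group or network ACL as well, so the host firewall is a second layer rather than the only control.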