Keeper Automator Service
Automatic device approval service, based on authentication, for SSO Connect Cloud environments

Overview

Keeper Automator performs instant device approvals without the need for the end-user to click "Keeper Push" or "Admin Approval". Once Automator is configured, users can access Keeper on a new (not previously approved) device after a successful authentication with your identity provider.
Keeper Automator is a lightweight service that can be deployed as a Docker container or a standalone service to any cloud or on-prem environment.

Why is this needed?

Keeper SSO Connect provides seamless authentication into the Keeper vault using your identity provider. To preserve Zero Knowledge and automate the transfer of the Encrypted Data Key (EDK) to the user's device, a service must be run that is operated by the Enterprise (instead of hosted by Keeper).
An in-depth explanation of the SSO Connect encryption model is documented here.
To protect your server, we recommend restricting all inbound Automator traffic on port 8089 to the list of inbound IPs documented as the SIEM and Automator IPs listed on this page. End users do NOT need to access the service directly; only traffic coming from Keeper's servers needs to reach it.
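One way to check this lock-down, as an added example that is not part of Keeper's documentation: the script below audits exported inbound firewall rules and reports every source range that can reach the Automator port without being inside the allowlist. The rule format, the sample rules and the allowlist addresses (documentation-range placeholders) are constructed; substitute the addresses Keeper publishes.

```python
import ipaddress

AUTOMATOR_PORT = 8089  # default port named on this page; configurable

# Placeholder allowlist (RFC 5737 documentation ranges), NOT Keeper's real IPs.
KEEPER_SOURCES = ["192.0.2.10/32", "198.51.100.0/28"]

# Constructed sample ingress rules, shaped like a security-group export.
SAMPLE_RULES = [
    {"proto": "tcp", "from_port": 8089, "to_port": 8089, "cidr": "192.0.2.10/32"},
    {"proto": "tcp", "from_port": 8089, "to_port": 8089, "cidr": "198.51.100.0/24"},
    {"proto": "tcp", "from_port": 8000, "to_port": 9000, "cidr": "0.0.0.0/0"},
    {"proto": "tcp", "from_port": 22, "to_port": 22, "cidr": "203.0.113.5/32"},
    {"proto": "udp", "from_port": 8089, "to_port": 8089, "cidr": "0.0.0.0/0"},
    {"proto": "tcp", "from_port": 8089, "to_port": 8089, "cidr": "::/0"},
]


def covers_port(rule, port):
    """True if the rule admits TCP traffic to the given port."""
    return rule["proto"] == "tcp" and rule["from_port"] <= port <= rule["to_port"]


def within_allowlist(cidr, allowed):
    """True if the whole source range sits inside one allowlisted network."""
    net = ipaddress.ip_network(cidr, strict=False)
    # subnet_of() raises TypeError across IP versions, so compare versions first.
    return any(net.version == a.version and net.subnet_of(a) for a in allowed)


def audit(rules, allowed_cidrs, port=AUTOMATOR_PORT):
    """Return source ranges that reach the port but exceed the allowlist."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    return [
        rule["cidr"]
        for rule in rules
        if covers_port(rule, port) and not within_allowlist(rule["cidr"], allowed)
    ]


if __name__ == "__main__":
    for cidr in audit(SAMPLE_RULES, KEEPER_SOURCES):
        print(f"port {AUTOMATOR_PORT} is reachable from non-allowlisted source {cidr}")
```

The wide port range (8000-9000) and the IPv6 any-source rule are flagged alongside the over-broad /24, which are the cases a single-port, IPv4-only review tends to miss.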

Prerequisites

Before you install Automator, note a few high-level requirements:
  • An instance to run the container or service. This can be hosted in any cloud or on-prem environment. The process is very lightweight and can easily run on any sized instance with at least 2GB RAM.
  • An inbound port open to the Keeper backend is required. It defaults to port 8089 but can be configured to any port. This communication channel between Keeper and the Automator is used for performing the key exchange, SAML processing and crypto work.
  • Public DNS entry that points to the server, e.g. automator.company.com. The name does not matter, as long as the name is owned by the customer and an SSL certificate can be generated.
  • SSL certificate private key in .pfx format, signed by a public certificate authority for the server.
  • Keeper Commander installed somewhere (can be any workstation) which will help perform some of the setup and configuration steps.

Installation

Automator can be installed in a few different ways. We recommend the Docker container method because it is easy to use and maintains state between system restarts.

Installation Method: Docker

Installation Method: Linux service

Installation Method: Windows service