Keeper Automator Service

Automatic device approval service based on authentication using SSO Connect Cloud environments


The Keeper Automator service performs instant device approvals upon a successful login from the SSO identity provider. Once Automator is running, users can seamlessly access Keeper on a new (not previously approved) device after a successful authentication with your identity provider, without any further approval steps.
Keeper Automator is a lightweight service that can be deployed to Azure Container Instances, Docker Compose or a Windows Service.
Automator Video Overview

Why is this needed?

Keeper SSO Connect provides seamless authentication into the Keeper vault using your identity provider. Normally a user must a approve their new device, or an Admin can approve a new device for a user. The Automator service is totally optional, created for Admins who want to remove any friction associated with device approvals.
To preserve Zero Knowledge and automate the transfer of the Encrypted Data Key (EDK) to the user's device, a service must be run which is operated by the Enterprise (instead of hosted by Keeper). The service can be run several different ways, either in the cloud or self-hosted.
An in-depth explanation of SSO Connect encryption model is documented here.


Before you install Automator, a few high level requirements:
  • An Azure account, Azure cloud instance or on-prem instance to run the container or service. The process is very lightweight and can easily run on any sized container with at least 1GB RAM.
  • Inbound port open to the Keeper backend is required. It defaults to port 443 but it can be configured to any port (prior versions used port 8089). This communications channel between Keeper and the Automator is used for performing the key exchange, SAML processing and crypto work.
  • Public DNS entry that points to the service, e.g. The name does not matter, as long as the name is owned by the customer and an SSL certificate can be generated. See the Network Config page to review the recommended configuration.
  • SSL certificate private key in .pfx format, signed by a public certificate authority for the server. The domain name doesn't matter, as long as it is a trusted cert signed by a public authority.
  • Keeper Commander must be installed somewhere just for the initial setup. It can be installed on any local workstation. Commander is not required to run all the time, just to run a few setup steps.

Certificate Generation

Before installing Commander, please create a SSL certificate following the Create Certificate instructions page.

Service Installation

Automator can be installed in a few different ways. We recommend using the Azure Cloud Service, Docker Compose method or Windows Service method, depending on your environment and requirements.

Installation Method: Docker Compose

Installation Method: Windows Service

Installation Method: Docker

Installation Method: Standalone Java