Keeper Automator Service
Automatic device approval service based on authentication using SSO Connect Cloud environments

The Keeper Automator service performs instant device approvals upon a successful login from the SSO identity provider. Once Automator is running, users can seamlessly access Keeper on a new (not previously approved) device after a successful authentication with your identity provider, without any further approval steps.
Keeper Automator is a lightweight service that can be deployed to Azure Container Instances, Docker Compose or a Windows Service.
Automator Video Overview
Keeper SSO Connect provides seamless authentication into the Keeper vault using your identity provider. Normally a user must a approve their new device, or an Admin can approve a new device for a user. The Automator service is totally optional, created for Admins who want to remove any friction associated with device approvals.
To preserve Zero Knowledge and automate the transfer of the Encrypted Data Key (EDK) to the user's device, a service must be run which is operated by the Enterprise (instead of hosted by Keeper). The service can be run several different ways, either in the cloud or self-hosted.
Before you install Automator, a few high level requirements:
- An Azure account, Azure cloud instance or on-prem instance to run the container or service. The process is very lightweight and can easily run on any sized container with at least 1GB RAM.
- Inbound port open to the Keeper backend is required. It defaults to port 443 but it can be configured to any port (prior versions used port 8089). This communications channel between Keeper and the Automator is used for performing the key exchange, SAML processing and crypto work.
- Public DNS entry that points to the service, e.g. automator.company.com. The name does not matter, as long as the name is owned by the customer and an SSL certificate can be generated. See the Network Config page to review the recommended configuration.
- SSL certificate private key in
.pfx
format, signed by a public certificate authority for the server. The domain name doesn't matter, as long as it is a trusted cert signed by a public authority. - Keeper Commander must be installed somewhere just for the initial setup. It can be installed on any local workstation. Commander is not required to run all the time, just to run a few setup steps.
Before installing Commander, please create a SSL certificate following the Create Certificate instructions page.