User Provisioning

Instructions on how to provision users with SSO Connect Cloud

Onboarding Users

There are several options for onboarding users who inside an SSO-provisioned node:

Option 1: Using Just-In-Time (JIT) Provisioning

If Just-In-Time (JIT) provisioning is activated on your SSO configuration, there are a few ways that users can access their vault:

(1) Direct your users to the identity provider dashboard to click on the Keeper icon.

(2) Provide users with a hyperlink to the Keeper application within the identity provider (see your IdP Application configuration screen for the correct URL).

(3) Send users to the Keeper Vault to click on "Enterprise SSO Login" using the "Enterprise Domain" that you configured in Keeper.

Enterprise Domain Login

(4) Hyperlink users directly to the Enterprise Domain login screen on Keeper using the below format:

  • Replace xxxxx with the name of the Enterprise Domain that has been assigned in the Admin Console.

  • Use .eu or .com in the URL depending on the location of your environment (e.g. or

Option 2: Using SCIM (Automated Provisioning)

  • If your identity provider supports Automated Provisioning (using the SCIM protocol), users will be automatically provisioned with a Keeper Vault.

  • Follow our User and Team Provisioning guide for instructions on setting up your preferred method.

  • Users who are provisioned through SCIM can simply type in their Email Address on the Vault Login screen and they will be automatically directed to the IdP login screen.

Option 3: Manually Inviting Users

If you prefer to manually invite users from the Admin Console instead of using Just-In-Time provisioning, follow these steps:

  • Login to the Keeper Admin Console

  • Open the node which is configured with your identity provider

  • Click on "Add Users" to invite the user manually.

Note: Additional customization of the Email Invitation including graphics and content can be made by visiting the "Configuration" screen of the Admin Console.