High level overview of Keeper SSO Connect™ Cloud

Keeper SSO Connect™ Cloud provides zero-knowledge security without the need for the customer to host or manage any application services.

This service does not require any on-premises or customer cloud-hosted services and there are no Master Passwords. Configuration is done directly between the IdP and Keeper's Admin Console.

To preserve Zero Knowledge, an Elliptic Curve public/private key pair is generated for each device. The private key on the device encrypts and decrypts the user's vault. Signing into a new device requires a key exchange that is processed by the new Keeper Push feature or approved by a designated Admin.
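The device-approval key exchange described above can be pictured with the following added example, which is not Keeper's code or wire format. It assumes a P-256 curve, an ECIES-style wrap (ephemeral ECDH, HKDF-SHA256, AES-256-GCM) and hypothetical function names, and shows an approver wrapping a vault data key to a new device's public key so that the service relaying the message cannot read it.

```javascript
// Added illustration only: not Keeper's code or wire format.
const crypto = require('crypto');
const CURVE = 'prime256v1'; // assumption: the page only says "Elliptic Curve"

// Every device generates its own key pair; the private key stays on the device.
function newDeviceKeyPair() {
  const ecdh = crypto.createECDH(CURVE);
  return { ecdh, publicKey: ecdh.generateKeys() };
}

// Derive a 256-bit wrapping key from the ECDH secret, bound to the ephemeral public key.
function deriveWrapKey(sharedSecret, ephemeralPub) {
  const okm = crypto.hkdfSync('sha256', sharedSecret, ephemeralPub, 'device-approval-demo', 32);
  return Buffer.from(okm);
}

// Approver side (an already-approved device or an Admin with "Approve Devices"):
// wrap the vault data key so that only the new device's private key can unwrap it.
function approveDevice(dataKey, newDevicePublicKey) {
  const eph = crypto.createECDH(CURVE);
  const ephemeralPub = eph.generateKeys();
  const wrapKey = deriveWrapKey(eph.computeSecret(newDevicePublicKey), ephemeralPub);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', wrapKey, iv);
  const ciphertext = Buffer.concat([cipher.update(dataKey), cipher.final()]);
  return { ephemeralPub, iv, ciphertext, tag: cipher.getAuthTag() };
}

// New device side: recompute the shared secret with its private key and unwrap.
function unwrapDataKey(device, msg) {
  const wrapKey = deriveWrapKey(device.ecdh.computeSecret(msg.ephemeralPub), msg.ephemeralPub);
  const decipher = crypto.createDecipheriv('aes-256-gcm', wrapKey, msg.iv);
  decipher.setAuthTag(msg.tag);
  return Buffer.concat([decipher.update(msg.ciphertext), decipher.final()]);
}

// The relaying service sees only public keys and ciphertext. Any party without
// the new device's private key fails GCM authentication when it tries to unwrap.
function relayCanUnwrap(msg) {
  try {
    unwrapDataKey(newDeviceKeyPair(), msg);
    return true;
  } catch (err) {
    return false;
  }
}
```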


At a high level, setting up Keeper SSO Connect Cloud can be accomplished in 3 easy steps:

1. Enable Account Transfer *
2. Configure SSO Connect on the Keeper Admin Console.
3. Enable and configure the Keeper Application within the IdP.

  • Failure to enable Account Transfer may result in an orphaned vault if the last vault instance is deleted without approving access on a new device.

  • A new Admin Permission called "Approve Devices" allows an Administrator with limited permissions to perform device approvals as needed.


From an administrator's perspective, the cost, risk and labor-saving benefits are significant:

1) Easy setup, all in one place in Keeper’s existing Admin Console.

2) No hosted software to integrate with their IdP

3) No additional server costs

4) No patching software

5) Eliminates a potential single point of failure

6) Available 24/7/365 on Keeper’s high availability systems