Enterprise End-User (SSO)

This end-user guide was created for Enterprise customers who deploy Keeper through an existing Single Sign-On Identity Provider (IdP) such as Azure, ADFS or Okta.

Create Your Keeper Account

Your Keeper vault is easy to create, simple to use, and you’ll be up and running in just minutes. You can create and access your Keeper vault by either logging in directly from Keeper via an email invitation from your Keeper Administrator or from your SSO provider dashboard.

Create Your Account - Email Invitation

You may have received an email from your organization's Keeper Administrator inviting you to create a Keeper account with a subject line that reads: "Action Required >> Instructions for Your Keeper Security Account"
To create your Keeper account, click the yellow action button that by default says "Set Up Your Account Now", however, your organization may have chosen to customize the exact wording.
Since your Keeper account is deployed through your Single Sign-On Identity Provider (IdP) integration, you will automatically be routed to authenticate against your IdP if a current SSO session is not active.
Once you have successfully authenticated to the IdP, you will be routed to your Keeper vault. Upon accessing your vault, you may receive a "Vault Transfer" acceptance dialog.
Next, you will be guided through a "Quick Start" walkthrough, that will help you either import passwords from your browser or other password manager (if enabled by your Keeper Admin) or manually create new records.
Please note, the Quick Start module may be disabled by your Keeper Admin.

Create Your Account - SSO Dashboard

Alternatively, you can create your Keeper account by visiting your SSO provider dashboard. This is called "Identity Provider-initiated login". First, log in to your existing Single Sign-On identity provider as you normally do.
You will observe your Keeper administrator has integrated Keeper into your identity provider dashboard. Simply click the Keeper icon to launch the Keeper application.
IdP-Initiated Login
You will be guided through a "Quick Start" walk through, that will help you either import passwords from your browser or other password manager (if enabled by your Keeper Admin) or manually create new records.
Please note, the Quick Start module may be disabled by your Keeper Admin.

Vault Overview

Keeper Vault

Login Flows

Once your Keeper account has been created, logging into your Keeper Vault is both easy and secure. Users can do so from either Keeper's vault login page or from their SSO provider dashboard.

Keeper Initiated Login

You can login to Keeper by entering either your email address or Enterprise Domain at Keeper's login page.
Login to your Keeper Vault in your respective Data Center:

Email Address Login

From the Keeper vault login page, enter your email address and click Next
You will automatically be routed to your Identity Provider to sign in. Once you have successfully authenticated to the IdP, you will be routed to your Keeper vault.

Enterprise Domain Login

From the Keeper vault login page, select Enterprise SSO Login > Enterprise Domain
Enter your Enterprise Domain and click Connect
Please note, the Enterprise Domain is provided by your Keeper administrator.
You will automatically be routed to your Identity Provider to sign in. Once you have successfully authenticated to the IdP, you will be routed to your Keeper vault.

SSO Initiated Login

Log in to your existing Single Sign-On identity provider as you normally do.
Simply click the Keeper icon to launch the Keeper application and you will be routed to your Keeper vault.

Device Approvals

If you sign into Keeper on a new platform, you may encounter a "device approval" request (SSO Cloud Users Only). If you are attempting to log in on an unrecognized device or browser, a device approval must take place before you can proceed to your Keeper vault. Users have two methods of approval to choose from, Keeper Push or Admin Approval.
Keeper Push is Keeper’s proprietary notification-based device approval system that sends a push notification to an existing, recognized device. This is a self-service process that allows users to handle the device approval on their own.
Admin Approval will send a notification to your Keeper Admin requesting device approval. If you do not have an existing, recognized device, this will be the only path gain access again.
If you select Keeper Push, a notification (push) will be appear in your vault at an approved device or browser. Select Yes to approve the new device.
You must be actively logged into a different, recognized/approved device to receive the notification.
Alternatively, if you select Admin Approval, your Keeper Admin will receive notification for approval. Once the device has been approved, you will be able to proceed to your Keeper Vault.
Please note, your Keeper Admin may have configured automatic approvals, in which case the request is handled within 15 seconds.

Import Passwords

Upon logging into your Keeper vault, you'll be asked to import your existing passwords (if enabled by your Keeper Administrator). The video below highlights the password import process.
Click Next to install the Keeper import tool and begin the import process.
After installing the import tool, you'll be asked to copy-paste a code or "token" from the Vault into the import tool.
Keeper will report websites and their associated logins and passwords directly from your web browser. You can then scroll though the report and uncheck those you do not wish to import. Once you have finished reviewing the report, click Add to Keeper to import the selected password.
If you are using an existing password manager or if your passwords are stored in a text file (.csv), you can import those passwords by first selecting your import source from the list and then clicking View Import Instructions to follow the provided instructions.
Account Dropdown Menu > Settings > Import
Import instructions can also be found in the "Import Records" section located in the left column of our user guides.
After the import is complete, you are returned to your Keeper vault where the newly imported records will now appear.

Download Keeper Applications

Download Keeper to access your Keeper Vault from any platform and be able to use it for native applications across all of your devices.
Visit: to download the Keeper App for all of your desktop and mobile devices.
Keeper Download Page

Create Records

A Keeper record can be any password, file or other sensitive piece of information that is stored in your private, digital Vault and encrypted on your device using 256-bit AES.
Follow the steps below to begin manually creating your vault records. Alternatively, if your Keeper Admin has enabled the import feature, you can import your passwords from web browsers, other password managers or from a text file (as described in the "Import Passwords" section above).
To begin, click + Create New > Record
  • Choose a Record Type from the dropdown menu ("Login" is the default type)
  • Name Your Record
  • Enter Your Email or Username
  • Enter Your Password or Tap the Dice to Generate One (more on that here)
  • Enter the Website Address
  • Enter Additional Notes, Custom Fields, and Securely Add Files & Photos
  • Click Save to Finish


Folders & Subfolders

Keeper allows you to organize your records into folders and subfolders. To create a folder, click on + Create New > Folder
To create a subfolder, right-click on the existing/parent folder and click New Folder

Managing Folders and Subfolders

Keeper's "Folders" and "Subfolders" (nested folders) are created independently of records and are both powerful and flexible. This organizational system, provides users with the most secure encryption model while offering ease-of-use functionality such as drag-and-drop.
  • A folder can be made up of personal records, shared records or other subfolders
  • Subfolders can be either shared or personal
  • You can create an unlimited number of folders and shared folders
  • A shared folder can be made up of an unlimited number of subfolders, each subfolder beneath a shared folder retains the permissions of the parent
  • There is no limit to the folder tree depth
  • A folder is a container of records and record references (shortcuts)
  • A shared folder is a container of records, with flexible user and team sharing capability

Moving & Shortcuts

Drag-and-drop the record(s) you would like to store in a folder or subfolder and click Move or Create shortcut. To move multiple records, hold "shift" and click the items to drag-and-drop.
Shortcuts like alias files, can exist in two or more places and when edited, change together.
Move Records with Drag-and-Drop
Moving and shortcuts can also be performed by right-clicking on a record or folder to generate a contextual options menu.


By right-clicking on a record you can create a record "Favorite" (indicated by a star), used to easily identify your most frequently visited sites.

Secure File Storage

Keeper offers Secure File Storage to protect your confidential files, photos and videos. Secure File Storage feature is a secure and convenient method to upload and store the following:
  • SSH Keys, SSL certificates and other private keys
  • ID cards such as passports and drivers licenses
  • Private financial information
  • Confidential IT documentation
  • Banking information
  • and much more...
Files can either be added to an existing record or you can create a standalone record to store the file independently of other login information.
While creating a record, click Files or Photos to upload a file, or simply drag-and-drop the file directly into your vault.
By clicking the download icon next to the file or photo within a record, users have the option to quickly view or download it.
To learn more about Secure File Storage, click here.

File Sharing

Users also have the ability to securely share files with other Keeper users via record sharing (or folder sharing), making Secure File Storage the best way to save and transfer the most sensitive of information. Within the record, click Options > Sharing then enter the email address(es) of the other Keeper users you would like to share the record with.
Sharing features may be disabled by your Keeper Administrator and are controlled as role-based enforcement policies.

Benefits & Features

  • Just like our password encryption technology, Keeper protects your confidential files with 256-bit AES encryption using record-level keys.
  • Secure file storage is available across all of your devices including iOS, Android, Web Vault, and Desktop App.
  • Files can be easily and securely shared with other Keeper users, from vault-to-vault.
  • Like your other Keeper records, you can set sharing permissions for records that contain your secure files (can edit, can share, can edit & share, and read only).
  • File sizes are supported up to 5GB for Desktop App, 100GB for iOS, 100GB Android, 100MB for Web Vault.
To learn more about file sharing, click here.


With Keeper's seamless sharing features, you can securely create, manage and share records and folders with your colleagues (must be existing Keeper users).

Share a Record

To share a record click Options > Sharing.
Record Options > Sharing
From the "Add People" tab, click within the email address field and enter the email address of the Keeper user you would like to share the record with.
Click the dropdown arrow to set their permission level (can edit, share, edit & share, view only and transfer ownership) and click Add.
To learn more about sharing a record, click here.

Share Folders & Subfolders


A shared folder can be shared with an individual Keeper user or to a Keeper Team. Shared Folder permissions can be applied to Users, Teams and Records.
Alternatively, when a user is provisioned to a Team, the user will instantly receive the shared folders for that team, and the records associated with those shared folders. When the user is removed from a team, their access is revoked from any shared folders and those folders are immediately removed from their vault.


Both personal and shared folders can be nested and contain an unlimited number of records or subfolders. Each subfolder inherits the same permissions structure as the parent folder.
If the parent folder is a shared folder and you move a personal folder into it, the personal folder will now inherit the permissions set from the shared folder, including the users that have permission to view and edit that folder and its records.
To create a Shared Folder, click Create New > Shared Folder.
Create New > Shared Folder
Choose where you would like to nest the folder using the dropdown menu and enter a name for the folder. Set the User and Folder Permissions and click Create.
New Shared Folder Creation
To learn more about Sharing Folders, click here.


With the KeeperFill browser extension, you can autofill your passwords and save new login credentials to your vault. KeeperFill is available for every web browser (Chrome, Firefox, Safari, IE, Edge, and Opera).
When you click on the Website Address field of a Keeper record, you'll be prompted to install the KeeperFill Browser Extension. KeeperFill allows you to login to websites and create new passwords automatically.
When you attempt to log into a site, Keeper will appear (if logged into the browser extension). Visit the browser toolbar to configure your settings and preferences for the KeeperFill features.
The "Website Address" in your Keeper record must match the website domain in order to autofill it.

Download & Setup

To make the most of Keeper's Browser Extension, we recommend that you disable your browser's built-in password saving features. Keeper provides a much more secure and seamless solution to save and autofill your passwords across all browsers, devices and computers.
For browser-specific setup and usage instructions, click here.

Autofill with KeeperFill

Once downloaded, the KeeperFill browser extension will appear in the upper-right corner of your browser window (for Safari, it will appear left of center).
You will be automatically logged into the KeeperFill Browser Extension upon signing into the Keeper Web Vault or you can log in by clicking the Keeper icon located in your browser toolbar and entering your email address and Master Password.
If this is your first time logging into a site while logged into KeeperFill, you will be asked if you would like to auto-fill your login, click Yes.
Alternatively, clicking on the Keeper lock in a login field allows you to view, fill or edit the record match (or create a new one). Click Fill Record to fill your login credentials or click Show More to view/fill individual fields.
KeeperFill's easily accessible search bar, allows you to search within your vault to quickly locate and fill the desired login credentials, payment cards and personal info such as addresses.
Watch the video below to learn how to autofill with KeeperFill.
Autofill with KeeperFill

Create New Records

Keeper recognizes when you are at a site's login form and will prompt you to create a record if one has not yet been created.
First select a login from the list of recognized emails or click Add Login to enter a new one.
Now enter your existing password for the site (or let Keeper help you create one) and click Yes to save the password and create a new record.
A preview of your new record will appear. Review the details and click OK or make changes as needed and click Save.
Clicking the Keeper Lock in a site's login field will also give you the option to create a new record (if there are currently no records in your vault with a website address matching the site).

Keyboard Shortcuts

If you prefer to use keyboard shortcuts instead of mouse clicks to autofill your passwords, follow the steps below:
  1. 1.
    Navigate to the site you would like to log into.
  2. 2.
    Type command+shift+k (for Mac OS) or alt+k (for Windows).
  3. 3.
    In the field provided, begin typing your search terms.
  4. 4.
    Use the up and down arrows on your keyboard to find and highlight the record you are searching for.
  5. 5.
    Use the enter key to quickly fill and log in to the site.

Changing Passwords

KeeperFill makes it easy to change your passwords. When visiting a site's "Change Password" form, you will receive a prompt from Keeper asking if you would like help changing your password. By clicking Yes Keeper will walk you through a few quick steps to change your password and simultaneously update the record in your vault. These steps will include a series of prompts detailing the following actions:
  • Autofill your old/current password
  • Automatically generate and autofill a new secure password
  • Confirm the changes and save them to your vault
KeeperFill's Prompt to Change a PasswordKeeperFill's Prompt to Change a Password
Watch the video below to learn more how to change your passwords with Keeper.
Changing Your Passwords

KeeperFill Login

Users are also able to login to their vaults and select a device approval method (if applicable) directly from the KeeperFill Browser Extension window. The same paths exist to authenticate to the browser extension, email address or Enterprise Domain (as described in the "Login Flows" section above).

Key Features

Password Generator

Long, random passwords that are created for each login help protect your information and reduce your exposure to data breaches. Keeper generates and securely stores strong, random passwords for all of your sites and apps with the click of the dice.
This will NOT automatically change the website's existing login password. You must still visit the corresponding website's "Change Password" form to update the old password to match the new, stronger password. Click here to learn how to easily change your password with KeeperFill.

Custom Fields

Custom Fields allow you to store additional data within a record, such as the answer to a site's security question or a passport number. Any record created with one of Keeper's new Record Types, can be further enhanced with various custom field options.
Custom field labels can be edited and if you are creating multiple custom fields, you can drag and drop them in your preferred order.
To learn more about Record Types, click here.
Custom Fields
Please note, some custom field types and features may be restricted by your Keeper Admin.

"General" Record Types (Keeper's Legacy Record Version)

Within a "general" record type, custom fields can be created in pairs: a "Custom Field Name" and a "Custom Field Value".
Please note, masked custom field values are only available for Keeper Enterprise customers.


Auto-launch allows you securely and quickly navigate to your favorite websites. Simply click a record's Website Address or launch icon to simultaneously launch and login with Keeper in a new window.

2FA for Websites & Apps

The video below highlights the process of adding a Two-Factor code to a Keeper record.
(1) At your target website, visit the two-factor authentication screen which is usually located within security settings. It is sometimes referred to as "login verification" or "two-step verification". Screengrab the QR pattern or copy the secret code to clipboard.
(2) Within a Keeper record, select Edit > Add Two-Factor Code.
(3) Upload the screenshot of the Two-Factor QR pattern (with security key) associated with the site or application. If there isn't a QR pattern, use the manual entry method. Enter the code given under “Secret Key”, often a 32-digit code and fill out the rest of the fields.
(4) After adding the security key to the vault record a Two-Factor Code field will be generated inside the record. Click Save to finish.
(5) The two-factor code will be regenerated frequently and can then be filled into the site or app that will prompt for it after logging in with a username and password.


Security Audit

Security Audit gives your passwords an overall security score and lets you clearly see what passwords are weak from a password strength visual (red being the weakest, green being the strongest).
You can edit a record's password by clicking on the record from the provided list (you will still need to update the password at the record's website to match the new password in your Vault).


BreachWatch is a powerful secure add-on feature that monitors the internet and dark web for breached accounts matching records stored within your Keeper vault. BreachWatch alerts you so that you can take immediate action to protect yourself against hackers. Once activated, BreachWatch continuously monitors for compromised credentials and notifies you if any of your records are at risk.
To start your BreachWatch scan, from the left navigation menu, click BreachWatch > Let's Begin .
BreachWatch will then scan your records and report any risks associated with them. Clicking each record listed will allow you view the steps needed to resolve each risk.
Resolving the risk requires you to change the password at the affected website. Once you have done that, be sure to update the corresponding record in your Keeper Vault with the same password.
If you click Ignore, then that record will be skipped on future scans until the password is reset. You may also do nothing (deferring a response) and leave the risky password unchanged and thus still at risk.
To learn more about BreachWatch, click here.

Two-Factor Authentication Setup

Two-Factor Authentication (2FA) provides an extra layer of security when logging into your Keeper Vault by requiring a secondary passcode upon logging in.
To enable 2FA for your Keeper vault, from the Account Dropdown Menu, click Settings > Security , toggle "Two-Factor Authentication" on and select your 2FA method.

Text Message Setup:

(1) The Text Message toggle is on by default. Select a Region from the dropdown (US+1 by default), enter your 10 digit phone number including your area code and click Next.
(2) To verify that you trust this number and device, enter the Keeper Web code that was sent to the phone number you provided. Select your 2FA code duration from the dropdown menu and click Next.
You will be prompted for 2FA every time you login to your Vault unless you select an alternative code duration. Business customers may be required to enter the code every login as determined by their Keeper Administrator.
Codes will only last for a minute; if you need another code sent, click Send a new code.
(3) Backup codes will be shown next. If you are unable to receive Two-Factor codes via the phone number you entered, you can enter one of the codes listed instead. Click I have written these codes downto finish.
If you are NOT receiving SMS messages from Keeper, please use the TOTP method or contact [email protected] to troubleshoot the issue.

Google and Microsoft Authenticator (TOTP) Setup:

(1) Toggle "Google and Microsoft Authenticator (TOTP)" on and click Next.
(2) Using the device that runs the Google or Microsoft Authenticator App, scan the QR code provided. The app will then acknowledge the QR code and produce a verification code.
(3) Enter that verification code and click Next.
You will be prompted for 2FA every time you login to your Vault unless you select an alternative code duration. Business customers may be required to enter the code every login as determined by their Keeper Administrator.
(4) Backup codes will be shown next. If you are unable to receive Two-Factor codes via the phone number you entered, you can enter one of the codes listed instead. Click I have written these codes down to finish.
In order for Azure MFA (using the Microsoft Authenticator app.) to be utilized as a TOTP, the Azure administrator needs to allow the verification method "Verification code from mobile app or hardware token" when setting up MFA in Azure. Learn more.

KeeperDNA Setup:

Keeper DNA is a Two-Factor Authentication method that uses your smart watch as your second factor.
To use this feature, toggle the switch next to Keeper DNA, then follow these links to set up KeeperDNA on your preferred platform:


Users can change specific features like language, theme and Two-Factor Authentication in the Settings menu. You can access the Settings menu from the Account Dropdown Menu.
Account Dropdown Menu > Settings > General
Account Dropdown Menu > Settings > Security


  • Choose a New Color Theme
  • Choose another language: English US & UK, Spanish, Japanese, Romanian, Chinese Simplified & Traditional, French, Korean, Russian, Arabic, Greek, Dutch, Slovak, Brazilian Portuguese, Hebrew, Polish, German, Italian, and Portuguese
  • Record Type Sorting
  • Reset Master Password
  • Reset Security Question
  • Change Email Address
  • Locate and Delete Duplicate Records
  • Delete All Owned Records



Importing Data from Other Sources

Keeper provides several methods of importing data into the vault. Each method is fully documented with screenshots and example data. (1) Import from Chrome, Firefox, IE, Edge, Safari and Opera using the Web Vault
(2) Import from Chrome, Firefox, IE, Edge, Safari and Opera using the Desktop App From the Desktop App, simply click on Settings > Import > click "Import" to begin the import process.
(10) Custom import coding using the Keeper Commander SDK

Other Helpful Videos

iOS (iPhone, iPad)

Keeper iOS Overview

Android (Phones and Tablets)

Keeper Android Overview

KeeperFill Browser Extension (Chrome, Safari, Firefox, Edge & Internet Explorer)

KeeperFill for Chrome Overview
More videos are available at: