Enterprise End-User (SSO)

This end-user guide was created for Enterprise customers who deploy Keeper through an existing Single Sign-On Identity Provider (IdP) such as Azure, ADFS or Okta.
Create Your Keeper Account
Your Keeper vault is easy to create, simple to use, and you’ll be up and running in just minutes. You can create and access your Keeper vault by either logging in directly from Keeper via an email invitation from your Keeper Administrator or from your SSO provider dashboard.
Create Your Account - Email Invitation
You may have received an email from your organization's Keeper Administrator inviting you to create a Keeper account with a subject line that reads: "Action Required >> Instructions for Your Keeper Security Account"
To create your Keeper account, click the yellow action button that by default says "Set Up Your Account Now", however, your organization may have chosen to customize the exact wording. 
Since your Keeper account is deployed through your Single Sign-On Identity Provider (IdP) integration, you will automatically be routed to authenticate against your IdP if a current SSO session is not active.
Once you have successfully authenticated to the IdP,  you will be routed to your Keeper vault.  Upon accessing your vault, you may receive a "Vault Transfer" acceptance dialog.
Next, you will be guided through a "Quick Start" walkthrough, that will help you either import passwords from your browser or other password manager (if enabled by your Keeper Admin) or manually create new records. 
Please note, the Quick Start module may be disabled by your Keeper Admin.
Create Your Account - SSO Dashboard
Alternatively, you can create your Keeper account by visiting your SSO provider dashboard. This is called "Identity Provider-initiated login". First, log in to your existing Single Sign-On identity provider as you normally do.
You will observe your Keeper administrator has integrated Keeper into your identity provider dashboard. Simply click the Keeper icon to launch the Keeper application. 
IdP-Initiated Login
You will be guided through a "Quick Start" walk through, that will help you either import passwords from your browser or other password manager (if enabled by your Keeper Admin) or manually create new records.
Please note, the Quick Start module may be disabled by your Keeper Admin.
Vault Overview
Login Flows
Once your Keeper account has been created, logging into your Keeper Vault is both easy and secure. Users can do so from either Keeper's vault login page or from their SSO provider dashboard.
Keeper Initiated Login
You can login to Keeper by entering either your email address or Enterprise Domain at Keeper's login page. 
Login to your Keeper Vault in your respective Data Center:
US: https://keepersecurity.com/vault​
EU: https://keepersecurity.eu/vault

AU: https://keepersecurity.com.au/vault​
Email Address Login 
From the Keeper vault login page, enter your email address and click Next
You will automatically be routed to your Identity Provider to sign in. Once you have successfully authenticated to the IdP,  you will be routed to your Keeper vault. 
Enterprise Domain Login
From the Keeper vault login page, select Enterprise SSO Login > Enterprise Domain 
Enter your Enterprise Domain and click Connect
Please note, the Enterprise Domain is provided by your Keeper administrator.
You will automatically be routed to your Identity Provider to sign in. Once you have successfully authenticated to the IdP,  you will be routed to your Keeper vault.
SSO Initiated Login
Log in to your existing Single Sign-On identity provider as you normally do.
Simply click the Keeper icon to launch the Keeper application and you will be routed to your Keeper vault. 
Device Approvals 
If you sign into Keeper on a new platform, you may encounter a "device approval" request (SSO Cloud Users Only). If you are attempting to log in on an unrecognized device or browser, a device approval must take place before you can proceed to your Keeper vault. Users have two methods of approval to choose from, Keeper Push or Admin Approval.
Keeper Push is Keeper’s proprietary notification-based device approval system that sends a push notification to an existing, recognized device. This is a self-service process that allows users to handle the device approval on their own. 
Admin Approval will send a notification to your Keeper Admin requesting device approval.  If you do not have an existing, recognized device, this will be the only path gain access again.
If you select Keeper Push, a notification (push) will be appear in your vault at an approved device or browser. Select Yes to approve the new device. 
You must be actively logged into a different, recognized/approved device to receive the notification.
Alternatively, if you select Admin Approval, your Keeper Admin will receive notification for approval. Once the device has been approved, you will be able to proceed to your Keeper Vault.
Please note, your Keeper Admin may have configured automatic approvals, in which case the request is handled within 15 seconds.
Import Passwords
Upon logging into your Keeper vault, you'll be asked to import your existing passwords (if enabled by your Keeper Administrator). The video below highlights the password import process.
Click Next to install the Keeper import tool and begin the import process.
After installing the import tool, you'll be asked to copy-paste a code or "token" from the Vault into the import tool.
Keeper will report websites and their associated logins and passwords directly from your web browser. You can then scroll though the report and uncheck those you do not wish to import. Once you have finished reviewing the report, click Add to Keeper to import the selected password.
If you are using an existing password manager or if your passwords are stored in a text file (.csv), you can import those passwords by first selecting your import source from the list and then clicking View Import Instructions to follow the provided instructions.
Account Dropdown Menu > Settings > Import
Import instructions can also be found in the "Import Records" section located in the left column of our user guides.
After the import is complete, you are returned to your Keeper vault where the newly imported records will now appear.
Download Keeper Applications
​Download Keeper to access your Keeper Vault from any platform and be able to use it for native applications across all of your devices.
Visit: https://keepersecurity.com/download to download the Keeper App for all of your desktop and mobile devices.
Create Records
A Keeper record can be any password, file or other sensitive piece of information that is stored in your private, digital Vault and encrypted on your device using 256-bit AES. 
Follow the steps below to begin manually creating your vault records. Alternatively, if your Keeper Admin has enabled the import feature, you can import your passwords from web browsers, other password managers or from a text file (as described in the "Import Passwords" section above).
To begin, click + Create New > Record
Name Your Record
Enter Your Email or Username
Enter Your Password or Tap the Dice to Generate One (more on that here)
Enter the Website Address
Enter Additional Notes, Custom Fields, and Securely Add Files & Photos​
Click Save to Finish
Organization
Folders & Subfolders
Keeper allows you to organize your records into folders and subfolders. To create a folder, click on + Create New > Folder
To create a subfolder, right-click on the existing/parent folder and click New Folder
Managing Folders and Subfolders
Keeper's "Folders"  and "Subfolders" (nested folders) are created independently of records and are both powerful and flexible. This organizational system, provides users with the most secure encryption model while offering ease-of-use functionality such as drag-and-drop.
A folder can be made up of personal records, shared records or other subfolders
Subfolders can be either shared or personal
You can create an unlimited number of folders and shared folders
A shared folder can be made up of an unlimited number of subfolders, each subfolder beneath a shared folder retains the permissions of the parent
There is no limit to the folder tree depth
A folder is a container of records and record references (shortcuts)
A shared folder is a container of records, with flexible user and team sharing capability
Moving & Shortcuts
Drag-and-drop the record(s) you would like to store in a folder or subfolder and click Move or Create shortcut. To move multiple records, hold "shift" and click the items to drag-and-drop.
Shortcuts like alias files, can exist in two or more places and when edited, change together.
Moving and shortcuts can also be performed by right-clicking on a record or folder to generate a contextual options menu.
Favorites
By right-clicking on a record you can create a record "Favorite" (indicated by a star), used to easily identify your most frequently visited sites.
Secure File Storage
Keeper offers Secure File Storage to protect your confidential files, photos and videos. Secure File Storage feature is a secure and convenient method to upload and store the following:
SSH Keys, SSL certificates and other private keys
ID cards such as passports and drivers licenses
Private financial information
Confidential IT documentation
Banking information
and much more...
Files can either be added to an existing record or you can create a standalone record to store the file independently of other login information. 
Click  + Files or Photos to upload a file, or simply drag-and-drop the file directly into your Vault. 
By clicking the download icon next to the file or photo within a record, users have the option to quickly view or download it. 
To learn more about Secure File Storage, click here.
File Sharing
Users also have the ability to securely share files with other Keeper users via record sharing (or folder sharing), making Secure File Storage the best way to save and transfer the most sensitive of information. Within the record, click Options > Sharing then enter the email address(es) of the other Keeper users you would like to share the record with. 
Sharing features may be disabled by your Keeper Administrator and are controlled as role-based enforcement policies.
Benefits & Features
Just like our password encryption technology, Keeper protects your confidential files with 256-bit AES encryption using record-level keys.
Secure file storage is available across all of your devices including iOS, Android, Web Vault, and Desktop App.
Files can be easily and securely shared with other Keeper users, from vault-to-vault. 
Like your other Keeper records, you can set sharing permissions for records that contain your secure files (can edit, can share, can edit & share, and read only).
File sizes are supported up to 5GB for Desktop App, 100GB for iOS, 100GB Android, 100MB for Web Vault.
To learn more about file sharing, click here.
Sharing
With Keeper's seamless sharing features, you can securely create, manage and share records and folders with your colleagues (must be existing Keeper users).
Share a Record
While viewing a record click Options > Sharing
Enter the email(s) of the Keeper users then choose their permission type from the dropdown menu.
Permission Type
Permission Level
Can Edit
Users in folder can edit this record
Can Share
Users in folder can share this record
Can Edit & Share
Users in folder can edit and share this record
Read Only
Users can only view the record
Transfer Ownership
User will own the record and control the sharing permissions
Share Folders & Subfolders
Folders
A shared folder can be shared with an individual Keeper user or to a Keeper Team. Shared Folder permissions can be applied to Users, Teams and Records. 
Alternatively, when a user is provisioned to a Team, the user will instantly receive the shared folders for that team, and the records associated with those shared folders. When the user is removed from a team, their access is revoked from any shared folders and those folders are immediately removed from their vault. 
Subfolders
Both personal and shared folders can be nested and contain an unlimited number of records or subfolders. Each subfolder inherits the same permissions structure as the parent folder.
If the parent folder is a shared folder and you move a personal folder into it, the personal folder will now inherit the permissions set from the shared folder, including the users that have permission to view and edit that folder and its records.
Click Create New > Shared Folder
Click the dropdown to select where you would like to nest the shared folder. Click Edit to add record(s), user(s), set permission types and default folder settings. 
Default Folder Settings
Permission Type
Description
Can Manage Users
Users or teams added to the shared folder can add and remove other users and teams from the folder.
Can Manage Records
Users or teams added to the shared folder can add and remove records from the folder.
Can Edit Record
Users or teams added to the shared folder can edit the record contents.
Can Share Record
Users or teams added to the shared folder can share the individual records in a different shared folder or with another individual.
Changing the default folder settings only applies to new users and records added moving forward. Therefore we recommend always setting default folder permissions when creating a new shared folder.
KeeperFill
With the KeeperFill browser extension, you can autofill your passwords and save new login credentials to your vault. KeeperFill is available for every web browser (Chrome, Firefox, Safari, IE, Edge, and Opera).
When you click on the Website Address field of a Keeper record, you'll be prompted to install the KeeperFill browser extension. The KeeperFill Extension allows you to login to websites and create new passwords automatically.
When you attempt to log into a site, Keeper will appear (if logged into the browser extension).  Visit the browser toolbar to configure your settings and preferences for the KeeperFill features.
The "Website Address" in your Keeper record must match the website domain in order to autofill it.
Download & Setup
All downloads are available at the link below:
​https://keepersecurity.com/download​
To make the most of Keeper's Browser Extension, we recommend that you disable your browser's built-in password saving features. Keeper provides a much more secure and seamless solution to save and autofill your passwords across all browsers, devices and computers.
For browser-specific setup and usage instructions, click here.
Autofill with KeeperFill
Once downloaded, the KeeperFill browser extension will appear in the upper-right corner of your browser window (for Safari, it will appear left of center).
You will be automatically logged into the KeeperFill Browser Extension upon signing into the Keeper Web Vault or you can log in by clicking the Keeper icon located in your browser toolbar and entering your email address and Master Password.
If this is your first time logging into a site while logged into KeeperFill, you will be asked if you would like to auto-fill your login, to do so, click Yes
Alternatively, clicking on the Keeper lock in a login field allows you to view and edit the record match (or create a new one). Click the fill button to fill your login credentials or click Show More to view/fill individual fields.
KeeperFill's easily accessible search bar, allows you to search within your vault to quickly locate and fill the desired login credentials, payment cards and personal info such as addresses.
​
Watch the video below to learn how to autofill with KeeperFill. 
Autofill with KeeperFill
Create New Records
Keeper recognizes when you are at a site's login form and will prompt you to create a record if one has not yet been created.
Click + Create New Record
Review and edit the details of the Keeper generated record and click the check mark to fill and save the record to your Keeper vault.
Keyboard Shortcuts 
If you prefer to use keyboard shortcuts instead of mouse clicks to autofill your passwords, follow the steps below:
1.
Navigate to the site you would like to log into.
2.
Type command+shift+k (for Mac OS) or alt+k (for Windows).
3.
In the field provided, begin typing your search terms.
4.
Use the up and down arrows on your keyboard to find and highlight the record you are searching for.
5.
Use the enter key to quickly fill and log in to the site.
Changing Passwords
KeeperFill makes it easy to change your passwords. When visiting a site's "Change Password" form, you will receive a prompt from Keeper asking if you would like help changing your password. By clicking Yes Keeper will walk you through a few quick steps to change your password and simultaneously update the record in your vault. These steps will include a series of prompts detailing the following actions:
Autofill your old/current password
Automatically generate and autofill a new secure password
Confirm the changes and save them to your vault
KeeperFill's Prompt to Change a PasswordKeeperFill's Prompt to Change a Password
Watch the video below to learn more how to change your passwords with Keeper.
Changing Your Passwords
KeeperFill Login
Users are also able to login to their vaults and select a device approval method (if applicable) directly from the KeeperFill Browser Extension window. The same paths exist to authenticate to the browser extension, email address or Enterprise Domain (as described in the "Login Flows" section above). 
Key Features
Password Generator
Long, random passwords that are created for each login help protect your information and reduce your exposure to data breaches. Keeper generates and securely stores strong, random passwords for all of your sites and apps with the click of the dice.
This will NOT automatically change the website's existing login password. You must still visit the corresponding website's "Change Password" form to update the old password to match the new, stronger password. Click here to learn how to easily change your password with KeeperFill.
Custom Fields
Custom Fields allow you to store additional important data, like the answer to a site's security question or account number. Custom fields are created in pairs: a "Custom Field Name" and a "Custom Field Value".
Auto-Launch
Auto-launch allows you securely and quickly navigate to your favorite websites. Simply click a record's Website URL or launch icon to simultaneously launch and login with Keeper in a new window.
2FA for Websites & Apps
The video below highlights the process of adding a Two-Factor code to a Keeper record.
(1) At your target website, visit the two-factor authentication screen which is usually located within security settings. It is sometimes referred to as "login verification" or "two-step verification". Screengrab the QR pattern or copy the secret code to clipboard.
(2) Within a Keeper record, select Edit > Add Two-Factor Code
(3) Upload the screenshot of the Two-Factor QR pattern (with security key) associated with the site or application. If there isn't a QR pattern, use the manual entry method. Enter the code given under “Secret Key”, often a 32-digit code and fill out the rest of the fields.
(4) After adding the security key to the vault record a Two-Factor Code field will be generated inside the record. Click Save to finish.
(5) The two-factor code will be regenerated frequently and can then be filled into the site or app that will prompt for it after logging in with a username and password.
Security
Security Audit
Security Audit gives your passwords an overall security score and lets you clearly see what passwords are weak from a password strength visual (red being the weakest, green being the strongest).
You can edit a record's password by clicking on the record from the provided list (you will still need to update the password at the record's website to match the new password in your Vault).
BreachWatch
BreachWatch is a powerful secure add-on feature that monitors the internet and dark web for breached accounts matching records stored within your Keeper vault. BreachWatch alerts you so that you can take immediate action to protect yourself against hackers. Once activated, BreachWatch continuously monitors for compromised credentials and notifies you if any of your records are at risk. 
To start your BreachWatch scan, from the left navigation menu, click BreachWatch > Let's Begin 
BreachWatch will then scan your records and report any risks associated with them. Clicking each record listed will allow you view the steps needed to resolve each risk. 
Resolving the risk requires you to change the password at the affected website. Once you have done that, be sure to update the corresponding record in your Keeper Vault with the same password. 
If you click Ignore, then that record will be skipped on future scans until the password is reset. You may also do nothing (deferring a response) and leave the risky password unchanged and thus still at risk.
To learn more about BreachWatch, click here.
Two-Factor Authentication Setup
Two-Factor Authentication (2FA) provides an extra layer of security when logging into your Keeper Vault by requiring a secondary passcode upon logging in.   
To enable 2FA for your Keeper vault, from the Account Dropdown Menu, click Settings > Security , toggle "Two-Factor Authentication" on and select your 2FA method.
Text Message Setup:
(1) The Text Message toggle is on by default. Select a Region from the dropdown (US+1 by default), enter your 10 digit phone number including your area code and click Next
(2) To verify that you trust this number and device, enter the Keeper Web code that was sent to the phone number you provided. Select your 2FA code duration from the dropdown menu and click Next
You will be prompted for 2FA every time you login to your Vault unless you select an alternative code duration. Business customers may be required to enter the code every login as determined by their Keeper Administrator.
Codes will only last for a minute; if you need another code sent, click Send a new code
(3) Backup codes will be shown next. If you are unable to receive Two-Factor codes via the phone number you entered, you can enter one of the codes listed instead. Click I have written these codes downto finish.
If you are NOT receiving SMS messages from Keeper, please use the TOTP method or contact [email protected] to troubleshoot the issue.
Google and Microsoft Authenticator (TOTP) Setup:
(1) Toggle "Google and Microsoft Authenticator (TOTP)" on and click Next
(2) Using the device that runs the Google or Microsoft Authenticator App, scan the QR code provided. The app will then acknowledge the QR code and produce a verification code. 
(3) Enter that verification code and click Next
You will be prompted for 2FA every time you login to your Vault unless you select an alternative  code duration. Business customers may be required to enter the code every login as determined by their Keeper Administrator.
(4) Backup codes will be shown next. If you are unable to receive Two-Factor codes via the phone number you entered, you can enter one of the codes listed instead. Click I have written these codes down to finish.
In order for Azure MFA (using the Microsoft Authenticator app.) to be utilized as a TOTP,  the Azure administrator needs to allow the verification method "Verification code from mobile app or hardware token" when setting up MFA in Azure.  Learn more.
KeeperDNA Setup:
Keeper DNA is a Two-Factor Authentication method that uses your smart watch as your second factor.
To use this feature, toggle the switch next to Keeper DNA, then follow these links to set up KeeperDNA on your preferred platform:
​Keeper DNA for iOS and Apple Watch​
​Keeper DNA for Android and Wear Devices​
Settings
Users can change specific features like language, theme and Two-Factor Authentication in the Settings menu. You can access the Settings menu from the Account Dropdown Menu.
Account Dropdown Menu > Settings > General
Account Dropdown Menu > Settings > Security
General
Choose a New Color Theme
Set Clipboard Expiration
Choose another language: English US & UK, Spanish, Japanese, Romanian, Chinese Simplified & Traditional, French, Korean, Russian, Arabic, Greek, Dutch, Slovak, Brazilian Portuguese, Hebrew, Polish, German, Italian, and Portuguese
Reset Master Password
Reset Security Question
Change Email Address
Locate and Delete Duplicate Records
Delete All Owned Records
Security
Enable Auto-Logout
Enable Stay Logged In (Desktop App)
Enable Self-Destruct
Setup Two-Factor Authentication​
Setup Security Keys​
​Windows Hello Login (PC Only)​
Adjust PBKDF2 Iterations
KeeperFill
​KeeperFill for Apps​
​KeeperFill Browser Extension​
Importing Data from Other Sources
Keeper provides several methods of importing data into the vault.  Each method is fully documented with screenshots and example data.

(1) Import from Chrome, Firefox, IE, Edge, Safari and Opera using the Web Vault
https://docs.keeper.io/user-guides/import-records-1/import-from-chrome-firefox-ie-edge-and-opera​

(2) Import from Chrome, Firefox, IE, Edge, Safari and Opera using the Desktop App
From the Desktop App, simply click on Settings > Import > click "Import" to begin the import process.

(3) Import from .CSV file
https://docs.keeper.io/user-guides/import-records-1/import-a-.csv-file

(4) Import from a structured .JSON file
https://docs.keeper.io/user-guides/import-records-1/import-json

(5) Import from LastPass (Fully Automated)
https://docs.keeper.io/user-guides/import-records-1/import-from-lastpass

(6) Import from 1Password
https://docs.keeper.io/user-guides/import-records-1/import-from-1password

(7) Import from Dashlane
https://docs.keeper.io/user-guides/import-records-1/import-from-dashlane


(8) Import from Encrypted KeePass (.kdbx) Files
https://docs.keeper.io/user-guides/import-records-1/import-from-keepass-kdbx​
 
(9) Import using the Commander CLI
https://github.com/Keeper-Security/commander#importing-records-into-keeper

(10) Custom import coding using the Keeper Commander SDK
https://github.com/Keeper-Security/commander​
Other Helpful Videos
iOS (iPhone, iPad)
Keeper iOS Overview
Android (Phones and Tablets)
Keeper Android Overview
KeeperFill Browser Extension (Chrome, Safari, Firefox, Edge & Internet Explorer)
KeeperFill for Chrome Overview
More videos are available at: https://keepersecurity.com/support​