Feature: Break Glass Account

Ensure access to Keeper when primary authentication is unavailable

A break glass account provides a secure, non-SSO fallback that ensures your users can always access Keeper, even if your identity provider, SSO flow or other authentication systems are unavailable.

What is a break glass account?

A break glass account is a dedicated Keeper administrator account that is intentionally not tied to SSO, IdP integrations, directory sync or other external dependencies. This account is protected with a strong master password and MFA, allowing designated administrators to sign in directly to Keeper during emergency situations such as:

  • Identity provider outages
  • SSO misconfigurations
  • Network or VPN failures
  • Infrastructure or directory synchronization disruptions

How a break glass account works

1. Create a dedicated admin account

An administrator manually creates a separate Keeper account that is not enrolled in SSO and uses a strong master password with MFA enabled.

2. Use only in emergencies

If SSO or infrastructure issues prevent standard admin login, authorized staff authenticate directly with the master password and MFA.

3. Access vault data and critical systems

The break glass admin can access designated vault records, restore or modify SSO configurations, launch sessions via Keeper Connection Manager (if permitted) and perform administrative recovery or emergency operations.

4. Full auditing and visibility

All actions taken are logged, including vault actions, role or policy changes, secrets access and session launches.

Why use a Keeper break glass account?

Guaranteed access when SSO or IdP is down

Administrators can authenticate directly with a master password and MFA, without relying on identity providers or directory sync.

No credential exposure

With Keeper Secrets Manager and Keeper Connection Manager, credentials can be injected at launch so passwords are never revealed.

Full auditability

All use of the break glass account is logged and can include session recordings and RBAC-controlled permissions.

Deployable in any environment

Keeper Connection Manager supports on-prem deployments to maintain access continuity.

Frequently asked questions

Who should have access to the break glass account?

Only a small number of trusted administrators should have access. Enforce MFA and a strong master password through role-based enforcement policies.

What if our identity provider or SSO is down?

Admins can sign in using the break glass account's master password and MFA, bypassing SSO.

Can we limit what the break glass admin can access?

Yes. Role-based access controls (RBAC) define exactly what systems or records this account can access.

Does a break glass account require special licensing?

No, a break glass account is simply an admin user you create. Advanced capabilities (session launch, credential injection, session recording) require Keeper Connection Manager and Keeper Secrets Manager.
