# SaaS Configuration

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FVigI4XWYFOUI8Jxor8Uc%2Fimage%20(2).png?alt=media&#x26;token=c939fde1-399b-4857-85e7-b9e3a8173912" alt=""><figcaption></figcaption></figure>

## Overview

**SaaS Configuration** enables users to automate password rotations for cloud-based services. By rotating passwords and secrets on a defined schedule (or on-demand), you can strengthen security, reduce risk from credential exposure, and support compliance requirements.

With SaaS Configurations, you can:

* Automatically rotate passwords/secrets for built-in services
* Build your own SaaS rotation plugins
* Use one of the community plugins (catalog)
* Define rotation frequency and criteria
* Trigger rotation manually when needed

## Supported Services

This system supports password rotation for various SaaS platforms, including:

* AWS Access Key (Built-in)
* AWS Cognito (Catalog)
* Azure Client Secret (Built-in)
* Cisco APIC (Catalog)
* Cisco IOS XE (Built-in)
* Cisco Meraki (Built-in)
* Dummy (Catalog)
* Elasticsearch API Key (Catalog)
* Elasticsearch Service Account Token (Catalog)
* Elasticsearch User (Catalog)
* JFrog Access Token (Catalog)
* JFrog User Password Rotation (Catalog)
* Okta (Built-in)
* OpenSearch User (Catalog)
* Oracle Identity Domain User (Catalog)
* REST (Built-in)
* ServiceNow User (Catalog)
* Snowflake (Built-in)
* Splunk Token Rotation (Catalog)
* Splunk User Password Rotation (Catalog)

Each service has specific setup requirements (such as API permissions, tokens, or secret formats). Ensure your service account is configured correctly before enabling rotation.

## Requirements

To use SaaS Configuration Password Rotation, the following requirements must be met:

#### Gateway Requirements

* **PAM Gateway version 1.6 or newer**
* The **Gateway must be online** to select it during setup
* Vault version 17.6 (Go-live: Feb 2026)

#### Folder Requirements

* The **SaaS Configuration record must be stored in the Shared Folder(s)** assigned to the selected Gateway (This ensures the Gateway can access and rotate the credential.)

## How It Works

SaaS Configuration uses your selected **PAM Gateway** to securely connect to the target service and update the password/secret. When rotation completes, Keeper updates the stored credential to keep your Vault up to date.

Rotation can be triggered by:

* **Time-based rotation** (scheduled)
* **Manual rotation** (run on demand)

## Create & Configure SaaS Configuration

This guide walks you through creating a SaaS Configuration record and applying it to a **PAM User** for automated password rotation.

#### Step 1: Create a SaaS Configuration Record

From the Keeper Vault, click **Create New** and Select **SaaS Configuration**.

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FeLWEEFsREbPTKSWtmIWY%2FScreenshot%202026-03-25%20at%205.57.03%E2%80%AFPM.png?alt=media&#x26;token=d1498f06-88ed-4917-a6f7-a3659952f0f9" alt=""><figcaption></figcaption></figure>

* **Choose where to save the Record -** The SaaS rotation record must be saved in a Shared Folder associated with the selected PAM Configuration.
* **Select a PAM Configuration -** The Gateways associated with that PAM Configuration must be **online** before the user can select a plugin for setup.
* **Select a Plugin -** The available plugins shown are based on the Gateway you selected. If you don’t see the plugin you need, you may need to *create or enable the plugin first*.

Click **Next**.

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2Fd2JVIVsRD0ctx4j8mpZ8%2FScreenshot%202026-03-25%20at%206.10.35%E2%80%AFPM.png?alt=media&#x26;token=c7bd03aa-a2eb-4297-abe5-99c71c38dc9e" alt=""><figcaption></figcaption></figure>

This will open the record in edit mode, allowing you to add the required information to perform the associated actions. Once the record has been updated, click **Save**.

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FeueZioDE1Q4YO0KYcRVA%2FScreenshot%202026-03-25%20at%206.15.39%E2%80%AFPM.png?alt=media&#x26;token=933c7bf7-df65-4605-bb2e-6f8cef765c94" alt=""><figcaption></figcaption></figure>

#### Step 2: Assign the SaaS Configuration to a PAM User

Open the target **PAM User** **record** and select the **Edit icon**.

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FG20YubXLelhnatg9Pj5b%2FScreenshot%202026-03-26%20at%209.02.17%E2%80%AFAM.png?alt=media&#x26;token=cdb103e6-0c72-4083-b8d0-6c036a6602f1" alt=""><figcaption></figcaption></figure>

Navigate to "Rotation Profile" and select the **SaaS Account** where you will then select your **SaaS Configuration**.&#x20;

Within the "Rotation Settings", you can schedule password rotations. Once assigned, Keeper will use that SaaS Configuration whenever the user’s password rotation is executed. Click **Save** to complete the configuration.

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FOHVXxZjfFSDDIQ3t54jV%2FScreenshot%202026-03-26%20at%209.01.07%E2%80%AFAM.png?alt=media&#x26;token=6374b1d8-459f-4298-9380-51f7acb39bf6" alt=""><figcaption></figcaption></figure>

***

#### **Configuration Using Keeper Commander**

If you prefer using a command-line interface, refer to the [**Keeper Commander – SaaS Rotations**](https://docs.keeper.io/en/keeperpam/privileged-access-manager/password-rotation/rotation-use-cases/saas-plugins) documentation.