SaaS Configuration

Overview

SaaS Configuration enables users to automate password rotations for cloud-based services. By rotating passwords and secrets on a defined schedule (or on-demand), you can strengthen security, reduce risk from credential exposure, and support compliance requirements.

With SaaS Configurations, you can:

• Automatically rotate passwords/secrets for built-in services

• Build your own SaaS rotation plugins

• Use one of the community plugins (catalog)

• Define rotation frequency and criteria

• Trigger rotation manually when needed

Supported Services

This system supports password rotation for various SaaS platforms, including:

• AWS Access Key (Built-in)

• AWS Cognito (Catalog)

• Azure Client Secret (Built-in)

• Cisco APIC (Catalog)

• Cisco IOS XE (Built-in)

• Cisco Meraki (Built-in)

• Dummy (Catalog)

• Elasticsearch API Key (Catalog)

• Elasticsearch Service Account Token (Catalog)

• Elasticsearch User (Catalog)

• JFrog Access Token (Catalog)

• JFrog User Password Rotation (Catalog)

• Okta (Built-in)

• OpenSearch User (Catalog)

• Oracle Identity Domain User (Catalog)

• REST (Built-in)

• ServiceNow User (Catalog)

• Snowflake (Built-in)

• Splunk Token Rotation (Catalog)

• Splunk User Password Rotation (Catalog)

Each service has specific setup requirements (such as API permissions, tokens, or secret formats). Ensure your service account is configured correctly before enabling rotation.

Requirements

To use SaaS Configuration Password Rotation, the following requirements must be met:

Gateway Requirements

• PAM Gateway version 1.6 or newer

• The Gateway must be online to select it during setup

• Vault version 17.6 (Go-live: Feb 2026)

Folder Requirements

• The SaaS Configuration record must be stored in the Shared Folder(s) assigned to the selected Gateway (This ensures the Gateway can access and rotate the credential.)

How It Works

SaaS Configuration uses your selected PAM Gateway to securely connect to the target service and update the password/secret. When rotation completes, Keeper updates the stored credential to keep your Vault up to date.

Rotation can be triggered by:

• Time-based rotation (scheduled)

• Manual rotation (run on demand)

Create & Configure SaaS Configuration

This guide walks you through creating a SaaS Configuration record and applying it to a PAM User for automated password rotation.

Step 1: Create a SaaS Configuration Record

1. In Keeper, click Create New

2. Select SaaS Configuration

3. Select an active Gateway

   1. Only online Gateways are available to select.

4. Select a Plugin

   1. The available plugins shown are based on the Gateway you selected.

   2. If you don’t see the plugin you need, you may need to create or enable the plugin first.

5. Choose where to save the record

   1. You must save the SaaS Configuration record in a Shared Folder associated with the selected Gateway.

6. Click Save

Step 2: Assign the SaaS Configuration to a PAM User

1. Open the target PAM User record → Edit

2. Navigate to Rotation Settings

3. Under Rotation Settings, select the SaaS Configuration record you created in Step 1

4. Within the Rotation Settings, you can schedule password rotations.

5. Click Save

Once assigned, Keeper will use that SaaS Configuration whenever the user’s password rotation is executed.

These actions can be managed through Keeper Commander.

If you prefer using a command-line interface, refer to the Keeper Commander – SaaS Rotations documentation.