SaaS Plugins

SaaS and REST-based rotation plugins

KeeperPAM SaaS Rotation Plugins

Overview

KeeperPAM supports automated password rotation for various SaaS applications and services, including cloud infrastructure. This feature requires Keeper Gateway version 1.6 or newer. Currently, the configuration of SaaS rotations requires the use of Keeper Commander CLI. The front-end for managing these rotations will be included in an upcoming release of the Web Vault and Desktop App.

SaaS rotations are available as built-in integrations, catalog integrations or custom integrations.

Built-in SaaS Integrations

KeeperPAM includes pre-built integrations for popular services:

  • Okta - Identity and access management

  • Snowflake - Cloud data platform

  • REST APIs - Generic REST endpoint integration

  • AWS Access Keys - Amazon Web Services credential rotation

  • Azure Client Secrets - Microsoft Azure application secrets

  • Cisco IOS XE - Network device management

  • Cisco Meraki - Cloud-managed networking

Catalog SaaS Integrations

In Keeper's SaaS GitHub Repository, several new rotation plugins have been created, including:

  • AWS Cognito

  • Cisco APIC

  • and more

As new catalog rotations are added, customers may use these rotations within their environments.

Custom Integrations

Following the examples in Keeper's SaaS GitHub Repository, customers can create their own plugins that are private and only available to their Keeper Gateway. See the Using Custom Plugins section for more information.


Setting Up SaaS Password Rotation

This is accomplished in 3 steps outlined below:

Step 1: Create a SaaS Configuration Record

Step 2: Associate SaaS Rotation with PAM Users

Step 3: Verify Configuration

Step 1: Create a SaaS Configuration Record

SaaS rotation configurations are stored as records with custom fields that define the configuration parameters.

Using Keeper Commander CLI

The fastest way to create a SaaS configuration is using the Commander CLI pam action saas config command:

# Login to your vault
keeper shell

# List available SaaS types for your gateway
pam action saas config --gateway "My Gateway" --list

# Create a new SaaS configuration (example for Okta)
pam action saas config --gateway "My Gateway" --plugin "Okta" --shared-folder-uid FOLDER_UID --create

The command will prompt you for the required configuration values specific to your chosen SaaS type. Each of the configuration values is documented in the section below, for built-in and catalog plugins.

You can also just create a Login record with custom fields as defined below.


Okta Configuration Record

Custom Field Name | Description | Required?
SaaS Type | Okta | Yes
Active | Activate/Deactivate a SaaS rotation. The default is active. | No
Okta URL | The URL of the customer login portal, where users log in. | Yes
Okta Token | The API token created on the Security > API > Tokens admin page. | Yes


Snowflake Configuration Record

Custom Field Name | Description | Required?
SaaS Type | Snowflake | Yes
Active | Activate/Deactivate a SaaS rotation. The default is active. | No
Snowflake Admin User | An admin username. | Yes
Snowflake Admin Password | The password for the admin username. | Yes
Snowflake Account | The account identifier. It is the subdomain of the Snowflake URL. | Yes


REST Configuration Record

Custom Field Name | Description | Required?
SaaS Type | REST | Yes
Active | Activate/Deactivate a SaaS rotation. The default is active. | No
REST Url | URL to the web service. | Yes
REST Token | A static Bearer token sent in the Authorization header. It cannot be generated dynamically. | Yes
REST Method | The HTTP method to use. The default is POST. Valid values are: POST, PUT. | No
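The REST integration only promises a static Bearer token and a POST or PUT call, so the receiving web service is responsible for checking both. The following is an added example of that receiving-side check, not code from Keeper or the gateway; the token value is constructed, and because this page does not document the request body the gateway sends, the body is only required to be a JSON object.

```python
import hmac
import json

# Constructed values standing in for what sits on the REST Configuration Record.
REST_TOKEN = "constructed-static-bearer-token"
ALLOWED_METHODS = ("POST", "PUT")   # the two values the REST Method field accepts


def check_rotation_request(method, headers, body):
    """Validate an incoming rotation call before acting on it.

    Returns (http_status, reason). Rejects anything that is not POST/PUT,
    anything without the expected static Bearer token, and non-JSON bodies.
    """
    if method.upper() not in ALLOWED_METHODS:
        return 405, "method not allowed"
    auth = headers.get("Authorization", "")
    scheme, _, presented = auth.partition(" ")
    if scheme != "Bearer" or not presented:
        return 401, "missing bearer token"
    # The token is static, so compare it in constant time rather than with ==.
    if not hmac.compare_digest(presented.encode(), REST_TOKEN.encode()):
        return 401, "invalid bearer token"
    try:
        payload = json.loads(body)
    except (ValueError, TypeError):
        return 400, "body is not valid JSON"
    if not isinstance(payload, dict):
        return 400, "body must be a JSON object"
    # Field names inside the payload are not documented here; handle them in
    # the service's own rotation logic after this check passes.
    return 200, "ok"
```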


AWS Access Key Configuration Record

Custom Field Name | Description | Required?
SaaS Type | AWS Access Key | Yes
Active | Activate/Deactivate a SaaS rotation. The default is active. | No
AWS Access Key ID for the Administrative role | Admin Access Key ID | No
AWS Secret Access Key for the Administrative role | Admin Secret Access Key | No
Region Name | Region name. Can be left blank except for GovCloud, where a value is required. | No
AWS Clean Keys | Remove old Access Keys after rotation. If not set, defaults to 'All'. See the values below. | No

Values for AWS Clean Keys:

  • All - Removes all the access keys.

  • Oldest - Removes the oldest access key if both Access Key slots are filled.

  • Replace - Replaces the Access Key used in the Vault record. If there are two Access Keys, the other will not be removed.

Note: The admin access key does NOT need to be set if you are using an EC2 instance with an attached IAM role, or an AWS PAM Configuration. The plugin will get its credentials from the following sources, in the specified order:

  1. SaaS Configuration Record - Ensure that the Access Key and Secret Key

  2. AWS PAM Configuration - See the AWS Environment Setup for details

Assigning Permissions

Ensure that the roles assigned to your AWS PAM Configuration or to the specific administrative access key / secret key include the below policies required to rotate a target access key:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:CreateAccessKey",
        "iam:ListAccessKeys",
        "iam:DeleteAccessKey"
      ],
      "Resource": "arn:aws:iam::YOUR_AWS_ACCOUNT_ID_HERE:user/*"
    }
  ]
}
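The three AWS Clean Keys values differ in which old keys survive a rotation, and the choice interacts with the two-key limit IAM imposes per user. The following is an added example that simulates those semantics against an in-memory stand-in for the three IAM actions in the policy above; it is not the plugin's own code, and the key IDs and the FakeIam class are constructed for the example.

```python
# Constructed in-memory stand-in for the IAM access-key API so the example runs
# offline. IAM allows at most two access keys per user, and the fake enforces
# that limit the way iam:CreateAccessKey does. Key IDs are made up.
MAX_KEYS_PER_USER = 2


class FakeIam:
    def __init__(self):
        self._keys = {}      # user -> list of (key_id, creation_order)
        self._order = 0

    def list_access_keys(self, user):            # iam:ListAccessKeys
        return sorted(self._keys.get(user, []), key=lambda k: k[1])

    def create_access_key(self, user):           # iam:CreateAccessKey
        if len(self._keys.get(user, [])) >= MAX_KEYS_PER_USER:
            raise RuntimeError("LimitExceeded: user already has two access keys")
        self._order += 1
        key_id = f"AKIAEXAMPLE{self._order:04d}"
        self._keys.setdefault(user, []).append((key_id, self._order))
        return key_id

    def delete_access_key(self, user, key_id):   # iam:DeleteAccessKey
        self._keys[user] = [k for k in self._keys.get(user, []) if k[0] != key_id]


def rotate_access_key(iam, user, vault_key_id, clean_keys="All"):
    """Apply the 'AWS Clean Keys' setting, then issue a new key; returns its ID.

    vault_key_id is the access key currently stored in the Vault record.
    Old keys are removed before the new one is created because a user whose
    two slots are both filled cannot receive a third key.
    """
    mode = (clean_keys or "All").strip().lower()   # blank field means 'All'
    if mode not in ("all", "oldest", "replace"):
        raise ValueError(f"unknown AWS Clean Keys value: {clean_keys!r}")
    keys = iam.list_access_keys(user)               # oldest first

    if mode == "all":
        for key_id, _ in keys:                      # nothing old survives
            iam.delete_access_key(user, key_id)
    elif mode == "oldest":
        if len(keys) >= MAX_KEYS_PER_USER:          # only free a slot when full
            iam.delete_access_key(user, keys[0][0])
    else:                                           # replace
        if any(k[0] == vault_key_id for k in keys):
            iam.delete_access_key(user, vault_key_id)   # any second key is kept
        elif len(keys) >= MAX_KEYS_PER_USER:
            raise RuntimeError("both slots are full and neither is the Vault key")
    return iam.create_access_key(user)
```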

Azure Client Secret Configuration Record

Custom Field Name | Description | Required?
SaaS Type | Azure Client Secret | Yes
Active | Activate/Deactivate a SaaS rotation. The default is active. | No
Azure Target Object ID | The target Azure Entra ID application. This is the object ID of the application whose secret is being rotated. | Yes
Expiry Days | The number of days before the secret expires. Default is 365 days. | No
Azure Tenant ID | The Directory (tenant) ID of the Azure Entra ID. This is used for both the admin and target application. | No
Azure Admin Application ID | The Application (client) ID of the administrative app which performs the rotation (NOT the target). | No
Azure Admin Client Secret | The secret value for the administrative application. | No
Azure Authority | Special URL for MSAL to request tokens. | No
Azure Graph Endpoint | Special URL for the Azure Graph scope. | No
Azure Clean Keys | Remove old client secrets upon every rotation. See the values below. | No

Values for Azure Clean Keys:

  • All - Removes all the secrets.

  • Replace - Replaces the secret used in the Vault record.

Note: The administrative application ID and client secret do not need to be set if you are using a PAM Configuration that already has the necessary Azure permissions.

The plugin will get its credentials from the following sources, in the specified order:

  1. SaaS Configuration Record

  2. Azure PAM Configuration

Assigning Permissions to Admin Application

In order for the target secret to be rotated, the administrative application must have the necessary Azure role permissions.

Required Microsoft Graph Permissions:

  • Application.ReadWrite.All

How to Assign:

  • Go to Azure Portal > Azure Active Directory > App registrations

  • Select your Administrative app (the one that will rotate secrets)

  • Go to API permissions > Add a permission

    • Choose Microsoft Graph

    • Select Application permissions

    • Search and select:

      • Application.ReadWrite.All

    • Click Add permissions

  • Then click Grant admin consent for the tenant


Cisco IOS XE Configuration Record

Custom Field Name | Description | Required?
SaaS Type | Cisco IOS XE | Yes
Active | Activate/Deactivate a SaaS rotation. The default is active. | No
Admin Username | The administrator's username. | Yes
Admin Password | The administrator's password. | Yes
Hostname | Hostname or IP address of the device's web service. | Yes
Verify SSL | Verify the server's SSL certificate. Default is FALSE. | No


Cisco Meraki Configuration Record

Custom Field Name | Description | Required?
SaaS Type | Cisco Meraki | Yes
Active | Activate/Deactivate a SaaS rotation. The default is active. | No
Admin Email | The administrator's email address. | Yes
API Key | The API Key generated in the admin's profile, in the API access section. | Yes
Network ID | The Network ID. If blank, an attempt will be made to find it: if the customer has only one organization, and only one network in that organization, that Network ID is used. | No
Verify SSL | Verify the server's SSL certificate. Default is FALSE. | No

API: Cisco Meraki OpenAPI Document


Step 2: Associate SaaS Rotation with PAM Users

Once your SaaS configuration record is created, associate that record with one or more PAM User records in the vault.

  • Create the PAM User record either in the vault, or using the Commander CLI

  • Using Commander, run the below commands to create the association:

# Add SaaS rotation to a user
pam action saas add --user-uid USER_RECORD_UID --config-record-uid SAAS_CONFIG_UID

# Optionally attach to a specific resource
pam action saas add --user-uid USER_RECORD_UID --config-record-uid SAAS_CONFIG_UID --resource-uid RESOURCE_UID

Step 3: Verify Configuration

Check that your SaaS rotation is properly configured on the PAM User record:

# View all SaaS rotations for the PAM User
pam action saas user -u USER_RECORD_UID

This will display all configured SaaS rotations for the specified PAM User, including their current settings.


Performing SaaS Rotation

To perform the rotation from the Commander CLI, use the pam action rotate command:

pam action rotate -r USER_RECORD_UID

Managing SaaS Rotations

Remove SaaS Rotation

To remove a SaaS rotation from a PAM User record:

pam action saas remove --user-uid USER_RECORD_UID --config-record-uid SAAS_CONFIG_UID

Activate/Deactivate Rotations

You can control whether a SaaS rotation is active by setting the Active custom field:

  • Set to any value (e.g., "true", "yes", "1") to activate

  • Remove the field or set to empty/false to deactivate


Custom and Community Plugins

Available Custom Plugins

In addition to built-in integrations, you can use custom plugins for additional services. Keeper maintains a repository of community-contributed plugins:

GitHub Repository: discovery-and-rotation-saas-dev

Check the integrations/ folder for available plugins, which may include:

  • Additional cloud services

  • Database systems

  • Network equipment

  • Custom enterprise applications

Using Custom Plugins

To use custom plugins in your environment:

1. Set Up Plugin Directory

Configure your PAM Gateway to recognize custom plugins:

# Set the plugin directory path on your PAM Configuration record
record-update -r PAM_CONFIG_RECORD_UID "text.SaaS Plugins Dir=/path/to/plugins"

2. Deploy Plugin Files

Copy the plugin Python files to your configured directory:

# Create plugin directory
mkdir /opt/keeper/saas_plugins

# Copy plugin files from the repository
cp custom_plugin.py /opt/keeper/saas_plugins/

3. Docker Container Setup

If using Docker, mount the plugin directory:

# docker-compose.yml
services:
  keeper-gateway:
    image: keeper/gateway:preview
    volumes:
      - ./saas_plugins:/opt/keeper/saas_plugins
    environment:
      GATEWAY_CONFIG: YOUR_GATEWAY_CONFIG_UID

Update the PAM configuration to use the container path:

record-update -r PAM_CONFIG_RECORD_UID "text.SaaS Plugins Dir=/opt/keeper/saas_plugins"

4. Configure Plugin Access (If Required)

Some plugins may need access to your PAM configuration credentials (e.g., for AWS or Azure integration). Grant access by adding the plugin name to the allow list:

record-update -r PAM_CONFIG_RECORD_UID "multiline.Allow SaaS Access=Custom Plugin Name\nAnother Plugin"

Developing Custom Plugins

If you need a plugin for a service not currently available, you can develop your own using the development environment provided in the repository. The repository includes:

  • Development and testing tools

  • Example plugins and templates

  • API documentation

  • Testing framework

Visit the repository README for detailed development instructions. To contribute to the community rotation plugin directory, submit a pull request.

Best Practices

Security Considerations

  • Use dedicated service accounts with minimal required permissions for SaaS integrations

  • Regularly rotate API keys and tokens used in SaaS configurations

  • Test rotations in a development environment before production deployment

  • Monitor rotation logs for failures or authentication issues

Configuration Management

  • Store SaaS configurations in dedicated shared folders for better organization

  • Use descriptive names for configuration records (e.g., "Okta Production", "Snowflake Dev")

  • Document any custom field requirements for team members

  • Regularly review and update SaaS rotation assignments

Troubleshooting

  • Check Gateway logs for detailed error messages during rotations

  • Verify API credentials and permissions in your SaaS applications

  • Ensure network connectivity between Gateway and target services

  • Test individual SaaS configurations before associating with multiple users

Support and Resources

  • Built-in SaaS Types: Supported through standard Keeper support channels

  • Custom Plugins: Community support via GitHub repository issues

  • Development Questions: Refer to repository documentation and examples

  • Enterprise Support: Contact your Keeper representative for assistance with custom integrations

For the most up-to-date list of available plugins and integration examples, regularly check the GitHub repository.
