# SaaS Plugins

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FVigI4XWYFOUI8Jxor8Uc%2Fimage%20(2).png?alt=media&#x26;token=c939fde1-399b-4857-85e7-b9e3a8173912" alt=""><figcaption></figcaption></figure>

## KeeperPAM SaaS Rotation Plugins

### Overview

KeeperPAM supports automated password rotation for SaaS applications and cloud infrastructure. SaaS rotations are available as **built-in integrations**, **catalog integrations** or **custom integrations**.

### Built-in SaaS Integrations

KeeperPAM includes pre-built integrations for the following services:

* **Okta** — Identity and access management
* **Snowflake** — Cloud data platform
* **AWS Access Keys** — Amazon Web Services credential rotation
* **Azure Client Secrets** — Microsoft Azure application secrets
* **Check Point Gaia OS** — Network security appliance management
* **Cisco IOS XE** — Network device management
* **Cisco Meraki** — Cloud-managed networking
* **REST APIs** — Generic REST endpoint integration

### Catalog SaaS Integrations

Additional rotation plugins are available in Keeper's [SaaS Github Repository](https://github.com/Keeper-Security/discovery-and-rotation-saas-dev):

* **AWS Cognito** — User pool credential rotation
* **Cisco APIC** — Application policy infrastructure controller
* **Elastic API Key** — Elasticsearch API key rotation
* **Elasticsearch Service Account Token** — Service account token rotation
* **Elasticsearch User** — Elasticsearch user password rotation
* **JFrog Access Token** — JFrog platform token rotation
* **JFrog User Password** — JFrog user credential rotation
* **OpenSearch User** — OpenSearch user password rotation
* **Oracle Identity Domain User** — Oracle Cloud identity credential rotation
* **ServiceNow User** — ServiceNow user password rotation
* **Splunk Token** — Splunk authentication token rotation
* **Splunk User Password** — Splunk user credential rotation
* **and** [**More**](https://github.com/Keeper-Security/discovery-and-rotation-saas-dev/tree/main/integrations)

As new catalog integrations are added, customers can use them within their environments.

### Custom Integrations

Customers can create their own rotation plugins following the examples in Keeper's [SaaS Github Repository](https://github.com/Keeper-Security/discovery-and-rotation-saas-dev),. Custom plugins are private and only available to the customer's Keeper Gateway.

For more information, see the [Using Custom Plugins](#using-custom-plugins) section.

***

## Prerequisites

Prior to configuring Workflow, make sure to have the following:

#### Rotation Enforcement Policy <a href="#workflow-enforcement-policy" id="workflow-enforcement-policy"></a>

Enforcement policies for KeeperPAM are managed in the Keeper Admin Console under **Admin** > **Roles** > **Enforcement Policies** > **Privileged Access Manager**.

The following Enforcement Policies affect user's permissions to configure Rotation settings on PAM Record types and need to be enabled:

<table><thead><tr><th width="196">Enforcement Policy</th><th width="274">Commander Enforcement Policy</th><th>Definition</th></tr></thead><tbody><tr><td>Can configure rotation settings</td><td><pre data-overflow="wrap"><code>ALLOW_CONFIGURE_ROTATION_SETTINGS
</code></pre></td><td>Allow users to configure Rotation settings on PAM User and PAM Configuration Record Types</td></tr></tbody></table>

Rotation configuration Enforcement Policy can also be enabled on the [Keeper Commander CLI](https://docs.keeper.io/en/keeperpam/commander-cli/command-reference/secrets-manager-commands#overview) using the `enterprise-role` command:

```
enterprise-role "My Role" --enforcement "ALLOW_CONFIGURE_ROTATION_SETTINGS":true
```

***

## Setting Up SaaS Password Rotation

To set up SaaS rotation, you need to create a SaaS Configuration record, create a PAM User record with the credentials to rotate, and link them together.

#### **Create a SaaS Configuration Record**

1. Click **Create New** and select **SaaS Configuration**.
2. Configure the following fields:

<table><thead><tr><th width="177.1875">Field</th><th>Description</th></tr></thead><tbody><tr><td><strong>Select Folder</strong></td><td>The shared folder where the SaaS Configuration record will be stored. This shared folder must be part of the KSM application associated with the gateway performing the rotation.</td></tr><tr><td><strong>PAM Configuration</strong></td><td>Select the configuration with the gateway that will perform the rotation. Only configurations associated with the KSM application containing the selected shared folder will appear.</td></tr><tr><td><strong>Plugin</strong></td><td>Choose the type of SaaS rotation (e.g., AWS Access Key, Okta).</td></tr><tr><td><strong>Title</strong></td><td>A name for the SaaS Configuration record.</td></tr></tbody></table>

<figure><img src="/files/GSSz3ktRr9ML4edgFjB7" alt=""><figcaption></figcaption></figure>

This creates a login record with pre-populated custom fields based on the selected plugin. Each plugin requires specific fields which appear as custom fields on the record.&#x20;

For detailed information on the custom fields for each plugin, visit [SaaS Configuration Field Reference](/en/keeperpam/privileged-access-manager/password-rotation/rotation-use-cases/saas-plugins/saas-configuration-field-reference.md).

#### **Create the PAM User Record**

Create a PAM User record containing the credentials or secrets to be rotated. For example, a PAM User for Okta would contain the username and password, while a PAM User for AWS would contain the access key and secret.

Note: This step can be skipped if you already have a PAM User Record&#x20;

#### Configure the PAM user with the SaaS Configuration Record&#x20;

1. Open the PAM User record and edit the **PAM Settings**.
2. Configure the following fields:

<table><thead><tr><th width="220.14453125">Field</th><th>Description</th></tr></thead><tbody><tr><td><strong>Rotation Profile</strong></td><td>Select <strong>SaaS User</strong> as the rotation profile.</td></tr><tr><td><strong>PAM Configuration</strong></td><td>Select the PAM Configuration that contains the gateway performing the rotation. This is the same configuration your selected when creating a SaaS Configuration Record</td></tr><tr><td><strong>SaaS Configuration</strong></td><td>Select the SaaS Configuration record you created</td></tr><tr><td><strong>Rotation Schedule</strong></td><td>(Optional) Set a schedule for automatic credential rotation.</td></tr><tr><td><strong>Password Complexity</strong></td><td>(Optional) Define password complexity requirements for rotated credentials.</td></tr></tbody></table>

<figure><img src="/files/VfUjZmij0UaJry8HxJrd" alt=""><figcaption></figcaption></figure>

#### Rotate The PAM User&#x20;

The PAM User is now ready for rotation. Credentials can be rotated on-demand or automatically based on the configured schedule.

<figure><img src="/files/XwYLZItjVgAriORnkJx5" alt=""><figcaption></figcaption></figure>

***

## SaaS Configuration Record Details&#x20;

Each selected plugin creates a login record with custom fields specific to that integration. All fields are blank by default and must be configured before rotation can be performed.

For detailed information on the custom fields for each plugin, visit [SaaS Configuration Field Reference](/en/keeperpam/privileged-access-manager/password-rotation/rotation-use-cases/saas-plugins/saas-configuration-field-reference.md).

***

## Custom and Community Plugins

Customers can extend SaaS rotation beyond built-in and catalog integrations by deploying custom plugins. Keeper maintains a GitHub repository with community-contributed plugins, development tools, and templates. Custom plugins are private to the customer's Keeper Gateway.

For setup instructions, development guides, and best practices, visit [Custom and Community Plugins](/en/keeperpam/privileged-access-manager/password-rotation/rotation-use-cases/saas-plugins/custom-and-community-plugins.md).

***

## SaaS Rotation via Commander&#x20;

SaaS rotation can also be configured, managed, and executed through Keeper Commander.

For more information, visit [SaaS Rotation via Commander](/en/keeperpam/privileged-access-manager/password-rotation/rotation-use-cases/saas-plugins/saas-rotation-via-commander.md).


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.keeper.io/en/keeperpam/privileged-access-manager/password-rotation/rotation-use-cases/saas-plugins.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.