SaaS Configuration Field Reference

Instructions for setting up the SaaS Configuration record for each supported target service

Overview

Each selected plugin creates a login record whose custom fields are pre-populated with the names specific to that integration. The field values themselves are empty by default; every field marked as required below must be filled in before a rotation can run.

Okta Configuration Record

Custom Field Name (Required?): Description

SaaS Type (Yes): Okta

Active (No): Activates or deactivates SaaS rotation for this record. The default is active.

Okta URL (Yes): The URL of the customer's Okta login portal, i.e. the address users sign in at.

Okta Token (Yes): The API token created in the Okta admin console under Security > API > Tokens.


Snowflake Configuration Record

Custom Field Name (Required?): Description

SaaS Type (Yes): Snowflake

Active (No): Activates or deactivates SaaS rotation for this record. The default is active.

Snowflake Admin User (Yes): The username of the admin user the plugin authenticates as.

Snowflake Admin Password (Yes): The password for the admin user.

Snowflake Account (Yes): The account identifier. It is the subdomain of your Snowflake URL, i.e. the part before .snowflakecomputing.com.


REST Configuration Record

Custom Field Name (Required?): Description

SaaS Type (Yes): REST

Active (No): Activates or deactivates SaaS rotation for this record. The default is active.

REST Url (Yes): The URL of the web service that receives the rotation request.

REST Token (Yes): A static token sent as a Bearer token in the Authorization header. The plugin cannot generate it; it must be issued in advance by the target service and stay valid for as long as rotations run.

REST Method (No): The HTTP method to use. The default is POST. Valid values are POST and PUT.
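The REST record only says what the plugin sends: a POST or PUT to the REST Url with the static REST Token as a Bearer token. The following is an added example, not Keeper's code, of what the receiving web service should check before acting on such a call. The request body format is not described on this page, so the `username`/`password` fields, the in-memory `TARGET_STORE` and the sample token are assumptions.

```python
"""Added example (not Keeper's code): server-side checks for a REST-record callback.
The body format is not documented on this page; 'username'/'password' fields and
the in-memory target store below are assumptions."""
import hmac
import json

ALLOWED_METHODS = ("POST", "PUT")       # the only values the REST Method field accepts
EXPECTED_TOKEN = "constructed-static-token-do-not-reuse"   # stands in for the record's REST Token
TARGET_STORE = {}                       # constructed stand-in for the system being rotated


def handle_rotation_request(method, headers, body, expected_token=EXPECTED_TOKEN):
    """Validate one inbound call and return (http_status, detail).

    Check order is deliberate: method, then the bearer token, then the body, so an
    unauthenticated caller learns nothing about the expected body format.
    """
    if method.upper() not in ALLOWED_METHODS:
        return 405, "method not allowed"

    # Header names are case-insensitive; normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    scheme, _, token = lowered.get("authorization", "").partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token:
        return 401, "missing bearer token"

    # The REST Token is static and long-lived; compare in constant time so the
    # response timing does not reveal how many leading bytes matched.
    if not hmac.compare_digest(token.encode(), expected_token.encode()):
        return 403, "invalid token"

    try:
        payload = json.loads(body)
    except (TypeError, ValueError):
        return 400, "body is not valid JSON"
    if not isinstance(payload, dict) or not {"username", "password"} <= payload.keys():
        return 400, "expected a JSON object with 'username' and 'password'"   # assumed field names
    if not isinstance(payload["password"], str) or not payload["password"]:
        return 400, "password must be a non-empty string"

    TARGET_STORE[payload["username"]] = payload["password"]   # the real service updates its own store here
    return 200, "rotated"


if __name__ == "__main__":
    ok_headers = {"Authorization": "Bearer " + EXPECTED_TOKEN}
    print(handle_rotation_request("POST", ok_headers, '{"username": "svc", "password": "N3w-p4ss"}'))
    print(handle_rotation_request("GET", ok_headers, "{}"))
    print(handle_rotation_request("PUT", {"Authorization": "Bearer wrong"}, "{}"))
```

Because the token is static, treat it like any other long-lived secret: the REST Url should be https so the header is never sent in the clear, and the receiving side should store only a hash of the expected token if it can.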


AWS Access Key Configuration Record

Custom Field Name (Required?): Description

SaaS Type (Yes): AWS Access Key

Active (No): Activates or deactivates SaaS rotation for this record. The default is active.

Admin Access Key ID (No): The AWS Access Key ID of the administrative identity that performs the rotation.

Admin Secret Access Key (No): The AWS Secret Access Key of the administrative identity.

Region Name (No): The AWS region name. It can be left blank except for GovCloud, where a value (for example us-gov-west-1) is required.

AWS Clean Keys (No): How old access keys are removed after a rotation. If not set, defaults to 'All'.

  • All - Removes all old access keys, leaving only the newly created one.

  • Oldest - Removes the oldest access key, and only if both access key slots are filled (an IAM user can hold at most two access keys).

  • Replace - Replaces only the access key stored in the Vault record. If the user has two access keys, the other one is not removed.

Note: The admin access key does not need to be set if the gateway runs on an EC2 instance with an attached IAM role or if you are using an AWS PAM Configuration. The plugin looks for credentials in the following order:

  1. SaaS Configuration Record - Ensure that the Access Key and Secret Key

  2. AWS PAM Configuration - See the AWS Environment Setup for details

Assigning Permissions

Ensure that the roles assigned to your AWS PAM Configuration, or the IAM identity behind the administrative access key / secret key, include the policies below, which are required to rotate a target user's access key:
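The three Clean Keys modes interact with the IAM limit of two access keys per user, and the order of the delete and create calls decides whether the Vault record ever holds a dead key. The following added example, which is not Keeper's code, plans the IAM calls for each mode and runs them against a constructed stand-in for boto3's IAM client. The policy list this page refers to is not reproduced here, so `REQUIRED_IAM_ACTIONS` and `minimal_policy` are my assumption of the minimum the admin identity needs; the key ids, timestamps and user name are constructed.

```python
"""Added example (not Keeper's code): how the AWS Clean Keys modes map onto IAM
calls under the two-access-keys-per-user limit.  Fixture data is constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone

MAX_KEYS_PER_USER = 2   # IAM hard limit: an IAM user holds at most two access keys

# Assumed minimal IAM actions for the admin identity (the page's own policy list is
# not reproduced here).  Scope them to the target user, never to "*".
REQUIRED_IAM_ACTIONS = ("iam:ListAccessKeys", "iam:CreateAccessKey", "iam:DeleteAccessKey")


def minimal_policy(target_user_arn):
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": list(REQUIRED_IAM_ACTIONS),
                           "Resource": target_user_arn}]}


@dataclass(frozen=True)
class AccessKey:
    key_id: str
    created: datetime    # CreateDate as returned by iam:ListAccessKeys


def plan_rotation(existing, vault_key_id, mode="All"):
    """Return ordered ("delete", key_id) / ("create", None) steps for one mode.

    Order only matters when both slots are full: a create would then fail with
    LimitExceeded, so one key has to be deleted first.
    """
    mode = mode or "All"    # a blank AWS Clean Keys field means All
    if mode not in ("All", "Oldest", "Replace"):
        raise ValueError(f"unknown AWS Clean Keys mode: {mode!r}")
    keys = sorted(existing, key=lambda k: k.created)    # oldest first
    if vault_key_id not in {k.key_id for k in keys}:
        raise ValueError("the key in the Vault record is not on the IAM user")
    full = len(keys) >= MAX_KEYS_PER_USER
    steps = []
    if mode == "All":
        remaining = list(keys)
        if full:
            # Free the slot with a key the record does NOT use, so the record's
            # credential keeps working until the new key exists.
            victim = next(k for k in keys if k.key_id != vault_key_id)
            steps.append(("delete", victim.key_id))
            remaining.remove(victim)
        steps.append(("create", None))
        steps += [("delete", k.key_id) for k in remaining]   # only the new key survives
    elif mode == "Oldest":
        if full:
            steps.append(("delete", keys[0].key_id))
        steps.append(("create", None))    # any other old key is kept
    else:   # Replace: only the record's key goes; the other slot is untouched
        if full:
            # No free slot: the record's key must go BEFORE the create, so a failure
            # between the two calls leaves the record with no working key.
            steps += [("delete", vault_key_id), ("create", None)]
        else:
            steps += [("create", None), ("delete", vault_key_id)]
    return steps


def execute(plan, iam, user_name):
    """Apply a plan through a client with boto3's IAM method names; returns the new key id."""
    new_key_id = None
    for action, key_id in plan:
        if action == "delete":
            iam.delete_access_key(UserName=user_name, AccessKeyId=key_id)
        else:
            resp = iam.create_access_key(UserName=user_name)
            new_key_id = resp["AccessKey"]["AccessKeyId"]
            # resp["AccessKey"]["SecretAccessKey"] is returned exactly once:
            # write it to the Vault record here, before any further deletes.
    return new_key_id


class FakeIAM:
    """Constructed stand-in for boto3.client("iam") that enforces the key limit."""
    def __init__(self, key_ids):
        self.keys = list(key_ids)
        self.created = 0

    def delete_access_key(self, UserName, AccessKeyId):
        self.keys.remove(AccessKeyId)

    def create_access_key(self, UserName):
        if len(self.keys) >= MAX_KEYS_PER_USER:
            raise RuntimeError("LimitExceeded: Cannot exceed quota for AccessKeysPerUser: 2")
        self.created += 1
        new_id = f"AKIANEW{self.created:013d}"    # same 20-character shape as a real key id
        self.keys.append(new_id)
        return {"AccessKey": {"AccessKeyId": new_id, "SecretAccessKey": "constructed"}}


# Constructed fixture: the user already holds two keys; the newer one is in the Vault record.
SAMPLE_KEYS = [AccessKey("AKIAOLDOLDOLDOLDOLDO", datetime(2023, 1, 1, tzinfo=timezone.utc)),
               AccessKey("AKIAVAULTVAULTVAULTV", datetime(2024, 1, 1, tzinfo=timezone.utc))]


def rotate_sample(mode):
    """Run one mode end to end on the fixture; returns (new_key_id, keys left on the user)."""
    iam = FakeIAM([k.key_id for k in SAMPLE_KEYS])
    new_id = execute(plan_rotation(SAMPLE_KEYS, SAMPLE_KEYS[1].key_id, mode), iam, "svc-user")
    return new_id, list(iam.keys)


if __name__ == "__main__":
    for mode in ("All", "Oldest", "Replace"):
        print(mode, plan_rotation(SAMPLE_KEYS, SAMPLE_KEYS[1].key_id, mode), rotate_sample(mode))
```

With a real client (`iam = boto3.client("iam")`) the same `execute` call works unchanged. The practical lesson is in the full-slot case: Replace must delete the record's key before it can create the new one, so if the second slot is already occupied by a key nobody uses, clearing it beforehand (or using All) avoids a window in which the Vault record holds a deleted key.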


Azure Client Secret Configuration Record

Custom Field Name (Required?): Description

SaaS Type (Yes): Azure Client Secret

Active (No): Activates or deactivates SaaS rotation for this record. The default is active.

Azure Target Object ID (Yes): The target Microsoft Entra ID application registration whose client secret is being rotated. Use the Object ID shown on the app registration's Overview page, not its Application (client) ID; both are GUIDs, so a mix-up is not caught by format alone.

Expiry Days (No): The number of days until the new secret expires. The default is 365 days.

Azure Tenant ID (No): The Directory (tenant) ID of the Microsoft Entra ID tenant. It is used for both the admin and the target application, so both must be registered in the same tenant.

Azure Admin Application ID (No): The Application (client) ID of the administrative app that performs the rotation (NOT the target).

Azure Admin Client Secret (No): The secret value of the administrative application.

Azure Authority (No): An alternative authority URL for MSAL to request tokens from, for example for a sovereign cloud. Leave blank for the public cloud default.

Azure Graph Endpoint (No): An alternative Microsoft Graph endpoint used to build the Graph scope. Leave blank for the public cloud default.

Azure Clean Keys (No): Removes old client secrets on every rotation.

  • All - Removes all old secrets, leaving only the newly created one.

  • Replace - Replaces only the secret stored in the Vault record; other secrets on the application are kept.

Note: The administrative application ID and client secret do not need to be set if you are using an Azure PAM Configuration that already has the necessary Azure permissions.

The plugin looks for credentials in the following order:

  1. SaaS Configuration Record

  2. Azure PAM Configuration

Assigning Permissions to Admin Application

For the target secret to be rotated, the administrative application must hold the necessary Microsoft Graph permission.

Required Microsoft Graph permission (an application permission, which needs admin consent):

  • Application.ReadWrite.All

This permission allows the admin app to modify every application registration in the tenant, so treat its client secret as a highly privileged credential. If your tenant prefers least privilege, Application.ReadWrite.OwnedBy limits the admin app to registrations it owns; confirm the rotation still succeeds under it before relying on it.

How to Assign:

  • Go to Azure Portal > Microsoft Entra ID > App registrations

  • Select your Administrative app (the one that will rotate secrets)

  • Go to API permissions > Add a permission

    • Choose Microsoft Graph

    • Select Application permissions

    • Search and select:

      • Application.ReadWrite.All

    • Click Add permissions

  • Then click Grant admin consent for the tenant (the permission is not effective until consent is granted)
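The fields above feed two things: the MSAL authority and scope used to get a Graph token, and the Graph calls that add the new secret and remove old ones according to Azure Clean Keys. The following added example, which is not Keeper's code, builds those from the record's values as request descriptors; it does not import msal or send anything, so it runs offline. The assumption that the Azure Authority field holds the login host (not a full tenant URL), the `displayName` label, the fixed clock and all GUIDs are constructed.

```python
"""Added example (not Keeper's code): MSAL settings and Microsoft Graph requests for
an Entra ID client-secret rotation, derived from the record's fields.  All GUIDs,
the fixed clock and the credential list are constructed."""
from datetime import datetime, timedelta, timezone
import uuid

PUBLIC_AUTHORITY = "https://login.microsoftonline.com"   # used when Azure Authority is blank
PUBLIC_GRAPH = "https://graph.microsoft.com"             # used when Azure Graph Endpoint is blank


def as_guid(value, field):
    """Tenant ID, Admin Application ID and Target Object ID are all GUIDs; reject
    anything else early so a pasted secret or display name fails loudly."""
    try:
        return str(uuid.UUID(str(value).strip()))
    except ValueError:
        raise ValueError(f"{field} must be a GUID, got {value!r}") from None


def msal_settings(tenant_id, authority=None, graph_endpoint=None):
    """Authority and scope for msal.ConfidentialClientApplication(...).acquire_token_for_client().
    Assumption: the Azure Authority field is the login host.  A sovereign cloud needs
    both overrides together (e.g. login.microsoftonline.us with graph.microsoft.us)."""
    tenant = as_guid(tenant_id, "Azure Tenant ID")
    host = (authority or PUBLIC_AUTHORITY).rstrip("/")
    graph = (graph_endpoint or PUBLIC_GRAPH).rstrip("/")
    return {"authority": f"{host}/{tenant}", "scopes": [f"{graph}/.default"], "graph": graph}


def add_password_request(graph, target_object_id, expiry_days=None, now=None):
    """POST /applications/{objectId}/addPassword.  Graph returns secretText in the
    response only once; the plugin has to write it to the Vault record right then."""
    days = int(expiry_days) if expiry_days else 365    # blank Expiry Days means 365
    end = (now or datetime.now(timezone.utc)) + timedelta(days=days)
    obj = as_guid(target_object_id, "Azure Target Object ID")
    return {"method": "POST",
            "url": f"{graph}/v1.0/applications/{obj}/addPassword",
            "json": {"passwordCredential": {"displayName": "rotated by PAM gateway",   # constructed label
                                            "endDateTime": end.strftime("%Y-%m-%dT%H:%M:%SZ")}}}


def remove_password_requests(graph, target_object_id, password_credentials,
                             new_key_id, vault_key_id, mode):
    """One POST /applications/{objectId}/removePassword per secret chosen by the
    Azure Clean Keys mode.  password_credentials is the application's
    passwordCredentials list from Graph; it carries each secret's keyId and a
    3-character hint only, never the value, so Replace needs the record to remember
    the keyId of its own secret."""
    if mode == "All":
        key_ids = [c["keyId"] for c in password_credentials if c["keyId"] != new_key_id]
    elif mode == "Replace":
        key_ids = [c["keyId"] for c in password_credentials if c["keyId"] == vault_key_id]
    else:
        raise ValueError(f"unknown Azure Clean Keys mode: {mode!r}")
    obj = as_guid(target_object_id, "Azure Target Object ID")
    return [{"method": "POST", "url": f"{graph}/v1.0/applications/{obj}/removePassword",
             "json": {"keyId": k}} for k in key_ids]


# Constructed fixture values
TENANT_ID = "11111111-1111-4111-8111-111111111111"
TARGET_OBJECT_ID = "22222222-2222-4222-8222-222222222222"
FIXED_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLE_CREDENTIALS = [   # as returned in the application's passwordCredentials
    {"keyId": "aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa", "hint": "old", "displayName": "legacy"},
    {"keyId": "bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb", "hint": "vlt", "displayName": "in vault"},
    {"keyId": "cccccccc-cccc-4ccc-8ccc-cccccccccccc", "hint": "new", "displayName": "rotated by PAM gateway"},
]

if __name__ == "__main__":
    settings = msal_settings(TENANT_ID)
    print(settings)
    print(add_password_request(settings["graph"], TARGET_OBJECT_ID, None, now=FIXED_NOW))
    for mode in ("All", "Replace"):
        print(mode, remove_password_requests(settings["graph"], TARGET_OBJECT_ID, SAMPLE_CREDENTIALS,
                                             SAMPLE_CREDENTIALS[2]["keyId"], SAMPLE_CREDENTIALS[1]["keyId"], mode))
```

Sending the descriptors needs a bearer token from `acquire_token_for_client(scopes=settings["scopes"])` in the Authorization header; the sequence is addPassword first, store the returned `secretText`, then the removePassword calls, so the application never ends up with no usable secret.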


Cisco IOS XE Configuration Record

Custom Field Name (Required?): Description

SaaS Type (Yes): Cisco IOS XE

Active (No): Activates or deactivates SaaS rotation for this record. The default is active.

Admin Username (Yes): The administrator's username.

Admin Password (Yes): The administrator's password.

Hostname (Yes): Hostname or IP address of the device's web service.

Verify SSL (No): Verify the server's SSL certificate. The default is FALSE, which means the admin password is sent to whatever answers at the hostname; set it to TRUE once the device presents a certificate the gateway trusts.


Cisco Meraki Configuration Record

Custom Field Name (Required?): Description

SaaS Type (Yes): Cisco Meraki

Active (No): Activates or deactivates SaaS rotation for this record. The default is active.

Admin Email (Yes): The administrator's email address.

API Key (Yes): The API key generated in the admin's profile, in the API access section.

Network ID (No): The Network ID. If blank, the plugin attempts to discover it: if the API key can see only one organization, and that organization has only one network, that network's ID is used. Any other layout needs the ID filled in explicitly.

Verify SSL (No): Verify the server's SSL certificate. The default is FALSE; api.meraki.com presents a publicly trusted certificate, so set this to TRUE.

API: Cisco Meraki OpenAPI Document
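The Network ID discovery rule above has two failure modes (more than one organization, or more than one network in it), and it is exercised over the Dashboard API with Verify SSL in play. The following added example, which is not Keeper's code, implements the rule against the two Dashboard API endpoints through an injected getter, so it runs offline against constructed organization and network data; `http_get_factory` shows the same getter over the real API with the Verify SSL choice made explicit.

```python
"""Added example (not Keeper's code): the Network ID auto-discovery rule from this page,
run over the Meraki Dashboard API through an injected getter.  The organisation and
network data below are constructed."""
import json
import ssl
import urllib.request

MERAKI_API = "https://api.meraki.com/api/v1"


class MerakiLookupError(ValueError):
    """Raised when the rule cannot pick exactly one network."""


def api_headers(api_key):
    # Dashboard API authentication header; only ever send it over a verified TLS connection.
    return {"X-Cisco-Meraki-API-Key": api_key, "Accept": "application/json"}


def resolve_network_id(network_id, get):
    """Explicit Network ID wins.  Otherwise discover it only when the API key sees
    exactly one organization containing exactly one network; anything else is
    ambiguous and the record must be filled in by hand.

    `get(path)` returns the decoded JSON of GET {MERAKI_API}{path}.
    """
    if network_id and network_id.strip():
        return network_id.strip()
    orgs = get("/organizations")
    if len(orgs) != 1:
        raise MerakiLookupError(f"API key sees {len(orgs)} organizations; set Network ID explicitly")
    org_id = orgs[0]["id"]
    networks = get(f"/organizations/{org_id}/networks")   # paginated in the real API; one page here
    if len(networks) != 1:
        raise MerakiLookupError(f"organization {org_id} has {len(networks)} networks; set Network ID explicitly")
    return networks[0]["id"]


def http_get_factory(api_key, verify_ssl=True):
    """Real getter.  verify_ssl=False is what the record's Verify SSL=FALSE default means:
    the API key is then sent to whoever can intercept the connection."""
    ctx = ssl.create_default_context()
    if not verify_ssl:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    def get(path):
        req = urllib.request.Request(MERAKI_API + path, headers=api_headers(api_key))
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return json.load(resp)
    return get


def make_fake_get(orgs, networks_by_org):
    """Constructed stand-in for http_get_factory covering the two endpoints used above."""
    def get(path):
        if path == "/organizations":
            return orgs
        _, _, rest = path.partition("/organizations/")
        org_id, _, tail = rest.partition("/")
        if tail == "networks":
            return networks_by_org.get(org_id, [])
        raise KeyError(path)
    return get


# Constructed fixtures for the three layouts the rule distinguishes
SINGLE = make_fake_get([{"id": "O1", "name": "Example Org"}],
                       {"O1": [{"id": "N_1", "name": "HQ"}]})
TWO_NETS = make_fake_get([{"id": "O1", "name": "Example Org"}],
                         {"O1": [{"id": "N_1", "name": "HQ"}, {"id": "N_2", "name": "Branch"}]})
TWO_ORGS = make_fake_get([{"id": "O1", "name": "Example Org"}, {"id": "O2", "name": "Lab Org"}],
                         {"O1": [{"id": "N_1", "name": "HQ"}], "O2": [{"id": "N_9", "name": "Lab"}]})

if __name__ == "__main__":
    print(resolve_network_id("", SINGLE))
    for label, getter in (("two networks", TWO_NETS), ("two organizations", TWO_ORGS)):
        try:
            resolve_network_id(None, getter)
        except MerakiLookupError as err:
            print(label, "->", err)
```

Swapping `SINGLE` for `http_get_factory(api_key)` runs the same lookup against the live API; leaving `verify_ssl` at its default of True is the setting this record's Verify SSL field should mirror.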
