SaaS Rotation Plugins
SaaS and REST-based rotation plugins
Last updated
Was this helpful?
KeeperPAM and Secrets Manager
SaaS and REST-based rotation plugins
Last updated
Was this helpful?
KeeperPAM supports automated password rotation for various SaaS applications and services. This feature allows you to automatically update passwords across multiple systems whenever a user's password is rotated, ensuring synchronized access without manual intervention.
KeeperPAM includes pre-built integrations for popular services:
Okta - Identity and access management
Snowflake - Cloud data platform
REST APIs - Generic REST endpoint integration
AWS Access Keys - Amazon Web Services credential rotation
Azure Client Secrets - Microsoft Azure application secrets
Cisco IOS XE - Network device management
Cisco Meraki - Cloud-managed networking
In Keeper's SaaS Github Repository, several new rotation plugins have been created, including:
AWS Cognito
Cisco APIC
and More
SaaS configurations are stored as Login records with custom fields that define the connection parameters.
Using Keeper Commander CLI
The easiest way to create a SaaS configuration is using the Commander CLI:
# Connect to your vault
keeper shell
# List available SaaS types for your gateway
My Vault> pam action saas config --gateway "My Gateway" --list
# Create a new SaaS configuration (example for Okta)
My Vault> pam action saas config --gateway "My Gateway" --config-type "Okta" --shared-folder-uid FOLDER_UIDThe command will prompt you for the required configuration values specific to your chosen SaaS type.
Manual Configuration
You can also create a Login record manually and add the appropriate custom fields:
Required Custom Fields for All SaaS Types:
SaaS Type - The type of service (e.g., "Okta", "Snowflake", "REST")
Active - Set to any "truthy" value to activate rotation (optional, defaults to active)
Service-Specific Custom Fields:
Okta Configuration
SaaS Type: Okta
Okta URL: Your Okta domain URL (e.g., https://company.okta.com)
Okta Token: API token from Security → API → Tokens in Okta admin
Snowflake Configuration
SaaS Type: Snowflake
Snowflake Admin User: Administrator username
Snowflake Admin Password: Administrator password
Snowflake Account: Account identifier (subdomain from your Snowflake URL)
REST API Configuration
SaaS Type: REST
REST Url: API endpoint URL
REST Token: Bearer token for authentication (must be static)
REST Method: HTTP method (POST or PUT, defaults to POST)
AWS Access Key Configuration
SaaS Type: AWS Access Key
AWS Admin Access Key ID: Administrative access key ID
AWS Admin Secret Access Key: Administrative secret access key
Region Name: AWS region (required for GovCloud)
AWS Clean Keys: Cleanup policy ("All" or "Oldest")
Azure Client Secret Configuration
SaaS Type: Azure Client Secret
Azure Target Object ID: Target application's object ID
Azure Tenant ID: Directory (tenant) ID
Azure Admin Application ID: Admin application (client) ID
Azure Admin Client Secret: Admin application secret
Expiry Days: Secret expiration days (default: 365)
Azure Authority: MSAL token request URL
Azure Graph Endpoint: Azure Graph scope URL
AWS Clean Keys: Cleanup policy ("All" or "Replace")
Cisco IOS XE Configuration
SaaS Type: Cisco IOS XE
Admin Username: Administrator username
Admin Password: Administrator password
Hostname: Device hostname or IP address
Verify SSL: SSL certificate verification (default: FALSE)
Cisco Meraki Configuration
SaaS Type: Cisco Meraki
Admin Email: Administrator email address
API Key: API key from admin profile
Network ID: Target network ID (auto-detected if blank)
Verify SSL: SSL certificate verification (default: FALSE)
Once your SaaS configuration is created, associate it with user records:
# Add SaaS rotation to a user
My Vault> pam action saas add --user-uid USER_RECORD_UID --config-record-uid SAAS_CONFIG_UID
# Optionally attach to a specific resource
My Vault> pam action saas add --user-uid USER_RECORD_UID --config-record-uid SAAS_CONFIG_UID --resource-uid RESOURCE_UIDCheck that your SaaS rotation is properly configured:
# View all SaaS rotations for a user
My Vault> pam action saas info --user-uid USER_RECORD_UIDThis will display all configured SaaS rotations for the specified user, including their current settings.
To remove a SaaS rotation from a user:
My Vault> pam action saas remove --user-uid USER_RECORD_UID --config-record-uid SAAS_CONFIG_UIDControl whether a SaaS rotation is active by setting the Active custom field:
Set to any value (e.g., "true", "yes", "1") to activate
Remove the field or set to empty/false to deactivate
In addition to built-in integrations, you can use custom plugins for additional services. Keeper maintains a repository of community-contributed plugins:
GitHub Repository: discovery-and-rotation-saas-dev
Check the integrations/ folder for available plugins, which may include:
Additional cloud services
Database systems
Network equipment
Custom enterprise applications
To use custom plugins in your environment:
1. Set Up Plugin Directory
Configure your PAM Gateway to recognize custom plugins:
# Set the plugin directory path on your PAM Configuration record
My Vault> record-update -r PAM_CONFIG_RECORD_UID "text.SaaS Plugins Dir=/path/to/plugins"2. Deploy Plugin Files
Copy the plugin Python files to your configured directory:
# Create plugin directory
mkdir /opt/keeper/saas_plugins
# Copy plugin files from the repository
cp custom_plugin.py /opt/keeper/saas_plugins/3. Docker Container Setup
If using Docker, mount the plugin directory:
# docker-compose.yml
services:
keeper-gateway:
image: keeper/gateway:preview
volumes:
- ./saas_plugins:/opt/keeper/saas_plugins
environment:
GATEWAY_CONFIG: YOUR_GATEWAY_CONFIG_UIDUpdate the PAM configuration to use the container path:
My Vault> record-update -r PAM_CONFIG_RECORD_UID "text.SaaS Plugins Dir=/opt/keeper/saas_plugins"4. Configure Plugin Access (If Required)
Some plugins may need access to your PAM configuration credentials (e.g., for AWS or Azure integration). Grant access by adding the plugin name to the allow list:
My Vault> record-update -r PAM_CONFIG_RECORD_UID "multiline.Allow SaaS Access=Custom Plugin Name\nAnother Plugin"If you need a plugin for a service not currently available, you can develop your own using the development environment provided in the repository. The repository includes:
Development and testing tools
Example plugins and templates
API documentation
Testing framework
Visit the repository README for detailed development instructions. To contribute to the community rotation plugin directory, submit a pull request.
Use dedicated service accounts with minimal required permissions for SaaS integrations
Regularly rotate API keys and tokens used in SaaS configurations
Test rotations in a development environment before production deployment
Monitor rotation logs for failures or authentication issues
Store SaaS configurations in dedicated shared folders for better organization
Use descriptive names for configuration records (e.g., "Okta Production", "Snowflake Dev")
Document any custom field requirements for team members
Regularly review and update SaaS rotation assignments
Check Gateway logs for detailed error messages during rotations
Verify API credentials and permissions in your SaaS applications
Ensure network connectivity between Gateway and target services
Test individual SaaS configurations before associating with multiple users
Built-in SaaS Types: Supported through standard Keeper support channels
Custom Plugins: Community support via GitHub repository issues
Development Questions: Refer to repository documentation and examples
Enterprise Support: Contact your Keeper representative for assistance with custom integrations
For the most up-to-date list of available plugins and integration examples, regularly check the GitHub repository.
