SaaS Plugins

KeeperPAM SaaS Rotation Plugins

Overview

KeeperPAM supports automated password rotation for various SaaS applications and services, including cloud infrastructure. This feature requires Keeper Gateway version 1.6 or newer. Currently, the configuration of SaaS rotations requires the use of Keeper Commander CLI. The front-end for managing these rotations will be included in an upcoming release of the Web Vault and Desktop App.

SaaS rotations are available as built-in integrations, catalog integrations or custom integrations.

Built-in SaaS Integrations

KeeperPAM includes pre-built integrations for popular services:

• Okta - Identity and access management

• Snowflake - Cloud data platform

• REST APIs - Generic REST endpoint integration

• AWS Access Keys - Amazon Web Services credential rotation

• Azure Client Secrets - Microsoft Azure application secrets

• Cisco IOS XE - Network device management

• Cisco Meraki - Cloud-managed networking

Catalog SaaS Integrations

In Keeper's SaaS Github Repository, several new rotation plugins have been created, including:

• AWS Cognito

• Cisco APIC

• and More

As new catalog rotations are added, customers may use these rotations within their environments.

Custom Integrations

Following the examples in Keeper's SaaS Github Repository, customers can create their own plugins that are private and only available to their Keeper Gateway. See the Using Custom Plugins section for more information.

Setting Up SaaS Password Rotation

This is accomplished in 3 steps outlined below:

Step 1: Create a SaaS Configuration Record

Step 2: Associate SaaS Rotation with PAM Users

Step 3: Verify Configuration

Step 1: Create a SaaS Configuration Record

SaaS rotation configurations are stored as records with custom fields that define the configuration parameters.

Using Keeper Commander CLI

The fastest way to create a SaaS configuration is using the Commander CLI pam action saas config command:

# Login to your vault
keeper shell

# List available SaaS types for your gateway
pam action saas config --gateway "My Gateway" --list

# Create a new SaaS configuration (example for Okta)
pam action saas config --gateway "My Gateway" --plugin "Okta" --shared-folder-uid FOLDER_UID --create

The command will prompt you for the required configuration values specific to your chosen SaaS type. Each of the configuration values is documented in the section below, for built-in and catalog plugins.

You can also just create a Login record with custom fields as defined below.

Okta Configuration Record

Snowflake Configuration Record

REST Configuration Record

AWS Access Key Configuration Record

Note: The admin access key does NOT be set if you using an EC2 instance an attached IAM role or the using an AWS configuration. The plugin with get its credentials from the following in the specified order.

1. SaaS Configuration Record - Ensure that the Access Key and Secret Key

2. AWS PAM Configuration - See the AWS Environment Setup for details

Assigning Permissions

Ensure that the roles assigned to your AWS PAM Configuration or to the specific administrative access key / secret key include the below policies required to rotate a target access key:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:CreateAccessKey",
        "iam:ListAccessKeys",
        "iam:DeleteAccessKey"
      ],
      "Resource": "arn:aws:iam::YOUR_AWS_ACCOUNT_ID_HERE:user/*"
    }
  ]
}

Azure Client Secret Configuration Record

Note: The administrative application ID and client secret does not be set if you using a PAM Configuration that already has necessary Azure permissions.

The plugin with get its credentials from the following in the specified order.

1. SaaS Configuration Record

2. Azure PAM Configuration

Assigning Permissions to Admin Application

In order for the target secret to be rotated, the administrative application must have the necessary Azure role permissions.

Required Microsoft Graph Permissions:

• Application.ReadWrite.All

How to Assign:

• Go to Azure Portal > Azure Active Directory > App registrations

• Select your Administrative app (the one that will rotate secrets)

• Go to API permissions > Add a permission

  • Choose Microsoft Graph

  • Select Application permissions

  • Search and select:

    • Application.ReadWrite.All

  • Click Add permissions

• Then click Grant admin consent for the tenant

Cisco IOS EX Configuration Record

Cisco Meraki Configuration Record

API: Cisco Meraki OpenAPI Document

Step 2: Associate SaaS Rotation with PAM Users

Once your SaaS configuration record is created, associate that record with one or more PAM User records in the vault.

• Create the PAM User record either in the vault, or using the Commander CLI

• Using Commander, run the below commands to create the association:

# Add SaaS rotation to a user
pam action saas add --user-uid USER_RECORD_UID --config-record-uid SAAS_CONFIG_UID

# Optionally attach to a specific resource
pam action saas add --user-uid USER_RECORD_UID --config-record-uid SAAS_CONFIG_UID --resource-uid RESOURCE_UID

Step 3: Verify Configuration

Check that your SaaS rotation is properly configured on the PAM User record:

# View all SaaS rotations for the PAM User
pam action saas user -u USER_RECORD_UID

This will display all configured SaaS rotations for the specified PAM User, including their current settings.

Performing SaaS Rotation

To perform the rotation from the Commander CLI, use the pam action rotate command:

pam action rotate -r USER_RECORD_UID

Managing SaaS Rotations

Remove SaaS Rotation

To remove a SaaS rotation from a PAM User record:

pam action saas remove --user-uid USER_RECORD_UID --config-record-uid SAAS_CONFIG_UID

Activate/Deactivate Rotations

You can control whether a SaaS rotation is active by setting the Active custom field:

• Set to any value (e.g., "true", "yes", "1") to activate

• Remove the field or set to empty/false to deactivate

Custom and Community Plugins

Available Custom Plugins

In addition to built-in integrations, you can use custom plugins for additional services. Keeper maintains a repository of community-contributed plugins:

GitHub Repository: discovery-and-rotation-saas-dev

Check the integrations/ folder for available plugins, which may include:

• Additional cloud services

• Database systems

• Network equipment

• Custom enterprise applications

Using Custom Plugins

To use custom plugins in your environment:

1. Set Up Plugin Directory

Configure your PAM Gateway to recognize custom plugins:

# Set the plugin directory path on your PAM Configuration record
record-update -r PAM_CONFIG_RECORD_UID "text.SaaS Plugins Dir=/path/to/plugins"

2. Deploy Plugin Files

Copy the plugin Python files to your configured directory:

# Create plugin directory
mkdir /opt/keeper/saas_plugins

# Copy plugin files from the repository
cp custom_plugin.py /opt/keeper/saas_plugins/

3. Docker Container Setup

If using Docker, mount the plugin directory:

# docker-compose.yml
services:
  keeper-gateway:
    image: keeper/gateway:preview
    volumes:
      - ./saas_plugins:/opt/keeper/saas_plugins
    environment:
      GATEWAY_CONFIG: YOUR_GATEWAY_CONFIG_UID

Update the PAM configuration to use the container path:

record-update -r PAM_CONFIG_RECORD_UID "text.SaaS Plugins Dir=/opt/keeper/saas_plugins"

4. Configure Plugin Access (If Required)

Some plugins may need access to your PAM configuration credentials (e.g., for AWS or Azure integration). Grant access by adding the plugin name to the allow list:

record-update -r PAM_CONFIG_RECORD_UID "multiline.Allow SaaS Access=Custom Plugin Name\nAnother Plugin"

Developing Custom Plugins

If you need a plugin for a service not currently available, you can develop your own using the development environment provided in the repository. The repository includes:

• Development and testing tools

• Example plugins and templates

• API documentation

• Testing framework

Visit the repository README for detailed development instructions. To contribute to the community rotation plugin directory, submit a pull request.

Best Practices

Security Considerations

• Use dedicated service accounts with minimal required permissions for SaaS integrations

• Regularly rotate API keys and tokens used in SaaS configurations

• Test rotations in a development environment before production deployment

• Monitor rotation logs for failures or authentication issues

Configuration Management

• Store SaaS configurations in dedicated shared folders for better organization

• Use descriptive names for configuration records (e.g., "Okta Production", "Snowflake Dev")

• Document any custom field requirements for team members

• Regularly review and update SaaS rotation assignments

Troubleshooting

• Check Gateway logs for detailed error messages during rotations

• Verify API credentials and permissions in your SaaS applications

• Ensure network connectivity between Gateway and target services

• Test individual SaaS configurations before associating with multiple users

Support and Resources

• Built-in SaaS Types: Supported through standard Keeper support channels

• Custom Plugins: Community support via GitHub repository issues

• Development Questions: Refer to repository documentation and examples

• Enterprise Support: Contact your Keeper representative for assistance with custom integrations

For the most up-to-date list of available plugins and integration examples, regularly check the GitHub repository.