
Microsoft Entra ID SAML JIT

This topic describes how to add JIT (Just-In-Time) user provisioning capabilities to Microsoft Entra ID (formerly Azure Active Directory (AD)) SAML authentication for Lacework.

note
  • This configuration requires a Microsoft Entra ID Premium account.
  • This process requires you to create an enterprise application in Microsoft Entra ID.

Set Authentication in the Lacework Console

Before you configure the Lacework enterprise application in Microsoft Entra ID, sign in to the Lacework Console and navigate to Settings > Authentication > SAML. If OAuth is enabled, you must disable it before enabling SAML. Keep this window open.

note

Verify that every user you add to the SAML login has a company name assigned in Microsoft Entra ID, because Company Name is a required claim.

Create the Lacework Application in Microsoft Entra ID

From a new browser window, sign in to Microsoft Entra ID. To create a Lacework application, follow these steps:

  1. Navigate to Microsoft Entra ID > Enterprise applications.
  2. Select New application.
  3. Select Create your own application.
    The Create your own application pane opens.
  4. Enter a name for your new app.
  5. Select Integrate any other application you don’t find in the gallery.
  6. Click Create.
    When the application's Overview page displays, the application is created.
  7. Select Users and groups.
  8. Select +Add user/group, search for the users or groups you want, highlight each one, click Select, and then click Assign.
    Repeat as necessary to add users/groups.
  9. Select Single sign-on.
  10. Select the SAML tile.
    The Set up Single Sign-On with SAML page opens.
  11. In section 1, provide the two values listed below. You can copy both values from the Lacework Console authentication settings.
    • Identifier (Entity ID): https://lacework.net
      Copy from Service Provider Entity ID
    • Reply URL (Assertion Consumer Service URL): https://YourLacework.lacework.net/sso/saml/login
      Copy from Assertion Consumer Service URL
      tip

      The claims that Entra ID creates by default use the XMLSOAP claim namespace. You must explicitly add claims named First Name, Last Name, and Company Name with the exact Name and Source attribute values shown in section 2.

  12. In section 2, add the following new claims with the indicated Name and Source attribute.
    • Name: First Name
      Source attribute: user.givenname
    • Name: Last Name
      Source attribute: user.surname
    • Name: Company Name
      Source attribute: user.companyname
    • Name: Lacework Admin Role Accounts
      Source attribute: the Lacework account(s) the application will access with the admin role. Example: account1, or account1,account2, or *.
    • Name: Lacework User Role Accounts
      Source attribute: the Lacework account(s) the application will access with the user role. Example: account1, or account1,account2, or *.
    • Name: Lacework Power User Role Accounts
      Source attribute: the Lacework account(s) the application will access with the power user role. Example: account1, or account1,account2, or *.
    • Name: Custom User Groups
      Source attribute: a comma-separated string of custom user group GUIDs (globally unique identifiers). Custom user groups let you fully customize a set of permissions that meets the specific requirements of your organization.
    Use a comma to separate multiple values; * grants the role in every account. For information about using Microsoft Entra ID groups to scope these claims, see Create Groups in Microsoft Entra ID.

    Of these claims, First Name, Last Name, and Company Name are required.
  13. If your Lacework account is enrolled in a Lacework organization, also add attribute statements with the following names and example values:
    • Lacework Organization Admin Role - true
    • Lacework Organization User Role - null (when Lacework Organization Admin Role is set to true)
  14. In section 3, download and save the Federation Metadata XML file.

Create Groups in Microsoft Entra ID

(Optional) You can create groups in Microsoft Entra ID and use them to assign different access to Lacework accounts. To create groups, follow these steps:

  1. Navigate to the Microsoft Entra ID home page and select Groups.
  2. Select +New group.
  3. For Group type, select Security.
  4. Specify a name for the group.
    For example, you can choose a name that describes the group's access to a Lacework account, such as Account1 Admin or Account1 User.
  5. Select members for the group.
  6. Select Create.
  7. Create additional groups as needed.
    Consider creating separate groups for admin and user access.

Grant Access to Lacework Accounts

To grant certain team members access to log in to Lacework, complete the following steps:

  1. Navigate to the Lacework application in Microsoft Entra ID.

  2. Select Single sign-on.

  3. In the Attributes and Claims section (panel 2), edit the following claims:

    • Lacework Admin Role Accounts
    • Lacework User Role Accounts
    • Lacework Power User Role Accounts
    • Custom User Groups
  4. Add a claim condition with the following settings:

    • User type: Any

    • Scoped Groups: Select the groups that use this claim. For example, the Lacework Admin Role Accounts claim should have groups set up for admins. The Lacework User Role Accounts claim should have groups set up for users.

    • Source: Attribute

    • Value: Enter the Lacework account(s) that this claim grants.

      Example 1: a set of users needs access to only one sub-account within Lacework. Enter that sub-account name in the value field.

      Example 2: you have two accounts named Account1 and Account2. To use this claim for both, enter Account1,Account2 (comma-separated); to grant the role in every account, enter the wildcard *. Because * grants the role in every account, reserve it, and the Lacework Admin Role Accounts claim in particular, for groups that genuinely need that scope.

Finish Authentication Setup in the Lacework Console

Return to the open Lacework Console SAML configuration page and follow these steps:

  1. Select Upload identity provider data and select Next.
  2. Enter a descriptive name for Identity Provider.
  3. In Upload Identity Provider Meta Data File, select Choose File and select the Federation Metadata XML file you downloaded from Entra ID.
    The fields are populated and you see a confirmation that the metadata included a certificate.
  4. Enable the Just-in-Time User Provisioning option.
  5. Click Save.

When a user logs in, Lacework adds a profile for that user, with the privileges from the claims, in only the accounts named in those claims.

If the user has organization-level privileges, a profile with those privileges is added in every account that belongs to the organization. In either case JIT only creates user profiles; it never creates accounts.
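The claim semantics described above (required name claims, comma-separated account lists, the * wildcard, organization-level roles, and profiles being added only to accounts that already exist) are easier to reason about with a small model you can run against a sample assertion. The following is an added illustrative example, not Lacework's code: the sample assertions, the tenant's account names, and the rule that the most privileged role wins when an account appears in several role claims are all constructed assumptions. Real assertions must have their signature verified before any attribute is trusted.

```python
"""Model of the JIT claim semantics: required name claims, comma-separated
account lists, the * wildcard, organization-level roles, and the rule that
JIT adds profiles but never creates accounts.

Added illustrative example, not Lacework's code. The sample assertions, the
tenant's account names and the role-precedence rule are constructed assumptions.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

REQUIRED = ("First Name", "Last Name", "Company Name")
ROLE_CLAIMS = {  # claim name from the page -> role it grants
    "Lacework Admin Role Accounts": "admin",
    "Lacework Power User Role Accounts": "power_user",
    "Lacework User Role Accounts": "user",
}
# ASSUMPTION: when one account appears in several role claims, the most
# privileged role wins. The page does not say how Lacework resolves overlaps,
# so keep each user in a single role group per account in Entra ID.
ROLE_RANK = {"admin": 3, "power_user": 2, "user": 1}

# Constructed sample: the accounts that exist in this fictional tenant.
TENANT_ACCOUNTS = {"account1", "account2", "account3"}


def _assertion(attributes: dict[str, str]) -> str:
    """Build a minimal, unsigned saml:Assertion from a Name -> value mapping."""
    attrs = "".join(
        f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>'
        for n, v in attributes.items()
    )
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_c1">'
        "<saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>"
        f"<saml:AttributeStatement>{attrs}</saml:AttributeStatement></saml:Assertion>"
    )


# Constructed sample assertions (signature stripped; real ones must be verified first).
SAMPLE_ASSERTION = _assertion({
    "First Name": "Alice", "Last Name": "Example", "Company Name": "Example Corp",
    "Lacework Admin Role Accounts": "account1",
    "Lacework User Role Accounts": "account1,account2,account9",  # account9 does not exist
})
SAMPLE_MISSING_COMPANY = _assertion({
    "First Name": "Bob", "Last Name": "Example",
    "Lacework User Role Accounts": "*",
})


def parse_attributes(assertion_xml: str) -> dict[str, list[str]]:
    """Collect saml:Attribute Name -> list of AttributeValue strings."""
    root = ET.fromstring(assertion_xml)
    attrs: dict[str, list[str]] = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name", ""), []).extend(values)
    return attrs


def split_accounts(values: list[str]) -> set[str]:
    """'account1,account2' in one value, or several values, -> one set of names."""
    return {p.strip() for v in values for p in v.split(",") if p.strip()}


def _is_true(attrs: dict[str, list[str]], name: str) -> bool:
    return (attrs.get(name) or [""])[0].strip().lower() == "true"


def resolve_jit(attrs: dict[str, list[str]], tenant_accounts: set[str]) -> tuple[dict[str, str], list[str]]:
    """Return (account -> role the JIT profile would get, list of problems)."""
    problems = [f"missing required claim: {n}" for n in REQUIRED if not any(attrs.get(n, []))]
    roles: dict[str, str] = {}

    def grant(acct: str, role: str) -> None:
        if ROLE_RANK[role] > ROLE_RANK.get(roles.get(acct, ""), 0):
            roles[acct] = role

    # Organization-level roles: a profile in every account of the organization.
    if _is_true(attrs, "Lacework Organization Admin Role"):
        for acct in tenant_accounts:
            grant(acct, "admin")
    elif _is_true(attrs, "Lacework Organization User Role"):
        for acct in tenant_accounts:
            grant(acct, "user")

    for claim, role in ROLE_CLAIMS.items():
        accounts = split_accounts(attrs.get(claim, []))
        if "*" in accounts:
            if role == "admin":
                problems.append(f"{claim}: '*' grants admin in every account")
            targets = set(tenant_accounts)
        else:
            # JIT adds profiles to existing accounts only; an unknown name grants nothing.
            for unknown in sorted(accounts - tenant_accounts):
                problems.append(f"{claim}: no account named {unknown!r}; JIT adds profiles, it does not create accounts")
            targets = accounts & tenant_accounts
        for acct in targets:
            grant(acct, role)
    return roles, problems


if __name__ == "__main__":
    for label, xml in (("ok", SAMPLE_ASSERTION), ("missing company", SAMPLE_MISSING_COMPANY)):
        print(label, *resolve_jit(parse_attributes(xml), TENANT_ACCOUNTS))
```

Running it shows the two failure modes worth catching before users hit them: a role claim that names an account which does not exist produces no profile anywhere, and an assertion without Company Name fails the required-claim check even though its account list is valid.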

Test the Application

To test the application, return to Microsoft Entra ID and do the following:

  1. Navigate to the Lacework application and click Single sign-on.
  2. Go to section 5 and click Test.

You can also test the application by logging in to the Lacework Console as the user associated with the application during setup.

Update the Single Sign-on Signing Certificate

info

Use these steps when you need to update an existing certificate due to expiry or otherwise. It is not required during initial configuration.

If you have created a new Single Sign-on (SSO) token signing certificate in Entra ID to replace the old one, you must manually update the certificate in Lacework; Lacework does not pick up the new metadata automatically.

  1. Sign in to the Lacework Console and navigate to Settings > Authentication > SAML.
  2. Edit the configured SAML integration.
  3. In Upload Identity Provider Meta Data File, select Choose File and select the updated Federation Metadata XML file downloaded from Entra ID.
    The fields are populated, and you will see a confirmation that the metadata included a certificate.
  4. Click Save.

The updated certificate will now be used.
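Both the initial upload in Finish Authentication Setup and the certificate update above rely on the Federation Metadata XML file carrying the right signing certificate. The following is an added illustrative example, not Lacework's or Microsoft's code, that inspects such a file before you upload it: it confirms the file is identity-provider metadata, lists the SSO URL and the SHA-256 fingerprint of each signing certificate, and, for a rotation, confirms the new file actually introduces a certificate the currently configured one lacks. The sample metadata is constructed: the tenant ID is a dummy value and the X509Certificate blobs are base64 placeholder text, not real DER certificates.

```python
"""Inspect an Entra ID Federation Metadata XML file before uploading it to the
Lacework SAML integration, and check that a rotation really changes the cert.

Added illustrative example, not Lacework's or Microsoft's code. The sample
metadata is constructed: dummy tenant ID, placeholder certificate blobs.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}
TENANT = "00000000-0000-0000-0000-000000000000"  # dummy tenant ID


def _placeholder_cert(n: int) -> str:
    # Constructed stand-in for the base64 DER certificate Entra ID publishes.
    return base64.b64encode(f"placeholder, not a certificate: {n}".encode()).decode()


def _metadata(cert_blobs: list[str]) -> str:
    """Build constructed IdP metadata in the shape of the Entra ID federation file."""
    keys = "".join(
        f'<KeyDescriptor use="signing"><KeyInfo xmlns="{DS}"><X509Data>'
        f"<X509Certificate>{b}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>"
        for b in cert_blobs
    )
    return (
        f'<EntityDescriptor xmlns="{MD}" entityID="https://sts.windows.net/{TENANT}/">'
        '<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        f"{keys}"
        '<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" '
        f'Location="https://login.microsoftonline.com/{TENANT}/saml2"/>'
        "</IDPSSODescriptor></EntityDescriptor>"
    )


METADATA_CURRENT = _metadata([_placeholder_cert(1)])   # what Lacework has today
METADATA_ROTATED = _metadata([_placeholder_cert(2)])   # freshly downloaded file


def summarize(metadata_xml: str) -> dict:
    """Entity ID, SSO URLs and SHA-256 fingerprints of every signing certificate."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity-provider metadata")
    fingerprints = []
    for kd in idp.iterfind("md:KeyDescriptor", NS):
        # Per SAML metadata, a KeyDescriptor without 'use' serves signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            fingerprints.append(hashlib.sha256(der).hexdigest())
    return {
        "entity_id": root.get("entityID"),
        "sso_urls": [s.get("Location") for s in idp.iterfind("md:SingleSignOnService", NS)],
        "signing_cert_sha256": fingerprints,
    }


def check_rotation(current_xml: str, new_xml: str) -> dict:
    """Compare the configured metadata with the file about to be uploaded."""
    cur, new = summarize(current_xml), summarize(new_xml)
    problems = []
    if not new["signing_cert_sha256"]:
        problems.append("new metadata carries no signing certificate")
    if cur["entity_id"] != new["entity_id"]:
        problems.append("entityID differs: metadata from a different tenant or application?")
    added = sorted(set(new["signing_cert_sha256"]) - set(cur["signing_cert_sha256"]))
    removed = sorted(set(cur["signing_cert_sha256"]) - set(new["signing_cert_sha256"]))
    if not added:
        problems.append("no new signing certificate: the upload would not rotate anything")
    return {"added": added, "removed": removed, "problems": problems}


if __name__ == "__main__":
    print(summarize(METADATA_CURRENT))
    print(check_rotation(METADATA_CURRENT, METADATA_ROTATED))
```

To use it on real files, read the currently configured metadata and the newly downloaded one into strings and pass them to check_rotation; an empty problems list plus one added fingerprint is what you want to see before clicking Save, and a fingerprint you can compare against the certificate thumbprint shown in the Entra ID SAML signing certificate panel.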