
Okta SAML JIT

This topic describes how to add JIT (Just-In-Time) user provisioning capabilities to Okta SAML authentication for Lacework.

The steps in the following sections assume you have already added Lacework as a service provider with Okta SAML.

note

Some procedures contain additional configuration steps for Lacework organizations.

Lacework Attributes You Can Configure

In the Attribute Statements (optional) section, add attribute statements with the following names and values (all name formats can remain unspecified).

Attribute | Data Type | Description | Usage
First Name | string | Specify your first name. | user.firstName
Last Name | string | Specify your last name. | user.lastName
Company Name | string | Specify your company's name. | appuser.company
Lacework Admin Role Accounts | string | Add admin privileges to existing accounts that you specify. You can specify a single account name (foo), multiple comma-separated account names (foo,bar,baz), or a wildcard (*). | appuser.laceworkAdminRoleAccounts
Lacework User Role Accounts | string | Add user privileges to existing accounts that you specify. You can specify a single account name, multiple comma-separated account names, or a wildcard (*). For example, if your organization contains the accounts foo1, foo2, bar1, bar2, and baz and you set this attribute to b*, the person gets user privileges in bar1, bar2, and baz but no privileges in foo1 and foo2. | appuser.laceworkUserRoleAccounts
Lacework Power User Role Accounts | string | Add power user privileges to existing accounts that you specify. Power Users have similar access to Administrators but without access to Settings and Utilities. You can specify a single account name, multiple comma-separated account names, or a wildcard (*). For example, if your organization contains the accounts foo1, foo2, bar1, bar2, and baz and you set this attribute to b*, the person gets Power User privileges in bar1, bar2, and baz but no privileges in foo1 and foo2. | appuser.laceworkPowerUserRoleAccounts
Custom User Groups | string | Specify a string of comma-separated custom user group GUIDs (globally unique identifiers). You can use GUIDs to identify hardware, software, accounts, documents and other items. | appuser.customUserGroups
Lacework Organization Admin Role | string | Provide admin privileges to organization-level settings and admin privileges to all accounts within the organization. Select true to make the person an organization admin. Select false or undefined if the person should not have admin privileges to organization-level settings or admin privileges to all accounts within the organization. If the person is not an organization admin, you can still specify account-level admin and user privileges with the Lacework Admin Role Accounts and Lacework User Role Accounts attributes. You can also specify user privileges to organization-level settings with the Lacework Organization User Role attribute. | appuser.laceworkOrgAdminRole
Lacework Organization User Role | string | Provide user (view-only) privileges to organization-level settings and user privileges to all accounts in the organization. Select true to make the person an organization user. If the person is an organization user, you can still give account-level admin privileges with the Lacework Admin Role Accounts attribute; the system ignores any settings in the Lacework User Role Accounts attribute. Select false or undefined if the person should not have any privileges to organization-level settings or user privileges to all accounts in the organization. If the person is not an organization user, you can still specify account-level admin and user privileges with the Lacework Admin Role Accounts and Lacework User Role Accounts attributes. | appuser.laceworkOrgUserRole
note

The values are examples. You can use values that adhere to your own standards or formats instead.
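To make the wildcard and organization-role rules above concrete, here is an added Python example (not Lacework's or Okta's code) that reads the documented attribute names from a constructed SAML AttributeStatement, checks that the required attributes are present, and computes the per-account privileges a JIT login would carry for a given list of existing accounts. The precedence when an account matches more than one role attribute (admin over power user over user) is an assumption, since the page does not state it.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("First Name", "Last Name", "Company Name")  # per the requirements table

# Constructed sample AttributeStatement (not a real or signed assertion).
SAMPLE_XML = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="First Name"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="Last Name"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="Company Name"><saml:AttributeValue>Example Co</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="Lacework Admin Role Accounts"><saml:AttributeValue>foo1</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="Lacework User Role Accounts"><saml:AttributeValue>b*</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="Lacework Organization User Role"><saml:AttributeValue>false</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>"""

def parse_attributes(xml_text):
    # Return {attribute Name: first AttributeValue text} from an AttributeStatement.
    attrs = {}
    for attr in ET.fromstring(xml_text).findall("saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    return attrs

def missing_required(attrs):
    return [name for name in REQUIRED if not attrs.get(name)]  # absent or empty

def match_accounts(spec, accounts):
    """Expand a comma-separated list of account names; only '*' is a wildcard."""
    patterns = [p.strip() for p in spec.split(",") if p.strip()]
    regexes = [".*".join(re.escape(part) for part in p.split("*")) for p in patterns]
    return {a for a in accounts if any(re.fullmatch(r, a) for r in regexes)}

def resolve_privileges(attrs, org_accounts):
    """Map each existing account to 'admin', 'power_user' or 'user' (absent = none)."""
    is_true = lambda name: attrs.get(name, "").lower() == "true"
    if is_true("Lacework Organization Admin Role"):
        return {a: "admin" for a in org_accounts}  # admin on every account in the org
    admins = match_accounts(attrs.get("Lacework Admin Role Accounts", ""), org_accounts)
    power = match_accounts(attrs.get("Lacework Power User Role Accounts", ""), org_accounts)
    if is_true("Lacework Organization User Role"):
        users = set(org_accounts)  # user everywhere; User Role Accounts is ignored
    else:
        users = match_accounts(attrs.get("Lacework User Role Accounts", ""), org_accounts)
    ranked = (("admin", admins), ("power_user", power), ("user", users))
    result = {}
    for level, members in reversed(ranked):  # assumption: higher level overwrites lower
        for account in members:
            result[account] = level
    return result
```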

Attribute Configuration Requirements

The following table lists which attributes are required:

Attribute Configuration | Name | Source Attribute
Required | First Name | user.firstName
Required | Last Name | user.lastName
Required | Company Name | appuser.company

Configure the Lacework Application in Okta

Follow these steps to add attribute statements to the Lacework application.

  1. Sign in to Okta with administrative privileges.

  2. Click Admin.

  3. Go to Applications > Applications and click the Lacework application.

  4. Click the General tab and then Edit the SAML Settings section.

  5. Click Next. You don't need to change General Settings.

  6. In the Attribute Statements (Optional) section, add attribute statements with the following names and values (all name formats can remain unspecified).

    Name | Source attribute
    First Name | user.firstName
    Last Name | user.lastName
    Company Name | appuser.company
    Lacework Admin Role Accounts | appuser.laceworkAdminRoleAccounts
    Lacework User Role Accounts | appuser.laceworkUserRoleAccounts
    Lacework Power User Role Accounts | appuser.laceworkPowerUserRoleAccounts
    Custom User Groups | appuser.customUserGroups
note

For information on Lacework attributes, see Lacework Attributes You Can Configure.

  7. If your Lacework account is enrolled in a Lacework organization, add attribute statements with the following names and similar values:

    Name | Source attribute
    Lacework Organization Admin Role | appuser.laceworkOrgAdminRole
    Lacework Organization User Role | appuser.laceworkOrgUserRole

  8. Click Next.

  9. Click Finish.

Add Custom Lacework Attributes to a Profile

This section details how to add custom Lacework attributes to the Okta profile and the Lacework application profile. Perform one of the following:

Add Attributes to the Okta Profile

Follow these steps to add custom Lacework attributes to the Okta profile.

For information on Lacework attributes, see Lacework Attributes You Can Configure.

  1. Go to Directory > Profile Editor.

  2. For Okta, click Profile.

  3. Click Add Attribute.

  4. Add the following attributes:

    Display Name | Variable Name | Data Type
    Company | company | string
    Lacework Admin Role Accounts | laceworkAdminRoleAccounts | string
    Lacework User Role Accounts | laceworkUserRoleAccounts | string
  5. If your Lacework account is enrolled in a Lacework organization, also add the following attributes:

    Display Name | Variable Name | Data Type
    Lacework Organization Admin Role | laceworkOrgAdminRole | boolean
    Lacework Organization User Role | laceworkOrgUserRole | boolean
  6. In Filters, click Custom, and confirm that you added all attributes correctly.

The variable names must match the attribute statement values defined in the Lacework application. For example, if the attribute variable is laceworkAdminRoleAccounts, the corresponding attribute statement value must be user.laceworkAdminRoleAccounts.

Add Attributes to the Lacework Application Profile

Follow these steps to add custom Lacework attributes to the Lacework application profile.

For information on Lacework attributes, see Lacework Attributes You Can Configure.

  1. Go to Directory > Profile Editor.
  2. For Lacework, click Profile.
  3. Click Add Attribute.
  4. Add the following attributes:

    Display Name | Variable Name | Data Type
    Company | company | string
    Lacework Admin Role Accounts | laceworkAdminRoleAccounts | string
    Lacework User Role Accounts | laceworkUserRoleAccounts | string

  5. If your Lacework account is enrolled in a Lacework organization, add the following attributes:

    Display Name | Variable Name | Data Type
    Lacework Organization Admin Role | laceworkOrgAdminRole | boolean
    Lacework Organization User Role | laceworkOrgUserRole | boolean

  6. In Filters, click Custom, and confirm you added all attributes correctly.

    The variable names must match the attribute statement values defined in the Lacework application. For example, if the attribute variable is laceworkAdminRoleAccounts, the corresponding attribute statement value must be appuser.laceworkAdminRoleAccounts.

Add a Person in Okta

Follow these steps to add a person in Okta with defined Lacework attributes.

  1. Go to Directory > People.
  2. Click Add Person, complete the fields, and click Save.
  3. Click the new person and click the Profile tab.
  4. Click Edit.
  5. Ensure that First Name, Last Name, and Company Name are completed.

Finish SAML JIT Configuration

  1. After specifying all attributes for a person, click Save.
  2. Ensure that the Lacework application is assigned to the person.
  3. Ensure that you enable SAML in the Lacework Console and select the Just-in-Time User Provisioning option.

The team member can now log in to Lacework through SAML.

When the member logs in, a profile (with the specified privileges) is added in only the accounts that are specified.

If the member has organization-level privileges, a profile (with the specified privileges) is added in each account that is part of the organization. Accounts are not created.