Okta SAML JIT
This topic describes how to add JIT (Just-In-Time) user provisioning capabilities to Okta SAML authentication for Lacework.
The steps in the following sections assume you have already added Lacework as a service provider with Okta SAML.
Some procedures contain additional configuration steps for Lacework organizations.
Lacework Attributes You Can Configure
In the Attribute Statements (optional) section, add attribute statements with the following names and values (all name formats can remain unspecified).
Expand to view attribute statements
| Attribute | Data Type | Description | Usage |
|---|---|---|---|
| First Name | string | Specify your first name. | user.firstName |
| Last Name | string | Specify your last name. | user.lastName |
| Company Name | string | Specify your company's name. | appuser.company |
| Lacework Admin Role Accounts | string | Add admin privileges to existing accounts that you specify. You can specify a single account name foo. or multiple comma-separated account names foo,bar,baz. You can also specify a wildcard *. | appuser.laceworkAdminRoleAccounts |
| Lacework User Role Accounts | string | Add user privileges to existing accounts that you specify. You can specify a single account name or multiple comma-separated account names. You can also specify a wildcard *. For example, your organization contains these accounts: foo1, foo2, bar1, bar2, baz. You specify this attribute as b*. This adds user privileges to bar1, bar2, and baz. But the person does not have any privileges for foo1 and foo2. | appuser.laceworkUserRoleAccounts |
| Lacework Power User Role Accounts | string | Add power user privileges to existing accounts that you specify. Power Users have similar access to Administrators but without access to Settings and Utilities. You can specify a single account name or multiple comma-separated account names. You can also specify a wildcard *. For example, your organization contains these accounts: foo1, foo2, bar1, bar2, baz. You specify this attribute as b*. This adds Power User privileges to bar1, bar2, and baz. But the person does not have any privileges for foo1 and foo2. | appuser.laceworkPowerUserRoleAccounts |
| Custom User Groups | string | Specify a string of comma-separated custom user group GUIDs (globally unique identifiers). You can use GUIDs to identify hardware, software, accounts, documents and other items. | appuser.customUserGroups |
| Lacework Organization Admin Role | string | Provide admin privileges to organization-level settings and admin privileges to all accounts within the organization. Select true to make the person an organization admin. Select false or undefined if the person should not have admin privileges to organization-level settings or admin privileges to all accounts within the organization. If the person is not an organization admin, you can still specify account-level admin and user privileges with the Lacework Admin Role Accounts and Lacework User Role Accounts attributes. You can also specify user privileges to organization-level settings with the Lacework Organization User Role attribute. | appuser.laceworkOrgAdminRole |
| Lacework Organization User Role | string | Provide user (view-only) privileges to organization-level settings and user privileges to all accounts in the organization. Select true to make the person an organization user. If the person is an organization user, you can still give account-level admin privileges with the Lacework Admin Role Accounts attribute. The system ignores any settings in the Lacework User Role Accounts attribute. Select false or undefined if the person should not have any privileges to organization-level settings or user privileges to all accounts in the organization. If the person is not an organization user, you can still specify account-level admin and user privileges with the Lacework Admin Role Accounts and Lacework User Role Accounts attributes. | appuser.laceworkOrgUserRole |
The values are examples. You can use values that adhere to your own standards or formats instead.
Attribute Configuration Requirements
The following table lists which attributes are required:
| Attribute Configuration | Name | Source Attribute |
|---|---|---|
| Required | First Name | user.firstName |
| Required | Last Name | user.lastName |
| Required | Company Name | appuser.company |
Configure the Lacework Application in Okta
Follow these steps to add attribute statements to the Lacework application.
Sign in to Okta with administrative privileges.
Click Admin.
Go to Applications > Applications and click the Lacework application.
Click the General tab and then Edit the SAML Settings section.
Click Next. You don't need to change General Settings.
In the Attribute Statements (Optional) section, add attribute statements with the following names and values (all name formats can remain unspecified).
Expand to view attribute statements
Name Source attribute First Name user.firstName Last Name user.lastName Company Name appuser.company Lacework Admin Role Accounts appuser.laceworkAdminRoleAccounts Lacework User Role Accounts appuser.laceworkUserRoleAccounts Lacework Power User Role Accounts appuser.laceworkPowerUserRoleAccounts Custom User Groups appuser.customUserGroups
For information on Lacework attributes, see Lacework Attributes You Can Configure.
If your Lacework account is enrolled in a Lacework organization, add attribute statements with the following names and similar values:
Name Source attribute Lacework Organization Admin Role appuser.laceworkOrgAdminRole Lacework Organization User Role appuser.laceworkOrgUserRole Click Next.
Click Finish.
Add Custom Lacework Attributes to a Profile
This section details how to add custom Lacework attributes to the Okta profile and the Lacework application profile. Perform one of the following:
- Add attributes to the Okta profile
- Add attributes to the Lacework application profile if you have a specific profile attached to each application.
Add Attributes to the Okta Profile
Follow these steps to add custom Lacework attributes to the Okta profile.
For information on Lacework attributes, see Lacework Attributes you can Configure.
Go to Directory > Profile Editor.
For Okta, click Profile.
Click Add Attribute.
Add the following attributes:
Display Name Variable Name Data Type Company company string Lacework Admin Role Accounts laceworkAdminRoleAccounts string Lacework User Role Accounts laceworkUserRoleAccounts string If your Lacework account is enrolled in a Lacework organization, also add the following attributes:
Display Name Variable Name Data Type Lacework Organization Admin Role laceworkOrgAdminRole boolean Lacework Organization User Role laceworkOrgUserRole boolean In Filters, click Custom, and confirm that you added all attributes correctly.
The variable names must match the attribute statement values defined in the Lacework application. For example, if the attribute variable is laceworkAdminRoleAccounts, the corresponding attribute statement value must be user.laceworkAdminRoleAccounts.
Add Attributes to the Lacework Application Profile
Follow these steps to add custom Lacework attributes to the Lacework application profile.
For information on Lacework attributes, see Lacework Attributes you can Configure.
- Go to Directory > Profile Editor.
- For Lacework, click Profile.
- Click Add Attribute.
- Add the following attributes:
Display Name Variable Name Data Type Company company string Lacework Admin Role Accounts laceworkAdminRoleAccounts string Lacework User Role Accounts laceworkUserRoleAccounts string - If your Lacework account is enrolled in a Lacework organization, add the following attributes:
Display Name Variable Name Data Type Lacework Organization Admin Role laceworkOrgAdminRole boolean Lacework Organization User Role laceworkOrgUserRole boolean - In Filters, click Custom, and confirm you added all attributes correctly.
The variable names must match the attribute statement values defined in the Lacework application. For example, if the attribute variable islaceworkAdminRole, the corresponding attribute statement value must beappuser.laceworkAdminRoleAccounts.
Add a Person in Okta
Follow these steps to add a person in Okta with defined Lacework attributes.
- Go to Directory > People.
- Click Add Person, complete the fields, and click Save.
- Click the new person and click the Profile tab.
- Click Edit.
- Ensure that First Name, Last Name, and Company Name are completed.
Finish SAML JIT Configuration
- After specifying all attributes for a person, click Save.
- Ensure that the Lacework application is assigned to the person.
- Ensure that you enable SAML in the Lacework Console and select the Just-in-Time User Provisioning option.
The team member can now log in to Lacework through SAML.
When the member logs in, a profile (with the specified privileges) is added in only the accounts that are specified.
If the member has organization-level privileges, a profile (with the specified privileges) is added in each account that is part of the organization. Accounts are not created.