
OneLogin SAML JIT

This topic describes how to add JIT (Just-In-Time) user provisioning capabilities to OneLogin authentication for Lacework.

The steps in the following sections assume you have already added Lacework as a service provider with OneLogin SAML.

Note: Some procedures contain additional configuration steps for Lacework organizations.

Set Attributes in the Lacework Application

Follow these steps to set attributes for the Lacework application:

  1. Sign in to OneLogin with super user privileges.
  2. From the Administration home page, go to Applications > Applications.
  3. Click the Lacework application.
  4. Click Parameters.
    The displayed Lacework fields were added automatically.
  5. Set the default values for the following fields:
    • Company Name - Company
    • Title - Title

First Name, Last Name, and NameID already have default values. You do not need to set default values for the other fields right now.

Set Up Access to the Lacework Application

Multiple methods are available to set up access to the Lacework application in OneLogin. The following describes the common methods.

Add Custom User Fields and Manually Set Values

These steps describe how to add custom user fields and then manually set their values so that users can access the Lacework application.

Add Custom User Fields

Do the following:

  1. Sign in to OneLogin with super user privileges.

  2. From the Administration home page, go to Users > Custom User Fields.

  3. Click New User Field.

  4. Add the following fields with the indicated names and short names. Note that you can optionally use names of your own as long as they are identifiable/meaningful to you.

    Name                             Short name
    laceworkAdminRoleAccounts        laceworkAdminRoleAccounts
    laceworkUserRoleAccounts         laceworkUserRoleAccounts
    laceworkPowerUserRoleAccounts    laceworkPowerUserRoleAccounts
    laceworkCustomUserGroups         laceworkCustomUserGroups
  5. If your Lacework account is enrolled in a Lacework organization, also add the following fields:

    Name                    Short name
    laceworkOrgAdminRole    laceworkOrgAdminRole
    laceworkOrgUserRole     laceworkOrgUserRole

Attribute Configuration Requirements

The following table lists which attributes are required:

Attribute Configuration    Name
Required                   First Name
Required                   Last Name
Required                   Company Name

Manually Set Values for Custom Fields

Do the following:

  1. From the Administration home page, go to Users > Users.

  2. Select the user you want to assign Lacework access.

  3. Fill in the custom fields (using the previous example names). The attribute sections later in this topic, starting with Lacework Admin Role Accounts Attribute, describe how to complete each field.

  4. If your Lacework account is enrolled in a Lacework organization, also complete the organization fields (laceworkOrgAdminRole and laceworkOrgUserRole), described in the Lacework Organization Admin Role Attribute and Lacework Organization User Role Attribute sections.

  5. Click Save User.

Add Application Rules

Follow these steps to add roles and application rules to map to the roles so users can access the Lacework application.

Add Roles

Do the following:

  1. Sign in to OneLogin with super user privileges.

  2. From the Administration home page, go to Users > Roles.

  3. Click New Role.

  4. Fill in the role name, select the Lacework app, and click Save. For example, you could add the following roles:

    • accountnameAdminRole - This provides admin access to a Lacework account.
    • accountnameUserRole - This provides user access to a Lacework account.
    • accountnamePowerUserRole - This provides power user access to a Lacework account.
    • accountnameCustomUserGroups - This provides access to a Lacework account through custom user groups.
  5. If your Lacework account is enrolled in a Lacework organization, you could also add the following roles:

    • OrgAdminRole - This provides admin access to organization-level settings.
    • OrgUserRole - This provides user access to organization-level settings.

Create Application Rules

Do the following:

  1. From the Administration home page, go to Applications > Applications.
  2. Click the Lacework app and click Rules.
  3. Click Add Rule.
  4. Add the following rules (using the previous example names). If your Lacework account is enrolled in a Lacework organization, skip this step and add the rules in the next step instead.

    Rule: Reset all Lacework attribute values
      Conditions: none
      Actions:
        • Set Lacework Admin Role Accounts, -Macro-, leave field empty
        • Set Lacework User Role Accounts, -Macro-, leave field empty
        • Set Lacework Power User Role Accounts, -Macro-, leave field empty
        • Set Lacework Custom User Groups, -Macro-, leave field empty
    Rule: Lacework Admin Role Accounts Rule
      Conditions: Roles include accountnameAdminRole
      Actions: Set Lacework Admin Role Accounts, -Macro-, _accountname_
    Rule: Lacework User Role Accounts Rule
      Conditions: Roles include accountnameUserRole
      Actions: Set Lacework User Role Accounts, -Macro-, _accountname_
    Rule: Lacework Power User Role Accounts Rule
      Conditions: Roles include accountnamePowerUserRole
      Actions: Set Lacework Power User Role Accounts, -Macro-, _accountname_
    Rule: Lacework Custom User Groups Rule
      Conditions: Roles include accountnameCustomUserGroups
      Actions: Set Lacework Custom User Groups, -Macro-, _accountname_

  5. If your Lacework account is enrolled in a Lacework organization, add the following rules (using the previous example names):

    Rule: Reset all Lacework attribute values
      Conditions: none
      Actions:
        • Set Lacework Admin Role Accounts, -Macro-, leave field empty
        • Set Lacework User Role Accounts, -Macro-, leave field empty
        • Set Lacework Power User Role Accounts, -Macro-, leave field empty
        • Set Lacework Custom User Groups, -Macro-, leave field empty
    Rule: Lacework Admin Role Accounts Rule
      Conditions: Roles include accountnameAdminRole
      Actions: Set Lacework Admin Role Accounts, -Macro-, _accountname_
    Rule: Lacework User Role Accounts Rule
      Conditions: Roles include accountnameUserRole
      Actions: Set Lacework User Role Accounts, -Macro-, _accountname_
    Rule: Lacework Power User Role Accounts Rule
      Conditions: Roles include accountnamePowerUserRole
      Actions: Set Lacework Power User Role Accounts, -Macro-, _accountname_
    Rule: Lacework Custom User Groups Rule
      Conditions: Roles include accountnameCustomUserGroups
      Actions: Set Lacework Custom User Groups, -Macro-, _accountname_
    Rule: Lacework Organization Admin Role Accounts Rule
      Conditions: Roles include OrgAdminRole
      Actions: Set Lacework Organization Admin Role Accounts, -Macro-, _accountname_
    Rule: Lacework Organization User Role Accounts Rule
      Conditions: Roles include OrgUserRole
      Actions: Set Lacework Organization User Role Accounts, -Macro-, _accountname_

  6. Ensure the reset rule is the first rule in the list. Move it to the first position if it is not already. This reset rule clears user privileges for the Lacework app before the role rules run, so a user who has been removed from a role does not keep the old attribute value.

Assign Roles to Users

Do the following:

  1. From the Administration home page, go to Users > Roles.
  2. Click the role you want to assign to a user.
  3. Click Users.
  4. In Check existing or add new users to this role, add a user’s name, select the user, and click Check.
  5. Click Add To Role and then click Save.

Lacework Admin Role Accounts Attribute

This section describes how to define the Lacework Admin Role Accounts attribute.

Lacework Admin Role Accounts adds admin privileges to the existing accounts that you specify. You can specify a single account name:

    foo

or multiple comma-separated account names:

    foo,bar,baz

You can also specify a wildcard:

    *

For example, your organization contains these accounts: foo1, foo2, bar1, bar2, baz. You specify this attribute as:

    *2,baz

This adds admin privileges to foo2, bar2, and baz. But the individual does not have any privileges for foo1 and bar1. To add user privileges for those, you could specify the following value for the Lacework User Role Accounts attribute.

    *1

If you specify an account for admin privileges, you do not need to specify it for user privileges in the Lacework User Role Accounts attribute. Any accounts that are also in Lacework User Role Accounts will be ignored and admin privileges will still be granted to them.

Lacework User Role Accounts Attribute

This section describes how to define the Lacework User Role Accounts attribute.

Lacework User Role Accounts adds user privileges to the existing accounts that you specify. You can specify a single account name or multiple comma-separated account names. You can also specify a wildcard:

    *

For example, your organization contains these accounts: foo1, foo2, bar1, bar2, baz.

You specify this attribute as:

    b*

This adds user privileges to bar1, bar2, and baz. But the individual does not have any privileges for foo1 and foo2.

To add user privileges for foo1 as well, you could specify this attribute as:

    foo1,b*

Another example with the same accounts would be to specify the attribute as:

    *

And to specify Lacework Admin Role Accounts as:

    bar*

This gives user privileges for all accounts and admin privileges to only bar1 and bar2.

If you specify an account for admin privileges and user privileges, admin privileges will be granted.

Lacework Power User Role Accounts Attribute

This section describes how to define the Lacework Power User Role Accounts attribute.

Lacework Power User Role Accounts adds power user privileges to the existing accounts that you specify. Power Users have similar access to Administrators but without access to Settings and Utilities. You can specify a single account name or multiple comma-separated account names. You can also specify a wildcard:

    *

For example, your organization contains these accounts: foo1, foo2, bar1, bar2, baz.

You specify this attribute as:

    b*

This adds power user privileges to bar1, bar2, and baz. But the individual does not have any privileges for foo1 and foo2.

To add power user privileges for foo1 as well, you could specify this attribute as:

    foo1,b*

Another example with the same accounts would be to specify the attribute as:

    *

And to specify Lacework Admin Role Accounts as:

    bar*

This gives power user privileges for all accounts and admin privileges to only bar1 and bar2.

If you specify an account for admin privileges and power user privileges, admin privileges will be granted.

Lacework Custom User Groups

Custom user groups allow you to fully customize a set of permissions that meet the specific requirements of your organization. Specify a string of comma-separated custom user group GUIDs (globally unique identifiers).

Lacework Organization Admin Role Attribute

Lacework Organization Admin Role provides admin privileges to organization-level settings and admin privileges to all accounts within the organization.

Add true to make the individual an organization admin. If the individual is an organization admin, you do not need to set any other Lacework attributes; any settings in those attributes will be ignored.

Add false or leave undefined if the individual should not have admin privileges to organization-level settings or admin privileges to all accounts within the organization. If the individual is not an organization admin, you can still specify account-level admin and user privileges with the Lacework Admin Role Accounts and Lacework User Role Accounts attributes. You can also specify user privileges to organization-level settings with the Lacework Organization User Role attribute.

Lacework Organization User Role Attribute

Lacework Organization User Role provides user (view-only) privileges to organization-level settings and user privileges to all accounts within the organization.

Add true to make the individual an organization user. If the individual is an organization user, you can still give account-level admin privileges with the Lacework Admin Role Accounts attribute. Any settings in the Lacework User Role Accounts attribute will be ignored.

Add false or leave undefined if the individual should not have any privileges to organization-level settings or user privileges to all accounts within the organization. If the individual is not an organization user, you can still specify account-level admin and user privileges with the Lacework Admin Role Accounts and Lacework User Role Accounts attributes.
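As an added illustration of how the attributes in the preceding sections combine (example code, not Lacework's or OneLogin's own), the function below resolves the effective role per account from the custom field values. It assumes that the * wildcard matches like a shell glob (fnmatch), that a power user entry outranks a plain user entry for the same account, and that the organization user grant does not consult the power user attribute; the page states none of these explicitly.

```python
from fnmatch import fnmatchcase


def parse_patterns(value):
    """Split a comma-separated attribute value into patterns ('' or None -> [])."""
    if not value:
        return []
    return [p.strip() for p in value.split(",") if p.strip()]


def matches(patterns, account):
    """Wildcard match; assumes Lacework expands '*' like a shell glob."""
    return any(fnmatchcase(account, p) for p in patterns)


def is_true(value):
    """Organization role fields hold 'true', 'false', or are left undefined."""
    return str(value or "").strip().lower() == "true"


def resolve_roles(accounts, attrs):
    """Return {account: role} for every account the user would get a profile in.

    attrs is keyed by the custom field short names used on this page. Accounts
    that match no attribute are left out: JIT adds no profile there.
    """
    if is_true(attrs.get("laceworkOrgAdminRole")):
        # Organization admin: admin in every account, all other attributes ignored.
        return {a: "admin" for a in accounts}
    org_user = is_true(attrs.get("laceworkOrgUserRole"))
    admin = parse_patterns(attrs.get("laceworkAdminRoleAccounts"))
    power = parse_patterns(attrs.get("laceworkPowerUserRoleAccounts"))
    user = parse_patterns(attrs.get("laceworkUserRoleAccounts"))
    roles = {}
    for a in accounts:
        if matches(admin, a):
            roles[a] = "admin"          # admin wins over user and power user
        elif org_user:
            # Organization user: user in every account; User Role Accounts ignored.
            roles[a] = "user"
        elif matches(power, a):
            roles[a] = "power_user"     # assumption: power user outranks user
        elif matches(user, a):
            roles[a] = "user"
    return roles
```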

Finish SAML JIT Configuration

Do the following:

  1. Verify all attributes are set for a user.
  2. Verify that the Lacework application is turned on.
  3. Verify that you enable SAML in the Lacework Console and select the Just-in-Time User Provisioning option.

The user can now log in to Lacework through SAML.

When the user logs in, a profile (with the specified privileges) is added in only the accounts that are specified.

If the user has organization-level privileges, a profile (with the specified privileges) is added in each account that is part of the organization; accounts themselves are not created.