Skip to main content


This topic describes how to configure SAML SSO with AWS to enable employee access to your Lacework Console.


To use Identity Center enabled applications, first enable IAM Identity Center to allow them access. For more information, see Identity Center enabled applications.

Create the Lacework application in the IAM Identity Center

Complete the following steps:

  1. Log in to the IAM Identity Center console with a role that can create IAM Identity Center resources.
  2. Click Applications > Add application.
  3. Under Applications, search for an application, and select the application from the list. Click Next.
  4. Under Configure application, the Display name and Description pre-populates with the application you chose. You can edit these.
  5. Under IAM Identity Center metadata, download a copy of the IdP metadata, which is required to complete the setup in the Lacework Console.
  6. Under Application properties, enter https://<tenant-name> as the application start URL.
  7. Under Application metadata, enter the following values:
    • Application ACS URL: https://<tenant-name>
    • Application SAML Audience:
  8. Click Submit.
  9. Go to the Attribute mappings tab and update the attribute mappings with your user email. The only user attribute required is the user email (first row). The additional attributes are not required unless JIT user provisioning is enabled.

Enable SAML in the Lacework Console

  1. In a separate browser tab or window, sign in to the Lacework Console.
  2. On the Lacework SAML configuration page (see SAML Configuration), upload the IdP metadata returned from step 5.