Microsoft Entra ID SAML SSO
This topic describes how to configure SAML SSO with Microsoft Entra ID (formerly Azure Active Directory (AD)) so that your team members can sign in to the Lacework Console with their Entra ID credentials.
- This configuration requires a Microsoft Entra ID Premium account.
- This process requires you to create an enterprise application in Azure.
Before you create the Lacework enterprise application in Entra ID, sign in to the Lacework Console and navigate to Settings > Authentication > SAML. If OAuth is enabled, disable it before you enable SAML. Keep this window open.
Create the Lacework Application in Microsoft Entra ID
From a separate browser window, sign in to Microsoft Entra ID. To create a Lacework application, follow these steps:
- Navigate to Microsoft Entra ID > Enterprise applications.
- Select New application.
- Select Create your own application.
The Create your own application pane opens.
- Enter a name for your new app.
- Select Integrate any other application you don’t find in the gallery.
- Select Create.
When the application's Overview page displays, the application is created.
- Select Users and groups.
- Select +Add user/group, search for the user or group you want, select it, select Select, and then select Assign.
Repeat as necessary to add users and groups. When the application's Assignment required property is Yes, only the users and groups assigned here can sign in through it, so keep that setting and assign only the people who should have Lacework access.
- Select Single sign-on.
- Select the SAML tile.
The Set up Single Sign-On with SAML page opens.
- In section 1 (Basic SAML Configuration), select Edit and provide the two values listed below. Copy both values from the Lacework Console authentication settings rather than typing them, so that the Entity ID and Reply URL match what Lacework expects exactly.
- Identifier (Entity ID): https://lacework.net (copy from Service Provider Entity ID).
- Reply URL (Assertion Consumer Service URL): https://YourLacework.lacework.net/sso/saml/login (copy from Assertion Consumer Service URL; YourLacework stands for your own Lacework account name).
- In section 2 (Attributes & Claims), verify that the correct Unique User Identifier (Name ID) claim is specified. The default is preconfigured as user.userprincipalname. Depending on your organization, you can instead use the email address as the Unique User Identifier by specifying user.mail. Lacework matches the signing-in user on this value, so the chosen attribute must be populated for every user who needs access; note that user.mail is empty for Entra ID users who have no mailbox, and those users cannot sign in until it is set.
- In section 3 (SAML Certificates), download and save the Federation Metadata XML file.
Complete Authentication Setup in the Lacework Console
Return to the open Lacework Console SAML configuration page and follow these steps:
- Select Upload identity provider data and click Next.
- Enter a descriptive name for Identity Provider.
- In Upload Identity Provider Meta Data File select Choose File and select the previously saved Entra ID metadata file.
The fields are populated and a confirmation that the metadata included a certificate displays.
- Upload Your Certificate File is required to authenticate and save your settings. Download the certificate from the SAML Certificates section (section 3) of the Lacework application's Single sign-on page in Microsoft Entra ID. This is the certificate whose private key Entra ID uses to sign SAML responses; Lacework uses it to verify that assertions really come from your tenant, so upload only a certificate taken from your own Entra ID application.
- Click Save.
To enable JIT user provisioning, see Configure SAML JIT.
Test the Application
To test the application, return to Microsoft Entra ID and do the following:
- Navigate to the Lacework application and click Single sign-on.
- Go to section 5 and select Test.
You can also test the application by logging in to the Lacework Console as the user associated with the application during setup.
Microsoft Entra ID does not allow two enterprise applications in the same tenant to use the same Identifier (Entity ID), so it cannot host two instances of the same SSO destination as-is. If you have multiple Lacework organizations and need Lacework SSO for more than one of them, give each application a unique Entity ID, for example http://lacework.net/#1 and http://lacework.net/#2.