Skip to main content

SAML SSO with Red Hat Keycloak

This topic describes to configure SAML SSO with Red Hat Keycloak and allow employee access to your Lacework Console.


This configuration requires an admin rights for your realm, and admin rights in your Lacework account or organization.

Create the Lacework Client in Keycloak

In your Keycloak account, complete the following steps:

  1. Sign in to Keycloak with administrative privileges.

  2. Go to the Keycloak administration console and select your realm.

  3. Go to Clients and click on create (top left).

  4. In the new Client wizard, add the following settings:

    • Client ID :
    • Client Protocol : saml
    • Click Save.
  5. Go to the newly created Client and apply the following settings:

    • Client Signature Required : OFF
    • Name ID Format : email
    • Root URL : Your Tenant Name in the form
    • Valid Redirect URIs : /*
    • Base URL : /ui/
    • Master SAML Processing URL : /sso/saml/login
  6. Go to your realm settings in General and download the Keycloak Identity Provider Metadata for SAML 2.0.

Enable SAML in the Lacework Console

Do the following:

  1. Sign in to the Lacework Console with an admin account.
  2. Navigate to Settings > Authentication > SAML.
  3. Select Upload identity provider data and click Next.
  4. Type a descriptive name for Identity Provider.
  5. In Upload Identity Provider Meta Data File, click Choose File and select the previously saved Keycloak metadata file.
    The fields should be populated and you should see confirmation that the metadata included a certificate.
  6. Click Save.