Enable SAML
This topic describes how to configure SAML-based single sign-on (SSO) authentication in the Lacework console and how to add Lacework as a service provider with your identity provider.
Do the following:
- In the Lacework console, navigate to Settings > Authentication
- Create or edit SAML authentication.
  Note: If you want to change authentication methods, first disable the currently selected method, and then delete it to allow for a new configuration.
- Select Upload identity provider data or Manually enter identity provider data.
  - To upload an identity provider metadata file, click Choose File.
  - To enter the identity provider data manually, complete the following fields:
    - Identity Provider
    - Identity Provider Issuer Entity ID
    - Identity provider SAML 2.0 URL
    - Upload Your Certificate File
      The X.509 certificate file must be in PEM format.
Just-in-Time User Provisioning
SAML authentication supports Just-in-Time (JIT) User Provisioning. Enable this option to create a team member on the fly the first time they try to log in, which eliminates the need to create team members in Lacework in advance. For example, if you recently added an employee to your company, you don't need to manually create the team member in Lacework.
To use SAML JIT user provisioning, add and define additional attributes in your SAML identity provider. For detailed information about configuring JIT, see the steps for your SAML identity provider.
For accounts within an organization, authentication mechanisms at the account level do not apply. You must set authentication at the organization level.
Add Lacework as a Service Provider
You must add Lacework as a service provider with your identity provider. Adding Lacework as a service provider requires the following values.
| Field | Value |
|---|---|
| Service Provider Entity ID | https://lacework.net |
| Assertion Consumer Service URL | https://youraccount.lacework.net/sso/saml/login or https://youraccount.yourregion.lacework.net/sso/saml/login |
| Binding | urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST |
| NameId Format | urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress |
Configure SAML SSO and JIT with other Identity Providers
Use the following links to add additional SAML SSO and JIT identity providers.
- Azure Active Directory SAML
- Azure Active Directory JIT
- Google Workspace SAML
- Google Workspace JIT
- Okta SAML
- Okta JIT
- OneLogin SAML
- OneLogin JIT
- Red Hat Keycloak
To enable Google OAuth using the Lacework Console, navigate to Settings > Authentication and select Google OAuth.