Skip to main content

Enable SAML

This topic describes how to configure SAML-based SSO (Single-Sign-On) authentication in the Lacework console, and add Lacework as a service provider.

Do the following:

  1. In the Lacework console, navigate to Settings > Authentication
  2. Create or edit SAML authentication.
    note

    If you want to change authentication methods, first disable the currently selected method, and then delete it to allow for a new configuration. Select Upload identity provider data or Manually enter identity provider data.

  3. To upload an identity provider meta data file, click Choose File.
  4. To enter the identity provider data manually, complete the following fields:
  • Identity Provider
  • Identity Provider Issuer Entity ID
  • Identity provider SAML 2.0 URL
  • Upload Your Certificate File
    The X.509 certificate file must be in PEM format.

Just-in-Time User Provisioning

SAML authentication supports Just-in-Time User Provisioning (JIT). Enable this option to allow for on-the-fly creation of a team member the first time they try to log in, and eliminates the need to create team members in Lacework in advance. For example, if you recently added an employee to your company, you don't need to manually create the team member in Lacework.

To use SAML JIT user provisioning, add and define additional attributes in your SAML identity provider. For detailed information about configuring JIT, see the steps for your SAML identity provider.

For accounts within an organization, authentication mechanisms at the account level do not apply. You must set authentication at the organization level.

Add Lacework as a Service Provider

You must add Lacework as a service provider with your identity provider. Adding Lacework as a service provider requires the following values.

FieldValue
Service Provider Entity IDhttps://lacework.net
Assertion Consumer Service URLhttps://youraccount.lacework.net/sso/saml/login or https://youraccount.yourregion.lacework.net/sso/saml/login
Bindingurn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
NameId Formaturn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

Configure SAML SSO and JIT with other Identity Providers

Use the following links to add additional SAML SSO and JIT identity providers.