Configure SAML JIT
This document describes how to add JIT user provisioning capabilities to Azure Active Directory (AD) SAML authentication for Lacework.
Note:
- This configuration requires an Azure AD Premium account.
- This process requires you to create an enterprise application in Azure.
Set Authentication in the Lacework Console
Before creating the Lacework enterprise application in Azure, sign in to the Lacework Console and navigate to Settings > Authentication > SAML. If you have OAuth enabled, you must disable it before enabling SAML. Keep this window open.
Ensure that you assign a company name for each user that you add to the SAML login.
Create the Lacework Application in Azure Active Directory
In a separate window, sign in to Azure AD. To create a Lacework application, follow these steps:
- Navigate to Azure Active Directory > Enterprise applications.
- Click New application.
- Click Create your own application. This opens the Create your own application pane.
- Enter a name for your new app. Ensure Integrate any other application you don't find in the gallery is selected.
- Click Create. When the application's Overview page displays, the application is created.
- Click Users and groups.
- Click +Add user/group. Highlight your choice in the search bar, click Select, and click Assign. Repeat as necessary to add users/groups.
- Click Single sign-on.
- Select the SAML tile. This opens the Set up Single Sign-On with SAML page.
- In section 1, provide the two values listed below. You can copy both values from the Lacework Console authentication settings.
  - Identifier (Entity ID): https://lacework.net (copy from Service Provider Entity ID)
  - Reply URL (Assertion Consumer Service URL): https://YourLacework.lacework.net/sso/saml/login (copy from Assertion Consumer Service URL)
- In section 2, add the following new claims with the indicated Name and Source attribute. For information on Lacework attributes, see Set Lacework Attributes.
Name | Source attribute | Example
---|---|---
First Name | user.givenname |
Last Name | user.surname |
Company Name | user.companyname |
Lacework Admin Role Accounts | The Lacework account(s) the application will access with the admin role. | account1, or account1,account2, or *. Use a comma to separate multiple values. For information about using AD groups for Lacework access, see Create Groups in Azure Active Directory.
Lacework User Role Accounts | The Lacework account(s) the application will access with the user role. | account1, or account1,account2, or *. Use a comma to separate multiple values. For information about using AD groups for Lacework access, see Create Groups in Azure Active Directory.
Lacework Power User Role Accounts | The Lacework account(s) the application will access with the power user role. | account1, or account1,account2, or *. Use a comma to separate multiple values. For information about using AD groups for Lacework access, see Create Groups in Azure Active Directory.
Custom User Groups | Custom user groups allow you to fully customize a set of permissions that meet the specific requirements of your organization. | A string of comma-separated custom user group GUIDs (globally unique identifiers).
Attribute Configuration Requirements
The following table lists which attributes are required, and which are optional:
Attribute Configuration | Name |
---|---|
Required | First Name |
Required | Last Name |
Required | Company Name |
Required | Lacework Admin Role Accounts (value can be empty) |
Required | Lacework User Role Accounts (value can be empty) |
Optional | Lacework Power User Role Accounts |
Optional | Custom User Groups |
- If your Lacework account is enrolled in a Lacework organization, add attribute statements with the following names and example values:
  - Lacework Organization Admin Role: true
  - Lacework Organization User Role: null (if you set Lacework Organization Admin Role to true)
- In section 3, download and save the Federation Metadata XML file.
Create Groups in Azure Active Directory
(Optional) You can create groups in Azure AD and use them to assign different access to Lacework accounts. To create groups, follow these steps:
- Navigate to the Azure home page and click Groups.
- Click +New group.
- For Group type, select Security.
- Name the group. For example, you can choose a name that describes the group's access to a Lacework account, such as Account1 Admin or Account1 User.
- Select members for the group.
- Click Create.
- Create additional groups as needed. Consider creating separate groups for admin and user access.
Grant Access to Specific Sub-Accounts
If you have multiple sub-accounts configured within your organization and would like to grant certain team members access to specific sub-accounts, complete the following steps:
- Navigate to the Lacework application in Azure.
- Click Single sign-on.
- In the Attributes and Claims section (panel 2), edit the following claims:
  - Lacework Admin Role Accounts
  - Lacework User Role Accounts
  - Lacework Power User Role Accounts
  - Custom User Groups
- Add a claim condition with the following settings:
  - User type: Any
  - Scoped Groups: Select the groups that will use this claim. For example, the Lacework Admin Role Accounts claim should have groups set up for admins, and the Lacework User Role Accounts claim should have groups set up for users.
  - Source: Attribute
  - Value: Enter the Lacework accounts that will use this claim.
    - Example 1: A number of users need access to only one sub-account within Lacework. Enter that sub-account name in the value field.
    - Example 2: You have two accounts named Account1 and Account2. To use this claim for both accounts, enter Account1, Account2 or enter the wildcard *.
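As an added illustration (not code from the Lacework documentation or product), the following Python script parses a constructed SAML AttributeStatement and checks it against the claim rules from section 2, Attribute Configuration Requirements and the sub-account claim conditions above: the required claims, the two that may be empty, comma-separated account lists with optional spaces (as in Account1, Account2) or the * wildcard, and the rule that Lacework Organization User Role must be null when Lacework Organization Admin Role is true. It assumes the attribute names appear in the assertion exactly as the claim names given above.

```python
"""Check a SAML assertion's AttributeStatement against the Lacework JIT claim rules."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("First Name", "Last Name", "Company Name",
            "Lacework Admin Role Accounts", "Lacework User Role Accounts")
MAY_BE_EMPTY = ("Lacework Admin Role Accounts", "Lacework User Role Accounts")

# Constructed sample assertion fragment (not a real Azure AD response); signature omitted.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:AttributeStatement>
  <saml:Attribute Name="First Name"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="Last Name"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="Company Name"><saml:AttributeValue>Example Corp</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="Lacework Admin Role Accounts"><saml:AttributeValue>Account1, Account2</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="Lacework User Role Accounts"><saml:AttributeValue></saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="Lacework Organization Admin Role"><saml:AttributeValue>true</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

def attributes(xml_text):
    """Map each attribute Name to its (possibly empty) first AttributeValue text."""
    root = ET.fromstring(xml_text)
    out = {}
    for attr in root.findall(".//saml:Attribute", NS):
        val = attr.find("saml:AttributeValue", NS)
        out[attr.get("Name")] = (val.text or "").strip() if val is not None else ""
    return out

def parse_accounts(value):
    """Split a comma-separated account list, tolerating spaces; '*' means every account."""
    if value.strip() == "*":
        return "*"
    return [a.strip() for a in value.split(",") if a.strip()]

def check_claims(attrs):
    """Return a list of problems; an empty list means the claim set is usable for JIT."""
    problems = []
    for name in REQUIRED:
        if name not in attrs:
            problems.append(f"missing required claim: {name}")
        elif not attrs[name] and name not in MAY_BE_EMPTY:
            problems.append(f"required claim has empty value: {name}")
    # When the org admin role is true, the org user role must be null (absent or empty).
    if attrs.get("Lacework Organization Admin Role") == "true" and attrs.get("Lacework Organization User Role"):
        problems.append("Lacework Organization User Role must be null when Organization Admin Role is true")
    return problems
```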
Finish Authentication Setup in the Lacework Console
Return to the open Lacework Console SAML configuration page and follow these steps:
- Select Upload identity provider data and click Next.
- Type a descriptive name for Identity Provider.
- In Upload Identity Provider Meta Data File, click Choose File and select the previously saved Azure metadata file. The fields should be populated and you should see confirmation that the metadata included a certificate.
- Enable the Just-in-Time User Provisioning option.
- Click Save.
When a user logs in, a profile (with the specified privileges) is added only in the accounts that are specified.
If the user has organization-level privileges, a profile (with the specified privileges) is added in each account that is part of the organization; accounts themselves are not created.
Test the Application
To test the application, return to Azure AD and do the following:
- Navigate to the Lacework application and click Single sign-on.
- Go to section 5 and click Test.
You can also test the application by logging in to the Lacework Console as the user associated with the application during setup.