Skip to main content

Configure SAML JIT

This document describes how to add JIT user provisioning capabilities to Google Workspace SAML authentication for Lacework.

note

Adding/modifying a SAML app requires the super administrator role.

The steps in the following sections assume you have already added Lacework as a service provider with Google Workspace SAML.

note

Some procedures contain additional configuration steps for Lacework organizations.

Add Attributes to the Lacework App in Google Workspace

These steps detail how to add custom attributes to the Lacework application.

  1. Sign in to Google Workspace with administrative privileges.
  2. From the Admin console home page, click Users.
  3. Click More > Manage custom attributes.
  4. Click Add Custom Attribute.
  5. Name the category, for example, Lacework Attributes.
  6. Under Custom fields, create the following custom attributes:
    NameInfo typeVisibilityNumber of values
    First NameTextVisible to user and adminSingle value
    Last NameTextVisible to user and adminSingle value
    Company NameTextVisible to user and adminSingle value
    Lacework Admin Role AccountsTextVisible to user and adminSingle value
    Lacework User Role AccountsTextVisible to user and adminSingle value
    Lacework Power User Role AccountsTextVisible to user and adminSingle value
    Custom User GroupsTextVisible to user and adminSingle value
Attribute Configuration Requirements

The following table lists which attributes are required, and which are optional:

Attribute ConfigurationName
RequiredFirst Name
RequiredLast Name
Required Company Name
Required Lacework Admin Role Accounts (value can be empty)
Required Lacework User Role Accounts (value can be empty)
Optional Lacework Power User Role Accounts
Optional Custom User Groups
  1. If your Lacework account is enrolled in a Lacework organization, also add fields with the following names and settings:
    NameInfo typeVisibilityNumber of values
    Lacework Organization Admin Role AccountsYes or noVisible to user and adminSingle value
    Lacework Organization User Role AccountsYes or noVisible to user and adminSingle value
  2. Click Add.

Define Custom Lacework Attributes for a User

These steps detail how to define custom Lacework attributes for a user.

  1. Sign in to Google Workspace with super administrative privileges.
  2. From the Admin console home page, click Users.
  3. Click the user you want to define attributes for.
  4. Expand user information and locate the previously added custom Lacework attributes.
  5. Fill in the attributes. The following sections contain details about how to set Lacework role attributes.
  6. Click Save.

Set Attribute Mapping

These steps detail how to map Lacework attributes to user profile fields.

  1. Sign in to Google Workspace with super administrative privileges.
  2. From the Admin console home page, click Apps > SAML apps.
  3. Expand attribute mapping and add the following application attributes. Select the Lacework category and the matching user field for each. The attribute names must match the following text exactly.
    • First Name
    • Last Name
    • Company Name
    • Lacework Admin Role Accounts
    • Lacework User Role Accounts
    • Lacework Power User Role Accounts
    • Custom User Groups
  4. If your Lacework account is enrolled in a Lacework organization, add the following attributes. Select the Lacework category and the matching user field for each.
    • Lacework Organization Admin Role
    • Lacework Organization User Role
  5. Click Save.

Lacework Admin Role Accounts Attribute

This section contains details about defining the Lacework Admin Role Accounts attribute.

Lacework Admin Role Accounts adds admin privileges to the existing accounts that you specify. You can specify a single account name:

foo

or multiple comma-separated account names:

foo,bar,baz

You can also specify a wildcard:

*

For example, your organization contains these accounts: foo1, foo2, bar1, bar2, baz. You specify this attribute as:

*2,baz

This adds admin privileges to foo2, bar2, and baz. But the individual does not have any privileges for foo1 and bar1. To add user privileges for those, you could specify the following value for the Lacework User Role Accounts attribute.

*1

If you specify an account for admin privileges, you do not need to specify it for user privileges in the Lacework User Role Accounts attribute. Any accounts that are also in Lacework User Role Accounts will be ignored and admin privileges will still be granted to them.

Lacework User Role Accounts Attribute

This section contains details about defining the Lacework User Role Accounts attribute.

Lacework User Role Accounts adds user privileges to the existing accounts that you specify. You can specify a single account name or multiple comma-separated account names. You can also specify a wildcard:

*

For example, your organization contains these accounts: foo1, foo2, bar1, bar2, baz.

You specify this attribute as:

b*

This adds user privileges to bar1, bar2, and baz. But the individual does not have any privileges for foo1 and foo2.

To add user privileges for foo1 as well, you could specify this attribute as:

foo1,b*

Another example with the same accounts would be to specify the attribute as:

*

And to specify Lacework Admin Role Accounts as:

bar*

This gives user privileges for all accounts and admin privileges to only bar1 and bar2.

If you specify an account for admin privileges and user privileges, admin privileges will be granted.

Lacework Power User Role Accounts Attribute

This section contains details about defining the Lacework Power User Role Accounts attribute.

Lacework Power User Role Accounts adds power user privileges to existing accounts that you specify. Power Users have similar access to Administrators but without access to Settings and Utilities. You can specify a single account name or multiple comma-separated account names. You can also specify a wildcard:

*

For example, your organization contains these accounts: foo1, foo2, bar1, bar2, baz.

You specify this attribute as:

b*

This adds power user privileges to bar1, bar2, and baz. But the individual does not have any privileges for foo1 and foo2.

To add user privileges for foo1 as well, you could specify this attribute as:

foo1,b*

Another example with the same accounts would be to specify the attribute as:

*

And to specify Lacework Admin Role Accounts as:

bar*

This gives power user privileges for all accounts and admin privileges to only bar1 and bar2.

If you specify an account for admin privileges and power user privileges, admin privileges will be granted.

Lacework Custom User Groups

Custom user groups allow you to fully customize a set of permissions that meet the specific requirements of your organization. Specify a string of comma-separated custom user group GUIDs (globally unique identifiers).

Lacework Organization Admin Role Attribute

This section contains details about defining the Lacework Organization Admin Role attribute.

Lacework Organization Admin Role provides admin privileges to organization-level settings and admin privileges to all accounts within the organization.

Select Yes to make the individual an organization admin. If the individual is an organization admin, you do not need to set any other Lacework attributes; any settings in those attributes will be ignored.

Select No or Not Applicable if the individual should not have admin privileges to organization-level settings or admin privileges to all accounts within the organization. If the individual is not an organization admin, you can still specify account-level admin and user privileges with the Lacework Admin Role Accounts and Lacework User Role Accounts attributes. You can also specify user privileges to organization-level settings with the Lacework Organization User Role attribute.

Lacework Organization User Role Attribute

This section contains details about defining the Lacework Organization User Role attribute.

Lacework Organization User Role provides user (view-only) privileges to organization-level settings and user privileges to all accounts within the organization.

Select Yes to make the individual an organization user. If the individual is an organization user, you can still give account-level admin privileges with the Lacework Admin Role Accounts attribute. Any settings in the Lacework User Role Accounts attribute will be ignored.

Select No or Not Applicable if the individual should not have any privileges to organization-level settings or user privileges to all accounts within the organization. If the individual is not an organization user, you can still specify account-level admin and user privileges with the Lacework Admin Role Accounts and Lacework User Role Accounts attributes.

Finish SAML JIT Configuration

  1. Ensure all attributes are set for a user.
  2. Ensure the Lacework application is turned on.
  3. Ensure you enable SAML in the Lacework Console and select the Just-in-Time User Provisioning option.

The user can now log in to Lacework through SAML.

When the user logs in, a profile (with the specified privileges) is added in only the accounts that are specified.

If the user has organization-level privileges, a profile (with the specified privileges) is added in each account that is part of the organization, accounts are not created.