Configure SAML SSO
This document contains procedures to configure SAML SSO with Microsoft Azure Active Directory (AD) and allow your team members to sign in to the Lacework Console with their Azure AD credentials.
note
- This configuration requires an Azure AD Premium account.
- This process requires you to create an enterprise application in Azure.
Set Authentication in the Lacework Console
Before creating the Lacework enterprise application in Azure, sign in to the Lacework Console and navigate to Settings > Authentication > SAML. If you have OAuth enabled, you must disable it before enabling SAML. Keep this window open.
Create the Lacework Application in Azure Active Directory
In a separate window, sign in to Azure AD. To create a Lacework application, follow these steps:
- Go to Azure Active Directory > Enterprise applications.
- Click New application.
- Click Create your own application.
This opens the Create your own application pane.
- Enter a name for your new app.
Ensure Integrate any other application you don't find in the gallery is selected.
- Click Create.
When the application's Overview page displays, the application is created.
- Click Users and groups.
- Click +Add user/group. Highlight your choice in the search bar, click Select, and click Assign.
Repeat as necessary to add users/groups.
- Click Single sign-on.
- Select the SAML tile.
This opens the Set up Single Sign-On with SAML page.
- In section 1, provide the two values listed below. You can copy both values from the Lacework Console authentication settings.
  - Identifier (Entity ID): https://lacework.net (copy from Service Provider Entity ID)
  - Reply URL (Assertion Consumer Service URL): https://YourLacework.lacework.net/sso/saml/login (copy from Assertion Consumer Service URL)
- In section 2, ensure that you have the correct Unique User Identifier specified under Attributes and Claims. The default user identifier is preconfigured as user.userprincipalname. However, depending on your organization, you can also use the email address as the Unique User Identifier by specifying user.mail.
- In section 3, download and save the Federation Metadata XML file.
Complete Authentication Setup in the Lacework Console
Return to the open Lacework Console SAML configuration page and follow these steps:
- Select Upload identity provider data and click Next.
- Type a descriptive name for Identity Provider.
- In Upload Identity Provider Meta Data File click Choose File and select the previously saved Azure metadata file.
The fields should be populated and you should see confirmation that the metadata included a certificate.
- Upload Your Certificate File is required to authenticate and save your settings. You can download the certificate from the Single sign-on page of the Lacework application in Microsoft Azure.
- Click Save.
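Before uploading the Azure metadata file, it is worth confirming that it carries what the Lacework Console looks for: an entityID, a signing certificate, and an HTTPS single sign-on endpoint. The script below is an added example, not Lacework or Microsoft code. It parses IdP metadata with the standard library only; the embedded SAMPLE_METADATA is a constructed, simplified stand-in for a real Azure AD federation metadata file (placeholder tenant id, fake certificate bytes), and the function name check_idp_metadata is assumed.

```python
"""Sanity-check SAML IdP federation metadata before uploading it to the
service provider.  Added example; not Lacework or Microsoft code."""
import base64
import sys
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed stand-in for the base64 DER certificate Azure AD embeds.
# A real file carries an actual X.509 certificate; this only mimics the
# leading DER SEQUENCE tag so the structural check below has something to see.
FAKE_CERT_B64 = base64.b64encode(b"\x30\x82\x01\x00" + b"\x00" * 256).decode()

# Constructed, simplified sample of Azure AD federation metadata.
# TENANT-ID-PLACEHOLDER stands in for the real tenant id.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{FAKE_CERT_B64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="{HTTP_REDIRECT}"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
    <SingleSignOnService Binding="{HTTP_POST}"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def check_idp_metadata(xml_text):
    """Extract what the service provider needs from IdP metadata (str or bytes)
    and list anything that would make the upload fail or be unsafe."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        problems.append("root element is not an md:EntityDescriptor")
    entity_id = root.get("entityID", "")
    if not entity_id:
        problems.append("missing entityID on the EntityDescriptor")

    certs = []
    sso = {}
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        problems.append("no IDPSSODescriptor: this is not identity-provider metadata")
    else:
        for kd in idp.findall("md:KeyDescriptor", NS):
            # A KeyDescriptor without 'use' serves both purposes; 'encryption'
            # keys are not what the service provider verifies assertions with.
            if kd.get("use", "signing") != "signing":
                continue
            for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                raw = base64.b64decode("".join((c.text or "").split()), validate=True)
                if not raw or raw[0] != 0x30:
                    problems.append("X509Certificate is not DER (no leading SEQUENCE tag)")
                certs.append(raw)
        if not certs:
            problems.append("no signing certificate: assertions could not be verified")
        for s in idp.findall("md:SingleSignOnService", NS):
            sso[s.get("Binding")] = s.get("Location", "")
        if HTTP_REDIRECT not in sso and HTTP_POST not in sso:
            problems.append("no HTTP-Redirect or HTTP-POST SingleSignOnService endpoint")
        for binding, loc in sso.items():
            if not loc.startswith("https://"):
                problems.append(f"SSO endpoint for {binding} is not https: {loc}")

    return {
        "entity_id": entity_id,
        "signing_certs": len(certs),
        "sso": sso,
        "problems": problems,
    }


if __name__ == "__main__":
    # Usage: python check_metadata.py [FederationMetadata.xml]
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            source = fh.read()
    else:
        source = SAMPLE_METADATA
    result = check_idp_metadata(source)
    print(f"entityID      : {result['entity_id']}")
    print(f"signing certs : {result['signing_certs']}")
    for binding, loc in result["sso"].items():
        print(f"SSO endpoint  : {binding.rsplit(':', 1)[-1]} -> {loc}")
    for p in result["problems"]:
        print(f"PROBLEM       : {p}")
    sys.exit(1 if result["problems"] else 0)
```

Run it with the downloaded Federation Metadata XML as its argument; a non-zero exit means the Console's "metadata included a certificate" confirmation will not appear, or the file is for the wrong kind of entity. The entityID it prints is the identity provider's, which is distinct from the Lacework Service Provider Entity ID entered in Azure section 1.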
To enable JIT user provisioning, see Configure SAML JIT.
Test the Application
To test the application, return to Azure AD and do the following:
- Navigate to the Lacework application and click Single sign-on.
- Go to section 5 and click Test.
You can also test the application by logging in to the Lacework Console as the user associated with the application during setup.
Troubleshooting
Azure AD cannot support multiple instances of the same SSO destination. If you have multiple organizations and therefore need to use Lacework SSO for more than one organization, edit the Entity ID to make it unique for each one. For example: http://lacework.net/#1, http://lacework.net/#2
For more information, see: AWS Single-Account Access architecture.