
Configure SAML SSO with Red Hat Keycloak

This document describes how to configure SAML SSO with Red Hat Keycloak so that it can provide employee access to your Lacework Console.

Note: This configuration requires admin rights for your realm and admin rights in your Lacework account or organization.

Create the Lacework Client in Keycloak

In your Keycloak account, complete the following steps:

  1. Sign in to Keycloak with administrative privileges.

  2. Go to the Keycloak administration console and select your realm.

  3. Go to Clients and click Create (top left).

  4. In the new Client wizard, add the following settings:

    • Client ID : https://lacework.net
    • Client Protocol : saml
    • Click Save.
  5. Go to the newly created Client and apply the following settings:

    • Client Signature Required : OFF

    • Name ID Format : email

    • Root URL : your Lacework tenant URL, in the form https://tenant.lacework.net, where tenant is your tenant name

    • Valid Redirect URIs : /*

    • Base URL : /ui/

    • Master SAML Processing URL : /sso/saml/login

  6. Go to Realm Settings > General and download the Keycloak Identity Provider Metadata for SAML 2.0.

Enable SAML in the Lacework Console

Sign in to the Lacework Console with an admin account and navigate to Settings > Authentication > SAML.

  1. Select Upload identity provider data and click Next.
  2. In Identity Provider, type a descriptive name.
  3. In Upload Identity Provider Meta Data File, click Choose File and select the previously saved Keycloak metadata file.
    The fields are populated from the file, and you should see confirmation that the metadata included a certificate.
  4. Click Save.
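Step 3 above confirms that the imported metadata included a certificate; the following added Python script (not part of Lacework's or Keycloak's tooling) runs that check offline on the downloaded file before you upload it, and also verifies the entityID, the single sign-on endpoint and that each signing certificate is DER-encoded. The sample descriptor, hostnames and certificate blob it ships with are constructed for the example.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

def check_idp_metadata(xml_text):
    """Validate SAML 2.0 IdP metadata before import; raise ValueError on defects."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor has no entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: not identity-provider metadata")
    sso = {s.get("Binding"): s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    if not sso.keys() & {POST, REDIRECT}:
        raise ValueError("no HTTP-POST/HTTP-Redirect SingleSignOnService")
    # KeyDescriptor use="signing" (or no use attribute) holds the certificate
    # the service provider verifies assertion signatures with.
    certs = 0
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            der = base64.b64decode("".join((c.text or "").split()), validate=True)
            if not der or der[0] != 0x30:  # an X.509 cert opens with a DER SEQUENCE
                raise ValueError("X509Certificate is not DER-encoded")
            certs += 1
    if certs == 0:
        raise ValueError("metadata contains no signing certificate")
    # WantAuthnRequestsSigned is advertised realm-wide; Keycloak enforces it per
    # client through Client Signature Required (OFF in step 5 of this guide).
    return {"entity_id": entity_id, "sso": sso, "signing_certs": certs,
            "wants_signed_requests": idp.get("WantAuthnRequestsSigned")}

# Constructed sample in the shape Keycloak exports; the certificate is a
# placeholder DER prefix, not a real key, so only the structural check applies.
_FAKE_CERT = base64.b64encode(b"\x30\x82\x01\x00" + bytes(12)).decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://keycloak.example.com/realms/lacework">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{_FAKE_CERT}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="{POST}"
      Location="https://keycloak.example.com/realms/lacework/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
```

Call `check_idp_metadata(open(path).read())` on the file downloaded in step 6; a ValueError names the defect the Lacework upload would otherwise surface only as a failed import.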