SAML Configuration

To enable SAML in the Lacework Console, navigate to Settings > Authentication and create or edit SAML authentication.

If you want to change from one authentication method to another, disable the currently selected method first and then delete it to allow for a new configuration.

Enable SAML in the Lacework Console

Select Upload identity provider data or Manually enter identity provider data.

To upload an identity provider metadata file, click Choose File.

To input identity provider data manually, complete the following fields:

  • Identity Provider
  • Identity Provider Issuer Entity ID
  • Identity provider SAML 2.0 URL
  • Upload Your Certificate File
    The X.509 certificate file must be in PEM format.
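
The manual fields typically correspond to the entityID, the SingleSignOnService location and the signing certificate in the identity provider's SAML metadata. The following Python is an added example, not Lacework code: it reads those values from a metadata document and re-wraps the certificate as PEM. The function names are hypothetical, and idp.example.com and the filler certificate bytes are constructed.

```python
import base64
import textwrap
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD, "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample: idp.example.com is a placeholder and the "certificate"
# is 96 filler bytes, not a real X.509 certificate.
SAMPLE_CERT_B64 = base64.b64encode(bytes(range(96))).decode("ascii")
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}"
    xmlns:ds="{NS['ds']}" entityID="https://idp.example.com/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{SAMPLE_CERT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="{HTTP_POST}" Location="https://idp.example.com/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def der_b64_to_pem(b64_text):
    """Re-wrap the base64 DER from metadata as PEM (certificate content is not validated)."""
    der = base64.b64decode("".join(b64_text.split()), validate=True)
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def extract_idp_fields(metadata_xml):
    """Return issuer entity ID, SSO URLs by binding, and the signing cert as PEM."""
    root = ET.fromstring(metadata_xml)  # use only on metadata from your own IdP
    for entity in root.iter(f"{{{MD}}}EntityDescriptor"):
        idp = entity.find("md:IDPSSODescriptor", NS)
        if idp is not None:
            break
    else:
        raise ValueError("no IDPSSODescriptor found: not identity provider metadata")
    sso_urls = {s.get("Binding"): s.get("Location")
                for s in idp.findall("md:SingleSignOnService", NS)}
    insecure = [u for u in sso_urls.values() if not (u or "").startswith("https://")]
    if not sso_urls or insecure:
        raise ValueError(f"missing or non-HTTPS SSO endpoint: {insecure}")
    # A KeyDescriptor without a 'use' attribute serves signing as well.
    certs = [c for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use", "signing") == "signing"
             and (c := kd.findtext(".//ds:X509Certificate", namespaces=NS))]
    if not certs:
        raise ValueError("no signing certificate in metadata")
    return {"issuer_entity_id": entity.get("entityID"), "sso_urls": sso_urls,
            "certificate_pem": der_b64_to_pem(certs[0])}
```

Write the returned certificate_pem value to a file to get the PEM certificate the upload field expects, and compare its fingerprint with the one shown in your identity provider's admin console before uploading.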

Just-in-Time User Provisioning

SAML authentication supports Just-in-Time User Provisioning (JIT). Enabling this option allows for on-the-fly creation of a team member the first time they try to log in. This eliminates the need to create team members in Lacework in advance. For example, if you recently added an employee to your company, you don't need to manually create the team member in Lacework.

To use SAML JIT user provisioning, you must add and define additional attributes in your SAML identity provider. For detailed information about configuring JIT, see the steps for your SAML identity provider.

For accounts within an organization, authentication mechanisms at the account level do not apply. You must set authentication at the organization level.

Add Lacework as a Service Provider

You must also add Lacework as a service provider with your identity provider. Adding Lacework as a service provider requires the following values.

| Field | Value |
|---|---|
| Service Provider Entity ID | https://lacework.net |
| Assertion Consumer Service URL | https://youraccount.lacework.net/sso/saml/login or https://youraccount.yourregion.lacework.net/sso/saml/login |
| Binding | urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST |
| NameId Format | urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress |

Configure SAML SSO and JIT with other Identity Providers