SAML Configuration
To enable SAML in the Lacework Console, navigate to Settings > Authentication and create or edit SAML authentication.
If you want to change from one authentication method to another, disable the currently selected method first and then delete it to allow for a new configuration.
Enable SAML in the Lacework Console
Select Upload identity provider data or Manually enter identity provider data.
To upload an identity provider meta data file, click Choose File.
To input identity provider data manually, complete the following fields:
- Identity Provider
- Identity Provider Issuer Entity ID
- Identity provider SAML 2.0 URL
- Upload Your Certificate File
The X.509 certificate file must be in PEM format.
Just-in-Time User Provisioning
SAML authentication supports Just-in-Time User Provisioning (JIT). Enabling this option allows for on-the-fly creation of a team member the first time they try to log in. This eliminates the need to create team members in Lacework in advance. For example, if you recently added an employee to your company, you don't need to manually create the team member in Lacework.
To use SAML JIT user provisioning, you must add and define additional attributes in your SAML identity provider. For detailed information about configuring JIT, see the steps for your SAML identity provider.
For accounts within an organization, authentication mechanisms at the account level do not apply. You must set authentication at the organization level.
Add Lacework as a Service Provider
You must also add Lacework as a service provider with your identity provider. Adding Lacework as a service provider requires the following values.
| Field | Value |
|---|---|
| Service Provider Entity ID | https://lacework.net |
| Assertion Consumer Service URL | https://youraccount.lacework.net/sso/saml/login or https://youraccount.yourregion.lacework.net/sso/saml/login |
| Binding | urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST |
| NameId Format | urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress |