Configuring Lacework to use Microsoft Azure AD as a SAML IdP requires Active Directory Premium. To complete the integration, you must sign in to the Lacework Console as an administrator and to the Azure portal using your Azure Active Directory administrator account. The integration requires the creation of a Non-gallery application in Azure.
For a more detailed explanation of configuring SAML in Azure Active Directory, see:
Configure single sign-on to applications that are not in the Azure Active Directory application gallery
Before creating the Azure App, sign in to the Lacework Console and navigate to Settings > Authentication > SAML. If you have OAuth enabled, you must disable it before enabling SAML.
In a separate window, sign in to Azure and navigate to the Azure Active Directory > Enterprise applications page.
1. Click + New application.
2. Click the Non-gallery application tile, which opens the Add your own application pane.
3. Enter a name for your new App.
4. Click Add, which opens the Overview page.
5. Click the Users and groups button.
6. Click +Add user, highlight your test user, click Select, and then click Assign, which returns you to the Overview page.
7. Click Single sign-on.
8. Select the SAML tile, which opens the Set up Single Sign-On with SAML - Preview page.
- In section 1, you must enter the following two required values:
| Field | Value |
|---|---|
| Identifier (Entity ID) | https://lacework.net |
| Reply URL (Assertion Consumer Service URL) | https://<your_account>.lacework.net/sso/saml/login |
Both of the above values can be copied from the Service Provider Entity ID and Assertion Consumer Service URL fields in the open Lacework integration page.
- In section 2, click to edit the Name identifier value and change the Source attribute to user.email.
- In section 3, download and save the 'Federation Metadata XML' file.
To complete the integration, return to the SAML configuration page that is open in the Lacework Console:
1. Click CHOOSE FILE in the Upload Identity Provider Meta Data File field and select the Azure metadata file you saved earlier.
The fields should now be populated, and you should see confirmation that the metadata included a certificate. You can change the Identity Provider field to make it more descriptive.
2. Click Save.
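As an added pre-upload check (example code written for this page, not Lacework's or Microsoft's), the script below parses a downloaded Federation Metadata XML file and confirms it carries what step 1 relies on: the IdP entityID, at least one signing certificate (the "metadata included a certificate" confirmation), and an HTTPS single sign-on endpoint. The embedded metadata is a constructed sample with placeholder tenant id and certificate; run `check_idp_metadata` on the real file's contents instead.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List
from urllib.parse import urlparse

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed sample shaped like an Azure AD "Federation Metadata XML" download.
# The tenant id and certificate body are placeholders, not real values.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
        <X509Certificate>MIIC...BASE64-CERT-PLACEHOLDER...</X509Certificate>
      </X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def parse_idp_metadata(xml_text: str) -> Dict[str, object]:
    """Extract what the SP side needs: IdP entityID, signing certificates, SSO endpoints."""
    root = ET.fromstring(xml_text)
    certs: List[str] = []
    for kd in root.iter(f"{MD}KeyDescriptor"):
        # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
        if kd.get("use", "signing") == "signing":
            for c in kd.iter(f"{DS}X509Certificate"):
                certs.append("".join((c.text or "").split()))  # drop PEM line breaks
    sso = {s.get("Binding", ""): s.get("Location", "") for s in root.iter(f"{MD}SingleSignOnService")}
    return {"entity_id": root.get("entityID", ""), "signing_certs": certs, "sso": sso}


def check_idp_metadata(xml_text: str) -> List[str]:
    """Return the problems that would make the upload unusable; an empty list means it looks good."""
    md = parse_idp_metadata(xml_text)
    problems: List[str] = []
    if not md["entity_id"]:
        problems.append("missing entityID")
    if not any(md["signing_certs"]):
        problems.append("no signing certificate: the SP could not verify assertion signatures")
    if not md["sso"]:
        problems.append("no SingleSignOnService endpoint")
    for binding, loc in md["sso"].items():
        if urlparse(loc).scheme != "https":
            problems.append(f"non-HTTPS SSO endpoint for {binding}: {loc}")
    return problems
```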
To test the integration, return to the Azure AD UI:
1. Skip section 4 and click Test to test the integration. You can also test the integration by logging into the Lacework Console as the user associated with the App during setup.