Configuring Lacework to use Microsoft Azure AD as a SAML IdP requires Active Directory Premium. To complete the integration, you must sign in to the Lacework Console as an administrator and to the Azure portal using your Azure Active Directory administrator account. The integration requires the creation of a non-gallery application in Azure.
For a more detailed explanation of configuring SAML in Azure Active Directory, see:
Configure single sign-on to applications that are not in the Azure Active Directory application gallery
Sign in to the Lacework Console
Before creating the Azure App, sign in to the Lacework Console and navigate to Settings > Authentication > SAML. If you have OAuth enabled, you must disable it before enabling SAML. Keep this window open.
Sign in to Azure
In a separate window, sign in to Azure and navigate to Azure Active Directory > Enterprise applications and follow these steps:
- Click + New application.
- Click Non-gallery application.
This opens the Add your own application pane. - Enter a name for your new app.
- Click Add.
This opens the Overview page. - Click Users and groups.
- Click +Add user, highlight your test user, click Select, and click Assign.
This opens the Overview page, again. - Click Single sign-on.
- Select the SAML tile.
This opens the Set up Single Sign-On with SAML - Preview page. - In section 1, enter the two values listed below. You can copy both values from the Service Provider Entity ID and Assertion Consumer Service URL fields into the open Lacework integration page.
- Identifier (Entity ID): https://lacework.net
- Reply URL (Assertion Consumer Service URL): https://YourLacework.lacework.net/sso/saml/login
- In section 2, click to edit the Name identifier value and change the Source attribute to user.email.
- In section 3, download and save the 'Federation Metadata XML' file.
Complete the Integration
Return to the open Lacework Console SAML configuration page and follow these steps:
-
In the Upload Identity Provider Meta Data File field, click CHOOSE FILE and select the previously saved Azure metadata file.
The fields should be populated and you should see confirmation that the metadata included a certificate. You can change the Identity Provider field to make it more descriptive.
- Click Save.
Test the Integration
Return to the Azure AD UI and do the following:
Skip section 4 and click Test to test the integration. You can also test the integration by logging in to the Lacework Console as the user associated with the app during setup.