Configuring Lacework to use Microsoft Azure AD as a SAML identity provider (IdP) requires an Azure AD Premium license. To complete the integration, you will need to sign in to Lacework as an administrator and to the Azure portal with an Azure Active Directory administrator account. The integration is built on a non-gallery enterprise application in Azure.
For a more detailed explanation of configuring SAML in Azure Active Directory, please see:
Configure single sign-on to applications that are not in the Azure Active Directory application gallery
Before creating the Azure app, sign in to Lacework and navigate to Settings >> Authentication >> SAML. If OAuth is enabled, you will need to disable it before SAML can be enabled.
In a separate window, sign in to Azure and navigate to Azure Active Directory >> Enterprise applications page.
1. Click the [+ New application] button
2. Click the 'Non-gallery application' tile, which will open the 'Add your own application' pane
3. Enter a name for your new App
4. Click the [Add] button, which will take you to the Overview page
5. Click the [Users and groups] button.
6. Click the [+Add user] button, highlight your test user, click the [Select] button and click the [Assign] button, which will take you back to the Overview page.
7. Click the [Single sign-on] button
8. Select the 'SAML' tile, which will take you to the 'Set up Single Sign-On with SAML - Preview' page
- In section 1, you will need to enter the two required values:

| Field | Value |
|---|---|
| Identifier (Entity ID) | https://lacework.net |
| Reply URL (Assertion Consumer Service URL) | https://<your_account>.lacework.net/sso/saml/login |

Both of these values can be copied from the fields 'Service Provider Entity ID' and 'Assertion Consumer Service URL' on the Lacework integration page you left open. Copy them rather than retyping them: the Entity ID and the ACS URL must match the Lacework values exactly, or the SAML exchange will fail.
- In section 2, click to edit the 'Name identifier value' and change the 'Source attribute' to 'user.email', so that the NameID sent in the assertion is the user's email address.
- In section 3, download and save the 'Federation Metadata XML' file
To complete the integration, return to the SAML configuration page open in the Lacework UI.
1. Click the [CHOOSE FILE] button in the 'Upload Identity Provider Meta Data File' field and select the Azure metadata file you saved previously.
The fields should be populated, and you should see confirmation that the metadata included a certificate. If no certificate is reported, re-download the file from section 3 of the Azure page rather than saving the integration: without the IdP signing certificate Lacework cannot verify the assertions Azure sends. You can change the Identity Provider field to make it more descriptive.
2. Click the 'Save' button.
To test the integration, return to the Azure AD UI.
1. Skip section 4 and use the [Test] button in section 5 to test the integration. You can also test it by logging in to the Lacework UI as the user you assigned to the app during setup.