Okta SAML JIT

This article describes how to add JIT user provisioning capabilities to Okta SAML authentication for Lacework.

The steps in the following sections assume you have already added Lacework as a service provider with Okta SAML.

NOTE: Some procedures contain additional configuration steps for Lacework organizations. The ability to enroll in an organization is currently in invitation only, limited beta.

Configure the Lacework Application in Okta

These steps detail how to add attribute statements to the Lacework application.

1. Sign in to Okta with administrative privileges.
2. Click Admin.
3. Go to Applications > Applications and click the Lacework application.
4. Click General and then Edit for the SAML Settings.
5. Click Next. You do not need to change General Settings.
6. In the Attribute Statements (Optional) section, add attribute statements with the following names and values, all name formats can remain unspecified. NOTE: The values are examples. You can use values that adhere to your own standards/formats instead.
   • First Name, user.firstName
   • Last Name, user.lastName
   • Company Name, user.company
   • Lacework Admin Role Accounts, user.laceworkAdminRoleAccounts
   • Lacework User Role Accounts, user.laceworkUserRoleAccounts
7. If your Lacework account is enrolled in a Lacework organization, also add attribute statements with the following names and example values:
   
   • Lacework Organization Admin Role, user.laceworkOrgAdminRole
   • Lacework Organization User Role, user.laceworkOrgUserRole
8. Click Next.
9. Click Finish.

Add Custom Lacework Attributes to a Profile

This section details how to add custom Lacework attributes to the Okta profile and the Lacework application profile. Perform one of the following:

• Add attributes to the Okta profile
• Add attributes to the Lacework application profile if you have a specific profile attached to each application

Add Attributes to the Okta Profile

These steps detail how to add custom Lacework attributes to the Okta profile.

1. Go to Directory > Profile Editor.
2. For Okta, click Profile.
3. Click Add Attribute.
4. Add the following attributes with the following data types, display names, and variable names:
   • string, Company, company
   • string, Lacework Admin Role Accounts, laceworkAdminRoleAccounts
   • string, Lacework User Role Accounts, laceworkUserRoleAccounts
5. If your Lacework account is enrolled in a Lacework organization, also add the following attributes with the following data types, display names, and variable names:
   • boolean, Lacework Organization Admin Role, laceworkOrgAdminRole
   • boolean, Lacework Organization User Role, laceworkOrgUserRole
6. In Filters, click Custom, and confirm you added all attributes correctly.
   The variable names must match the attribute statement values defined in the Lacework application. For example, if the attribute variable is laceworkAdminRoleAccounts, the corresponding attribute statement value must be user.laceworkAdminRoleAccounts.

Add Attributes to the Lacework Application Profile

These steps detail how to add custom Lacework attributes to the Lacework application profile.

1. Go to Directory > Profile Editor.
2. For Lacework, click Profile.
3. Click Add Attribute.
4. Add the following attributes with the following data types, display names, and variable names:
   • string, Company, company
   • string, Lacework Admin Role Accounts, laceworkAdminRoleAccounts
   • string, Lacework User Role Accounts, laceworkUserRoleAccounts
5. If your Lacework account is enrolled in a Lacework organization, also add the following attributes with the following data types, display names, and variable names:
   • boolean, Lacework Organization Admin Role, laceworkOrgAdminRole
   • boolean, Lacework Organization User Role, laceworkOrgUserRole
6. In Filters, click Custom, and confirm you added all attributes correctly.
   The variable names must match the attribute statement values defined in the Lacework application. For example, if the attribute variable is laceworkOrgAdminRole, the corresponding attribute statement value must be appuser.laceworkAdminRoleAccounts.

Add a Person in Okta

These steps detail how to add a person in Okta with defined Lacework attributes.

1. Go to Directory > People.
2. Click Add Person, complete the fields, and click Save.
3. Click the new person and click Profile.
4. Click Edit.
5. Ensure First Name, Last Name, and Company are completed.

Lacework Admin Role Accounts Attribute

This section contains details about setting the Lacework Admin Role Accounts attribute.

Lacework Admin Role Accounts adds admin privileges to the existing accounts that you specify. You can specify a single account name: 

foo

 or multiple comma-separated account names:

foo,bar,baz

You can also specify a wildcard:

*

For example, your organization contains these accounts: foo1, foo2, bar1, bar2, baz. You specify this attribute as:

*2,baz

This adds admin privileges to foo2, bar2, and baz. But the person does not have any privileges for foo1 and bar1. To add user privileges for those, you could specify the following value for the Lacework User Role Accounts attribute.

*1

If you specify an account for admin privileges, you do not need to specify it for user privileges in the Lacework User Role Accounts attribute. Any accounts that are also in Lacework User Role Accounts will be ignored and admin privileges will still be granted to them.

Lacework User Role Accounts Attribute

This section contains details about setting the Lacework User Role Accounts attribute.

Lacework User Role Accounts adds user privileges to the existing accounts that you specify. You can specify a single account name or multiple comma-separated account names. You can also specify a wildcard:

*

For example, your organization contains these accounts: foo1, foo2, bar1, bar2, baz.

You specify this attribute as: 

b*

This adds user privileges to bar1, bar2, and baz. But the person does not have any privileges for foo1 and foo2.

To add user privileges for foo1 as well, you could specify this attribute as:

foo1,b*

Another example with the same accounts would be to specify the attribute as:

*

And to specify Lacework Admin Role Accounts as:

bar*

This gives user privileges for all accounts and admin privileges to only bar1 and bar2.

If you specify an account for admin privileges and user privileges, admin privileges will be granted.

Lacework Organization Admin Role Attribute

This section contains details about setting the Lacework Organization Admin Role attribute.

Lacework Organization Admin Role provides admin privileges to organization-level settings and admin privileges to all accounts within the organization.

Select true to make the person an organization admin. If the person is an organization admin, you do not need to set any other Lacework attributes; any settings in those attributes will be ignored.

Select false or undefined if the person should not have admin privileges to organization-level settings and admin privileges to all accounts within the organization. If the person is not an organization admin, you can still specify account-level admin and user privileges with the Lacework Admin Role Accounts and Lacework User Role Accounts attributes. You can also specify user privileges to organization-level settings with the Lacework Organization User Role attribute.

Lacework Organization User Role Attribute

This section contains details about setting the Lacework Organization User Role attribute.

Lacework Organization User Role provides user (view-only) privileges to organization-level settings and user privileges to all accounts within the organization.

Select true to make the person an organization user. If the person is an organization user, you can still give account-level admin privileges with the Lacework Admin Role Accounts attribute. Any settings in the Lacework User Role Accounts attribute will be ignored.

Select false or undefined if the person should not have any privileges to organization-level settings and user privileges to all accounts within the organization. If the person is not an organization user, you can still specify account-level admin and user privileges with the Lacework Admin Role Accounts and Lacework User Role Accounts attributes. 

Complete SAML JIT Configuration

1. After specifying all attributes for a person, click Save.
2. Ensure the Lacework application is assigned to the person.
3. Ensure you enable SAML in the Lacework Console and select the Just-in-Time User Provisioning option.

The team member can now log in to Lacework through SAML.

When the member logs in, a profile (with the specified privileges) is added in only the accounts that are specified.

If the member has organization-level privileges, a profile (with the specified privileges) is added in each account that is part of the organization, accounts are not created.