Configure Okta for SAML JIT for an Account
This section describes how to add SAML JIT user provisioning capabilities to SAML authentication for an account.
The steps in the following sections assume you have already added Lacework as a service provider with Okta SAML.
Configure the Lacework Application in Okta
These steps detail how to add attribute statements to the Lacework application.
- Sign in to Okta with administrative privileges.
- Click Admin.
- Go to Applications > Applications and click the Lacework application.
- Click General and then Edit for the SAML Settings.
- Click Next. You do not need to change General Settings.
- In the Attribute Statements (Optional) section, add attribute statements with the following names and values. All name formats can remain Unspecified. NOTE: The values are examples. You can use values that adhere to your own standards/formats instead.
- First Name, user.firstName
- Last Name, user.lastName
- Company Name, user.company
- Lacework Admin Role Accounts, user.laceworkAdminRoleAccounts
- Lacework User Role Accounts, user.laceworkUserRoleAccounts
- Click Next.
- Click Finish.
Add Custom Lacework Attributes in Okta Profile Editor
These steps detail how to add custom Lacework attributes to Okta.
- Go to Directory > Profile Editor.
- For Okta, click Profile.
- Click Add Attribute.
- Add the following attributes with the following data types, display names, and variable names:
- string, Company, company
- string, Lacework Admin Role Accounts, laceworkAdminRoleAccounts
- string, Lacework User Role Accounts, laceworkUserRoleAccounts
- In Filters, click Custom, and confirm you added all attributes correctly.
The variable names must match the attribute statement values defined in the Lacework application. For example, if the attribute variable name is laceworkAdminRoleAccounts, the corresponding attribute statement value must be user.laceworkAdminRoleAccounts.
Add a Person in Okta
These steps detail how to add a person in Okta with defined Lacework attributes.
- Go to Directory > People.
- Click Add Person, complete the fields, and click Save.
- Click the new person and click Profile.
- Click Edit.
- Ensure First Name, Last Name, and Company are completed.
Lacework Admin Role Accounts Attribute
This section contains details about setting the Lacework Admin Role Accounts attribute.
Lacework Admin Role Accounts adds admin privileges to the existing accounts that you specify. You can specify a single account name or comma-separated account names. You can also use the wildcard *.
For example, you have these accounts: foo1, foo2, and bar1. You specify this attribute as: *1. This adds admin privileges to foo1 and bar1, but the person has no privileges for foo2.
If you specify an account for admin privileges, you do not need to specify it for user privileges in the Lacework User Role Accounts attribute. Any account that also appears in Lacework User Role Accounts is ignored there, and admin privileges are still granted for it.
Lacework User Role Accounts Attribute
This section contains details about setting the Lacework User Role Accounts attribute.
Lacework User Role Accounts adds user privileges to the existing accounts that you specify. You can specify a single account name or comma-separated account names. You can also use the wildcard *.
For example, you have these accounts: foo1, foo2, and bar1. You specify this attribute as: foo*. This adds user privileges to foo1 and foo2, but the person has no privileges for bar1.
Another example with the same accounts: specify this attribute as * and specify Lacework Admin Role Accounts as foo*. This gives user privileges for all accounts and admin privileges for only foo1 and foo2.
If you specify an account for both admin privileges and user privileges, admin privileges are granted.
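The following is an added example, not Lacework's or Okta's own code: a small Python model of the account-matching rules described for the Lacework Admin Role Accounts and Lacework User Role Accounts attributes (comma-separated names, the * wildcard, admin taking precedence over user). It assumes that * is the only wildcard and that a pattern must match the whole account name; the account names and attribute values are constructed from the examples in this page.

```python
import re

# Constructed sample account names, taken from the examples in this page.
ACCOUNTS = ["foo1", "foo2", "bar1"]


def parse_patterns(attr_value):
    """Split a comma-separated attribute value into patterns; blanks are dropped."""
    return [p.strip() for p in attr_value.split(",") if p.strip()]


def pattern_to_regex(pattern):
    """Translate one pattern to a regex. Assumption: '*' is the only wildcard,
    every other character is literal, and the whole account name must match."""
    parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$")


def matches(account, patterns):
    """True if the account name matches any of the patterns."""
    return any(pattern_to_regex(p).match(account) for p in patterns)


def resolve_roles(accounts, admin_attr, user_attr):
    """Return {account: role} following the documented precedence:
    an admin match wins over a user match, and an account that matches
    neither attribute gets no profile at all."""
    admin_patterns = parse_patterns(admin_attr)
    user_patterns = parse_patterns(user_attr)
    roles = {}
    for account in accounts:
        if matches(account, admin_patterns):
            roles[account] = "admin"
        elif matches(account, user_patterns):
            roles[account] = "user"
    return roles


def admin_on_every_account(accounts, admin_attr):
    """Least-privilege review helper (added here, not a Lacework feature): flag an
    admin attribute that would grant admin on all existing accounts."""
    roles = resolve_roles(accounts, admin_attr, "")
    return bool(accounts) and all(roles.get(a) == "admin" for a in accounts)


if __name__ == "__main__":
    print(resolve_roles(ACCOUNTS, "*1", ""))      # {'foo1': 'admin', 'bar1': 'admin'}
    print(resolve_roles(ACCOUNTS, "foo*", "*"))   # foo1/foo2 admin, bar1 user
```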
Complete SAML JIT
- After specifying all attributes for a person, click Save.
- Ensure the Lacework application is assigned to the person.
- Ensure you enable SAML in the Lacework Console and select the Just-in-Time User Provisioning option.
The team member can now log in to Lacework through SAML.
When the member logs in, a profile with the specified privileges is created only in the accounts that the attributes specify.