Skip to main content


To use AWS as a SAML IDP, you must add Lacework as a custom application to AWS SSO:

  1. Log in to the AWS Management Console with your AWS Organization’s administrator account credentials.
  2. Open the AWS SSO console.
  3. Choose Enable AWS SSO.
  4. If you haven’t already set up AWS Organizations, you will need to create an organization. Click Create AWS Organization to do so. If you have already set up AWS Organizations, move on to the next step.
  5. Click Applications in the AWS SSO console’s left navigation pane.
  6. Click Add a new application.
  7. In the Select an application box, select Custom SAML 2.0 application.

Choose an application from the AWS SSO application catalog

  1. Choose Configure application.
  2. On the Configure <Custom app name> page, under Details, enter Lacework as the Display name for the application.
  3. Under AWS SSO metadata, next to AWS SSO SAML metadatafile, choose Download to download the identity provider metadata, which will eventually be uploaded to the Lacework Console.

Download the AWS SSO SAML metadata file

  1. Under Application metadata, choose to type metadata manually and provide the Application ACS URL and Application SAML audience values as shown below:

Application SAML metadata file Application ACS URL and and application SAML audience

  1. Save the application.
  2. Once saved, navigate to the Attribute mappings tab and update the attribute mappings with your user email. The only user attribute required is the user email (first row). The additional attributes are not required unless JIT user provisioning is enabled.

User attribute in the application

  1. Navigate to the Lacework Console.
  2. Enable SAML in the Lacework Console.
  3. Upload the AWS SSO metadata that you downloaded in Step 10.
  4. To enable JIT user provisioning, see Okta SAML JIT.
  5. Now, you can successfully log in to the Lacework Console using SAML.