
Okta SAML JIT

This topic describes how to add JIT user provisioning capabilities to Okta SAML authentication for Lacework.

The steps in the following sections assume you have already added Lacework as a service provider with Okta SAML.

note

Some procedures contain additional configuration steps for Lacework organizations.

Configure the Lacework Application in Okta

These steps detail how to add attribute statements to the Lacework application.

  1. Sign in to Okta with administrative privileges.

  2. Click Admin.

  3. Go to Applications > Applications and click the Lacework application.

  4. Click General and then Edit for the SAML Settings.

  5. Click Next. You don't need to change General Settings.

  6. In the Attribute Statements (Optional) section, add attribute statements with the following names and values (all name formats can remain unspecified).

    For information on Lacework attributes, see Set Lacework Attributes.

    • First Name, user.firstName

    • Last Name, user.lastName

    • Company Name, appuser.company

    • Lacework Admin Role Accounts, appuser.laceworkAdminRoleAccounts

    • Lacework User Role Accounts, appuser.laceworkUserRoleAccounts


    note

    The values are examples. You can use values that adhere to your own standards or formats instead.

  7. If your Lacework account is enrolled in a Lacework organization, add attribute statements with the following names and example values:

    • Lacework Organization Admin Role, user.laceworkOrgAdminRole
    • Lacework Organization User Role, user.laceworkOrgUserRole


  8. Click Next.
  9. Click Finish.
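To confirm that the attribute statements above actually reach Lacework with the expected names and values, it helps to inspect the AttributeStatement of a captured assertion (for example from a browser SAML trace) before enabling JIT. The following added example is not Lacework or Okta code: it parses a constructed sample assertion, checks that First Name, Last Name and Company Name are present, that the organization role attributes are boolean, and returns the account lists that JIT would act on. It assumes that several accounts are delivered as one comma-separated attribute value.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Attribute statement names as configured in the Okta procedure above.
REQUIRED = ("First Name", "Last Name", "Company Name")
ACCOUNT_LISTS = ("Lacework Admin Role Accounts", "Lacework User Role Accounts")
ORG_ROLES = ("Lacework Organization Admin Role", "Lacework Organization User Role")

# Constructed sample (not a real Okta response); only the AttributeStatement matters here.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:AttributeStatement>
  <saml:Attribute Name="First Name"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="Last Name"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="Company Name"><saml:AttributeValue>Example Corp</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="Lacework Admin Role Accounts"><saml:AttributeValue>acct-prod</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="Lacework User Role Accounts"><saml:AttributeValue>acct-dev, acct-qa</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="Lacework Organization Admin Role"><saml:AttributeValue>false</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="Lacework Organization User Role"><saml:AttributeValue>true</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(xml_text):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name")] = values
    return attrs


def check_jit_attributes(xml_text):
    """Validate the Lacework JIT attributes and return what Lacework would receive."""
    attrs = extract_attributes(xml_text)
    problems = []
    for name in REQUIRED:
        if not any(attrs.get(name, [])):
            problems.append(f"missing required attribute: {name}")
    accounts = {}
    for name in ACCOUNT_LISTS:
        # Assumption: several accounts arrive as one comma-separated value.
        raw = ",".join(attrs.get(name, []))
        accounts[name] = [a.strip() for a in raw.split(",") if a.strip()]
    org_roles = {}
    for name in ORG_ROLES:
        value = (attrs.get(name) or ["false"])[0].lower()
        if value not in ("true", "false"):  # the profile attribute is a boolean
            problems.append(f"non-boolean value for {name}: {value!r}")
        org_roles[name] = value == "true"
    return {"accounts": accounts, "org_roles": org_roles, "problems": problems}
```

An empty problems list means the assertion carries everything JIT needs; any entry points at the attribute statement or profile attribute to fix before the first login.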

Add Custom Lacework Attributes to a Profile

This section details how to add custom Lacework attributes to the Okta profile and the Lacework application profile. Perform one of the following:

Add Attributes to the Okta Profile

These steps detail how to add custom Lacework attributes to the Okta profile.

For information on Lacework attributes, see Set Lacework Attributes.

  1. Go to Directory > Profile Editor.

  2. For Okta, click Profile.

  3. Click Add Attribute.

  4. Add the following attributes with the corresponding data types, display names, and variable names:

    • string, Company, company
    • string, Lacework Admin Role Accounts, laceworkAdminRoleAccounts
    • string, Lacework User Role Accounts, laceworkUserRoleAccounts


  5. If your Lacework account is enrolled in a Lacework organization, also add the following attributes with the corresponding data types, display names, and variable names:

    • boolean, Lacework Organization Admin Role, laceworkOrgAdminRole


    • boolean, Lacework Organization User Role, laceworkOrgUserRole


  6. In Filters, click Custom, and confirm that you added all attributes correctly.


The variable names must match the attribute statement values defined in the Lacework application. For example, if the attribute variable is laceworkAdminRoleAccounts, the corresponding attribute statement value must be user.laceworkAdminRoleAccounts.

Add Attributes to the Lacework Application Profile

These steps detail how to add custom Lacework attributes to the Lacework application profile.

note

For information on Lacework attributes, see Set Lacework Attributes.

  1. Go to Directory > Profile Editor.

  2. For Lacework, click Profile.

  3. Click Add Attribute.

  4. Add the following attributes with corresponding data types, display names, and variable names:

    • string, Company, company
    • string, Lacework Admin Role Accounts, laceworkAdminRoleAccounts
    • string, Lacework User Role Accounts, laceworkUserRoleAccounts


  5. If your Lacework account is enrolled in a Lacework organization, also add the following attributes with the corresponding data types, display names, and variable names:

    • boolean, Lacework Organization Admin Role, laceworkOrgAdminRole


    • boolean, Lacework Organization User Role, laceworkOrgUserRole


  6. In Filters, click Custom, and confirm you added all attributes correctly.
    The variable names must match the attribute statement values defined in the Lacework application. For example, if the attribute variable is laceworkAdminRoleAccounts, the corresponding attribute statement value must be appuser.laceworkAdminRoleAccounts.


Add a Person in Okta

These steps explain how to add a person in Okta with defined Lacework attributes.

  1. Go to Directory > People.
  2. Click Add Person, complete the fields, and click Save. For details, see Set Lacework Attributes.
  3. Click the new person and click Profile.
  4. Click Edit.
  5. Ensure First Name, Last Name, and Company are completed.

Finish SAML JIT Configuration

  1. After specifying all attributes for a person, click Save.
  2. Ensure the Lacework application is assigned to the person.
  3. Ensure you enable SAML in the Lacework Console and select the Just-in-Time User Provisioning option.

The team member can now log in to Lacework through SAML.

When the member logs in, a profile (with the specified privileges) is added in only the accounts that are specified.

If the member has organization-level privileges, a profile (with the specified privileges) is added in each account that is part of the organization; no new accounts are created.