
OneLogin SAML JIT

This topic describes how to add JIT user provisioning capabilities to OneLogin authentication for Lacework. OneLogin provides a Lacework application to simplify the setup process.

The steps in the following sections assume you have already added Lacework as a service provider with OneLogin SAML.

Note: Some procedures contain additional configuration steps for Lacework organizations.

Set Attributes in the Lacework Application

These steps detail how to set attributes for the Lacework application.

  1. Sign in to OneLogin with super user privileges.

  2. From the Administration home page, go to Applications > Applications.

  3. Click the Lacework application.

  4. Click Parameters.
    The displayed Lacework fields were added automatically.

  5. Set the default values for the following fields:

    • Company Name - Company
    • Title - Title

First Name, Last Name, and NameID already have default values. You do not need to set default values for the other fields right now.

Set Up Access to the Lacework Application

Multiple methods are available to set up access to the Lacework application in OneLogin. The following sections discuss some common methods.

Add Custom User Fields and Manually Set Values

These steps detail how to add custom user fields and then manually set their values so users can access the Lacework application.

Add Custom User Fields

  1. Sign in to OneLogin with super user privileges.

  2. From the Administration home page, go to Users > Custom User Fields.

  3. Click New User Field.

  4. Add the following fields with the indicated names and short names:
    (You can optionally use names of your own as long as they are identifiable/meaningful to you.)

    • laceworkAdminAccounts, laceworkAdminAccounts
    • laceworkUserAccounts, laceworkUserAccounts
  5. If your Lacework account is enrolled in a Lacework organization, also add the following fields:

    • laceworkOrgAdminRole, laceworkOrgAdminRole
    • laceworkOrgUserRole, laceworkOrgUserRole

Manually Set Values for Custom Fields

  1. From the Administration home page, go to Users > Users.

  2. Select the user you want to assign Lacework access.

  3. Fill in the custom fields (using the previous example names). The attribute sections later in this topic describe how to complete each field.

  4. If your Lacework account is enrolled in a Lacework organization, you can also complete the organization fields (laceworkOrgAdminRole and laceworkOrgUserRole).

  5. Click Save User.

Add Application Rules

These steps detail how to add roles and then add application rules to map to the roles so users can access the Lacework application.

Add Roles

  1. Sign in to OneLogin with super user privileges.

  2. From the Administration home page, go to Users > Roles.

  3. Click New Role.

  4. Fill in the role name, select the Lacework app, and click Save. For example, you could add the following roles:

    • accountnameAdminRole - This provides admin access to a Lacework account.
    • accountnameUserRole - This provides user access to a Lacework account.
  5. If your Lacework account is enrolled in a Lacework organization, you could also add the following roles:

    • OrgAdminRole - This provides admin access to organization-level settings.
    • OrgUserRole - This provides user access to organization-level settings.

Create Application Rules

  1. From the Administration home page, go to Applications > Applications.

  2. Click the Lacework app and click Rules.

  3. Click Add Rule.

  4. Add the following rules (using the previous example names):
    If your Lacework account is enrolled in a Lacework organization, skip to the next step.

    • Name: Reset all Lacework attribute values
      Conditions: none
      Actions: (two separate actions)
      Set Lacework Admin Role Accounts, -Macro-, leave field empty
      Set Lacework User Role Accounts, -Macro-, leave field empty

    • Name: Lacework Admin Role Rule
      Conditions: Roles include accountnameAdminRole
      Actions: Set Lacework Admin Role Accounts, -Macro-, accountname
      See Lacework Admin Role Accounts Attribute for details

    • Name: Lacework User Role Rule
      Conditions: Roles include accountnameUserRole
      Actions: Set Lacework User Role Accounts, -Macro-, accountname
      See Lacework User Role Accounts Attribute for details

  5. If your Lacework account is enrolled in a Lacework organization, add the following rules (using the previous example names):

    • Name: Reset all Lacework attribute values
      Conditions: none
      Actions: (four separate actions)
      Set Lacework Admin Role Accounts, -Macro-, leave field empty
      Set Lacework User Role Accounts, -Macro-, leave field empty
      Set Lacework Organization Admin Role, -Macro-, leave field empty
      Set Lacework Organization User Role, -Macro-, leave field empty

    • Name: Lacework Admin Role Rule
      Conditions: Roles include accountnameAdminRole
      Actions: Set Lacework Admin Role Accounts, -Macro-, accountname
      See Lacework Admin Role Accounts Attribute for details

    • Name: Lacework User Role Rule
      Conditions: Roles include accountnameUserRole
      Actions: Set Lacework User Role Accounts, -Macro-, accountname
      See Lacework User Role Accounts Attribute for details

    • Name: Lacework Organization Admin Role Rule
      Conditions: Roles include OrgAdminRole
      Actions: Set Lacework Organization Admin Role, -Macro-, true
      See Lacework Organization Admin Role Attribute for details

    • Name: Lacework Organization User Role Rule
      Conditions: Roles include OrgUserRole
      Actions: Set Lacework Organization User Role, -Macro-, true
      See Lacework Organization User Role Attribute for details

  6. Ensure the reset rule is the first rule in the list. Move it to the first position if it is not already. This reset rule clears user privileges for the Lacework app.

Assign Roles to Users

  1. From the Administration home page, go to Users > Roles.
  2. Click the role you want to assign to a user.
  3. Click Users.
  4. In Check existing or add new users to this role, add a user’s name, select the user, and click Check.
  5. Click Add To Role and then click Save.

Lacework Admin Role Accounts Attribute

This section contains details about defining the Lacework Admin Role Accounts attribute.

Lacework Admin Role Accounts adds admin privileges to the existing accounts that you specify. You can specify a single account name:

    foo

or multiple comma-separated account names:

    foo,bar,baz

You can also specify a wildcard:

    *

For example, your organization contains these accounts: foo1, foo2, bar1, bar2, baz. You specify this attribute as:

    *2,baz

This adds admin privileges to foo2, bar2, and baz. But the individual does not have any privileges for foo1 and bar1. To add user privileges for those, you could specify the following value for the Lacework User Role Accounts attribute.

    *1

If you specify an account for admin privileges, you do not need to specify it for user privileges in the Lacework User Role Accounts attribute. Any of those accounts that also appear in Lacework User Role Accounts are ignored there, and admin privileges are still granted to them.

Lacework User Role Accounts Attribute

This section contains details about defining the Lacework User Role Accounts attribute.

Lacework User Role Accounts adds user privileges to the existing accounts that you specify. You can specify a single account name or multiple comma-separated account names. You can also specify a wildcard:

    *

For example, your organization contains these accounts: foo1, foo2, bar1, bar2, baz.

You specify this attribute as:

    b*

This adds user privileges to bar1, bar2, and baz. But the individual does not have any privileges for foo1 and foo2.

To add user privileges for foo1 as well, you could specify this attribute as:

    foo1,b*

Another example with the same accounts would be to specify the attribute as:

    *

And to specify Lacework Admin Role Accounts as:

    bar*

This gives user privileges for all accounts and admin privileges to only bar1 and bar2.

If you specify an account for admin privileges and user privileges, admin privileges will be granted.

Lacework Organization Admin Role Attribute

This section contains details about defining the Lacework Organization Admin Role attribute.

Lacework Organization Admin Role provides admin privileges to organization-level settings and admin privileges to all accounts within the organization.

Add true to make the individual an organization admin. If the individual is an organization admin, you do not need to set any other Lacework attributes; any settings in those attributes will be ignored.

Add false or leave undefined if the individual should not have admin privileges to organization-level settings or admin privileges to all accounts within the organization. If the individual is not an organization admin, you can still specify account-level admin and user privileges with the Lacework Admin Role Accounts and Lacework User Role Accounts attributes. You can also specify user privileges to organization-level settings with the Lacework Organization User Role attribute.

Lacework Organization User Role Attribute

This section contains details about defining the Lacework Organization User Role attribute.

Lacework Organization User Role provides user (view-only) privileges to organization-level settings and user privileges to all accounts within the organization.

Add true to make the individual an organization user. If the individual is an organization user, you can still give account-level admin privileges with the Lacework Admin Role Accounts attribute. Any settings in the Lacework User Role Accounts attribute will be ignored.

Add false or leave undefined if the individual should not have any privileges to organization-level settings or user privileges to all accounts within the organization. If the individual is not an organization user, you can still specify account-level admin and user privileges with the Lacework Admin Role Accounts and Lacework User Role Accounts attributes.
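The precedence rules described in the four attribute sections above (wildcards, admin winning over user, and the two organization-level flags), as an added Python model that is not Lacework's or OneLogin's code. The account names are the page's own example values; interpreting `*` with shell-style matching (`fnmatch`) is an assumption about how Lacework expands the wildcard.

```python
import fnmatch
from typing import Dict, Iterable, Set

# Constructed sample: the accounts used in the examples above.
ACCOUNTS = ["foo1", "foo2", "bar1", "bar2", "baz"]


def match_accounts(pattern_list: str, accounts: Iterable[str]) -> Set[str]:
    """Expand a comma-separated list such as '*2,baz' or 'b*' to the
    existing accounts it names. Assumption: '*' behaves as a shell glob."""
    matched: Set[str] = set()
    for pat in (p.strip() for p in pattern_list.split(",")):
        if pat:
            matched.update(a for a in accounts if fnmatch.fnmatchcase(a, pat))
    return matched


def resolve_privileges(accounts: Iterable[str], admin_accounts: str = "",
                       user_accounts: str = "", org_admin=None,
                       org_user=None) -> Dict[str, str]:
    """Return {account: 'admin' | 'user'} for every account in which the
    user will get a profile at JIT login. Accounts that match nothing get
    no profile, and no account is ever created.

    Precedence as documented:
      - Organization Admin Role = true: admin everywhere, all else ignored.
      - Organization User Role = true: user everywhere; Admin Role Accounts
        still raises listed accounts to admin; User Role Accounts ignored.
      - Otherwise: Admin Role Accounts wins for any account listed in both.
    """
    accounts = list(accounts)
    if str(org_admin).lower() == "true":
        return {a: "admin" for a in accounts}
    admins = match_accounts(admin_accounts, accounts)
    if str(org_user).lower() == "true":
        return {a: ("admin" if a in admins else "user") for a in accounts}
    users = match_accounts(user_accounts, accounts)
    result = {a: "admin" for a in admins}
    result.update({a: "user" for a in users - admins})
    return result


if __name__ == "__main__":
    # The page's first example: '*2,baz' for admin, '*1' for user.
    print(resolve_privileges(ACCOUNTS, admin_accounts="*2,baz", user_accounts="*1"))
```

Before enabling JIT for a role, run the attribute values you plan to map through this model and confirm the resulting profile set is the least-privilege one you intend.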

Finish SAML JIT Configuration

  1. Ensure all attributes are set for a user.
  2. Ensure the Lacework application is turned on.
  3. Ensure you enable SAML in the Lacework Console and select the Just-in-Time User Provisioning option.

The user can now log in to Lacework through SAML.

When the user logs in, a profile (with the specified privileges) is added in only the accounts that are specified.

If the user has organization-level privileges, a profile (with the specified privileges) is added in each account that is part of the organization; accounts are not created.