
IdP API Integration

Sync your company's users, groups, IdP-governed applications, and activity logs to Lacework Edge.

For each provider, you will need to provision and grant permissions to API credentials and provide them to Lacework Edge in our Admin UI.

Azure Active Directory

Register a new App

Note: If you have already created an application in Azure for the Microsoft Office 365 integration, you can reuse that.

  1. Log in to the Azure Active Directory Admin Center as a user with the Global Administrator, Cloud Application Administrator, Application Administrator, or Owner role.
  2. Navigate to Azure Active Directory > App registrations and click New registration.
    • Give it a name, e.g., Lacework Edge Integration.
    • Leave the defaults for "Supported account types" and "Redirect URI".
    • Click Register.
  3. Once created, you'll be shown the Overview section. Copy the values for Application (client) ID and Directory (tenant) ID and store them for later use.
  4. Navigate to Owners in the Manage section of the left menu.
  5. Copy the user name listed for your user and store it along with the Client and Tenant IDs.

Grant API permissions

  1. Open the API permissions section within your App registration.
  2. Remove any existing permissions (User.Read is added by default).
    • Click '...' to the right of the permission name and click Remove permission
  3. Click + Add a permission, choose the Microsoft Graph tile, then click Application permissions.
  4. Check the following permissions and then click the Add permissions button at the bottom:
  • Permissions required for log ingestion:
    • AuditLog.Read.All
    • Directory.Read.All
  • Permissions required for user/group/app (resource) syncing:
    • User.Read.All
    • Group.Read.All
    • Application.Read.All
  5. Click the Grant admin consent button at the top of the permissions table and click Yes in the popup. These are application (app-only) permissions, so they take effect only after admin consent is granted.

Generate client secret

Note: If you have already created a client secret in Azure for the Microsoft Office 365 integration, you can reuse that.

  1. Navigate to the Certificates & secrets section.
  2. Click + New client secret.
  3. Enter "Lacework Edge" for the description and select "24 months" for the expiration. Click Add.
  4. Click the Copy icon in the Value column of the client secret and store it for later use where you stored the Client and Tenant IDs.
    • Important: you want the Value and not the "Secret ID". The Value is shown only once; once you leave this page it cannot be retrieved and you will have to create a new secret.
    • Note the expiration date: the integration stops authenticating when the secret expires, so create a new secret and update it in Lacework Edge before then.

Provide credentials to Lacework Edge

  1. Log in to the Lacework Edge dashboard as an admin.
  2. Navigate to the settings page, click Integrations, and select Azure Active Directory.
  3. Enter the previously gathered Tenant ID, Client ID, and Client Secret Value strings into the form and click Save.

Note: The Azure AD instance must have at least a P1 license for the log ingestion integration to work. The following error is returned if the license is not present:

    {
      "error": {
        "code": "Authentication_RequestFromNonPremiumTenantOrB2CTenant",
        "message": "Neither tenant is B2C or tenant doesn't have premium license"
      }
    }
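Before pasting the Tenant ID, Client ID and secret into the dashboard, it is worth confirming that the app registration really carries the five permissions above and that the tenant is licensed for audit logs. The following script is an added example (not Lacework Edge code and not from the original page): it requests an app-only Microsoft Graph token with the client-credentials grant, reads the token's roles claim (which, for an app-only token, lists the admin-consented application permissions), reports anything missing per capability, and recognises the licence error shown above. The sign-in log probe URL and the constructed test token are assumptions for illustration.

```python
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

# Application permissions the integration needs, grouped as on this page.
REQUIRED_ROLES = {
    "log ingestion": {"AuditLog.Read.All", "Directory.Read.All"},
    "resource sync": {"User.Read.All", "Group.Read.All", "Application.Read.All"},
}

# Error code Graph returns from audit-log endpoints on a tenant without a P1/P2 licence.
LICENSE_ERROR_CODE = "Authentication_RequestFromNonPremiumTenantOrB2CTenant"

# Assumed probe endpoint: sign-in logs need AuditLog.Read.All and a premium tenant.
AUDIT_PROBE_URL = "https://graph.microsoft.com/v1.0/auditLogs/signIns?$top=1"


def token_request(tenant_id, client_id, client_secret):
    """Client-credentials request for an app-only Graph token (no user involved)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",  # everything admin-consented
    }).encode()
    return urllib.request.Request(url, data=body, method="POST")


def jwt_claims(access_token):
    """Decode a JWT payload without verifying it; acceptable here, the token is our own."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_roles(access_token):
    """Map each capability to the required permissions absent from the token's roles claim."""
    granted = set(jwt_claims(access_token).get("roles", []))
    return {name: sorted(req - granted) for name, req in REQUIRED_ROLES.items() if req - granted}


def is_license_error(graph_response_body):
    """True when Graph rejected a call because the tenant has no premium licence."""
    try:
        err = json.loads(graph_response_body).get("error", {})
    except (ValueError, AttributeError):
        return False
    return err.get("code") == LICENSE_ERROR_CODE


def probe(tenant_id, client_id, client_secret):
    """Live check: fetch a token, diff its roles, then read one sign-in log entry."""
    with urllib.request.urlopen(token_request(tenant_id, client_id, client_secret)) as resp:
        token = json.loads(resp.read())["access_token"]
    report = {"missing_roles": missing_roles(token)}
    req = urllib.request.Request(AUDIT_PROBE_URL, headers={"Authorization": f"Bearer {token}"})
    try:
        urllib.request.urlopen(req).close()
        report["audit_log"] = "ok"
    except urllib.error.HTTPError as e:
        body = e.read().decode()
        report["audit_log"] = "no premium licence" if is_license_error(body) else f"HTTP {e.code}"
    return report


def make_unsigned_jwt(claims):
    """Constructed, unsigned token for offline testing of the checks above."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    # Constructed token for an app that was only granted two of the five permissions.
    partial = make_unsigned_jwt({"aud": "https://graph.microsoft.com",
                                 "roles": ["Directory.Read.All", "User.Read.All"]})
    print(missing_roles(partial))
    print(is_license_error('{"error":{"code":"%s","message":"..."}}' % LICENSE_ERROR_CODE))
```

Run `probe(tenant_id, client_id, client_secret)` with the values you stored; an empty `missing_roles` and `audit_log == "ok"` means both the permission grant and the licence are in place. A non-empty `missing_roles` usually means admin consent was never clicked, since unconsented application permissions never appear in the token.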

Google Workspace

If you are using Google Workspace as your IdP as well as document repository, integrating with its API will enable us to treat it as both, and retrieve the inventory & logs for both.

To set up the Google Workspace integration, please follow the instructions found in the Document/Data API integrations page.

Okta

Create an API token

Note: API tokens have the same permissions as the user who creates them. If the user's permissions change, the API token's permissions also change, and the token stops working if that user is deactivated, so create it as a dedicated, long-lived admin account rather than a personal one.

We use Okta API tokens to get users, groups and applications, as well as system logs, from Okta into Lacework Edge. In addition, the Lacework Edge least privilege dashboard allows admins to revoke Okta application assignments for over-privileged users. As a result, the API token provided to Lacework Edge needs the following permissions:

  • view users and their details
  • view groups and their details
  • view applications and their details
  • edit an application's user assignments
  • view all reports and the system log (Reports Administrator role)

  1. Log in to your Okta Admin Console (https://your-okta-subdomain.okta.com/admin/getting-started) as an admin.
  2. Navigate to Security > API and then select the Tokens tab.
  3. Click Create token, give the token a name, and click Create token.
  4. In the next screen, copy the token value and save it for later use.
    • Note: This will be the only opportunity to see and record this token value.
  5. Copy your Okta Subdomain from your URL, in the form https://<okta_subdomain>.okta.com, and save it for later use.
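Because the token inherits whatever the creating admin can do, a token minted by an admin without the Reports Administrator role will sync users, groups and apps but silently fail to pull the system log. The following preflight is an added example (not Lacework Edge code and not from the original page): it makes one cheap read-only call per capability in the list above using the SSWS scheme Okta API tokens require, and reports each call the token cannot complete. The "edit application's user assignment" permission has no harmless read-only probe and is left out. The `fake_fetch` response is constructed so the script also runs offline.

```python
import json
import urllib.error
import urllib.request

# Capability from the list above -> cheapest read-only call that requires it.
# "edit application's user assignment" has no harmless read-only probe and is left out.
PROBES = {
    "view users": "/api/v1/users?limit=1",
    "view groups": "/api/v1/groups?limit=1",
    "view applications": "/api/v1/apps?limit=1",
    "view system log": "/api/v1/logs?limit=1",
}


def auth_headers(api_token):
    # Okta API tokens use the SSWS scheme, not Bearer.
    return {"Authorization": f"SSWS {api_token}", "Accept": "application/json"}


def http_fetch(url, headers):
    """Real transport: returns (status, body) and treats 4xx/5xx as data, not exceptions."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


def error_summary(body):
    """Okta error bodies carry errorCode/errorSummary; fall back to the raw text."""
    try:
        return json.loads(body).get("errorSummary", body)
    except (ValueError, AttributeError):
        return body


def preflight(subdomain, api_token, fetch=http_fetch):
    """Return {capability: (status, summary)} for every probe the token cannot complete."""
    base = f"https://{subdomain}.okta.com"
    failures = {}
    for capability, path in PROBES.items():
        status, body = fetch(base + path, auth_headers(api_token))
        if status != 200:
            failures[capability] = (status, error_summary(body))
    return failures


def fake_fetch(url, headers):
    """Constructed offline stand-in: a token whose owner lacks the reports role."""
    assert headers["Authorization"].startswith("SSWS ")
    if "/api/v1/logs" in url:
        return 403, json.dumps({"errorCode": "E0000006",
                                "errorSummary": "You do not have permission to perform the requested action"})
    return 200, "[]"


if __name__ == "__main__":
    # Offline demonstration; replace fake_fetch with the default http_fetch for a live check.
    print(preflight("example", "00constructed-token", fetch=fake_fetch))
```

Run `preflight("<okta_subdomain>", token)` against your org; an empty dictionary means every probed capability works. If only the system-log probe fails, grant the creating admin the Reports Administrator role and mint a new token.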

Provide credentials to Lacework Edge

  1. Log in to the Lacework Edge dashboard as an admin.
  2. Navigate to the settings page, click Integrations, and select Okta.
  3. Enter the previously gathered Okta Subdomain and Access Token strings into the form and click Save.

OneLogin

Create an API credential

  1. Log in to the OneLogin Admin Console (https://.onelogin.com/admin2) as an admin.
  2. Navigate to Developers > API Credentials in the top menu.
  3. Click New Credential.
    • Give the new credential a name, e.g., laceworkedge.
    • Choose the Read all permission.
    • Click Save.
    • Copy the Client ID and Client Secret from the next screen and save them for later use.
  4. Get the Tenant Name from your URL, in the form https://<onelogin_tenant>.onelogin.com, and save for later use.

Provide credentials to Lacework Edge

  1. Log in to the Lacework Edge dashboard as an admin.
  2. Navigate to the settings page, click Integrations, and select OneLogin.
  3. Enter the previously gathered Tenant Name, Tenant ID, Client ID and Client Secret strings into the form and click Save.

Ping Identity PingOne

Create a new App, get credentials

  1. Log in to your PingOne Admin Console as an admin.
  2. Navigate to Connections > Applications.
  3. Click the + icon to add a new application.
  4. Enter a name for the application, e.g., edgeguardian-api.
  5. Choose the Worker application type, and click Save.
  6. In the Roles tab for the new app, add the following roles:
    • IDENTITY DATA READ ONLY
    • CLIENT APPLICATION DEVELOPER
  7. Under the Configuration tab, click the pencil icon to edit.
  8. Change Token Endpoint Authentication Method to Client Secret Post and click Save.
  9. Expand the General section at the bottom.
  10. Copy the Client ID, Client Secret and Environment ID values and store them for later use.
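Both the OneLogin credential above and this PingOne worker app are OAuth 2.0 client-credentials clients, but they authenticate to their token endpoints differently: OneLogin's endpoint takes the Client ID and Client Secret as HTTP Basic credentials, whereas step 8 switched the PingOne app to Client Secret Post, so the credentials must travel in the form body and not in an Authorization header. Sending them the wrong way is rejected as an unknown client even though the secret is correct. The following is an added example (not Lacework Edge code and not from the original page) that builds both request shapes and a helper that tells them apart; the tenant-scoped OneLogin host, the global auth.pingone.com host (regional PingOne tenants use .eu, .ca or .asia variants) and the user-listing URLs are assumptions for illustration.

```python
import base64
import json
import urllib.parse
import urllib.request


def onelogin_token_request(tenant, client_id, client_secret):
    """client_secret_basic: id:secret in the Authorization header, grant type in the body."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return urllib.request.Request(
        f"https://{tenant}.onelogin.com/auth/oauth2/v2/token",
        data=json.dumps({"grant_type": "client_credentials"}).encode(),
        headers={"Authorization": f"Basic {creds}",
                 "Content-Type": "application/json"},
        method="POST",
    )


def pingone_token_request(environment_id, client_id, client_secret):
    """client_secret_post: id and secret in the form body, no Authorization header."""
    return urllib.request.Request(
        f"https://auth.pingone.com/{environment_id}/as/token",
        data=urllib.parse.urlencode({
            "grant_type": "client_credentials",
            "client_id": client_id,
            "client_secret": client_secret,
        }).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


def client_auth_method(req):
    """Tell from a built request which client-authentication method it uses."""
    if (req.get_header("Authorization") or "").startswith("Basic "):
        return "client_secret_basic"
    if req.get_header("Content-type") == "application/x-www-form-urlencoded":
        body = urllib.parse.parse_qs(req.data.decode())
        if "client_secret" in body:
            return "client_secret_post"
    return "none"


def bearer_headers(access_token):
    """Headers for the API calls that follow the token exchange."""
    return {"Authorization": f"Bearer {access_token}", "Accept": "application/json"}


# Assumed first read-only calls to confirm the token works (one user each).
def onelogin_users_url(tenant):
    return f"https://{tenant}.onelogin.com/api/2/users?limit=1"


def pingone_users_url(environment_id):
    return f"https://api.pingone.com/v1/environments/{environment_id}/users?limit=1"


def fetch_token(req):
    """Live exchange: POST the prepared request and return the access token."""
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.loads(resp.read())["access_token"]


if __name__ == "__main__":
    # Constructed identifiers; no network call is made here.
    print(client_auth_method(onelogin_token_request("acme", "id", "secret")))   # client_secret_basic
    print(client_auth_method(pingone_token_request("env-1", "id", "secret")))  # client_secret_post
```

If a PingOne token request fails, check `client_auth_method()` on what you send against the Token Endpoint Authentication Method shown in the app's Configuration tab: the two must agree. The same applies in reverse if a PingOne app is later switched back to Client Secret Basic.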

Provide credentials to Lacework Edge

  1. Log in to the Lacework Edge dashboard as an admin.
  2. Navigate to the settings page, click Integrations, and select Ping.
  3. Enter the previously gathered Client ID, Client Secret, and Environment ID strings into the form and click Save.