SSO/SAML Integration
Use your Single Sign-On provider for authentication and authorization to Lacework Edge.
For each provider, you will need to create a new app, obtain SAML metadata for that app, and provide it to Lacework Edge in our Admin UI.
Azure Active Directory
Create a new App
- Log in to the Lacework Edge dashboard as an admin.
- Navigate to the settings page, click Integrations, select SAML SSO, then select the Azure AD tab in the dialog box.
- You will need the Reply URL and Identifier here later in this task.
- Leave this tab open, because you will need to paste the credentials here later.
- Log in to the Azure Active Directory Admin Center as a user with the Global Administrator, Cloud Application Administrator, Application Administrator or Owner role.
- In the left menu, select Azure Active Directory > Enterprise applications. Click on New application in the next screen.
- In the Azure AD Gallery, click Create your own application in the top-left corner. In the dialog box that shows up:
- Enter Lacework Edge for the app name.
- Choose the Integrate any other application you don't find in the gallery (Non-gallery) radio button.
- Click Create.
- In the Overview, click Properties in the left menu.
- Download the Lacework Edge Logo here, upload it to the Logo property and then click Save.
- Click Users and groups in the left menu and assign the desired users access to this Application.
Set up SAML for new App, get metadata
- Click Single sign-on in the left menu and select SAML as the single sign-on method.
- Click on the Edit button in the Basic SAML Configuration section.
- Under Identifier, click Add Identifier and paste the Identifier from the Lacework Edge Admin UI.
- Under Reply URL, click Add reply URL and paste the Reply URL from the Lacework Edge Admin UI. Leave Index blank.
- Click the Save Icon in the top-left of this dialog box and close the dialog box using the X in the top-right corner.
- In the SAML Certificates section, click on the Download link for Federation Metadata XML.
Provide metadata to Lacework Edge
- Go back to your Lacework Edge Admin tab, which should still be in the SAML SSO integration dialog.
- Paste the XML from the downloaded metadata file into the Identity Provider Metadata XML field and click Save.
Configure Transparent SSO (Windows clients only)
Transparent SSO lets clients installed on AzureAD domain-joined machines log in to Lacework Edge automatically, giving users a seamless sign-on experience.
This feature only works on AzureAD domains. Lacework Edge does not support Transparent SSO for:
- On-premise AD.
- On-premise AD synced with AzureAD using the AD connector.
To enable this feature, you need to be an Admin on AzureAD:
- Download Configure-EdgeGuardian-AAD-SSO.ps1, a PowerShell script that creates the necessary applications on AzureAD/Entra.
- Run the script on a Windows machine (it need not be domain-joined):
powershell -ep bypass -Command .\Configure-EdgeGuardian-AAD-SSO.ps1
- When prompted for accountName:, enter the Lacework Edge account name you use to log in at https://login.edge-guardian.io/.
- The script will redirect you to Microsoft's sign-in page, which prompts for your AzureAD username and password.
- After logging in, you should see an output like this:
Please enter your organization account name in Lacework Edge: <Account Name>
Creating an application in AzureAD
AzureAD application created with client-id: 'service_uuid'
Updated application identifier uri.
'adminuser@your-ad-domain.com' added as an application owner to app '<Account Name> service app for SSO into Lacework Edge'
AzureAD application created with client-id: 'client_uuid'
'adminuser@your-ad-domain.com' added as an application owner to app '<Account Name> client app for SSO into Lacework Edge'
Added Redirect URIs
Getting access from 'client' to 'Microsoft Graph'
Added API permissions
Following additional steps need to performed manually on the Azure AD portal (https://portal.azure.com):
1. Click on 'Azure Active Directory' on the home screen
2. Click on 'App Registrations' on the left panel
3. Click on '<Account Name> client app for SSO into Lacework Edge' under 'Owned Applications'
4. Click on 'API Permissions' on the left panel
5. Click on 'Grant admin consent for '<Domain Name>'
Client ID for Transparent SSO : 'client_uuid'
- Follow the above additional steps (1--5) in the AzureAD portal and copy the client_uuid printed under "Client ID for Transparent SSO" above.
- Log in to your Lacework Edge account at https://app.edge-guardian.io/ui/integrations, navigate to the "Integrations" page, and paste the client_uuid into the "Client ID for Transparent SSO" textbox.
Once the above steps are complete, instruct the clients to use the domain-joined credentials by deploying an environments.json with the following additional fields (azure_app_id and account_name):
[
  {
    "name": "001 - ...",
    // ... ...
    "azure_app_id": "client_uuid",
    "account_name": "your-edgeguardian-account-name"
  }
]
Once deployed, the clients installed on Windows domain-joined machines will automatically log in to Lacework Edge.
You must complete the above steps before deploying clients to your users. If you already installed a client, uninstall and reinstall it so that it picks up the updated environments.json configuration.
To delete the two apps created above, run:
powershell -ep bypass -Command ".\Configure-EdgeGuardian-AAD-SSO.ps1 -delete $true"
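The script output above prints two client-ids (the service app's and the client app's), and only the one on the "Client ID for Transparent SSO" line belongs in environments.json. The following is an added example, not Lacework's own tooling: it pulls that id out of a saved copy of the script output and adds the azure_app_id and account_name fields to every entry of an existing environments.json. The script output, the ids and the account name "acme" are constructed placeholders.

```python
import json
import re

UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)

# Constructed sample of what Configure-EdgeGuardian-AAD-SSO.ps1 prints (placeholder ids, not
# real values). It prints two client-ids; only the "Client ID for Transparent SSO" one is wanted.
SAMPLE_SCRIPT_OUTPUT = """Creating an application in AzureAD
AzureAD application created with client-id: 'aaaaaaaa-0000-1111-2222-333333333333'
'adminuser@your-ad-domain.com' added as an application owner to app 'acme service app for SSO into Lacework Edge'
AzureAD application created with client-id: 'bbbbbbbb-4444-5555-6666-777777777777'
'adminuser@your-ad-domain.com' added as an application owner to app 'acme client app for SSO into Lacework Edge'
Client ID for Transparent SSO : 'bbbbbbbb-4444-5555-6666-777777777777'
"""

# Constructed environments.json as it might look before Transparent SSO is enabled.
EXISTING_ENVIRONMENTS = '[{"name": "001 - production"}, {"name": "002 - staging"}]'


def extract_transparent_sso_client_id(script_output):
    """Pick the client app's id out of the script output, ignoring the service app's id."""
    m = re.search(r"Client ID for Transparent SSO\s*:\s*'([^']+)'", script_output)
    if not m or not UUID_RE.match(m.group(1)):
        raise ValueError("no valid 'Client ID for Transparent SSO' line in script output")
    return m.group(1)


def add_transparent_sso(environments_json, client_id, account_name):
    """Return the environments list with azure_app_id and account_name set on every entry."""
    if not UUID_RE.match(client_id):
        raise ValueError("azure_app_id is not a UUID: " + repr(client_id))
    if not account_name.strip():
        raise ValueError("account_name must not be empty")
    envs = json.loads(environments_json)
    if not isinstance(envs, list) or not all(isinstance(e, dict) and "name" in e for e in envs):
        raise ValueError("environments.json must be a list of objects that each have a 'name'")
    for env in envs:
        env["azure_app_id"] = client_id
        env["account_name"] = account_name
    return envs  # json.dump(envs, fh, indent=2) to write the file back


if __name__ == "__main__":
    cid = extract_transparent_sso_client_id(SAMPLE_SCRIPT_OUTPUT)
    print(json.dumps(add_transparent_sso(EXISTING_ENVIRONMENTS, cid, "acme"), indent=2))
```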
Google Workspace
Create a new App
- Log in to the Lacework Edge dashboard as an admin.
- Navigate to the settings page, click Integrations, select SAML SSO, then select the Google Workspace tab in the dialog box.
- You will need the ACS URL and Entity ID here later in this task.
- Leave this tab open, because you will need to paste the credentials here later.
- Log in to the Google Workspace Admin Console as an admin user.
- In the left menu, select Apps > Overview. Click on Web and mobile apps in the next screen.
- Click Add app > Add custom SAML app. In the dialog box that shows up:
- App Name: Lacework Edge
- App Icon: Download the Lacework Edge Logo here
- Click Continue
- Click Download IdP Metadata and then click Continue
- Enter the ACS URL and Entity ID from the Lacework Edge Admin UI and click Continue.
- Click Finish in the next screen.
- In the app details screen that appears next, click on the User access header and assign the desired users access to this Application.
Provide metadata to Lacework Edge
- Go back to your Lacework Edge Admin tab, which should still be in the SAML SSO integration dialog.
- Paste the XML from the downloaded metadata file into the Identity Provider Metadata XML field and click Save.
Okta
Create a new App
- Log in to the Lacework Edge dashboard as an admin.
- Navigate to the settings page, click Integrations, select SAML SSO, then select the Okta tab in the dialog box.
- You will need the SSO URL and Audience URI here later in this task.
- Leave this tab open, because you will need to paste the credentials here later.
- Sign in to your Okta Admin Console (https://.okta.com/admin/getting-started) as an admin.
- Navigate to Applications > Applications.
- Click Create App Integration.
- Choose SAML 2.0 and click Next.
- In the General Settings step, enter the following values and then click Next:
- App Name: Lacework Edge
- App Logo: Download the Lacework Edge Logo here
- In Configure SAML step, enter the following values copied from the Lacework Edge Admin UI and then click Next:
- Single sign-on URL: SSO URL
- Audience URI: Audience URI
- Leave all other settings as Default.
- In the Feedback step, select I'm an Okta customer adding an internal app, and click Finish.
- Assign the desired users access to this Application by clicking on the Application tile and choosing the Assignments tab.
Get metadata from new App
- Open the App details by clicking on the Application tile
- In the Sign On tab, scroll down to the SAML Signing Certificates section.
- If there is no SHA-2 certificate:
- Click Generate new certificate
- Click Actions next to the newly-minted certificate and click Activate
- Next to the list of certificates, click the button titled View SAML setup instructions
- Scroll to the bottom of the ensuing How to Configure SAML 2.0 page.
- Copy and save the entire contents of the Optional section (XML format)
Provide metadata to Lacework Edge
- Go back to your Lacework Edge Admin tab, which should still be in the SAML SSO integration dialog.
- Paste the XML from the saved metadata file into the Identity Provider Metadata XML field and click Save.
OneLogin
Create a new App, get metadata
- Log in to the Lacework Edge dashboard as an admin.
- Navigate to the settings page, click Integrations, select SAML SSO, then select the OneLogin tab in the dialog box.
- You will need the Audience, Recipient, ACS (Consumer) URL Validator and ACS (Consumer) URL here later in this task.
- Leave this tab open, because you will need to paste the credentials here later.
- Log in to the OneLogin Admin Console (https://.onelogin.com/admin) as an admin.
- In the Admin Console, navigate to Applications > Applications.
- Click Add App.
- In the Find Applications screen, enter SAML custom and click SAML Custom Connector (Advanced).
- In the Configuration step, enter the following values and then click Save:
- Display Name: Lacework Edge
- Rectangular Icon: Download the rectangular Lacework Edge Logo here
- Square Icon: Download the square Lacework Edge Logo here
- Click Configuration in the left menu, enter the values copied from the Lacework Edge Admin UI in the matching fields and then click Save.
- In the top-right corner, click More Actions > SAML Metadata to download the SAML metadata to be used in the Lacework Edge Admin UI.
- Using the Users, Roles and Groups menus under Users in the top bar, assign the desired users access to this Application.
Provide metadata to Lacework Edge
- Go back to your Lacework Edge Admin tab, which should still be in the SAML SSO integration dialog.
- Paste the XML from the downloaded metadata file into the Identity Provider Metadata XML field and click Save.
Ping Identity PingOne
Create a new App
- Log in to the Lacework Edge dashboard as an admin.
- Navigate to the settings page, click Integrations, select SAML SSO, then select the Ping Identity tab in the dialog box.
- You will need the Entity ID and ACS URL here later in this task.
- Leave this tab open, because you will need to paste the credentials here later.
- Log in to the PingOne console as an admin.
- Navigate to Connections > Applications.
- Click the + icon to add a new application, enter the following and click Configure:
- Name: Lacework Edge
- Icon: Download the Lacework Edge Logo here.
- Application Type: SAML Application
- Click the Manually Enter radio button
- Enter the ACS URL and Entity ID values from the Lacework Edge admin UI and click Save.
- Under the Access tab, assign the desired users access to this Application.
Get metadata from new App
- Open the App details by clicking on it
- In the Attribute Mappings tab, edit the attribute mappings.
- Map the saml_subject attribute to Email Address, and click Save.
- Open the Configuration tab.
- Click Download Metadata.
Provide metadata to Lacework Edge
- Go back to your Lacework Edge Admin tab, which should still be in the SAML SSO integration dialog.
- Paste the XML from the downloaded metadata file into the Identity Provider Metadata XML field and click Save.
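Every provider section above ends with the same step: paste the IdP's metadata XML into the Identity Provider Metadata XML field. The following is an added example, not Lacework's or any provider's code, that sanity-checks such a file before you paste it: it confirms the root is an md:EntityDescriptor with an entityID, that it carries an IDPSSODescriptor (SP metadata is the usual wrong file), that a signing certificate is present, and that the HTTP-Redirect or HTTP-POST sign-on endpoint is HTTPS. The sample metadata is constructed in the shape of Azure AD's Federation Metadata XML download, with a placeholder tenant id and certificate body.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample shaped like Azure AD's Federation Metadata XML (placeholder values).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sts.windows.net/EXAMPLE-TENANT-ID/">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC-PLACEHOLDER-CERT-BODY</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/EXAMPLE-TENANT-ID/saml2"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/EXAMPLE-TENANT-ID/saml2"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def check_idp_metadata(xml_text):
    """Return (problems, summary) for IdP metadata about to be pasted into Lacework Edge."""
    problems = []
    # The file comes from your own IdP console, so the stdlib parser is acceptable here.
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        return ["root element is not md:EntityDescriptor (wrong file?)"], {}
    entity_id = root.get("entityID", "")
    if not entity_id:
        problems.append("entityID attribute is missing")
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        # SP metadata parses just as well but is useless here: the IdP side is needed.
        problems.append("no IDPSSODescriptor: this looks like SP metadata, not the IdP's")
        return problems, {"entityID": entity_id}
    # Only certificates usable for signing let Lacework Edge verify assertion signatures.
    signing_certs = [c.text.strip()
                     for k in idp.findall(f"{{{MD}}}KeyDescriptor") if k.get("use", "signing") == "signing"
                     for c in k.iter(f"{{{DS}}}X509Certificate") if c.text]
    if not signing_certs:
        problems.append("no signing certificate in IDPSSODescriptor")
    sso = {s.get("Binding"): s.get("Location", "") for s in idp.findall(f"{{{MD}}}SingleSignOnService")}
    login_url = sso.get(REDIRECT) or sso.get(POST) or ""
    if not login_url:
        problems.append("no SingleSignOnService with HTTP-Redirect or HTTP-POST binding")
    elif not login_url.startswith("https://"):
        problems.append("SSO endpoint is not HTTPS: " + login_url)
    return problems, {"entityID": entity_id, "sso_url": login_url, "signing_certs": len(signing_certs)}
```

An empty problems list means the file has the pieces Lacework Edge needs; the summary lets you eyeball that the entityID and SSO URL belong to the tenant you expect.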