4.3


Keystore

Enable SAML single sign-on by creating a keystore.

  • SAML needs a keystore with a generated key-pair.
  • SAML uses the key-pair to encrypt its communication with the IdP.

Create a keystore 

Use the Java keytool to create one.

keytool \
 -genkeypair \
 -storetype pkcs12 \
 -keystore lenses.p12 \
 -storepass my_password \
 -alias lenses \
 -keypass my_password \
 -keyalg RSA \
 -keysize 2048 \
 -validity 10000

Setting     Definition
storetype   The type of keystore (pkcs12 is the industry standard, but jks is also supported)
keystore    The filename of the keystore
storepass   The password of the keystore
alias       The name of the key-pair
keypass     The password of the key-pair (must be the same as storepass for pkcs12 stores)

To ensure the keystore you create is compatible with Lenses, use the keytool utility from the exact Java version that Lenses uses. To find the Java version used by Lenses:

docker run --rm \
           --entrypoint "java" \
           lensesio/lenses:${YOUR_LENSES_VERSION} \
           --version

You could also use the keytool bundled in the Docker image of your Lenses version:

mkdir -p lenses_keystores
docker run --rm \
           -it  \
           --user $(id -u):$(id -g) \
           -v ${PWD}/lenses_keystores:${PWD}/lenses_keystores \
           --entrypoint '/opt/lenses/jre/bin/keytool' \
           lensesio/lenses:${YOUR_LENSES_VERSION} \
            -genkeypair \
            -storetype pkcs12 \
            -keystore ${PWD}/lenses_keystores/lenses.p12 \
            -storepass my_password \
            -alias lenses \
            -keypass my_password \
            -keyalg RSA \
            -keysize 2048 \
            -validity 10000

Add to configuration 

Reference the keystore file's path and the two passwords in the security.conf configuration file:

lenses.security.saml.keystore.location = "/path/to/lenses.p12"
lenses.security.saml.keystore.password = "my_password"
lenses.security.saml.key.password = "my_password"
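The following script is an added example, not part of the Lenses documentation or product: it creates the keystore non-interactively with the settings shown above, then verifies both the keystore and the security.conf entries before Lenses is started. It assumes keytool (from the same Java version Lenses uses) is on PATH; the CN in -dname and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example (not Lenses code). Creates and checks the SAML keystore
# described above, and validates the matching security.conf settings.

create_keystore() {   # $1 keystore path, $2 store/key password, $3 alias
  # -dname avoids keytool's interactive prompt; the CN is a placeholder.
  keytool -genkeypair -storetype pkcs12 -keystore "$1" \
    -storepass "$2" -alias "$3" -keypass "$2" \
    -keyalg RSA -keysize 2048 -validity 10000 \
    -dname "CN=lenses-saml" >/dev/null 2>&1
}

# Returns 0 only if the store opens with the given password and holds a
# private-key entry under the alias (a cert-only entry is not enough).
verify_keystore() {   # $1 keystore path, $2 store password, $3 alias
  listing=$(keytool -list -storetype pkcs12 -keystore "$1" \
            -storepass "$2" 2>/dev/null) || return 1
  printf '%s\n' "$listing" | grep -q "^$3,.*PrivateKeyEntry" || return 2
}

# Extracts the quoted value of a key from a HOCON-style file (key regex, file).
conf_value() {
  sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\"\(.*\)\"[[:space:]]*$/\1/p" "$2" \
    | head -n 1
}

# Checks that the three SAML keystore settings exist, the file is present,
# and (pkcs12 requirement) the keystore and key passwords are identical.
check_saml_config() {   # $1 path to security.conf
  location=$(conf_value 'lenses\.security\.saml\.keystore\.location' "$1")
  storepass=$(conf_value 'lenses\.security\.saml\.keystore\.password' "$1")
  keypass=$(conf_value 'lenses\.security\.saml\.key\.password' "$1")
  [ -n "$location" ] && [ -n "$storepass" ] && [ -n "$keypass" ] || return 1
  [ -f "$location" ] || return 2
  [ "$storepass" = "$keypass" ] || return 3
  return 0
}

# Usage: sh saml_keystore_check.sh /path/to/security.conf
if [ -n "$1" ]; then
  if check_saml_config "$1"; then echo "security.conf OK"; else echo "security.conf check failed (code $?)"; fi
fi
```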

See all SSO options.