Map groups to Lenses 

Groups are case-sensitive and mapped by name with Keycloak

Integrate your user-groups with Lenses using the Keycloak group names. Create a group in Lenses using the same case-sensitive group name as in Keycloak.

For example, if the Engineers group is available in Keycloak, with Lenses assigned to it, create a group with the same name:

Keycloak Kafka RBAC

The above group will match all the users in the equivalent Keycloak group:

Keycloak user groups

To learn how to use data centric permissions for users and service accounts check access management permissions.

Set up Keycloak IdP 

Use Keycloak’s Administration console to create SAML applications.

Learn more about SSO with SAML in Keycloak documentation.

Create a new SAML application client 

  1. Go to Clients
  2. Click Create
  3. Fill in the details: see table below.
  4. Click Save

Keycloak create client

Client IDUse the base.url of the Lenses installation e.g.
Client ProtocolSet it to saml
Client Saml EndpointThis is the Lenses API point for Keycloak to call back. Set it to [BASE_URL]/api/v2/auth/saml/callback?client_name=SAML2Client. e.g.

Remember to activate HTTPS on Lenses. See TLS.

Set SAML settings 

Besides the defaults already set, change the below and save:

Description(Optional) Add a description to your app.
SAML Signature NameKEY_ID
Client Signature RequiredOFF
Force POST BindingON
Front Channel LogoutOFF
Force Name ID FormatON
Name ID Formatemail
Root URLUse the base.url of the Lenses installation e.g.
Valid Redirect URIsUse the base.url of the Lenses installation e.g.

Keycloak SAML settings 1
Keycloak SAML settings 2

Map user groups 

Configure Keycloak to communicate groups to Lenses. Head to the Mappers section.

Keycloak mappers

  1. Click Create
  2. Fill in the details: see table below.
  3. Click Save

Mapper TypeGroup list
Group attribute namegroups (case-sensitive)
Single Group AttributeON
Full group pathOFF

Keycloak group mapper

Download IdP XML metadata 

Download the Metadata XML file with the Keycloak IdP details.

Head to the URL

This page should generate the XML metadata that you can download.

  1. Download from: [KEYCLOAK_BASE_URL]/auth/realms/demo/protocol/saml/descriptor e.g.
  2. You will reference this file’s path in the security.conf configuration file."/path/to/KeycloakIDPMetadata.xml"

Configure Lenses 

Given the downloaded metadata file and a keystore, add the following configuration to security.conf:"""keycloak""/path/to/KeycloakIDPMetadata.xml" = "/path/to/keystore.jks" = "my_keystore_password" = "my_saml_key_password"

Keycloak SSO should now be fully activated.

See all SSO options.