View the latest documentation 5.5
Groups are case-sensitive and mapped by name with Keycloak
Integrate your user-groups with Lenses using the Keycloak group names. Create a group in Lenses using the same case-sensitive group name as in Keycloak.
For example, if the Engineers group is available in Keycloak, with Lenses assigned to it, create a group with the same name:
The above group will match all the users in the equivalent Keycloak group:
To learn how to use data centric permissions for users and service accounts check access management permissions.
Use Keycloak’s Administration console to create SAML applications.
Learn more about SSO with SAML in Keycloak documentation.
base.url
https://lenses-dev.example.com
saml
[BASE_URL]/api/v2/auth/saml/callback?client_name=SAML2Client
https://lenses-dev.example.com/api/v2/auth/saml/callback?client_name=SAML2Client
Remember to activate HTTPS on Lenses. See TLS.
Besides the defaults already set, change the below and save:
Lenses
KEY_ID
OFF
ON
email
Configure Keycloak to communicate groups to Lenses. Head to the Mappers section.
Groups
Group list
groups
Download the Metadata XML file with the Keycloak IdP details.
Head to the URL
This page should generate the XML metadata that you can download.
[KEYCLOAK_BASE_URL]/auth/realms/demo/protocol/saml/descriptor
https://my.keycloak.com/auth/realms/demo/protocol/saml/descriptor
security.conf
lenses.security.saml.idp.metadata.file="/path/to/KeycloakIDPMetadata.xml"
Given the downloaded metadata file and a keystore, add the following configuration to security.conf:
lenses.security.saml.base.url="https://lenses-dev.example.com" lenses.security.saml.idp.provider="keycloak" lenses.security.saml.idp.metadata.file="/path/to/KeycloakIDPMetadata.xml" lenses.security.saml.keystore.location = "/path/to/keystore.jks" lenses.security.saml.keystore.password = "my_keystore_password" lenses.security.saml.key.password = "my_saml_key_password"
Keycloak SSO should now be fully activated.
See all SSO options.
On this page