Map groups to Lenses 

Groups are case-sensitive and are mapped to OneLogin roles by name.

Integrate your user roles with Lenses using the OneLogin role names. Create a group in Lenses using the same case-sensitive role name as in OneLogin.

For example, if the Engineers role is available in OneLogin, create a group with the same name:

[Image: OneLogin SAML Kafka user groups]

The above group will match all the users with the equivalent OneLogin roles:

[Image: Okta SAML Kafka roles]

To learn how to use data-centric permissions for users and service accounts, check access management permissions.

Set up OneLogin IdP 

Lenses is available in the OneLogin Application catalog.

Visit OneLogin’s Administration console and select Applications > Applications > Add App.

Add Lenses via the Application Catalog 

[Image: OneLogin application]

  1. Search and select Lenses
  2. Optionally add a description and click Save

[Image: OneLogin SAML setup logo]

Configure endpoints 

  1. In the Configuration section, set the base path from the URL of the Lenses installation e.g. ( without the https://)
  2. Click Save

[Image: OneLogin SAML config]

Download IdP XML metadata 

Download the Metadata XML file with the OneLogin IdP details.

  1. Use the More Actions button
  2. Click and download the SAML Metadata
  3. You will reference this file’s path in the security.conf configuration file: "/path/to/OneLoginIDPMetadata.xml"

[Image: OneLogin SSO Metadata XML]

Configure Lenses 

Given the downloaded metadata file and a keystore, add the following configuration to security.conf:

  ""
  "onelogin"
  "/path/to/OneLoginIDPMetadata.xml"
  = "/path/to/keystore.jks"
  = "my_keystore_password"
  = "my_saml_key_password"

See all SSO options.