Google SSO

This page describes configuring Google SSO for Lenses authentication.

1

Create a custom attribute for Lenses groups

Google doesn't expose the groups, or organization unit, of a user to a SAML app. This means we must set up a custom attribute for the Lenses groups that each user belongs to.

Open the Google Admin console from an administrator account.

  • Click the Users button

  • Select the More dropdown and choose Manage custom attributes

  • Click the Add custom attribute button

  • Fill the form to add a Text, Multi-value field for Lenses Groups, then click Add

Learn more about Google custom attributes

2

Assign Lenses groups attributes to Google users

The attribute values should correspond exactly with the names of groups created within Lenses.

Open the Google Admin console from an administrator account.

  • Click the Users button

  • Select the user to update

  • Click User information

  • Click the Lenses Groups attribute

  • Enter one or more groups and click Save

3

Add Google custom SAML app

Learn more about Google custom SAML apps

  • Open the Google Admin console from an administrator account.

  • Click the Apps button

  • Click the SAML apps button

  • Select the Add App dropdown and choose Add custom SAML app

  • Run through the below steps

App Details

  • Enter a descriptive name for the Lenses installation

  • Upload a Lenses icon

This will appear in the Google apps menu once the app is enabled

4

Configure SAML

Service provider details

Given the base URL of the Lenses installation, e.g. https://lenses-dev.example.com, fill out the settings:

Setting
Value

ACS URL

Use the base url with the callback path e.g. https://lenses-dev.example.com/api/v2/auth/saml/callback?client_name=SAML2Client

Entity ID

Use the base url e.g. https://lenses-dev.example.com

Start URL

Leave empty

Signed Response

Leave unchecked

Name ID format

Leave as UNSPECIFIED

Name ID

Leave as Basic Information > Primary Email

Attribute mapping

  • Add a mapping from the custom attribute for Lenses groups to the app attribute groups

Enable the app

  • From the newly added app details screen, select User access

  • Turn on the service

Lenses will reject any user that doesn't have the groups attribute set, so enabling the app for all users in the account is a good option to simplify ongoing administration.

Download the Federation Metadata XML file with the Google IdP details.

5

Download SAML Certificates

Click Download Metadata and save the metadata file for configuring Lenses.Configure SAML in HQ.

6

Configure SAML in HQ

SAML configuration is set in HQ's config.yaml file. See here for more details.

Last updated

Logo

2024 © Lenses.io Ltd. Apache, Apache Kafka, Kafka and associated open source project names are trademarks of the Apache Software Foundation.