Google SSO
This page describes configuring Google SSO for Lenses authentication.
Create a custom attribute for Lenses groups
Google doesn't expose the groups, or organization unit, of a user to a SAML app. This means we must set up a custom attribute for the Lenses groups that each user belongs to.
Open the Google Admin console from an administrator account.
Click the Users button
Select the More dropdown and choose Manage custom attributes
Click the Add custom attribute button
Fill the form to add a Text, Multi-value field for Lenses Groups, then click Add
Learn more about Google custom attributes
Assign Lenses groups attributes to Google users
The attribute values should correspond exactly with the names of groups created within Lenses.
Open the Google Admin console from an administrator account.
Click the Users button
Select the user to update
Click User information
Click the Lenses Groups attribute
Enter one or more groups and click Save
Add Google custom SAML app
Learn more about Google custom SAML apps
Open the Google Admin console from an administrator account.
Click the Apps button
Click the SAML apps button
Select the Add App dropdown and choose Add custom SAML app
Run through the below steps
App Details
Enter a descriptive name for the Lenses installation
Upload a Lenses icon
This will appear in the Google apps menu once the app is enabled
Configure SAML
Service provider details
Given the base URL of the Lenses installation, e.g. https://lenses-dev.example.com, fill out the settings:
ACS URL
Use the base url with the callback path e.g. https://lenses-dev.example.com/api/v2/auth/saml/callback?client_name=SAML2Client
Entity ID
Use the base url e.g. https://lenses-dev.example.com
Start URL
Leave empty
Signed Response
Leave unchecked
Name ID format
Leave as UNSPECIFIED
Name ID
Leave as Basic Information > Primary Email
Attribute mapping
Add a mapping from the custom attribute for Lenses groups to the app attribute groups
Enable the app
From the newly added app details screen, select User access
Turn on the service
Lenses will reject any user that doesn't have the groups attribute set, so enabling the app for all users in the account is a good option to simplify ongoing administration.
Download the Federation Metadata XML file with the Google IdP details.
Configure SAML in HQ
SAML configuration is set in HQ's config.yaml file. See here for more details.
Last updated