Keycloak SSO

This page describes configuring Keycloak SSO for Lenses authentication.

Create a new SAML application client in Keycloak

Go to Clients
Click Create
Fill in the details: see the table below.
Click Save

Setting

Value

Client ID

Use the base.url of the Lenses installation e.g. https://lenses-dev.example.com

Client Protocol

Set it to saml

Client Saml Endpoint

This is the Lenses API point for Keycloak to call back. Set it to [BASE_URL]/api/v2/auth/saml/callback?client_name=SAML2Client. e.g. https://lenses-dev.example.com/api/v2/auth/saml/callback?client_name=SAML2Client

Update Client Settings

Change the settings on client you just created to:

Setting

Value

Name

Lenses

Description

(Optional) Add a description to your app.

SAML Signature Name

KEY_ID

Client Signature Required

OFF

Force POST Binding

Front Channel Logout

OFF

Force Name ID Format

Name ID Format

Root URL

Use the base.url of the Lenses installation e.g. https://lenses-dev.example.com

Valid Redirect URIs

Use the base.url of the Lenses installation e.g. https://lenses-dev.example.com

Map users to groups

Configure Keycloak to communicate groups to Lenses. Head to the Mappers section.

Click Create
Fill in the details: see table below.
Click Save

Setting

Value

Name

Groups

Mapper Type

Group list

Group attribute name

groups (case-sensitive)

Single Group Attribute

Full group path

OFF

Download SAML Certificates

Download the Federation Metadata XML file with the Keycloak IdP details.

Configure SAML in HQ

SAML configuration is set in HQ's config.yaml file. See here for more details.

PreviousGoogle SSO NextOkta SSO

Last updated 1 month ago