Overview

This page gives an overview of SSO & SAML for authentication with Lenses.

Users

How users are created through SSO is controlled by the SSO User Creation Mode. There are two modes:

  1. Manual

  2. SSO

With manual mode, only users that have been pre-created in HQ can log in.

With sso mode, users that do not already exist are created at login and then logged in.

Group Mapping

How a user's group membership is handled in relation to SSO is controlled by the SSO Group Membership Mode. There are two modes:

  1. Manual

  2. SSO

With the manual mode, the group membership information returned by the Identity Provider is not used; a user is only a member of the groups explicitly assigned to them in HQ.

With the sso mode, group information from the Identity Provider (IdP) is used. On login, a user's group membership is set to the groups listed by the IdP.
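The following is an added example, not code from the Lenses documentation or product: a small Python model of how the two User Creation modes and the two Group Membership modes described above combine at login. The HQUser class, the sso_login function and the in-memory dict standing in for the users and group assignments stored in HQ are all assumed names for illustration.

```python
from dataclasses import dataclass, field


# Constructed stand-in for a user record stored in HQ (not a Lenses type).
@dataclass
class HQUser:
    username: str
    groups: set = field(default_factory=set)


class LoginRejected(Exception):
    """Raised when the user creation mode does not allow the login."""


def sso_login(hq_users: dict, username: str, idp_groups: set,
              user_creation_mode: str, group_membership_mode: str) -> HQUser:
    """Resolve an SSO login against the HQ user store (modelled as a dict).

    user_creation_mode:
        "manual" -> only users already present in HQ may log in
        "sso"    -> unknown users are created on first login
    group_membership_mode:
        "manual" -> IdP groups are ignored; HQ assignments are kept
        "sso"    -> membership is set to the IdP's list (not merged)
    """
    for mode in (user_creation_mode, group_membership_mode):
        if mode not in ("manual", "sso"):
            raise ValueError(f"mode must be 'manual' or 'sso', got {mode!r}")

    user = hq_users.get(username)
    if user is None:
        if user_creation_mode == "manual":
            raise LoginRejected(f"{username} has not been pre-created in HQ")
        # sso mode: create the user on first login
        user = HQUser(username)
        hq_users[username] = user

    if group_membership_mode == "sso":
        # Membership is replaced, not merged: groups assigned only in HQ are
        # dropped, and an IdP assertion with no groups leaves the user with none.
        user.groups = set(idp_groups)

    return user
```

The last branch is the one worth checking in a real deployment: with the sso group mode, any group assigned by hand in HQ is lost at the next login, and an IdP that omits group attributes silently strips the user of all membership.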

SAML configuration is defined in the config.yaml provided to HQ. For more information on the configuration options see here.

config.yaml
http:
  saml:
    metadata: |-

The following SSO / SAML providers are supported.

Creating a Keystore

Enable SAML single sign-on by creating a keystore.

  • SAML needs a keystore with a generated key-pair.

  • SAML uses the key-pair to encrypt its communication with the IdP.

Creating a keystore

Use the Java keytool to create one.

keytool \
 -genkeypair \
 -storetype pkcs12 \
 -keystore lenses.p12 \
 -storepass my_password \
 -alias lenses \
 -keypass my_password \
 -keyalg RSA \
 -keysize 2048 \
 -validity 10000

Setting     Definition

storetype   The type of keystore (pkcs12 is the industry standard; jks is also supported)

keystore    The filename of the keystore

storepass   The password of the keystore

alias       The name of the key-pair

keypass     The password of the key-pair (must be the same as storepass for pkcs12 stores)
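The following is an added example, not part of the Lenses project or its documentation: a Python wrapper around the keytool command shown above that enforces the constraint from the settings table (keypass must equal storepass for pkcs12 stores), builds the command as an argument list so that passwords are never shell-quoted, and verifies the result by listing the store. It adds the standard keytool -dname option, which the page's command does not use, so that keytool does not prompt interactively. The function names, the placeholder passwords and the file names are assumptions.

```python
import shutil
import subprocess

SUPPORTED_STORETYPES = ("pkcs12", "jks")


def keytool_genkeypair_args(keystore, storepass, keypass, alias="lenses",
                            storetype="pkcs12", validity_days=10000,
                            dname="CN=lenses"):
    """Build the argv for 'keytool -genkeypair' as used on this page.

    Enforces the rule from the settings table: pkcs12 stores need
    keypass == storepass. -dname (a real keytool option, not shown in the
    page's command) keeps keytool from prompting for the subject name.
    Returning a list avoids shell quoting problems with passwords.
    """
    if storetype not in SUPPORTED_STORETYPES:
        raise ValueError(f"unsupported storetype {storetype!r}")
    if storetype == "pkcs12" and storepass != keypass:
        raise ValueError("pkcs12 keystores require keypass == storepass")
    return [
        "keytool", "-genkeypair",
        "-storetype", storetype,
        "-keystore", keystore,
        "-storepass", storepass,
        "-alias", alias,
        "-keypass", keypass,
        "-keyalg", "RSA",
        "-keysize", "2048",
        "-validity", str(validity_days),
        "-dname", dname,
    ]


def keystore_has_alias(keystore, storepass, alias, storetype="pkcs12"):
    """Confirm the store lists the alias as a private-key entry.

    Returns None when keytool is not installed, so callers can tell
    'not checked' from 'alias missing'.
    """
    if shutil.which("keytool") is None:
        return None
    result = subprocess.run(
        ["keytool", "-list", "-storetype", storetype, "-keystore", keystore,
         "-storepass", storepass, "-alias", alias],
        capture_output=True, text=True,
    )
    return result.returncode == 0 and "PrivateKeyEntry" in result.stdout


def create_keystore(keystore, storepass, keypass, **kwargs):
    """Create the keystore (if keytool is available) and verify the alias."""
    args = keytool_genkeypair_args(keystore, storepass, keypass, **kwargs)
    if shutil.which("keytool") is None:
        return None
    subprocess.run(args, check=True, capture_output=True)
    return keystore_has_alias(
        keystore, storepass,
        kwargs.get("alias", "lenses"), kwargs.get("storetype", "pkcs12"),
    )


if __name__ == "__main__":
    # Placeholder password, as in the page's command; use a real secret in practice.
    print(create_keystore("lenses.p12", "my_password", "my_password"))
```

The verification step is the part worth keeping in any provisioning script: a successful keytool exit does not by itself prove the alias you will reference from config.yaml exists with a private key, and listing the store with -alias catches a typo before HQ fails to start.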
