Keycloak SSO
This page describes configuring Lenses with Keycloak SSO.
Integrate your user groups with Lenses using the Keycloak group names. Create a group in Lenses using the same case-sensitive group name as in Keycloak.
For example, if the Engineers group is available in Keycloak, with Lenses assigned to it, create a group with the same name.
Create a new SAML application client in Keycloak
Go to Clients
Click Create
Fill in the details: see the table below.
Click Save
Client ID: Use the base.url of the Lenses installation, e.g. https://lenses-dev.example.com
Client Protocol: Set it to saml
Client Saml Endpoint: This is the Lenses API endpoint that Keycloak calls back. Set it to [BASE_URL]/api/v2/auth/saml/callback?client_name=SAML2Client, e.g. https://lenses-dev.example.com/api/v2/auth/saml/callback?client_name=SAML2Client
Change the settings on the client you just created to:
Name: Lenses
Description: (Optional) Add a description to your app.
SAML Signature Name: KEY_ID
Client Signature Required: OFF
Force POST Binding: ON
Front Channel Logout: OFF
Force Name ID Format: ON
Name ID Format: email
Root URL: Use the base.url of the Lenses installation, e.g. https://lenses-dev.example.com
Valid Redirect URIs: Use the base.url of the Lenses installation, e.g. https://lenses-dev.example.com
Map user groups
Configure Keycloak to communicate groups to Lenses. Head to the Mappers section.
Click Create
Fill in the details: see table below.
Click Save
Name: Groups
Mapper Type: Group list
Group attribute name: groups (case-sensitive)
Single Group Attribute: ON
Full group path: OFF
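To check the mapping after a test login, the Python below reads a decoded SAML assertion and reports where it departs from the settings above (email Name ID, a single case-sensitive groups attribute, no full group paths, group names matching Lenses exactly). It is an added example, not part of the Lenses or Keycloak documentation; the function names and the sample assertions are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

def check_assertion(xml_text, lenses_groups, attr_name="groups"):
    """List mismatches between a decoded assertion and the settings on this page.
    Debug aid only: it does not verify the assertion's signature."""
    root = ET.fromstring(xml_text)
    problems = []
    name_id = root.find(".//saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID is not in email format")
    attrs = root.findall(".//saml:Attribute", NS)
    exact = [a for a in attrs if a.get("Name") == attr_name]
    if not exact:
        # The attribute name is case-sensitive; report near misses such as "Groups".
        near = [a.get("Name") for a in attrs
                if (a.get("Name") or "").lower() == attr_name.lower()]
        problems.append(f"no '{attr_name}' attribute" + (f", found {near}" if near else ""))
    if len(exact) > 1:
        problems.append("groups sent as several attributes (Single Group Attribute OFF?)")
    for value in (v for a in exact for v in a.findall("saml:AttributeValue", NS)):
        group = (value.text or "").strip()
        if group.startswith("/"):
            problems.append(f"'{group}' is a full path (Full group path ON?)")
        elif group not in lenses_groups:
            close = [g for g in lenses_groups if g.lower() == group.lower()]
            if close:
                problems.append(f"'{group}' differs in case from Lenses group '{close[0]}'")
    return problems

def _assertion(attr_name, groups):
    # Constructed sample, trimmed to the elements the check reads.
    values = "".join(f"<saml:AttributeValue>{g}</saml:AttributeValue>" for g in groups)
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}"><saml:Subject>'
            f'<saml:NameID Format="{EMAIL_FORMAT}">alice@example.com</saml:NameID>'
            f'</saml:Subject><saml:AttributeStatement>'
            f'<saml:Attribute Name="{attr_name}">{values}</saml:Attribute>'
            f'</saml:AttributeStatement></saml:Assertion>')

GOOD = _assertion("groups", ["Engineers", "Analysts"])   # matches the mapper table
BAD = _assertion("groups", ["/Engineers", "analysts"])   # full path and wrong case

if __name__ == "__main__":
    lenses = {"Engineers", "Analysts"}  # group names created in Lenses (constructed)
    print(check_assertion(GOOD, lenses))
    for problem in check_assertion(BAD, lenses):
        print(problem)
```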
Download IdP XML file
Configure in the security.conf file.