Keycloak SSO

This page describes configuring Lenses with Keycloak SSO.

Integrate your user groups with Lenses using the Keycloak group names. Create a group in Lenses using the same case-sensitive group name as in Keycloak.

For example, if the Engineers group is available in Keycloak, with Lenses assigned to it, create a group with the same name.

Create a new SAML application client in Keycloak

  1. Go to Clients

  2. Click Create

  3. Fill in the details: see the table below.

  4. Click Save

| Setting | Value |
| --- | --- |
| Client ID | Use the base.url of the Lenses installation, e.g. https://lenses-dev.example.com |
| Client Protocol | Set it to saml |
| Client Saml Endpoint | This is the Lenses API endpoint for Keycloak to call back. Set it to [BASE_URL]/api/v2/auth/saml/callback?client_name=SAML2Client, e.g. https://lenses-dev.example.com/api/v2/auth/saml/callback?client_name=SAML2Client |

Change the settings on the client you just created to:

| Setting | Value |
| --- | --- |
| Name | Lenses |
| Description | (Optional) Add a description to your app. |
| SAML Signature Name | KEY_ID |
| Client Signature Required | OFF |
| Force POST Binding | ON |
| Front Channel Logout | OFF |
| Force Name ID Format | ON |
| Name ID Format | email |
| Root URL | Use the base.url of the Lenses installation, e.g. https://lenses-dev.example.com |
| Valid Redirect URIs | Use the base.url of the Lenses installation, e.g. https://lenses-dev.example.com |

Map user groups

Configure Keycloak to communicate groups to Lenses. Head to the Mappers section.

  1. Click Create

  2. Fill in the details: see table below.

  3. Click Save

| Setting | Value |
| --- | --- |
| Name | Groups |
| Mapper Type | Group list |
| Group attribute name | groups (case-sensitive) |
| Single Group Attribute | ON |
| Full group path | OFF |
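
To confirm that the client and mapper settings above took effect, this added example (not part of the Lenses or Keycloak documentation) inspects a decoded SAML assertion for the email NameID format, a single attribute named exactly groups, path-free group values, and case-exact matches against your Lenses group names. The sample assertion, the user in it, and the function name check_assertion are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample: a decoded assertion fragment captured while debugging a login.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>Engineers</saml:AttributeValue>
      <saml:AttributeValue>Analysts</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text, lenses_groups):
    """Return (problems, matched_groups) for one decoded SAML assertion."""
    # Diagnostic only: no signature verification happens here, so never use the
    # result for an access decision, and only feed it XML from your own IdP.
    root = ET.fromstring(xml_text)
    problems = []
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID is not in email format")
    attrs = root.findall(".//saml:Attribute", NS)
    group_attrs = [a for a in attrs if a.get("Name") == "groups"]  # case-sensitive
    if not group_attrs:
        problems.append("no attribute named exactly 'groups'")
    elif len(group_attrs) > 1:
        problems.append("several 'groups' attributes: Single Group Attribute looks OFF")
    values = [v.text or "" for a in group_attrs
              for v in a.findall("saml:AttributeValue", NS)]
    if any(v.startswith("/") for v in values):
        problems.append("group value carries a path: Full group path looks ON")
    matched = sorted(set(values) & set(lenses_groups))
    by_lower = {g.lower(): g for g in lenses_groups}
    for v in values:
        near = by_lower.get(v.lower())
        if near is not None and near != v:
            problems.append(f"'{v}' differs only in case from Lenses group '{near}'")
    return problems, matched


if __name__ == "__main__":
    print(check_assertion(SAMPLE, ["Engineers"]))
```

An empty problems list with the expected names in matched_groups means the assertion carries groups in the form the tables above configure.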

Download IdP XML file

Set the path to the downloaded IdP metadata XML file in the security.conf file.

security.conf
lenses.security.saml.idp.metadata.file="/path/to/KeycloakIDPMetadata.xml"

2024 © Lenses.io Ltd. Apache, Apache Kafka, Kafka and associated open source project names are trademarks of the Apache Software Foundation.