
SSO & SAML

This page describes configuring Lenses with SSO via the SAML 2.0 protocol.

  1. Enable TLS (SSL) for Lenses HTTPS.

  2. Create a keystore for SAML.

  3. Choose your identity provider (IdP): Azure, Google, Keycloak, Okta or OneLogin. Each provider has its own section on this page.

Set the following in security.conf:

security.conf
lenses.security.saml.keystore.location = "/path/to/lenses.p12"
lenses.security.saml.keystore.password = "my_password"
lenses.security.saml.key.password = "my_password"

FAQs

Authentication instant too old or in the future

The error that you see

What causes it

  1. The user’s session in the SSO provider is too old.

  2. The system clocks of the SSO provider and the Lenses instance are out of sync.

For security purposes, Lenses refuses to authenticate SSO users whose session with the SSO provider has been active for a very long time.

Example: you use Okta SSO and logged in to Okta a year ago. Okta might allow you to stay logged in for that whole year without re-authenticating, but Lenses has a limit of 100 days. In that case, Lenses receives an authenticated user whose original login predates the 100-day mark, and rejects it.

How to solve it

  1. Ensure that the SSO and Lenses system clocks are in sync.

  2. If the SSO provider supports very long sessions, either:

    1. Log out of the SSO and log back in. This explicitly renews the SSO session.

    2. Increase the Lenses limit to more than 100 days.

Example: raise lenses.security.saml.idp.session.lifetime.max in security.conf above the 100-day limit (the snippet is listed with the other security.conf fragments further down this page).
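As an added illustration (not part of the Lenses documentation or product code), the following Python check reproduces the two failure modes behind this error on a constructed SAML assertion: an AuthnInstant older than the limit, and one that lies in the future because the IdP clock runs ahead of the Lenses clock. The max_age_days default mirrors the 100-day limit above; the clock_skew_seconds tolerance is an assumption, not a Lenses setting.

```python
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def parse_saml_time(value: str) -> datetime:
    """SAML timestamps are UTC xs:dateTime values ending in 'Z'; return tz-aware."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_authn_instant(response_xml: str, now_utc: str,
                        max_age_days: int = 100, clock_skew_seconds: int = 300) -> str:
    """Classify the assertion's AuthnInstant as 'ok', 'too old' or 'in the future'.

    max_age_days mirrors the 100-day limit the FAQ describes; clock_skew_seconds
    is an assumed tolerance for small IdP/SP clock drift, not a Lenses setting.
    """
    root = ET.fromstring(response_xml)
    stmt = root.find(".//saml:AuthnStatement", SAML_NS)
    if stmt is None or "AuthnInstant" not in stmt.attrib:
        raise ValueError("assertion carries no AuthnStatement/AuthnInstant")
    instant = parse_saml_time(stmt.attrib["AuthnInstant"])
    now = parse_saml_time(now_utc)
    if instant > now + timedelta(seconds=clock_skew_seconds):
        return "in the future"   # IdP clock runs ahead of the Lenses clock
    if now - instant > timedelta(days=max_age_days):
        return "too old"         # the user's IdP session predates the limit
    return "ok"


def sample_response(authn_instant: str) -> str:
    """Constructed, minimal (unsigned) Response fragment; not a real IdP message."""
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        '<saml:Assertion><saml:AuthnStatement '
        f'AuthnInstant="{authn_instant}" SessionIndex="constructed-1"/>'
        '</saml:Assertion></samlp:Response>'
    )


if __name__ == "__main__":
    now = "2024-06-01T12:00:00Z"
    old = sample_response("2024-02-01T12:00:00Z")            # 121 days earlier
    print(check_authn_instant(old, now))                       # too old
    print(check_authn_instant(old, now, max_age_days=365))     # ok: the FAQ remedy
    print(check_authn_instant(sample_response("2024-06-01T12:30:00Z"), now))  # in the future
```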

Onelogin SSO

This page describes configuring Lenses with OneLogin SSO.

Groups are case-sensitive and mapped to roles, by name, with OneLogin

Integrate your user roles with Lenses using the OneLogin role names. Create a group in Lenses using the same case-sensitive role name as in OneLogin.

For example, if the Engineers role is available in OneLogin, create a group with the same name.

Set up OneLogin IdP

Lenses is available in the OneLogin Application catalog.

Google SSO

This page describes configuring Lenses with Google SSO.

Google doesn't expose a user's groups or organizational unit to a SAML app, so you must set up a custom attribute holding the Lenses groups that each user belongs to.

Create a custom attribute for Lenses groups

  1. Open the Google Admin console from an administrator account.


Add Lenses via the Application Catalog

Visit OneLogin’s Administration console and select Applications > Applications > Add App.

  1. Search for and select Lenses.

  2. Optionally add a description and click Save.

Then, on the application page:

  1. In the Configuration section, set the base path from the URL of the Lenses installation, e.g. lenses-dev.example.com (without the https://).

  2. Click Save.

Download the IdP XML file

  1. Use the More Actions button

  2. Click and download the SAML Metadata

  3. You will reference this file’s path in the security.conf configuration file.

  2. Click the Users button.

  3. Select the More dropdown and choose Manage custom attributes.

  4. Click the Add custom attribute button.

  5. Fill in the form to add a Text, Multi-value field for Lenses Groups, then click Add.

Assign Lenses groups attributes to Google users

  1. Open the Google Admin console from an administrator account.

  2. Click the Users button.

  3. Select the user to update.

  4. Click User information.

  5. Click the Lenses Groups attribute.

  6. Enter one or more groups and click Save.

Add Google custom SAML app

  1. Open the Google Admin console from an administrator account.

  2. Click the Apps button.

  3. Click the SAML apps button.

  4. Select the Add App dropdown and choose Add custom SAML app.

App Details

  1. Enter a descriptive name for the Lenses installation.

  2. Upload a Lenses icon.

Download IdP XML file

Configure in security.conf.

Example (FAQ, authentication instant too old): raise the session lifetime limit in security.conf

security.conf
lenses.security.saml.idp.session.lifetime.max = 365days

OneLogin: reference the downloaded IdP metadata file in security.conf

security.conf
lenses.security.saml.idp.metadata.file="/path/to/OneLoginIDPMetadata.xml"

Google: security.conf

security.conf
lenses.security.saml.base.url="https://lenses-dev.example.com"
lenses.security.saml.idp.provider="google"
lenses.security.saml.idp.metadata.file="/path/to/GoogleIDPMetadata.xml"
lenses.security.saml.keystore.location="/path/to/keystore.jks"
lenses.security.saml.keystore.password="my_keystore_password"
lenses.security.saml.key.password="my_saml_key_password"

Keycloak SSO

This page describes configuring Lenses with Keycloak SSO.

Integrate your user groups with Lenses using the Keycloak group names. Create a group in Lenses using the same case-sensitive group name as in Keycloak.

For example, if the Engineers group is available in Keycloak, with Lenses assigned to it, create a group with the same name.

Create a new SAML application client in Keycloak

  1. Go to Clients

  2. Click Create

  3. Fill in the details: see the table below.

  4. Click Save

Change the settings on the client you just created to the values in the table below.

Map user groups

Configure Keycloak to communicate groups to Lenses. Head to the Mappers section.

  1. Click Create

  2. Fill in the details: see the table below.

  3. Click Save

Download IdP XML file

Configure in the security.conf file.

Create client: settings

  Client ID: Use the base.url of the Lenses installation, e.g. https://lenses-dev.example.com
  Client Protocol: Set it to saml
  Client SAML Endpoint: This is the Lenses API endpoint for Keycloak to call back. Set it to [BASE_URL]/api/v2/auth/saml/callback?client_name=SAML2Client, e.g. https://lenses-dev.example.com/api/v2/auth/saml/callback?client_name=SAML2Client

Client settings (on the client you just created)

  Name: Lenses
  Description: (Optional) Add a description to your app.
  SAML Signature Name: KEY_ID
  Client Signature Required: OFF
  Force POST Binding: ON
  Front Channel Logout: OFF
  Force Name ID Format: ON
  Name ID Format: email
  Root URL: Use the base.url of the Lenses installation, e.g. https://lenses-dev.example.com
  Valid Redirect URIs: Use the base.url of the Lenses installation, e.g. https://lenses-dev.example.com

With Client Signature Required OFF, Keycloak does not require Lenses to sign the authentication requests it sends.

Group mapper settings

  Name: Groups
  Mapper Type: Group list
  Group attribute name: groups (case-sensitive)
  Single Group Attribute: ON
  Full group path: OFF

security.conf
lenses.security.saml.idp.metadata.file="/path/to/KeycloakIDPMetadata.xml"

Azure SSO

This page describes configuring Lenses with Azure SSO.

Groups are case-sensitive and mapped by UUID with Azure

Integrate your user groups with Lenses using the Azure group IDs. Create a group in Lenses using the UUID as the name.

For example, if the Engineers group has the UUID ae3f363d-f0f1-43e6-8122-afed65147ef8, create a group with the same name.

Set up Microsoft Azure SSO

Add from Azure app-gallery

  1. Go to Enterprise applications > + New Application

  2. Search for Lenses.io in the gallery directory

  3. Choose a name for Lenses, e.g. Lenses.io, and click Add

  4. Select Set up single sign on > SAML

  5. Download the Federation Metadata XML file with the Azure IdP details. You will reference this file’s path in the Lenses security.conf configuration file.

Configure the SAML details

  Identifier (Entity ID): Use the base URL of the Lenses installation, e.g. https://lenses-dev.example.com
  Reply URL: Use the base URL with the callback details, e.g. https://lenses-dev.example.com/api/v2/auth/saml/callback?client_name=SAML2Client
  Sign on URL: Use the base URL

security.conf
lenses.security.saml.base.url="https://lenses-dev.example.com"
lenses.security.saml.idp.provider="azure"
lenses.security.saml.idp.metadata.file="/path/to/AzureIDPMetadata.xml"
lenses.security.saml.keystore.location="/path/to/keystore.jks"
lenses.security.saml.keystore.password="my_keystore_password"
lenses.security.saml.key.password="my_saml_key_password"

Okta SSO

This page describes configuring Lenses with Okta SSO.

Groups are case-sensitive and mapped by name with Okta

Integrate your user groups with Lenses using the Okta group names. Create a group in Lenses using the same case-sensitive group name as in Okta.

For example, if the Engineers group is available in Okta, create a group with the same name.
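The case-sensitive group matching that all five provider sections rely on (names for Keycloak, Okta and OneLogin, UUIDs for Azure, the custom attribute for Google), as an added Python example that is not Lenses code: it pulls the multi-valued groups attribute out of a constructed assertion and matches it exactly against the groups created in Lenses. The attribute name "groups" is the one the Keycloak mapper on this page emits; for the other IdPs the name is assumed to be whatever the provider is configured to send.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def saml_attribute_values(assertion_xml: str, attribute_name: str) -> list:
    """Return every AttributeValue of the named (possibly multi-valued) attribute."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if attr.attrib.get("Name") == attribute_name:
            values += [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", SAML_NS)]
    return [v for v in values if v]


def map_to_lenses_groups(idp_groups, lenses_groups):
    """Exact, case-sensitive match of IdP group values against Lenses group names.

    Returns (matched, unmatched). A name that differs only in case, or a full
    Keycloak group path instead of the plain name, lands in 'unmatched'.
    """
    known = set(lenses_groups)
    matched = [g for g in idp_groups if g in known]
    unmatched = [g for g in idp_groups if g not in known]
    return matched, unmatched


# Constructed sample assertion (not a real IdP response). The values mix a plain
# name, a lowercase variant, a full group path and an Azure-style group UUID.
SAMPLE_ASSERTION = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    '<saml:AttributeStatement><saml:Attribute Name="groups">'
    '<saml:AttributeValue>Engineers</saml:AttributeValue>'
    '<saml:AttributeValue>devops</saml:AttributeValue>'
    '<saml:AttributeValue>/Engineers</saml:AttributeValue>'
    '<saml:AttributeValue>ae3f363d-f0f1-43e6-8122-afed65147ef8</saml:AttributeValue>'
    '</saml:Attribute></saml:AttributeStatement></saml:Assertion>'
)

# Groups as created in Lenses: by name (Keycloak/Okta/OneLogin) or by UUID (Azure).
LENSES_GROUPS = ["Engineers", "DevOps", "ae3f363d-f0f1-43e6-8122-afed65147ef8"]


def resolve_groups(assertion_xml: str = SAMPLE_ASSERTION, lenses_groups=LENSES_GROUPS):
    """Extract the groups attribute and map it onto the configured Lenses groups."""
    return map_to_lenses_groups(saml_attribute_values(assertion_xml, "groups"), lenses_groups)


if __name__ == "__main__":
    matched, unmatched = resolve_groups()
    print("matched:", matched)      # ['Engineers', 'ae3f363d-f0f1-43e6-8122-afed65147ef8']
    print("unmatched:", unmatched)  # ['devops', '/Engineers']
```

The lowercase "devops" and the full path "/Engineers" are dropped silently, which is the usual cause of an SSO user landing in Lenses with no groups.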

Set up Okta IdP

Lenses is available directly in Okta’s Application catalog.

Add application in the Catalog

  1. Go to Applications > Applications

  2. Click Add Application

  3. Search for Lenses

  4. Select it by pressing Add

Set General Settings

  1. App label: Lenses

  2. Set the base URL of your Lenses installation, e.g. https://lenses-dev.example.com

  3. Click Done

Download IdP XML file

Download the Metadata XML file with the Okta IdP details.

  1. Go to Sign On > Settings > SIGN ON METHODS

  2. Click on Identity Provider metadata and download the XML data to a file.

  3. You will reference this file’s path in the security.conf configuration file.

security.conf
lenses.security.saml.idp.metadata.file="/path/to/OktaIDPMetadata.xml"