search
ProductsDownload Community Edition

Google SSO

This page describes configuring Google SSO for Lenses authentication.

1

hashtag
Create a custom attribute for Lenses groups

circle-info

Google doesn't expose the groups, or organization unit, of a user to a SAML app. This means we must set up a custom attribute for the Lenses groups that each user belongs to.

Open the Google Admin consolearrow-up-right from an administrator account.

  • Click the Users button

  • Select the More dropdown and choose Manage custom attributes

  • Click the Add custom attribute button

  • Fill the form to add a Text, Multi-value field for Lenses Groups, then click Add

Learn more about Google custom attributesarrow-up-right

2

hashtag
Assign Lenses groups attributes to Google users

circle-info

The attribute values should correspond exactly with the names of groups created within Lenses.

Open the Google Admin consolearrow-up-right from an administrator account.

  • Click the Users button

  • Select the user to update

  • Click User information

  • Click the Lenses Groups attribute

  • Enter one or more groups and click Save

3

hashtag
Add Google custom SAML app

Learn more about Google custom SAML appsarrow-up-right

  • Open the Google Admin consolearrow-up-right from an administrator account.

  • Click the Apps button

  • Click the SAML apps button

  • Select the Add App dropdown and choose Add custom SAML app

  • Run through the below steps

hashtag
App Details

circle-info

This will appear in the Google apps menu once the app is enabled

4

hashtag
Configure SAML

hashtag
Service provider details

Given the base URL of the Lenses installation, e.g. https://lenses-dev.example.com, fill out the settings:

Setting
Value

ACS URL

Use the base url with the callback path e.g. https://lenses-dev.example.com/api/v2/auth/saml/callback?client_name=SAML2Client

Entity ID

Use the base url e.g. https://lenses-dev.example.com

Start URL

Leave empty

Signed Response

Leave unchecked

Name ID format

Leave as UNSPECIFIED

Name ID

Leave as Basic Information > Primary Email

hashtag
Attribute mapping

  • Add a mapping from the custom attribute for Lenses groups to the app attribute groups

hashtag
Enable the app

  • From the newly added app details screen, select User access

  • Turn on the service

circle-info

Lenses will reject any user that doesn't have the groups attribute set, so enabling the app for all users in the account is a good option to simplify ongoing administration.

Download the Federation Metadata XML file with the Google IdP details.

5

hashtag
Download SAML Certificates

Click Download Metadata and save the metadata file for configuring Lenses.Configure SAML in HQ.

6

hashtag
Configure SAML in HQ

SAML configuration is set in HQ's config.yaml file. See here arrow-up-rightfor more details.

PreviousAzure SSONextKeycloak SSO

Last updated

Was this helpful?