This page describes the authentication methods supported in Lenses.
Authentication is configured in HQ.
Users can authenticate in two ways: basic authentication and SSO / SAML. Specific users can additionally be designated as admin accounts.
This section describes how to configure SSO & SAML authentication in Lenses.
How users are created on SSO login is determined by the user creation mode in the HQ configuration. There are two modes:
Manual
SSO
With manual mode, only users that have been pre-created in HQ can log in; an SSO login for a user unknown to HQ is rejected.
With sso mode, users that do not already exist in HQ are created on first login and then logged in.
How a user's group membership is handled in relation to SSO is determined by the group membership mode in the HQ configuration. There are two modes:
Manual
SSO
With manual mode, the group information returned by the Identity Provider (IdP) is not used; a user is only a member of the groups explicitly assigned to them in HQ.
With sso mode, group information from the IdP is used. On every login, the user's group membership is set to exactly the groups listed by the IdP, replacing any previous assignment.
Groups that do not exist in HQ are ignored, so a user whose IdP groups are all unknown to HQ ends up with no group membership.
SAML configuration is defined in the config.yaml provided to HQ. For more information on the configuration options see the HQ configuration reference.
The following SSO / SAML providers are supported.
Identity provider application settings:
Setting | Value |
---|---|
Identifier (Entity ID) | Use the base URL of the Lenses installation, e.g. https://lenses-dev.example.com |
Reply URL | Use the base URL with the callback path, e.g. https://lenses-dev.example.com/api/v2/auth/saml/callback?client_name=SAML2Client |
Sign on URL | Use the base URL |
This page describes configuring Okta SSO for Lenses authentication.
Lenses is available directly in Okta’s Application catalog.
SAML configuration is set in HQ's config.yaml file; see the HQ configuration reference for the available options.
This page describes configuring Google SSO for Lenses authentication.
Google does not expose a user's groups or organizational unit to a SAML app, so a custom attribute holding the Lenses groups of each user must be set up.
Open the Google Admin console from an administrator account.
Click the Users button
Select the More dropdown and choose Manage custom attributes
Click the Add custom attribute button
Fill the form to add a Text, Multi-value field for Lenses Groups, then click Add
The attribute values should correspond exactly with the names of groups created within Lenses.
Open the Google Admin console from an administrator account.
Click the Users button
Select the user to update
Click User information
Click the Lenses Groups attribute
Enter one or more groups and click Save
Open the Google Admin console from an administrator account.
Click the Apps button
Click the SAML apps button
Select the Add App dropdown and choose Add custom SAML app
Work through the following steps:
Enter a descriptive name for the Lenses installation
Upload a Lenses icon; it will appear in the Google apps menu once the app is enabled
Given the base URL of the Lenses installation, e.g. https://lenses-dev.example.com, fill out the settings:
Setting | Value |
---|---|
ACS URL | Use the base URL with the callback path, e.g. https://lenses-dev.example.com/api/v2/auth/saml/callback?client_name=SAML2Client |
Entity ID | Use the base URL, e.g. https://lenses-dev.example.com |
Start URL | Leave empty |
Signed Response | Leave unchecked |
Name ID format | Leave as UNSPECIFIED |
Name ID | Leave as Basic Information > Primary Email |
Add a mapping from the Lenses Groups custom attribute to the app attribute named groups.
From the newly added app details screen, select User access
Turn on the service
Lenses will reject any user that doesn't have the groups attribute set, so enabling the app for all users in the account is a good option to simplify ongoing administration.
Download the Federation Metadata XML file with the Google IdP details.
SAML configuration is set in HQ's config.yaml file; see the HQ configuration reference for the available options.
This page describes configuring Keycloak SSO for Lenses authentication.
SAML configuration is set in HQ's config.yaml file; see the HQ configuration reference for the available options.
This page describes configuring OneLogin SSO for Lenses authentication.
This page describes configuring basic authentication in Lenses.
Basic authentication is set in HQ's config.yaml under the basic-authentication users key (see the HQ configuration reference), as an array of usernames and passwords.
Passwords in config.yaml must be stored as bcrypt hashes, never in plaintext: instead of the literal value "builder", the file carries its bcrypt hash.
An example of a bcrypt-hashed password looks like this: $2a$12$XQW..XQrtZXCvbQWertqQeFi/1KoQW4eNephNXTfHqtoW9Q4qih5G
Always replace plaintext passwords with their bcrypt hashes before deploying the configuration.
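A plaintext password left in config.yaml fails silently at review time, so it helps to lint the user entries before deployment. The script below is an added example, not part of Lenses or HQ: it checks that every password is a well-formed bcrypt string with an adequate cost factor, and can produce a hash for a new password with the third-party bcrypt package (pip install bcrypt), which is an assumption, not HQ's own tooling. The sample entries are constructed; the first reuses the example hash from the page, the second is the plaintext "builder" the page warns against, and the third is a syntactically valid hash with a deliberately weak cost.

```python
"""Audit basic-auth user entries destined for HQ's config.yaml and, optionally,
produce a bcrypt hash for a new password. Added example, not Lenses code."""
import getpass
import re
import sys

# Modern bcrypt string: $2a$/$2b$/$2y$, two-digit cost, then 22 salt + 31 hash chars
# in bcrypt's ./A-Za-z0-9 alphabet (60 characters in total).
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")
MIN_COST = 10  # below this, offline guessing against a leaked config gets cheap


def is_bcrypt_hash(value: str) -> bool:
    return BCRYPT_RE.match(value or "") is not None


def bcrypt_cost(value: str) -> int:
    m = BCRYPT_RE.match(value or "")
    if m is None:
        raise ValueError("not a bcrypt hash")
    return int(m.group(1))


def audit_users(users) -> list:
    """Return (username, problem) pairs for entries that must not ship."""
    problems = []
    for user in users:
        pw = user.get("password", "")
        if not is_bcrypt_hash(pw):
            problems.append((user["username"], "password is not a bcrypt hash (plaintext?)"))
        elif bcrypt_cost(pw) < MIN_COST:
            problems.append((user["username"], f"bcrypt cost {bcrypt_cost(pw)} is below {MIN_COST}"))
    return problems


def hash_password(plaintext: str, cost: int = 12) -> str:
    """Hash with the third-party 'bcrypt' package (assumption: pip install bcrypt)."""
    try:
        import bcrypt
    except ImportError:
        raise SystemExit("install the bcrypt package first: pip install bcrypt")
    return bcrypt.hashpw(plaintext.encode(), bcrypt.gensalt(rounds=cost)).decode()


# Constructed sample entries mirroring the shape of the config.yaml array.
SAMPLE_USERS = [
    {"username": "admin", "password": "$2a$12$XQW..XQrtZXCvbQWertqQeFi/1KoQW4eNephNXTfHqtoW9Q4qih5G"},
    {"username": "builder", "password": "builder"},               # plaintext: must be rejected
    {"username": "ci", "password": "$2b$04$" + "a" * 22 + "b" * 31},  # valid shape, weak cost
]

if __name__ == "__main__":
    if "--hash" in sys.argv:
        # Read from the terminal rather than argv so the password stays out of shell history.
        print(hash_password(getpass.getpass("password to hash: ")))
    for username, problem in audit_users(SAMPLE_USERS):
        print(f"{username}: {problem}")
```

`python audit_users.py --hash` prompts for a password and prints the hash to paste into config.yaml; replacing SAMPLE_USERS with the entries loaded from your own config turns the script into a pre-deployment check.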
This page describes how to configure admin accounts in Lenses.
You can configure a list of principals (users, service accounts) that have root admin access: access control permits any API operation performed by such principals, so keep the list short. If not set, it defaults to [] (no admin principals).
Admin accounts are set in HQ's config.yaml under the admin accounts key (see the HQ configuration reference), as an array of usernames.
Keycloak client settings:
Setting | Value |
---|---|
Client ID | Use the base URL of the Lenses installation, e.g. https://lenses-dev.example.com |
Client Protocol | saml |
Client SAML Endpoint | The Lenses API endpoint Keycloak calls back to: [BASE_URL]/api/v2/auth/saml/callback?client_name=SAML2Client, e.g. https://lenses-dev.example.com/api/v2/auth/saml/callback?client_name=SAML2Client |
Name | Lenses |
Description | (Optional) A description of the app |
SAML Signature Name | KEY_ID |
Client Signature Required | OFF |
Force POST Binding | ON |
Front Channel Logout | OFF |
Force Name ID Format | ON |
Name ID Format | |
Root URL | Use the base URL of the Lenses installation, e.g. https://lenses-dev.example.com |
Valid Redirect URIs | Use the base URL of the Lenses installation, e.g. https://lenses-dev.example.com |
Client Signature Required OFF means Keycloak does not require Lenses to sign its authentication requests; it does not affect the signatures on the assertions Keycloak issues, which remain signed with the realm key.
Keycloak group mapper settings:
Setting | Value |
---|---|
Name | Groups |
Mapper Type | Group list |
Group attribute name | groups (case-sensitive) |
Single Group Attribute | ON |
Full group path | OFF |
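The mapper settings above and the group membership modes described earlier interact: HQ matches the values of the groups attribute against its own group names exactly, so a mapper that emits full paths (/Developers instead of Developers) yields names HQ does not know, and in sso mode those are ignored. The following is an added example, not Lenses or Keycloak code: it extracts a named attribute from a SAML assertion and then applies the manual and sso membership rules as the page describes them. Both assertions are constructed samples in the shape Keycloak's Group list mapper produces (one attribute, one value per group); the realm URL and user are placeholders.

```python
"""Pull the group attribute out of a SAML assertion and apply HQ's group membership
mode as described on the page. Added example, not Lenses or Keycloak code."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample of the AttributeStatement a Keycloak "Group list" mapper emits with
# Single Group Attribute ON and Full group path OFF: one attribute, one value per group.
ASSERTION_FLAT = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/realms/lenses</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>Developers</saml:AttributeValue>
      <saml:AttributeValue>Everyone</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Same user with Full group path ON: values carry Keycloak's path prefix.
ASSERTION_PATHS = ASSERTION_FLAT.replace(">Developers<", ">/Developers<").replace(">Everyone<", ">/Everyone<")


def saml_attribute(assertion_xml: str, name: str) -> list:
    """All values of the named attribute; the Name comparison is exact and case-sensitive."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") == name:
            values.extend((v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS))
    return values


def effective_groups(mode: str, hq_assigned, idp_groups, hq_known_groups) -> set:
    """Membership after login under the two modes the page describes."""
    if mode == "manual":
        return set(hq_assigned)  # IdP groups are ignored entirely
    if mode == "sso":
        # Membership becomes exactly the IdP list; names unknown to HQ are dropped.
        return {g for g in idp_groups if g in hq_known_groups}
    raise ValueError(f"unknown group membership mode: {mode}")


if __name__ == "__main__":
    hq_groups = {"Developers", "Admins"}  # groups that exist in HQ (constructed)
    for label, assertion in (("flat names", ASSERTION_FLAT), ("full paths", ASSERTION_PATHS)):
        idp = saml_attribute(assertion, "groups")
        effective = effective_groups("sso", {"Admins"}, idp, hq_groups)
        print(f"{label}: IdP sent {idp} -> effective membership {sorted(effective)}")
```

With flat names the user lands in Developers (Everyone does not exist in HQ and is dropped; the manually assigned Admins is replaced). With full paths the user ends up in no group at all, which is the symptom to look for when a freshly configured Keycloak mapper appears to "lose" group membership.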