This page describes configuring Google SSO for Lenses authentication.
Google does not expose a user's groups or organizational unit to a SAML app, so a custom attribute must be created to hold the Lenses groups that each user belongs to.
1. Open the Google Admin console from an administrator account.
2. Click the Users button.
3. Select the More dropdown and choose Manage custom attributes.
4. Click the Add custom attribute button.
5. Fill in the form to add a Text, Multi-value field named Lenses Groups, then click Add.

Learn more about Google custom attributes
The attribute values should correspond exactly with the names of groups created within Lenses.
1. Open the Google Admin console from an administrator account.
2. Click the Users button.
3. Select the user to update.
4. Click User information.
5. Click the Lenses Groups attribute.
6. Enter one or more groups and click Save.
Learn more about Google custom SAML apps
1. Open the Google Admin console from an administrator account.
2. Click the Apps button.
3. Click the SAML apps button.
4. Select the Add App dropdown and choose Add custom SAML app.
5. Run through the steps below.
6. Enter a descriptive name for the Lenses installation.
7. Upload a Lenses icon. This will appear in the Google apps menu once the app is enabled.
8. Given the base URL of the Lenses installation, e.g. https://lenses-dev.example.com, fill out the settings:

   Setting | Value |
   ---|---|
   ACS URL | Use the base URL with the callback path, e.g. https://lenses-dev.example.com/api/v2/auth/saml/callback?client_name=SAML2Client |
   Entity ID | Use the base URL, e.g. https://lenses-dev.example.com |
   Start URL | Leave empty |
   Signed Response | Leave unchecked |
   Name ID format | Leave as UNSPECIFIED |
   Name ID | Leave as Basic Information > Primary Email |

9. Add a mapping from the custom attribute for Lenses groups to the app attribute named groups.
10. From the newly added app details screen, select User access.
11. Turn on the service.

Lenses will reject any user that doesn't have the groups attribute set, so enabling the app for all users in the account is a good option to simplify ongoing administration.

Download the Federation Metadata XML file with the Google IdP details.

SAML configuration is set in HQ's config.yaml file. See here for more details.
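The following script is an added example, not code from the Lenses or Google documentation. It ties together the custom-attribute assignment and the SAML app settings described above: it parses an IdP metadata file of the shape Google produces and a SAML assertion, pulls out the values a Lenses SAML configuration depends on (IdP entity ID, SSO URL, signing certificate, NameID and the mapped groups attribute), and applies the rule stated above that a user without the groups attribute is rejected. The metadata, the assertion, the idpid, the certificate body, the user and the group names are all constructed samples; the attribute name groups and the callback path come from the page; the check for group names that differ from a Lenses group only in case or whitespace is the example's own addition, since the page says values must match exactly.

```python
"""Checks for a Google Workspace -> Lenses SAML setup (added example, not
Lenses or Google code). Parses a Google-style IdP metadata file and a SAML
assertion and reports the values the Lenses SAML configuration relies on."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample shaped like a Google IdP metadata download; the idpid
# and the certificate body are placeholders, not real values.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://accounts.google.com/o/saml2?idpid=EXAMPLE_IDP_ID">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIICPLACEHOLDERCERTBODY</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://accounts.google.com/o/saml2/idp?idpid=EXAMPLE_IDP_ID"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://accounts.google.com/o/saml2/idp?idpid=EXAMPLE_IDP_ID"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample assertion (signature omitted): NameID is the primary
# email, and the custom attribute is mapped to the app attribute "groups".
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://accounts.google.com/o/saml2?idpid=EXAMPLE_IDP_ID</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>admins</saml:AttributeValue>
      <saml:AttributeValue>Kafka-Readers</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Same user with no groups attribute at all: the case Lenses rejects.
SAMPLE_ASSERTION_NO_GROUPS = (
    SAMPLE_ASSERTION.split("<saml:AttributeStatement>")[0] + "</saml:Assertion>"
)


def parse_idp_metadata(xml_text):
    """Return the IdP entity ID, SSO URLs keyed by binding, and signing cert."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: not an IdP metadata file")
    sso_urls = {
        svc.get("Binding").rsplit(":", 1)[-1]: svc.get("Location")
        for svc in idp.findall("md:SingleSignOnService", NS)
    }
    key = idp.find("md:KeyDescriptor[@use='signing']", NS)
    cert = key.findtext(".//ds:X509Certificate", namespaces=NS) if key is not None else None
    return {
        "entity_id": root.get("entityID"),
        "sso_urls": sso_urls,
        "signing_cert": "".join(cert.split()) if cert else None,  # strip PEM line breaks
    }


def extract_subject_and_groups(assertion_xml, attribute="groups"):
    """Return (NameID, list of group values); the list is empty if the attribute is absent."""
    root = ET.fromstring(assertion_xml)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    groups = []
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == attribute:
            groups.extend(v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text)
    return name_id, groups


def check_user(assertion_xml, lenses_groups):
    """Apply the page's rule (no groups attribute -> rejected) and flag values
    that do not exactly match a Lenses group, pointing out likely case typos."""
    name_id, groups = extract_subject_and_groups(assertion_xml)
    known = set(lenses_groups)
    unknown = [g for g in groups if g not in known]
    by_lower = {g.lower(): g for g in known}
    near_miss = {g: by_lower[g.lower()] for g in unknown if g.lower() in by_lower}
    return {"user": name_id, "groups": groups, "unknown": unknown,
            "near_miss": near_miss, "accepted": bool(groups)}


def sp_settings(base_url):
    """ACS URL and Entity ID to enter in the Google app, derived from the base URL."""
    base = base_url.rstrip("/")
    return {"acs_url": f"{base}/api/v2/auth/saml/callback?client_name=SAML2Client",
            "entity_id": base}


if __name__ == "__main__":
    print(parse_idp_metadata(SAMPLE_METADATA))
    print(check_user(SAMPLE_ASSERTION, {"admins", "kafka-readers"}))
    print(check_user(SAMPLE_ASSERTION_NO_GROUPS, {"admins", "kafka-readers"}))
    print(sp_settings("https://lenses-dev.example.com/"))
```

To inspect a real download, pass the file contents to parse_idp_metadata and compare the entity ID and SSO URL with what is entered in config.yaml. The script only reads the XML; it does not verify the assertion signature, which is the job of the SAML library inside Lenses, so a passing check here says the attribute mapping and group names are right, not that an assertion is authentic.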