7fivefive Lens supports SAML (Security Assertion Markup Language) for logging into the portal. Using SAML allows for easy user provisioning and gives users a single login to remember for all their enterprise applications.

This article explains how to configure the Lens Portal to be a SAML service provider (SP). Some SAML identity providers (IDPs) use different terminology for fields or attributes, but we will try to cover the most common ones.

Prerequisites

  • You will need administrator access to the 7fivefive Lens Portal

  • You will need administrator access to your SAML identity provider

Configuring the IDP

Each IDP is different; however, the following table should be all you need to configure the application in your IDP:

| Name | Value | Notes |
|---|---|---|
| IdP Entity ID | | This can be anything you like, but make a note of this for later in the process. |
| SP Entity ID/Application SAML audience/Metadata URL | https://lens.example.com/api/auth/saml/metadata | Change lens.example.com to be the FQDN for your Lens Portal. |
| ACS URL/Application ACS URL | https://lens.example.com/api/auth/saml?acs | Change lens.example.com to be the FQDN for your Lens Portal. |

User attributes

The Lens Portal looks for the following attributes in SAML requests. Not all of them are required, but all are recommended. The attribute names are case-sensitive.

| Name | Notes | Required |
|---|---|---|
| UserName | This should be the username that users will log into remote edit workstations with. | Yes |
| FirstName | The user's first name | No |
| LastName | The user's last name | No |
| Email | The user's email address | Yes |

Group attributes

The Lens Portal looks for the following group attributes in SAML requests. Providing group attributes allows Lens to automatically assign the correct role to users when they connect to the portal upon user provisioning. See the role mapping page for more information.

If group attributes are not provided, then when a SAML user is provisioned in the Lens Portal, they will automatically get the Remote Edit User role.

| Name | Notes | Required |
|---|---|---|
| GroupNames | This should be a list of groups that the user is part of. | No |
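
The following Python check is an added example, not part of the Lens product or its documentation. It takes a decoded SAML assertion captured from a test login and compares its attribute names against the user and group attribute tables above, flagging names sent in the wrong case. The function name check_attributes and the sample assertion are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Attribute name -> required, as listed in the two attribute tables above.
EXPECTED = {"UserName": True, "Email": True, "FirstName": False,
            "LastName": False, "GroupNames": False}

# Constructed sample assertion (unsigned, trimmed to the AttributeStatement).
SAMPLE = f"""<saml:Assertion xmlns:saml="{NS}"><saml:AttributeStatement>
  <saml:Attribute Name="UserName"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="FirstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="GroupNames">
    <saml:AttributeValue>editors</saml:AttributeValue>
    <saml:AttributeValue>colourists</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement></saml:Assertion>"""

def check_attributes(assertion_xml):
    """Return (errors, warnings) for the attributes in a decoded assertion.
    Diagnostic only: it does not verify the assertion's signature."""
    root = ET.fromstring(assertion_xml)
    found = {}
    for attr in root.iter(f"{{{NS}}}Attribute"):
        values = [v.text or "" for v in attr.findall(f"{{{NS}}}AttributeValue")]
        found[attr.get("Name")] = values
    by_lower = {name.lower(): name for name in found if name}
    errors, warnings = [], []
    for name, required in EXPECTED.items():
        if any(v.strip() for v in found.get(name, [])):
            continue  # present, exact case, non-empty
        if name in found:
            problem = f"{name} is present but empty"
        elif name.lower() in by_lower:
            problem = f"{name} was sent as '{by_lower[name.lower()]}'; names are case-sensitive"
        else:
            problem = f"{name} is missing"
        if name == "GroupNames":
            problem += "; new users will get the Remote Edit User role"
        (errors if required else warnings).append(problem)
    return errors, warnings

if __name__ == "__main__":
    errors, warnings = check_attributes(SAMPLE)
    print("errors:", errors)
    print("warnings:", warnings)
```

Run it only against an assertion captured from your own IDP during testing; a missing required attribute is reported as an error, a missing optional one as a warning.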

Configuring the Lens Portal (SP)

Prerequisites

  • Once you have created the application in the SAML IDP, you will need to download the IDP certificate

  • IDP URL/sign-in URL

  • IdP Entity ID

Configure SAML in the Lens Portal

  1. Log in to the Lens Portal. The user must have the 'Access to Settings' permission for the location where the scheduler will be enabled.

  2. In the left sidebar, open the Configuration menu, then select the Settings option

  3. Under the General group, select the Authentication option

  4. Click the SAML tab

  5. Check the Enabled toggle

  6. In the 7fivefive Lens Public FQDN field, enter the FQDN for the Lens Portal. This should be without a protocol prefix, like https://. An example of a valid FQDN is: lens.example.com

  7. In the SAML provider name field, enter whatever you would like to be shown on the login page on the SSO button. This will be prefixed with Sign in with. For example, if you enter Okta in the field, then the button will be Sign in with Okta

  8. In the SAML Issuer URL/IDP Entity ID field, enter the IDP entity ID from the previous section

  9. In the SAML SSO URL field, enter the IDP URL/sign-in URL from the previous section

  10. In the SAML IDP certificate field, click the Choose file button. Select the IDP certificate downloaded previously. Alternatively, you can copy and paste this into the text field.

  11. Click the Save button