SSO

Lens Agents supports OIDC single sign-on. Users authenticate through your organization's identity provider and access Lens Agents under that identity, with every action attributed accordingly in the audit trail.


Supported providers

Lens Agents works with any standards-compliant OIDC provider. At launch the following are validated:

  • Okta
  • Microsoft Entra ID (Azure AD)
  • JumpCloud

Other OIDC providers work through standard configuration.


How OIDC integration works

Lens Agents acts as an OIDC relying party. The organization's identity provider registers Lens Agents as a web application with a redirect URI provided during onboarding. Lens Agents accepts a standard OIDC discovery endpoint (issuer URL) plus client ID and client secret.

Required inputs from your identity provider:

  • Client ID (from your IdP's application registration)
  • Client secret
  • Issuer URL (for example, https://your-org.okta.com for Okta, or https://login.microsoftonline.com/<tenant-id>/v2.0 for Entra ID)

The authorized redirect URI is provided by Lens Agents during setup. SSO configuration is managed per organization by an administrator.


Authentication flow

When a user signs in:

  1. User accesses the Lens Agents platform
  2. Lens Agents redirects to the configured identity provider over OIDC
  3. User authenticates with their corporate credentials (including MFA if configured at the IdP)
  4. Identity provider returns a signed JWT to Lens Agents
  5. Lens Agents validates the token and creates or updates the user session
  6. User is signed in with their organization role and team memberships

For desktop AI tools (Claude Desktop, Cursor, etc.), the SSO flow is triggered when the user first connects the tool to Lens Agents. After initial authentication, the tool uses a refresh token for subsequent sessions.