Skip to content

Authentication (SSO/SCIM)#

Lens premium subscription feature. See details on Lens Pricing.

As a Lens Business ID administrator, you can integrate Lens with one of the identity and access management (IAM) solutions such as JumpCloud, Microsoft Entra ID, Okta, and other services.

The SSO (single sign-on) authentication scheme allows users to access several services with one set of login credentials. For example, you can log in to your Lens ID through the Microsoft Entra ID account. SSO improves security and makes credential management easier. In Lens ID, the SSO integration supports the SAML and OIDC authentication standards.

The SCIM (System for Cross-domain Identity Management) integration allows associating multiple user accounts of your IAM solution with the Lens Business ID of your organization. In general, you can create an application (or other entity) within the IAM system that is associated with the Lens Business ID. And then you can manage the Lens Business ID users within your IAM solution by adding them to the application. If there is an available subscription seat, a user gets automatically assigned to it. You can remove the user from the Lens Business ID and unassign the subscription seat within the IAM service. To do so, suspend the user account from the corresponding application.

Configure SSO#

Info

When you enable SSO authentication and SCIM provisioning, it only applies to users of your Lens Business ID. Users with the same domain but from a different Lens Business ID log in according to the settings of their own Lens Business ID.

To configure SSO:

  1. As a Lens Business ID administrator, navigate to Authentication.

  2. Toggle Single Sign-On (SSO).

  3. In SSO Provider Type, select one of the following options:

    • SAML
    • OIDC

  4. Provide the IDP with the following URLs:

    URL Description
    Assertion Consumer Service URL The endpoint on the Lens side to which the IDP redirects with the authentication response
    Service Provider Entity ID A URL that identifies Lens as a service provider

    Redirect URI: The endpoint on the Lens side to which the IDP redirects with the authentication response.

  5. If the IDP administrator provided you with configurations, click the following buttons to complete the automatic setup:

    Import metadata

    Import configuration

  6. Contact the IDP administrator to obtain the following parameters and specify them manually:

    Parameter Description
    Single Sign-On Service URL The IDP service endpoint for authentication requests
    Identity Provider Entity ID The URL that identifies IDP
    Parameter Description
    Client ID The public Lens identifier within the IPS system
    Client Secret The confidential Lens identifier within the IPS system
    Authorization URL The authorization request link
    Token URL The URL that contains the authentication token
    JWKS URL The URL to the cryptographic key
    User Info URL The endpoint with the user information
    Logout URL The URL of the page to which users redirect after logging out of Lens

  7. Click Save Single Sign-On Settings.

Configure SCIM#

Warning

When configuring SCIM for Microsoft Entra ID (former Azure AD), be sure that you have disabled the Provision Microsoft Entra ID Groups parameter.

To configure SCIM:

  1. Configure SSO.
  2. Toggle SCIM Provisioning.

  3. Provide the IDP with the following parameters:

    Parameter Description
    Base URL The API endpoint to which the IDP service sends requests
    API Token The access token

See also: