Authentication (SSO/SCIM)

This is a Lens premium subscription feature. See details on Lens Pricing.

As a Lens Business ID administrator, you can integrate Lens with an identity provider (IdP) such as JumpCloud, Microsoft Entra ID, Okta, or another service.

SSO (single sign-on) enables users to access multiple services with one set of credentials. SSO improves security and simplifies credential management. Lens Business ID supports SAML and OIDC. Configure SSO for the email domain of your organization so users sign in to their Lens IDs through your IdP. Lens Business ID users with emails from other domains are not required to authenticate through SSO.

The SCIM (System for Cross-domain Identity Management) integration allows associating multiple user accounts of your IAM solution with the Lens Business ID of your organization. In general, you create an application (or other entity) within the IAM system that is associated with the Lens Business ID, and then manage the Lens Business ID users within your IdP solution by adding them to the application. If there is an available subscription seat, a user gets automatically assigned to it. You can remove the user from the Lens Business ID and unassign the subscription seat within the IAM service. To do so, suspend the user account from the corresponding application.

Configure SSO

Info

When you enable SSO authentication and SCIM provisioning, it only applies to users of your Lens Business ID. Users with the same domain but from a different Lens Business ID log in according to the settings of their own Lens Business ID.

To configure SSO:

  1. As a Lens Business ID administrator, navigate to Authentication.

  2. Toggle Single Sign-On (SSO).

  3. In SSO Provider Type, select one of the following options:

    • SAML
    • OIDC
  4. Provide the IdP with the following URLs:

    SAML:

    | URL | Description |
    | --- | --- |
    | Assertion Consumer Service URL | The endpoint on the Lens side to which the IdP redirects with the authentication response |
    | Service Provider Entity ID | A URL that identifies Lens as a service provider |

    OIDC:

    Redirect URI: The endpoint on the Lens side to which the IdP redirects with the authentication response.

  5. If the IdP administrator provided you with configurations, click the following buttons to complete the automatic setup:

    Import metadata

    Import configuration

  6. Contact the IdP administrator to obtain the following parameters and specify them manually:

    SAML:

    | Parameter | Description |
    | --- | --- |
    | Single Sign-On Service URL | The IdP service endpoint for authentication requests |
    | Identity Provider Entity ID | The URL that identifies the IdP |

    OIDC:

    | Parameter | Description |
    | --- | --- |
    | Client ID | The public Lens identifier within the IdP system |
    | Client Secret | The confidential Lens identifier within the IdP system |
    | Authorization URL | The authorization request link |
    | Token URL | The URL that contains the authentication token |
    | JWKS URL | The URL to the cryptographic key |
    | User Info URL | The endpoint with the user information |
    | Logout URL | The URL of the page to which users redirect after logging out of Lens |
  7. Click Save Single Sign-On Settings.
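
Most OIDC IdPs publish the URLs requested in step 6 in an OpenID Connect discovery document. The following is an added example, not part of the Lens documentation: it maps the standard discovery keys to the field labels above and checks the values before you enter them manually. The host `idp.example.com`, the function name `lens_oidc_fields` and both sample documents are constructed for illustration; the Logout URL is not derived here.

```python
import json
from urllib.parse import urlsplit

# Lens field label -> standard OIDC Discovery metadata key.
FIELD_MAP = {
    "Authorization URL": "authorization_endpoint",
    "Token URL": "token_endpoint",
    "JWKS URL": "jwks_uri",
    "User Info URL": "userinfo_endpoint",
}

def lens_oidc_fields(discovery_json, expected_issuer):
    """Return (fields, problems) for a discovery document given as JSON text."""
    doc = json.loads(discovery_json)
    problems = []
    # OIDC Discovery: the issuer in the document must equal the issuer you asked for.
    if doc.get("issuer") != expected_issuer:
        problems.append(f"issuer mismatch: {doc.get('issuer')!r}")
    fields = {}
    for label, key in FIELD_MAP.items():
        url = doc.get(key)
        if not isinstance(url, str) or not url:
            problems.append(f"{label}: '{key}' missing from discovery document")
            continue
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.hostname:
            problems.append(f"{label}: not an absolute https URL: {url}")
            continue
        fields[label] = url  # only validated values are returned
    return fields, problems

# Constructed sample documents (idp.example.com is a placeholder host).
GOOD = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "jwks_uri": "https://idp.example.com/oauth2/keys",
    "userinfo_endpoint": "https://idp.example.com/oauth2/userinfo",
})
BAD = json.dumps({
    "issuer": "https://idp.example.com/",  # trailing slash: not an exact match
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "http://idp.example.com/oauth2/token",  # plaintext, no userinfo
    "jwks_uri": "https://idp.example.com/oauth2/keys",
})

if __name__ == "__main__":
    print(lens_oidc_fields(BAD, "https://idp.example.com")[1])
```
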

Configure SCIM

Warning

When configuring SCIM for Microsoft Entra ID (formerly Azure AD), be sure that you have disabled the Provision Microsoft Entra ID Groups parameter.

To configure SCIM:

  1. Configure SSO.
  2. Toggle SCIM Provisioning.
  3. Provide the IdP with the following parameters:

    | Parameter | Description |
    | --- | --- |
    | Base URL | The API endpoint to which the IdP service sends requests |
    | API Token | The access token |

See also: