Tutorial: Azure Active Directory single sign-on (SSO) integration with the Lenses.io DataOps portal
In this tutorial, you'll learn how to integrate the Lenses.io DataOps portal with Azure Active Directory (Azure AD). After you integrate Lenses.io with Azure AD, you can:
- Control in Azure AD who has access to the Lenses.io portal.
- Enable your users to be automatically signed in to Lenses with their Azure AD accounts.
- Manage your accounts in one central location: the Azure portal.
To get started, you need the following items:
- An Azure AD subscription. If you don't have a subscription, you can get a free account.
- An instance of a Lenses portal. You can choose from a number of deployment options.
- A Lenses.io license that supports single sign-on (SSO).
This integration is also available in the Azure AD US Government Cloud environment. You can find this application in the Azure AD US Government Cloud Application Gallery and configure it the same way as you do in the public cloud.
In this tutorial, you'll configure and test Azure AD SSO in a test environment.
- Lenses.io supports service provider (SP) initiated SSO.
Add Lenses.io from the gallery
To configure the integration of Lenses.io into Azure AD, add Lenses.io to your list of managed SaaS apps:
- Sign in to the Azure portal by using a work or school account, or a personal Microsoft account.
- On the left pane, select the Azure Active Directory service.
- Go to Enterprise Applications, and then select All Applications.
- Select New application.
- In the Add from the gallery section, enter Lenses.io in the search box.
- From the results panel, select Lenses.io, and then add the app. Wait a few seconds while the app is added to your tenant.
Alternatively, you can use the Enterprise App Configuration Wizard. In this wizard, you can add an application to your tenant, add users and groups to the app, assign roles, and walk through the SSO configuration. Learn more about Microsoft 365 wizards.
Configure and test Azure AD SSO for Lenses.io
You'll create a test user called B.Simon to configure and test Azure AD SSO with your Lenses.io portal. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Lenses.io.
Perform the following steps:
- Configure Azure AD SSO to enable your users to use this feature.
- Configure Lenses.io SSO to configure the SSO settings on the application side.
- Create Lenses.io test group permissions to control what B.Simon can access in Lenses.io (authorization).
- Test SSO to verify whether the configuration works.
Configure Azure AD SSO
Follow these steps to enable Azure AD SSO in the Azure portal:
In the Azure portal, on the Lenses.io application integration page, find the Manage section, and then select single sign-on.
On the Select a single sign-on method page, select SAML.
On the Set up single sign-on with SAML page, select the pencil icon for Basic SAML Configuration to edit the settings.
In the Basic SAML Configuration section, perform the following steps:
a. Identifier (Entity ID): Enter a URL that has the following pattern:
https://<CUSTOMER_LENSES_BASE_URL>. An example is
b. Reply URL: Enter a URL that has the following pattern:
https://<CUSTOMER_LENSES_BASE_URL>/api/v2/auth/saml/callback?client_name=SAML2Client. An example is
c. Sign on URL: Enter a URL that has the following pattern:
https://<CUSTOMER_LENSES_BASE_URL>. An example is
These values are not real. Update them with the actual Identifier, Reply URL, and Sign on URL, using the base URL of your Lenses portal instance. See the Lenses.io SSO documentation for more information.
On the Set up single sign-on with SAML page, go to the SAML Signing Certificate section. Find Federation Metadata XML, and then select Download to save the metadata file, which contains the signing certificate, on your computer.
In the Set up Lenses.io section, use the XML file that you downloaded to configure Lenses against your Azure SSO.
Create an Azure AD test user and group
In the Azure portal, you'll create a test user called B.Simon. Then you'll create a test group that controls the access B.Simon has in Lenses.
You can find out how Lenses uses group membership mapping for authorization in the Lenses SSO documentation.
To create the test user:
- On the left pane of the Azure portal, select Azure Active Directory, select Users, and then select All users.
- At the top of the screen, select New user.
- In the User properties, follow these steps:
- In the Name box, enter B.Simon.
- In the User name box, enter the user name in the form of an email address. For example, B.Simon@contoso.com.
- Select the Show password check box. Write down the password that shows in the Password box.
- Select Create.
To create the group:
- Go to Azure Active Directory, and then select Groups.
- At the top of the screen, select New group.
- In the Group properties, follow these steps:
- In the Group type box, select Security.
- In the Group Name box, enter LensesUsers.
- Select Create.
- Select the group LensesUsers and copy the Object ID (for example, f8b5c1ec-45de-4abd-af5c-e874091fb5f7). You'll use this ID in Lenses to map users of the group to the correct permissions.
To assign the group to the test user:
- Go to Azure Active Directory, and then select Users.
- Select the test user B.Simon.
- Select Groups.
- At the top of the screen, select Add memberships.
- Search for and select LensesUsers.
- Click Select.
Assign the Azure AD test user
In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Lenses.io.
- In the Azure portal, select Enterprise Applications, and then select All applications.
- On the applications list, select Lenses.io.
- On the app overview page, in the Manage section, select Users and groups.
- Select Add user.
- In the Add Assignment dialog box, select Users and groups.
- In the Users and groups dialog box, select B.Simon from the Users list. Then click the Select button at the bottom of the screen.
- If you're expecting any role value in the SAML assertion, in the Select Role dialog box, choose the appropriate role for the user from the list. Then click the Select button at the bottom of the screen.
- In the Add Assignment dialog box, select the Assign button.
Configure Lenses.io SSO
To configure SSO on the Lenses.io portal, install the downloaded Federation Metadata XML on your Lenses instance and configure Lenses to enable SSO.
Create Lenses.io test group permissions
- To create a group in Lenses, use the Object ID of the LensesUsers group. This is the ID that you copied in the Create an Azure AD test user and group section.
- Assign the desired permissions for B.Simon.
For more information, see Azure - Lenses group mapping.
Test SSO
In this section, you test your Azure AD single sign-on configuration with the following options.
- Select Test this application in the Azure portal. This redirects you to the Lenses.io sign-on URL, where you can initiate the login flow.
- Go to the Lenses.io sign-on URL directly and initiate the login flow from there.
- Use Microsoft My Apps. When you select the Lenses.io tile in My Apps, you're redirected to the Lenses.io sign-on URL. For more information about My Apps, see Introduction to the My Apps.
Once you configure Lenses.io, you can enforce session control, which protects against exfiltration and infiltration of your organization's sensitive data in real time. Session control extends from Conditional Access. Learn how to enforce session control with Microsoft Defender for Cloud Apps.