Tutorial: Azure Active Directory single sign-on (SSO) integration with the Lenses.io DataOps portal

In this tutorial, you'll learn how to integrate the Lenses.io DataOps portal with Azure Active Directory (Azure AD). After you integrate Lenses.io with Azure AD, you can:

  • Control in Azure AD who has access to the Lenses.io portal.
  • Enable your users to be automatically signed in to Lenses with their Azure AD accounts.
  • Manage your accounts in one central location: the Azure portal.

Prerequisites

To get started, you need the following items:

  • An Azure AD subscription. If you don't have a subscription, you can get a free account.
  • An instance of a Lenses portal. You can choose from a number of deployment options.
  • A Lenses.io license that supports single sign-on (SSO).

Note

This integration is also available to use from the Azure AD US Government Cloud environment. You can find this application in the Azure AD US Government Cloud Application Gallery and configure it in the same way as you do from the public cloud.

Scenario description

In this tutorial, you'll configure and test Azure AD SSO in a test environment.

  • Lenses.io supports service provider (SP) initiated SSO.

To configure the integration of Lenses.io into Azure AD, add Lenses.io to your list of managed SaaS apps:

  1. Sign in to the Azure portal by using a work or school account, or a personal Microsoft account.
  2. On the left pane, select the Azure Active Directory service.
  3. Go to Enterprise Applications, and then select All Applications.
  4. Select New application.
  5. In the Add from the gallery section, enter Lenses.io in the search box.
  6. From the results panel, select Lenses.io, and then add the app. Wait a few seconds while the app is added to your tenant.

Alternatively, you can use the Enterprise App Configuration Wizard. In this wizard, you can add an application to your tenant, add users and groups to the app, assign roles, and walk through the SSO configuration. Learn more about Microsoft 365 wizards.

Configure and test Azure AD SSO for Lenses.io

You'll create a test user called B.Simon to configure and test Azure AD SSO with your Lenses.io portal. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Lenses.io.

Perform the following steps:

  1. Configure Azure AD SSO to enable your users to use this feature.
    1. Create an Azure AD test user and group to test Azure AD SSO with B.Simon.
    2. Assign the Azure AD test user to enable B.Simon to use Azure AD SSO.
  2. Configure Lenses.io SSO to configure the SSO settings on the application side.
    1. Create Lenses.io test group permissions to control what B.Simon can access in Lenses.io (authorization).
  3. Test SSO to verify whether the configuration works.

Configure Azure AD SSO

Follow these steps to enable Azure AD SSO in the Azure portal:

  1. In the Azure portal, on the Lenses.io application integration page, find the Manage section, and then select single sign-on.

  2. On the Select a single sign-on method page, select SAML.

  3. On the Set up single sign-on with SAML page, select the pencil icon for Basic SAML Configuration to edit the settings.

    Screenshot that shows the icon for editing basic SAML configuration.

  4. In the Basic SAML Configuration section, perform the following steps:

    a. Identifier (Entity ID): Enter a URL that has the following pattern: https://<CUSTOMER_LENSES_BASE_URL>. An example is https://lenses.my.company.com.

    b. Reply URL: Enter a URL that has the following pattern: https://<CUSTOMER_LENSES_BASE_URL>/api/v2/auth/saml/callback?client_name=SAML2Client. An example is https://lenses.my.company.com/api/v2/auth/saml/callback?client_name=SAML2Client.

    c. Sign on URL: Enter a URL that has the following pattern: https://<CUSTOMER_LENSES_BASE_URL>. An example is https://lenses.my.company.com.

    Note

    These values are not real. Update them with the actual Identifier, Reply URL and Sign on URL, derived from the base URL of your Lenses portal instance. See the Lenses.io SSO documentation for more information.

  5. On the Set up single sign-on with SAML page, go to the SAML Signing Certificate section. Find Federation Metadata XML, and then select Download to download and save the certificate on your computer.

    Screenshot that shows the Certificate download link.

  6. In the Set up Lenses.io section, use the XML file that you downloaded to configure Lenses against your Azure SSO.

Create an Azure AD test user and group

In the Azure portal, you'll create a test user called B.Simon. Then you'll create a test group that controls the access B.Simon has in Lenses.

You can find out how Lenses uses group membership mapping for authorization in the Lenses SSO documentation.

To create the test user:

  1. On the left pane of the Azure portal, select Azure Active Directory, select Users, and then select All users.
  2. At the top of the screen, select New user.
  3. In the User properties, follow these steps:
    1. In the Name box, enter B.Simon.
    2. In the User name box, enter the username@companydomain.extension. For example, B.Simon@contoso.com.
    3. Select the Show password check box. Write down the password that shows in the Password box.
    4. Select Create.

To create the group:

  1. Go to Azure Active Directory, and then select Groups.
  2. At the top of the screen, select New group.
  3. In the Group properties, follow these steps:
    1. In the Group type box, select Security.
    2. In the Group Name box, enter LensesUsers.
    3. Select Create.
  4. Select the group LensesUsers and copy the Object ID (for example, f8b5c1ec-45de-4abd-af5c-e874091fb5f7). You'll use this ID in Lenses to map users of the group to the correct permissions.

To assign the group to the test user:

  1. Go to Azure Active Directory, and then select Users.
  2. Select the test user B.Simon.
  3. Select Groups.
  4. At the top of the screen, select Add memberships.
  5. Search for and select LensesUsers.
  6. Click Select.

Assign the Azure AD test user

In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Lenses.io.

  1. In the Azure portal, select Enterprise Applications, and then select All applications.
  2. On the applications list, select Lenses.io.
  3. On the app overview page, in the Manage section, select Users and groups.
  4. Select Add user.
  5. In the Add Assignment dialog box, select Users and groups.
  6. In the Users and groups dialog box, select B.Simon from the Users list. Then click the Select button at the bottom of the screen.
  7. If you're expecting any role value in the SAML assertion, in the Select Role dialog box, choose the appropriate role for the user from the list. Then click the Select button at the bottom of the screen.
  8. In the Add Assignment dialog box, select the Assign button.

Configure Lenses.io SSO

To configure SSO on the Lenses.io portal, install the downloaded Federation Metadata XML on your Lenses instance and configure Lenses to enable SSO.

Create Lenses.io test group permissions

  1. To create a group in Lenses, use the Object ID of the LensesUsers group. This is the ID that you copied when you created the test user and group.
  2. Assign the desired permissions for B.Simon.

For more information, see Azure - Lenses group mapping.

Test SSO

In this section, you test your Azure AD single sign-on configuration with the following options.

  • Click Test this application in the Azure portal. This redirects you to the Lenses.io Sign-on URL, where you can initiate the login flow.

  • Go to the Lenses.io Sign-on URL directly and initiate the login flow from there.

  • Use Microsoft My Apps. When you click the Lenses.io tile in My Apps, you're redirected to the Lenses.io Sign-on URL. For more information about My Apps, see Introduction to the My Apps.

Next steps

Once you configure Lenses.io, you can enforce session control, which protects against exfiltration and infiltration of your organization’s sensitive data in real time. Session control extends from Conditional Access. Learn how to enforce session control with Microsoft Defender for Cloud Apps.