Single Sign On (SSO)

Optional add-on for customers with an Enterprise plan

Overview

Single Sign-On (SSO) is an easy and secure way for your team to access Lens. With SSO enabled, users can use a single set of authentication credentials for their organization to log straight into Lens. This means no more extra passwords to remember and a higher level of security. Lens supports Security Assertion Markup Language (SAML), OpenID Connect (OIDC), and Microsoft Azure Active Directory authentication processes.

If you’re in an Enterprise plan and would like to add single sign-on to your Lens account, please reach out to lens@upstream.tech to get started.

How to set up SSO for Lens

1.  The first step is to set up a connection for Lens with your identity provider. Lens supports Security Assertion Markup Language (SAML), OpenID Connect (OIDC), and Microsoft Azure Active Directory. We’ll work with you to configure the setup with your IT team and make SSO mandatory for your organization. Please work with your IT team to gather the relevant information about your provider.

    • For SAML:
      • Identity Provider ID
      • Identity Provider Certificate
      • Identity Provider SSO URL
    • For OIDC:
      • Client ID
      • Client Secret
      • Issuer URL
    • For Microsoft:
      • Client ID
      • Client Secret

2.  Please reach out to lens@upstream.tech to let us know you'd like to set up SSO for your Lens account, and if it should be required or optional for your Lens users. Note that any users in Lens will need to be in your SSO Active Directory, and will need to use the same email address for Lens and that is listed in the identity provider (i.e. using a personal email address for a Lens account won't work). Please also send us the relevant information from Step 1.

3.  We will confirm the service provider entity ID and the authentication redirect URL (currently https://login.upstream.tech/__/auth/handler) and any other information your IT team needs to configure the link between Lens and your identity provider. 

What to expect once SSO is enabled

  • When SSO is enabled for a Lens account, users can initiate the login process from the same app.upstream.tech webpage. 
  • Once you enter your email address, we'll check to see whether you are part of an organization with SSO set up. If so, we’ll redirect so you can log in through your provider, then take you straight into Lens.
  • When inviting new users to Lens, please use the same invite links from the Settings --> Team page of Lens to add them at the appropriate profile level. 

Below is an example sign-up page where SSO is required:

And here is an example sign-up page where SSO is optional: