> For the complete documentation index, see [llms.txt](https://docs.lenses.io/latest/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.lenses.io/latest/deployment/configuration/authentication/sso-and-saml/overview.md).

# Overview

## Users

Control of how user create with SSO is determined by the[ SSO User Creation Mode](/latest/deployment/configuration/hq.md#ssousercreationmode). There are two modes:

1. Manual
2. SSO

With **manual** mode, only users that pre-created in HQ can login.

With **sso** mode, users that do not already exists are created and logged in.

## Group Mapping

Control of how a user's group membership should be handled in relation to SSO is determined by the [SSO Group Membership Mode](/latest/deployment/configuration/hq.md#ssogroupmembershipmode). There are two modes:

1. Manual
2. SSO

With the **manual** mode, the information about the group membership returned from an Identity Provider will not be used and a user will only be a member of groups that were explicitly assigned to them in HQ.

With the **sso** mode, group information from Identity Provider (IdP) will be used. On login, a user's group membership is set to the groups listed in the IdP.

{% hint style="warning" %}
Groups that do not exist in HQ are ignored.
{% endhint %}

SAML configuration is defined in the **config.yaml** provided to HQ. For more information on the configuration options see [here](/latest/deployment/configuration/hq.md#samlconfig).

{% code title="config.yaml" %}

```yaml
http:
  saml:
    metadata: |-
```

{% endcode %}

The follow SSO / SAML providers are supported.

Creating a Keystore

Enable SAML single-sign on by creating a keystore.

* SAML needs a keystore with a generated **key-pair**.
* SAML uses the key-pair to encrypt its communication with the IdP.

## Creating a keystore <a href="#create-a-keystore" id="create-a-keystore"></a>

Use the Java `keytool` to create one.

```bash
keytool \
 -genkeypair \
 -storetype pkcs12 \
 -keystore lenses.p12 \
 -storepass my_password \
 -alias lenses \
 -keypass my_password \
 -keyalg RSA \
 -keysize 2048 \
 -validity 10000
```

| Setting   | Definition                                                                 |
| --------- | -------------------------------------------------------------------------- |
| storetype | The type of keystore (pkcs12 is industry standard, but jks also supported) |
| keystore  | The filename of the keystore                                               |
| storepass | The password of the keystore                                               |
| alias     | The name of the key-pair                                                   |
| keypass   | The password of the key-pair (must be same as storepass for pkcs12 stores  |


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://docs.lenses.io/latest/deployment/configuration/authentication/sso-and-saml/overview.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
