# Overview

## Users

How users are created through SSO is controlled by the [SSO User Creation Mode](https://docs.lenses.io/latest/deployment/hq#ssousercreationmode). There are two modes:

1. Manual
2. SSO

With **manual** mode, only users that have been pre-created in HQ can log in; an SSO login for an unknown user is refused.

With **sso** mode, users that do not already exist in HQ are created on their first login and then logged in.

## Group Mapping

Control of how a user's group membership should be handled in relation to SSO is determined by the [SSO Group Membership Mode](https://docs.lenses.io/latest/deployment/hq#ssogroupmembershipmode). There are two modes:

1. Manual
2. SSO

With the **manual** mode, the information about the group membership returned from an Identity Provider will not be used and a user will only be a member of groups that were explicitly assigned to them in HQ.

With the **sso** mode, group information from the Identity Provider (IdP) is used: on each login, the user's group membership is set to exactly the groups listed by the IdP.

{% hint style="warning" %}
Groups that do not exist in HQ are ignored.
{% endhint %}
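The two settings above decide what happens at the moment of an SSO login. The following model, added here as an illustration and not Lenses HQ code, walks through both modes for both settings; the class and function names and the sample users and groups are constructed for the example. It shows the case the warning box describes: in **sso** group mode an IdP group that does not exist in HQ is silently dropped, and the user's previous HQ membership is replaced rather than merged.

```python
"""Model of the HQ SSO user-creation and group-membership modes.

Added illustration, not Lenses HQ code: names, data shapes and sample values
are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class HQUser:
    username: str
    groups: Set[str] = field(default_factory=set)  # groups assigned in HQ


@dataclass
class HQ:
    users: Dict[str, HQUser]               # users that exist in HQ, by username
    groups: Set[str]                       # groups that exist in HQ
    user_creation_mode: str = "manual"     # "manual" | "sso"
    group_membership_mode: str = "manual"  # "manual" | "sso"

    def sso_login(self, username: str, idp_groups: Set[str]) -> Optional[HQUser]:
        """Resolve an SSO login. Returns the logged-in user, or None if refused."""
        user = self.users.get(username)
        if user is None:
            if self.user_creation_mode == "manual":
                return None  # manual: only pre-created users may log in
            user = HQUser(username)  # sso: create the user on first login
            self.users[username] = user

        if self.group_membership_mode == "sso":
            # Membership is replaced by the IdP's list; groups unknown to HQ
            # are ignored, so a typo in the IdP grants nothing.
            user.groups = {g for g in idp_groups if g in self.groups}
        # manual: the IdP groups are not used; HQ assignments stay as they are
        return user


def demo() -> Dict[str, Optional[Set[str]]]:
    """Run the four combinations on constructed data and collect the outcomes."""
    results: Dict[str, Optional[Set[str]]] = {}
    for creation in ("manual", "sso"):
        for membership in ("manual", "sso"):
            hq = HQ(
                users={"alice": HQUser("alice", {"viewers"})},
                groups={"admins", "viewers"},
                user_creation_mode=creation,
                group_membership_mode=membership,
            )
            # alice exists in HQ; bob does not. The IdP lists a group HQ lacks.
            for name in ("alice", "bob"):
                user = hq.sso_login(name, {"admins", "not-in-hq"})
                results[f"{creation}/{membership}/{name}"] = (
                    None if user is None else set(user.groups)
                )
    return results


if __name__ == "__main__":
    for key, groups in demo().items():
        print(f"{key:22} -> {'login refused' if groups is None else sorted(groups)}")
```

Reading the output of `demo()`: `manual/manual/bob` is refused, `sso/sso/alice` loses `viewers` because the IdP did not list it, and `not-in-hq` never appears in any result.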

SAML configuration is defined in the **config.yaml** provided to HQ. For more information on the configuration options see [here](https://docs.lenses.io/latest/deployment/hq#samlconfig).

{% code title="config.yaml" %}

```yaml
http:
  saml:
    metadata: |-
```

{% endcode %}

The following SSO / SAML providers are supported.

# Creating a Keystore

Enable SAML single sign-on by creating a keystore.

* SAML needs a keystore with a generated **key-pair**.
* SAML uses the key-pair to encrypt its communication with the IdP.

## Creating a keystore <a href="#create-a-keystore" id="create-a-keystore"></a>

Use the Java `keytool` to create one.

```bash
keytool \
 -genkeypair \
 -storetype pkcs12 \
 -keystore lenses.p12 \
 -storepass my_password \
 -alias lenses \
 -keypass my_password \
 -keyalg RSA \
 -keysize 2048 \
 -validity 10000
```

| Setting   | Definition                                                                 |
| --------- | -------------------------------------------------------------------------- |
| storetype | The type of keystore (pkcs12 is industry standard, but jks also supported) |
| keystore  | The filename of the keystore                                               |
| storepass | The password of the keystore                                               |
| alias     | The name of the key-pair                                                   |
| keypass   | The password of the key-pair (must be the same as storepass for pkcs12 stores) |
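The table's pkcs12 rule (keypass must equal storepass) is easy to get wrong when the command is templated into a deployment script, and `keytool -genkeypair` prompts for the certificate's distinguished name when `-dname` is not given, which hangs a non-interactive run. The helper below, added here and not part of Lenses HQ, builds the same `keytool` invocation as above, rejects a pkcs12 store whose two passwords differ, and adds the two follow-up commands a practitioner usually wants: `keytool -list -v` to confirm the alias and validity, and `keytool -exportcert -rfc` to export the public certificate (the part that is shared with the IdP; the private key never leaves the store). Function names and the `-dname` value are constructed for the example; only the argument builders are exercised unless `keytool` is installed.

```python
"""Build and check keytool invocations for the SAML keystore.

Added helper, not part of Lenses HQ: function names and sample values are
constructed for this example. Only the flags used on this page plus -dname,
-list, -v, -exportcert and -rfc (all standard keytool options) are used.
"""
import shutil
import subprocess
from typing import List, Optional


def genkeypair_args(keystore: str, storepass: str, alias: str, keypass: str,
                    storetype: str = "pkcs12", keysize: int = 2048,
                    validity_days: int = 10000,
                    dname: Optional[str] = None) -> List[str]:
    """Argument vector equivalent to the keytool command on this page."""
    if storetype.lower() == "pkcs12" and keypass != storepass:
        # pkcs12 stores use a single password for the store and the key
        raise ValueError("for pkcs12 stores keypass must equal storepass")
    if keysize < 2048:
        raise ValueError("RSA keys shorter than 2048 bits are too weak for SAML signing")
    args = ["keytool", "-genkeypair",
            "-storetype", storetype,
            "-keystore", keystore,
            "-storepass", storepass,
            "-alias", alias,
            "-keypass", keypass,
            "-keyalg", "RSA",
            "-keysize", str(keysize),
            "-validity", str(validity_days)]
    if dname is not None:
        # Without -dname keytool asks for the subject interactively
        args += ["-dname", dname]
    return args


def list_args(keystore: str, storepass: str, storetype: str = "pkcs12") -> List[str]:
    """Verbose listing: shows alias, key algorithm, size and validity period."""
    return ["keytool", "-list", "-v", "-storetype", storetype,
            "-keystore", keystore, "-storepass", storepass]


def exportcert_args(keystore: str, storepass: str, alias: str, out_file: str,
                    storetype: str = "pkcs12") -> List[str]:
    """Export only the public certificate in PEM form for the IdP."""
    return ["keytool", "-exportcert", "-rfc", "-storetype", storetype,
            "-keystore", keystore, "-storepass", storepass,
            "-alias", alias, "-file", out_file]


def create_keystore(keystore: str, storepass: str, alias: str,
                    dname: str) -> Optional[int]:
    """Run keytool if it is installed; returns its exit code, else None."""
    if shutil.which("keytool") is None:
        return None
    cmd = genkeypair_args(keystore, storepass, alias, storepass, dname=dname)
    return subprocess.run(cmd, check=False).returncode


if __name__ == "__main__":
    # Constructed sample values; the store password is only a placeholder.
    rc = create_keystore("lenses.p12", "my_password", "lenses",
                         "CN=lenses-saml-example")  # hypothetical subject
    print("keytool not installed" if rc is None else f"keytool exit code {rc}")
    print(" ".join(list_args("lenses.p12", "my_password")))
    print(" ".join(exportcert_args("lenses.p12", "my_password", "lenses", "lenses.crt")))
```

Run `create_keystore` once on the HQ host, then `keytool -list -v` to confirm the `lenses` alias is an RSA 2048-bit PrivateKeyEntry, and hand the exported `lenses.crt` to the IdP administrator; keep `lenses.p12` and its password with the same care as any other HQ secret.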

