# Authentication

Authentication is configured in the security configuration file. Lenses Administrator and Basic Auth do not require any configuration.

{% hint style="success" %}
Multiple authentication configurations can be used together.

Authentication settings go in **security.conf.**
{% endhint %}

The following authentication methods are available. Users, regardless of the method need to be mapped to groups.

<table data-view="cards"><thead><tr><th></th><th></th><th data-hidden data-card-cover data-type="files"></th><th data-hidden data-card-target data-type="content-ref"></th></tr></thead><tbody><tr><td><strong>Admin Account</strong></td><td>Configure the Lenses admin account.</td><td><a href="/files/Ie1wzlIdZ7Xo4CPcJAWt">/files/Ie1wzlIdZ7Xo4CPcJAWt</a></td><td><a href="/pages/GXhd2yQ9hpTNL7fMtKoQ">/pages/GXhd2yQ9hpTNL7fMtKoQ</a></td></tr><tr><td><strong>Azure AD</strong></td><td>Configure Azure AD for Lenses.</td><td><a href="/files/MsBXHlqsPfbSW8uy6GZw">/files/MsBXHlqsPfbSW8uy6GZw</a></td><td><a href="/pages/AZBypnvHiTH1NdfXw9Ky">/pages/AZBypnvHiTH1NdfXw9Ky</a></td></tr><tr><td><strong>Basic Authentication</strong></td><td>Configure basic authentication for Lenses.</td><td><a href="/files/VkY6RRwNqcMuxQL8xXlM">/files/VkY6RRwNqcMuxQL8xXlM</a></td><td><a href="/pages/JB0gA1wm6puBdLuXR0rK">/pages/JB0gA1wm6puBdLuXR0rK</a></td></tr><tr><td><strong>Custom HTTP</strong></td><td>Configure a custom HTTP endpoint for authentication with Lenses.</td><td><a href="/files/6sdaE3FPcngazbPbus8T">/files/6sdaE3FPcngazbPbus8T</a></td><td><a href="/pages/ojOf8Ehe5lznYt1vXRyt">/pages/ojOf8Ehe5lznYt1vXRyt</a></td></tr><tr><td><strong>LDAP</strong></td><td>Configure LDAP for Lenses.</td><td><a href="/files/Gku3kCLikPyUXANrWEz8">/files/Gku3kCLikPyUXANrWEz8</a></td><td><a href="/pages/Eaa9QcLGxAdf3pFeUTTG">/pages/Eaa9QcLGxAdf3pFeUTTG</a></td></tr><tr><td><strong>SAML &#x26; SSO</strong></td><td>Configure SAML &#x26; SSO for Lenses.</td><td><a href="/files/iZo0cdi4p4mqQXNKlP12">/files/iZo0cdi4p4mqQXNKlP12</a></td><td><a href="/pages/U0GlSx9tfVN7Pu52jmRy">/pages/U0GlSx9tfVN7Pu52jmRy</a></td></tr></tbody></table>

## Account Locking

For BASIC and LDAP authentication types, there is the option to set a policy to temporarily lock the account when successive login attempts fail. Once the lock time window has passed the user can log in again.

These two configuration entries enable the functionality (both of them have to be provided to take effect):

{% code title="security.conf" %}

```bash
# Number of failed login attempts before an account is locked.
lenses.security.lockout.user.attempts.max = "5"

# The time in seconds to keep the account locked.
lenses.security.lockout.user.period.sec = "600"  #10 minutes
```

{% endcode %}

## Group Mapping

A **Group** is a collection of permissions that defines the level of access for users belonging to it. Groups consist of:

* Namespaces
* Application permissions
* Administration permissions

### LDAP & Active Directory

When working with LDAP or Active Directory, user and group management is done in LDAP.

Lenses provides fine-grained role-based access (RBAC) for your existing groups of users over data and applications. Create a group in Lenses with the same name (case-sensitive) as in LDAP/AD.

### SSO & SAML

When using an SSO solution such as Azure AD, Google, Okta, OneLogin or an open source like KeyCloak user and group management is done in the Identity Provider.

Lenses provides fine-grained role-based access (RBAC) for your existing groups of users over data and applications. Create a group in Lenses with the same name (case-sensitive) as in your SSO group.

### Basic Auth

With Basic Authentication, create groups of users and add users to those groups. Authentication and authorization are fully managed, and users can change their passwords.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.lenses.io/latest/devx/5.5/deployment/configuration/iam/authentication.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.