# Overview

## Users

How users are created when logging in with SSO is determined by the [SSO User Creation Mode](https://docs.lenses.io/latest/devx/6.0/deployment/hq#ssousercreationmode). There are two modes:

1. Manual
2. SSO

With **manual** mode, only users that have been pre-created in HQ can log in.

With **sso** mode, users that do not already exist are created and logged in.

## Group Mapping

Control of how a user's group membership should be handled in relation to SSO is determined by the [SSO Group Membership Mode](https://docs.lenses.io/latest/devx/6.0/deployment/hq#ssogroupmembershipmode). There are two modes:

1. Manual
2. SSO

With the **manual** mode, the information about the group membership returned from an Identity Provider will not be used and a user will only be a member of groups that were explicitly assigned to them in HQ.

With the **sso** mode, group information from the Identity Provider (IdP) is used. On login, a user's group membership is set to the groups listed in the IdP.

{% hint style="warning" %}
Groups that do not exist in HQ are ignored.
{% endhint %}
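As an added example that is not part of the Lenses documentation, the following models how the two User Creation modes and the two Group Membership modes described above combine on a single login, so the outcome of a configuration can be checked before an IdP is wired up. `HQState`, `SamlLogin` and `resolve_login` are assumed names; the sample users and groups are constructed.

```python
from dataclasses import dataclass


@dataclass
class HQState:
    """Users pre-created in HQ (name -> groups explicitly assigned) and the groups HQ knows."""
    users: dict[str, set[str]]
    groups: set[str]


@dataclass
class SamlLogin:
    """The identity and group list an IdP asserts for one login (constructed sample input)."""
    username: str
    idp_groups: list[str]


def resolve_login(user_mode: str, group_mode: str, hq: HQState, login: SamlLogin) -> dict:
    """Apply both modes to one login and report what happened.

    user_mode:  'manual' -> only pre-created users may log in
                'sso'    -> unknown users are created on first login
    group_mode: 'manual' -> IdP groups ignored, HQ-assigned groups kept
                'sso'    -> membership replaced by the IdP groups that exist in HQ
    """
    if user_mode not in ("manual", "sso") or group_mode not in ("manual", "sso"):
        raise ValueError("modes must be 'manual' or 'sso'")
    created = False
    if login.username not in hq.users:
        if user_mode == "manual":
            return {"allowed": False, "created": False, "groups": set(), "ignored": set()}
        hq.users[login.username] = set()  # sso mode: create the user on first login
        created = True
    if group_mode == "manual":
        groups, ignored = set(hq.users[login.username]), set()
    else:
        asserted = set(login.idp_groups)
        groups = asserted & hq.groups           # only groups that exist in HQ count
        ignored = asserted - hq.groups          # unknown groups are dropped silently
        hq.users[login.username] = set(groups)  # previous HQ assignments are replaced
    return {"allowed": True, "created": created, "groups": groups, "ignored": ignored}


def sample_hq() -> HQState:
    """Constructed sample state, not taken from a real deployment."""
    return HQState(users={"alice": {"admins"}}, groups={"admins", "developers"})
```

Two outcomes worth checking in a rollout: in **sso** group mode a group assigned in HQ but absent from the IdP assertion is removed at the next login, and a new user whose IdP groups are all unknown to HQ is created with no groups at all.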

SAML configuration is defined in the **config.yaml** provided to HQ. For more information on the configuration options see [here](https://docs.lenses.io/latest/devx/6.0/deployment/hq#samlconfig).

{% code title="config.yaml" %}

```yaml
http:
  saml:
    metadata: |-
```

{% endcode %}

The following SSO / SAML providers are supported.

# Creating a Keystore

Enable SAML single sign-on by creating a keystore.

* SAML needs a keystore with a generated **key-pair**.
* SAML uses the key-pair to encrypt its communication with the IdP.

## Creating a keystore  <a href="#create-a-keystore" id="create-a-keystore"></a>

Use the Java `keytool` to create one.

```bash
keytool \
 -genkeypair \
 -storetype pkcs12 \
 -keystore lenses.p12 \
 -storepass my_password \
 -alias lenses \
 -keypass my_password \
 -keyalg RSA \
 -keysize 2048 \
 -validity 10000
```

| Setting   | Definition                                                                 |
| --------- | -------------------------------------------------------------------------- |
| storetype | The type of keystore (pkcs12 is industry standard, but jks also supported) |
| keystore  | The filename of the keystore                                               |
| storepass | The password of the keystore                                               |
| alias     | The name of the key-pair                                                   |
| keypass   | The password of the key-pair (must be the same as storepass for pkcs12 stores) |
