# Accounts

After defining roles, you can do the following:

* Create individual accounts manually
* Provision accounts from an identity provider (IdP)

This section describes how to create a new account manually. To learn how to provision Nexthink accounts from existing accounts in an IdP, refer to the [Single sign-on](https://docs.nexthink.com/platform/~/changes/Sh4xqs4GDClkDKT9Hvux/user-guide/administration/account-management/single-sign-on) documentation.

Nexthink supports both internal and external management of credentials to authenticate user accounts as follows:

| Internally managed                                    | Externally managed                                                                                                                                   |
| ----------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- |
| Password-based                                        | Single sign-on (SSO)                                                                                                                                 |
| The credentials are stored in the Nexthink data cloud | [SAML authentication](https://docs.nexthink.com/platform/~/changes/Sh4xqs4GDClkDKT9Hvux/user-guide/administration/account-management/single-sign-on) |

The process verifies the credentials by either internal or external means based on the provided login name:

* If the login name includes an `@` character, Nexthink assumes external user authentication. This username format is known as User Principal Name (UPN) and, for example, may look like this: `user.name@domain.com`. In this case, the configuration determines the external authentication method, and the account is authenticated using Security Assertion Markup Language (SAML).
* If the login name does not include an `@` character, Nexthink authenticates the account with internally stored credentials.

## Accessing accounts <a href="#accounts-accessingaccounts" id="accounts-accessingaccounts"></a>

Manually, you can only create internally managed accounts. The system creates SSO accounts automatically, using just-in-time (JIT) user provisioning.

To create an individual account:

1. Log in as an administrator using the web interface.
2. Select the **Administration** module from the main menu.
3. Under the **Account management** section, select **Accounts** to open the dashboard.
4. Select the **Add account** button in the top-right corner of the page to start the wizard.

## Setting personal data and roles <a href="#accounts-settingpersonaldataandroles" id="accounts-settingpersonaldataandroles"></a>

* **Username**: Enter the name of the user:
  * To use internal authentication, enter the account name, which will be the user login name. In this case, you cannot use the `@` character.
  * To use external authentication, enter the username in a format that includes the `@` character. If you use SAML authentication, enter the Name ID of the user, as returned by the IdP. Refer to the [Single sign-on](https://docs.nexthink.com/platform/~/changes/Sh4xqs4GDClkDKT9Hvux/user-guide/administration/account-management/single-sign-on) documentation for more information.
* **Full name**: Enter the full name when using internal authentication.
* **Email address**: Enter the user’s email address to send notifications.
* **Password**: The password field depends on the user authentication method:
  * Users define their password and configure multi-factor authentication (MFA) using the activation email that the system sends. Administrators can perform the following actions:
    * Resend the activation email if the user is not already active.
    * Reset MFA. In this case, the user has to configure MFA again during the next login.
  * Classic: If you use internal user authentication, type in a password for the user and retype it in the **Confirm password** field. The default minimum password length for an internally managed account is 8 characters; however, this requirement is configurable.
* Optional: Select the **Never automatically sign out this user while they are active** box if you want to override the session timeout control. You can configure the session timeout in the Nexthink web interface.
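
The login-name rule and the field constraints above can be checked against a list of planned accounts before they are entered in the wizard. The following is an added example, not Nexthink code: the record fields (`username`, `password`, `never_sign_out`) and the sample entries are constructed for illustration.

```python
from dataclasses import dataclass

MIN_PASSWORD_LENGTH = 8  # default stated on this page; configurable in the product


@dataclass
class PlannedAccount:             # hypothetical record, not a Nexthink schema
    username: str
    password: str = ""            # only used by classic internal authentication
    never_sign_out: bool = False  # the session-timeout override checkbox


def auth_method(username: str) -> str:
    """A login name containing '@' is authenticated externally (SAML)."""
    return "external" if "@" in username else "internal"


def review(acct: PlannedAccount, min_len: int = MIN_PASSWORD_LENGTH) -> list[str]:
    """Return findings an administrator should resolve before creating the account."""
    findings = []
    if not acct.username.strip():
        findings.append("empty username")
    if auth_method(acct.username) == "external":
        findings.append("external (SAML) login: username must match the IdP Name ID")
        if acct.password:
            findings.append("password supplied, but credentials are managed externally")
    elif acct.password and len(acct.password) < min_len:
        findings.append(f"password shorter than {min_len} characters")
    if acct.never_sign_out:
        findings.append("session timeout override enabled")
    return findings


# Constructed sample entries for illustration.
SAMPLE = [
    PlannedAccount("jdoe", "Tr0ub4dor&3x"),
    PlannedAccount("asmith", "short"),
    PlannedAccount("user.name@domain.com", "unused-secret"),
    PlannedAccount("kiosk", never_sign_out=True),
]


def review_all(accounts):
    """Map each username to its findings, omitting accounts with none."""
    return {a.username: f for a in accounts if (f := review(a))}


if __name__ == "__main__":
    for name, findings in review_all(SAMPLE).items():
        print(name, "->", "; ".join(findings))
```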

### Roles and permissions <a href="#accounts-rolesandpermissions" id="accounts-rolesandpermissions"></a>

* **Main role**: Select the account role from the drop-down list. You must create a role first to see it in the list. Refer to the [Roles](https://docs.nexthink.com/platform/~/changes/Sh4xqs4GDClkDKT9Hvux/user-guide/administration/account-management/roles) documentation for more information.
* **Additional roles**: Enter the name of one or more additional roles to assign them to the account. Additional roles are optional.

### Roles (classic) <a href="#accounts-roles-classic" id="accounts-roles-classic"></a>

Select one or several roles (classic) to grant access to Custom dashboard and Finder content, such as:

* Modules
* V6 alerts
* V6 remote actions

***

RELATED TASKS

* [Single sign-on](https://docs.nexthink.com/platform/~/changes/Sh4xqs4GDClkDKT9Hvux/user-guide/administration/account-management/single-sign-on)
* [Roles](https://docs.nexthink.com/platform/~/changes/Sh4xqs4GDClkDKT9Hvux/user-guide/administration/account-management/roles)
