Update README.md

README.md

 
-
 #### Minimal Intro:
 - [SSO](https://lmddgtfy.net/?q=SSO): Single Sign On
 - SLO: Single Log Out
@@ -80,15 +79,12 @@ If you have `nginx` serving pages to users, you might need to configure `x-frame
 
 #### Groups and Permissions
 
-Users receive groups using SSO. For this to work, you need:
-  - some groups in your django project (see `django.contrib.auth` groups)
-  - groups with exactly the same names provided by the IDP
-    - create a group in the IDM
-    - make sure IDM provides it to the IDP
-    - make sure IDP provides it to your SP
-  - you might want to predefine some groups in the project settings (see `ssoauth` default config for details)
-    - these groups will be created automatically (when migrating) and will receive the specified permissions
-    - e.g. you probably want a superuser group, see the example below
+With `ssoauth` the only way to assign permissions is with groups:
+  - when user logs in, `ssoauth` receives group names from the IDP
+  - if your project has `django.contrib.admin` `Groups` with exactly the same names, as received from the IDP, these groups are assigned to the user (`django.contrib.auth` `User` is automatically created)
+  - all other groups and permissions are automatically removed from the user (so it's not possible to "patch" what IDP says with some extra rules in the project)
+
+You can predefine some groups in  project settings (see `ssoauth` default config for details). These predefined groups will be created automatically (when migrating). For example, a superuser group:
 
 ```python
 PREDEFINED_GROUPS = {