BloodHound supports OIDC for Single Sign On to authenticate users to your tenant environment.
You can configure multiple SSO providers within your tenant if you need to. This page provides the overall steps to configure an OIDC provider within BloodHound.
First/last name and email are populated when the correct key/value are provided in the assertion payload. If omitted, these fields default to the user’s email. A role is applied when the role attribute/claim key is present and its value is a properly formatted BloodHound role.
Role values use the prefix bh- and are written in kebab-case.
See role definitions for capabilities and scopes: Users and Roles
Role            Key Value
Administrator   bh-administrator
Power User      bh-power-user
User            bh-user
Read Only       bh-read-only
Upload Only     bh-upload-only
Only a single role value is accepted in the role claim. If multiple values are received, BloodHound ignores them and applies the provider’s default role. Ensure your IdP emits only one role value.
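The claim-mapping rules above, as an added example that is not BloodHound's own code: it resolves the role to apply from a decoded claim set (single valid bh- value applied, missing or multiple values fall back to the default) and fills first/last name from email when omitted. The claim key names, the default role and the fallback for an unrecognised role value are assumptions; match them to your IdP and provider configuration.

```python
# Added example (not BloodHound's own code). Assumptions: the claim keys
# "role", "given_name", "family_name" and "email", the default role
# "bh-user", and treating an unrecognised role value as "not properly
# formatted" (so the default applies) are placeholders for your setup.

VALID_ROLES = {
    "bh-administrator", "bh-power-user", "bh-user",
    "bh-read-only", "bh-upload-only",
}


def resolve_role(claims, role_key="role", default_role="bh-user"):
    """Return the BloodHound role to apply for this login.

    Exactly one properly formatted value (bh- prefix, kebab-case) is
    applied. A missing claim, a list carrying more than one value, or a
    value that is not a known role falls back to the provider default.
    """
    value = claims.get(role_key)
    if value is None:
        return default_role
    if isinstance(value, list):
        if len(value) != 1:  # multiple values: ignored, default applied
            return default_role
        value = value[0]
    if not isinstance(value, str):
        return default_role
    return value if value in VALID_ROLES else default_role


def resolve_profile(claims, first_key="given_name", last_key="family_name"):
    """Return (first_name, last_name, email); omitted names default to email."""
    email = claims["email"]
    first = claims.get(first_key) or email
    last = claims.get(last_key) or email
    return first, last, email


# Constructed sample claim sets (not captured from a real IdP).
CLAIMS_OK = {"email": "alice@example.test", "given_name": "Alice",
             "family_name": "Smith", "role": "bh-power-user"}
CLAIMS_MULTI = {"email": "bob@example.test",
                "role": ["bh-user", "bh-administrator"]}

if __name__ == "__main__":
    print(resolve_role(CLAIMS_OK), resolve_profile(CLAIMS_OK))
    print(resolve_role(CLAIMS_MULTI), resolve_profile(CLAIMS_MULTI))
```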
Ensure you have configured an Identity Provider for BloodHound as described in Order of Operations before proceeding.
While logged in as an Administrator, open the slider on the left, then click “Administration.”
Under the “Authentication” section, choose “SSO Configuration.”
Click “Create Provider,” then ” Provider.”
Give the provider the name you used in the ACS URL (‘okta’ in this example) and upload the metadata.xml you created previously. Click “Submit.”
Automatically create new users on login
Enabling this option will have BloodHound create a new user on the first login with SSO (Just-In-Time). The user will be granted the role passed in the role claim if included; otherwise the default role will be assigned.
Allow SSO Provider to modify roles
Enabling this option allows the SSO provider to modify user roles. This is accomplished by updating the role claim associated with the user account. The role will be updated on the next login.
To have this take effect immediately, disable then re-enable the user to invalidate current sessions and force a fresh login. See User Role Mapping for role claim reference.
BloodHound will provide the URLs related to this new provider integration. Please take a moment to verify that the ACS URL matches the Single sign on URL specified in the application integration page during setup of the integration.
By default, all users utilize a username and password via the built‑in authentication service. When creating or modifying a user, you can change this setting. When creating a new user, ensure the user does not share an email address with any other users (across all authentication methods).
While logged in as an Administrator, open the slider on the left, then click “Administration.”
Under the “Users” section, choose “Manage Users.”
Locate the user you wish to configure with authentication, click the hamburger menu button on the right side of the row, then “Update User.”
In the following dialog, modify the authentication method to “Single Sign-On,” then select the appropriate SSO provider against which the user’s account can authenticate.
When Provisioning is enabled without the Modify Role option, a user’s role may be updated manually after creation.
If both Provisioning and Modify Role are enabled, role updates must come through the SSO provider (manual updates in BloodHound are disabled).