Applies to BloodHound Enterprise and CE

You can configure multiple SSO providers within your tenant if necessary. This page provides the overall steps to configure an OIDC provider within BloodHound.
Entra ID is not currently supported with BloodHound’s OIDC implementation. Use the SAML configuration instead.

Order of Operations

You must configure OIDC in BloodHound in the following order:
  1. Determine the Identity Provider (IDP) name you will use for the OIDC configuration. The same value must be configured in both the IDP and BloodHound. The BloodHound callback URL will include this value.
  2. Configure the IDP for BloodHound. See the Configure Okta guide for configuring Okta as your OIDC provider.
  3. Create the OIDC configuration in BloodHound.
  4. Create new users or modify existing users using the UI or via the newly created OIDC provider.
     Users must have an email address that is unique across all authentication methods (built-in, OIDC, SAML). Account creation fails if a duplicate email is detected.
     [Image: the error message shown when attempting to create a user with a duplicate email address.]

User Role Mapping

First name, last name, and email are populated when the correct key/value pairs are provided in the assertion payload.
If omitted, fields default to the user’s email.
A role is applied when the role attribute/claim key is present and its value is a properly formatted BloodHound role. Role values use the prefix bh- and are written in kebab-case. See Administer Users and Roles for capabilities and scopes.
Role            Key Value
Administrator   bh-administrator
Power User      bh-power-user
Auditor         bh-auditor
User            bh-user
Read Only       bh-read-only
Upload Only     bh-upload-only
Only one role can be passed per user. If multiple roles are provided, BloodHound ignores them and applies the provider’s default role.

BloodHound Icons

If your IDP supports custom icons for configured applications, please feel free to use the logos below:

Configure BloodHound

Ensure you have configured an IDP for BloodHound as described in Order of Operations before proceeding.
1. Open the SSO Configuration page

You must be logged in as an Administrator to perform this action.
In the left menu, click Administration > Authentication > SSO Configuration.
2. Select a provider type

Click Create Provider > Provider.
[Image: the SSO Configuration page with the Create Provider button highlighted.]

3. Enter provider details

Enter the provider details.
Field           Auth Type       Description
Provider Name   OIDC and SAML   Name of the SAML or OIDC application in your identity provider; must match exactly
Client ID       OIDC only       Client identifier issued by the identity provider
Issuer          OIDC only       Issuer URL from the identity provider
Metadata File   SAML only       SAML metadata XML from the identity provider
Default Role    OIDC and SAML   Role applied when the provider does not supply one
4. Save the configuration

Click Submit.

Create new users on login

Enabling this option has BloodHound create a new user on the first login with SSO (Just-In-Time provisioning). The user is granted the role passed in the role claim if one is included; otherwise the default role is assigned.
User names (first and last) are only written when the user is first created and will not be updated on subsequent logins. If users are initially created with incorrect names (e.g., email address in the first name field), you must either manually update each user in BloodHound or delete and recreate the user accounts.

Allow IDP to modify roles

Enabling this option allows the SSO provider to modify user roles. This is accomplished by updating the role claim associated with the user account. The role will be updated on the next login.
Only one role can be passed per user. If multiple roles are provided, BloodHound ignores them and applies the provider’s default role.
To have this take effect immediately, disable and then re-enable the user to invalidate current sessions and force a fresh login. See User Role Mapping for the role claim reference.

After saving, BloodHound displays the URLs related to the new provider integration. Verify that the URL matches the Single sign on URL specified in the application integration page during setup of the integration.
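As an added example (not BloodHound's own code), the following Python simulates the provisioning and role-mapping rules described under User Role Mapping and the two options above, so an administrator can sanity-check what a given set of claims would produce before enabling them. The claim key names (email, given_name, family_name, role) are assumptions; the role claim key in BloodHound is whatever you configure in your IdP.

```python
"""Added example, not BloodHound's own code: simulates the documented
SSO provisioning and role-mapping rules for a set of OIDC claims."""
from dataclasses import dataclass

# Valid BloodHound role values as documented: prefix "bh-", kebab-case.
BH_ROLES = {"bh-administrator", "bh-power-user", "bh-auditor",
            "bh-user", "bh-read-only", "bh-upload-only"}

@dataclass
class Provider:
    default_role: str
    create_on_login: bool = True       # "Create new users on login"
    idp_modifies_roles: bool = False   # "Allow IDP to modify roles"

@dataclass
class User:
    email: str
    first_name: str
    last_name: str
    role: str

def resolve_role(claims, provider):
    """One well-formed role -> that role. Missing, malformed or multiple
    roles -> the provider's default role (documented behaviour)."""
    value = claims.get("role")  # claim key name is an assumption
    if isinstance(value, (list, tuple)):
        if len(value) != 1:
            return provider.default_role
        value = value[0]
    return value if value in BH_ROLES else provider.default_role

def sso_login(claims, provider, users):
    """users: dict keyed by email across all auth methods (built-in, OIDC,
    SAML), so a duplicate email is impossible by construction. Returns the
    User after login, or None if JIT creation is disabled for a new user."""
    email = claims["email"]
    user = users.get(email)
    if user is None:
        if not provider.create_on_login:
            return None
        # Names are written only at creation; absent fields default to email.
        user = User(email, claims.get("given_name", email),
                    claims.get("family_name", email),
                    resolve_role(claims, provider))
        users[email] = user
    elif provider.idp_modifies_roles:
        # Role refreshed from the claim on later logins; names never are.
        user.role = resolve_role(claims, provider)
    return user
```

Feed it the constructed claims your IdP would send (for example `{"email": "a@example.com", "role": "bh-auditor"}`) against each Provider setting to confirm the resulting role and name fields are what you expect.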

Configure Users

By default, all users utilize a username and password via the built-in authentication service. When creating or modifying a user, you can change this setting. When creating a new user, ensure the user does not share an email address with any other users (across all authentication methods).
1. Open the Manage Users page

You must be logged in as an Administrator to perform this action.
In the left menu, click Administration > Users > Manage Users.
2. Locate a user

Locate the user you want to configure with authentication, click the hamburger menu button on the right side of the row, then Update User.
[Image: the Manage Users page with the hamburger menu button highlighted for a user.]

3. Configure the user for SSO authentication

In the Update User dialog, select the Single Sign-On authentication method, then select the appropriate SSO provider.
[Image: the Update User dialog with the Single Sign-On authentication method selected.]
  • When Provisioning is enabled without the Modify Role option, a user’s role may be updated manually after creation.
  • If both Provisioning and Modify Role are enabled, role updates must come through the SSO provider (manual updates in BloodHound are disabled).
[Image: the Update User dialog with the Single Sign-On authentication method selected and provisioning enabled.]
4. Save the user configuration

Click Save.