> ## Documentation Index
> Fetch the complete documentation index at: https://bloodhound.specterops.io/llms.txt
> Use this file to discover all available pages before exploring further.

# OIDC in BloodHound

> BloodHound supports OIDC for Single Sign On to authenticate users to your tenant environment.

export const auth_mode_4 = "OIDC"

export const auth_mode_3 = "OIDC"

export const auth_mode_2 = "OIDC"

export const auth_mode_1 = "OIDC"

export const endpoint_0 = "callback"

export const auth_mode_0 = "OIDC"

<img noZoom src="https://mintcdn.com/specterops/tTIczgde9H07oLXf/assets/enterprise-AND-community-edition-pill-tag.svg?fit=max&auto=format&n=tTIczgde9H07oLXf&q=85&s=ad49a576589f4d2a8081df77d07fdf56" alt="Applies to BloodHound Enterprise and CE" width="482" height="45" data-path="assets/enterprise-AND-community-edition-pill-tag.svg" />

You can configure multiple SSO providers within your tenant if necessary. This page provides the overall steps to configure an OIDC provider within BloodHound.

<Note>
  Entra ID is not currently supported with BloodHound's OIDC implementation. Use the [SAML configuration](/manage-bloodhound/auth/saml-entra-id) instead.
</Note>

## Order of Operations

You must configure OIDC in BloodHound in the following order:

1. Determine the Identity Provider (IDP) name you will use for the OIDC configuration.

   The same value must be configured in both the IDP and BloodHound. The BloodHound callback URL will include this value.

2. Configure the IDP for BloodHound.

   See the [Configure Okta](/manage-bloodhound/auth/oidc-okta) guide for configuring Okta as your OIDC provider.

3. Create the OIDC configuration in BloodHound.

4. Create new users or modify existing users using the UI or via the newly created OIDC provider.

   <Warning>
     {auth_mode_3} users must have an email address that is **unique** across all authentication methods (built-in, OIDC, SAML). Account creation fails if a duplicate email is detected.

     <img src="https://mintcdn.com/specterops/NGsFbT_FAx51IRIW/images/sso/create_user_fail_email.png?fit=max&auto=format&n=NGsFbT_FAx51IRIW&q=85&s=2f0017b783b1cf8e922cc5eeeb84d084" alt="A view of the error message shown when attempting to create a user with a duplicate email address." width="482" height="156" data-path="images/sso/create_user_fail_email.png" />
   </Warning>

## User Role Mapping

First name, last name, and email are populated when the correct key/value pairs are provided in the {auth_mode_4} assertion payload.

<Warning>If omitted, fields default to the user's email.</Warning>

A role is applied when the role attribute/claim key is present and its value is a properly formatted BloodHound role.

Role values use the prefix `bh-` and are written in kebab-case. See [Administer Users and Roles](/manage-bloodhound/auth/users-and-roles) for capabilities and scopes.

| **Role**      | **Key Value**    |
| ------------- | ---------------- |
| Administrator | bh-administrator |
| Power User    | bh-power-user    |
| Auditor       | bh-auditor       |
| User          | bh-user          |
| Read Only     | bh-read-only     |
| Upload Only   | bh-upload-only   |

<Note>Only one role can be passed per user. If multiple roles are provided, BloodHound ignores them and applies the provider's default role.</Note>

## BloodHound Icons

If your IDP supports custom icons for configured applications, please feel free to use the logos below:

* [Enterprise Dark-colored icon](https://raw.githubusercontent.com/SpecterOps/BloodHound-docs/main/docs/logo/BHE_PurpleField.png)
* [Enterprise Light-colored icon](https://raw.githubusercontent.com/SpecterOps/BloodHound-docs/main/docs/logo/BHE_WhiteField.png)
* [BHCE Dark-colored icon](https://raw.githubusercontent.com/SpecterOps/BloodHound-docs/main/docs/logo/BHCE_RedField.png)
* [BHCE Light-colored icon](https://raw.githubusercontent.com/SpecterOps/BloodHound-docs/main/docs/logo/BHCE_WhiteField.png)

## Configure BloodHound

Ensure you have configured an IDP for BloodHound as described in **Order of Operations** before proceeding.

<Steps>
  <Step title="Open the SSO Configuration page">
    <Note>You must be logged in as an Administrator to perform this action.</Note>

    In the left menu, click **Administration** > **Authentication** > **SSO Configuration**.
  </Step>

  <Step title="Select a provider type">
    Click **Create Provider** > **{auth_mode_0} Provider**.

    <img src="https://mintcdn.com/specterops/NGsFbT_FAx51IRIW/images/sso/create_provider.png?fit=max&auto=format&n=NGsFbT_FAx51IRIW&q=85&s=b3ffad66b779780578edf6c77d2cdb16" alt="A view of the SSO Configuration page with the Create Provider button highlighted." width="259" height="175" data-path="images/sso/create_provider.png" />
  </Step>

  <Step title="Enter provider details">
    Enter the **{auth_mode_0}** provider details.

    | Field             | Auth Type     | Description                                                                        |
    | ----------------- | ------------- | ---------------------------------------------------------------------------------- |
    | **Provider Name** | OIDC and SAML | Name of the SAML or OIDC application in your identity provider; must match exactly |
    | **Client ID**     | OIDC only     | Client identifier issued by the identity provider                                  |
    | **Issuer**        | OIDC only     | Issuer URL from the identity provider                                              |
    | **Metadata File** | SAML only     | SAML metadata XML from the identity provider                                       |
    | **Default Role**  | OIDC and SAML | Role applied when the {auth_mode_0} provider does not supply one                   |
  </Step>

  <Step title="Save the configuration">
    Click **Submit**.
  </Step>
</Steps>

### Create new users on login

Enabling this option will have BloodHound create a new user on the first login with SSO (Just-In-Time). The user will be granted the role passed in the role claim if included, else the default role will be assigned.

<Warning>
  User names (first and last) are only written when the user is first created and will not be updated on subsequent logins. If users are initially created with incorrect names (e.g., email address in the first name field), you must either manually update each user in BloodHound or delete and recreate the user accounts.
</Warning>

### Allow IDP to modify roles

Enabling this option allows the SSO provider to modify user roles. This is accomplished by updating the role claim associated with the user account. The role will be updated on the next login.

<Note>
  Only one role can be passed per user. If multiple roles are provided, BloodHound ignores them and applies the provider's default role.
</Note>

To have this take effect immediately, disable then re-enable the user to invalidate current sessions and force a fresh login. See [User Role Mapping](#user-role-mapping) for role claim reference.

BloodHound will provide the URLs related to this new {auth_mode_1} provider integration. Please take a moment to verify that the **{endpoint_0} URL** matches the **Single sign on URL** specified in the {auth_mode_1} application integration page during setup of the {auth_mode_1} integration.

## Configure Users

By default, all users utilize a username and password via the built-in authentication service. When [creating or modifying a user](/manage-bloodhound/auth/users-and-roles), you can change this setting.

When creating a new {auth_mode_2} user, ensure the {auth_mode_2} user does not share an email address with any other users (across all authentication methods).

<Steps>
  <Step title="Open the Manage Users page">
    <Note>You must be logged in as an Administrator to perform this action.</Note>

    In the left menu, click **Administration** > Users > **Manage Users**.
  </Step>

  <Step title="Locate a user">
    Locate the user you want to configure with authentication, click the hamburger menu button on the right side of the row, then **Update User**.

    <img src="https://mintcdn.com/specterops/NGsFbT_FAx51IRIW/images/sso/user_hamburger.png?fit=max&auto=format&n=NGsFbT_FAx51IRIW&q=85&s=efc7f462fe68f224d138e35a09294e1d" alt="A view of the Manage Users page with the hamburger menu button highlighted for a user." width="346" height="275" data-path="images/sso/user_hamburger.png" />
  </Step>

  <Step title="Configure the user for SSO authentication">
    In the **Update User** dialog, select the **Single Sign-On** authentication method, then select the appropriate SSO provider.

    <img src="https://mintcdn.com/specterops/NGsFbT_FAx51IRIW/images/sso/update_user_no_provision.png?fit=max&auto=format&n=NGsFbT_FAx51IRIW&q=85&s=04e32ae965927a6345559ad370fcd658" alt="A view of the Update User dialog with the Single Sign-On authentication method selected." width="601" height="549" data-path="images/sso/update_user_no_provision.png" />

    * When Provisioning is enabled without the Modify Role option, a user's role may be updated manually after creation.

    * If both Provisioning and Modify Role are enabled, role updates must come through the SSO provider (manual updates in BloodHound are disabled).

          <img src="https://mintcdn.com/specterops/NGsFbT_FAx51IRIW/images/sso/update_user_with_provision.png?fit=max&auto=format&n=NGsFbT_FAx51IRIW&q=85&s=0d298ad2ad881cc5b6911d5442dfccf2" alt="A view of the Update User dialog with the Single Sign-On authentication method selected and provisioning enabled." width="592" height="277" data-path="images/sso/update_user_with_provision.png" />
  </Step>

  <Step title="Save the user configuration">
    Click **Save**.
  </Step>
</Steps>