Applies to BloodHound Enterprise and CE You may configure multiple SAML providers within your tenant if necessary. This page provides the overall steps to configure a SAML provider within BloodHound. We have provided walkthroughs for creating the configuration within the provider for your convenience.

Order of Operations

Currently, BloodHound requires the configuration of SAML system in the following order:
  1. Determine the Provider Name you will utilize for the SAML configuration.
    • The same value must be configured in both the Identity Provider and BloodHound.
  2. Configure Identity Provider for BloodHound.
  3. Create the SAML Configuration in BloodHound.
  4. Create new users or modify existing users using the UI or via the newly created SAML provider.

SAML Attribute Quick Reference

Data Type
Value
IDP Name Formaturn:oasis:names:tc:SAML:2.0:attrname-format:uri
Required SAML AttributesEither of the following will map to the user’s email address in BloodHound:

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

urn:oid:0.9.2342.19200300.100.1.3
Optional SAML AttributesThe following will map to the user’s first name in BloodHound:

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

-The following will map to the user’s last name in BloodHound:

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname

-The following will map to the user role in BloodHound:

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role

User Role Mapping

First/last name and email are populated when the correct key/value are provided in the assertion payload. If omitted, fields default to the user’s email. A role is applied when the roles key is present and its value is a properly formatted BloodHound role. Role values use the prefix bh- and are written in kebab-case.
See role definitions for capabilities and scopes: Users and Roles
RoleKey Value
Administratorbh-administrator
Power Userbh-power-user
Userbh-user
Read Onlybh-read-only
Upload Onlybh-upload-only
Only one role will be accepted in the roles claim. If more than one role is provided, the provider default role will apply.

BloodHound Icons

If your IDP supports custom icons for configured applications, please feel free to utilize the logos below:

Create the Configuration

Ensure you have configured an Identity Provider for BloodHound as described in Order of Operations before proceeding.
  1. While logged in as an Administrator, open the slider on the left, then click “Administration.”
  1. Under the “Authentication” section, choose “SSO Configuration.”
  1. Click “Create Provider,” then ” Provider.”
  1. Give the provider the name you used in the ACS URL (‘okta’ in this example) and upload the metadata.xml you created previously. Click “Submit.”
Automatically create new users on login Enabling this option will have BloodHound create a new user on the first login with SSO (Just-In-Time). The user will be granted the role passed in the roles claim if included, else the default role will be assigned. Allow SSO Provider to modify roles Enabling this option allows the SSO provider to modify user roles. This is accomplished by updating the role claim associated with the user account. The role will be updated on the next login. To have this take effect immediately, disable then re-enable the user to invalidate current sessions and force a fresh login. See User Role Mapping for roles claim reference.
  1. BloodHound will provide the URLs related to this new provider integration. Please take a moment to verify that the ACS URL matches the Single sign on URL specified in the application integration page during setup of the integration.

Configure Users for Authentication

By default, all users utilize a username and password via the built‑in authentication service. When creating or modifying a user, you can change this setting. When creating a new user, ensure the user does not share an email address with any other users (across all authentication methods).
  1. While logged in as an Administrator, open the slider on the left, then click “Administration.”
  1. Under “Users” section, choose “Manage Users.”
  1. Locate the user you wish to configure with authentication, click the hamburger menu button on the right side of the row, then “Update User.”
  1. In the following dialog, modify the authentication method to “Single Sign-On,” then select the appropriate SSO provider against which the user’s account can authenticate.
  • When Provisioning is enabled without the Modify Role option, a user’s role may be updated manually after creation.
  • If both Provisioning and Modify Role are enabled, role updates must come through the SSO provider (manual updates in BloodHound are disabled).
  1. Click “Save.”