Order of Operations
Currently, BloodHound requires the SAML system to be configured in the following order:
- Determine the Provider Name you will use for the SAML configuration.
  - The same value must be configured in both the Identity Provider and BloodHound.
- Configure the Identity Provider for BloodHound.
- Create the SAML Configuration in BloodHound.
- Create new users or modify existing users in the UI so that they authenticate via the newly created SAML provider.
SAML Attribute Quick Reference
Data Type | Value |
---|---|
IDP Name Format | urn:oasis:names:tc:SAML:2.0:attrname-format:uri |
Required SAML Attributes | Either of the following maps to the user’s email address in BloodHound: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress or urn:oid:0.9.2342.19200300.100.1.3 |
Optional SAML Attributes | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name maps to the user’s first name; http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname maps to the user’s last name; http://schemas.microsoft.com/ws/2008/06/identity/claims/role maps to the user role in BloodHound |
User Role Mapping
First name, last name and email are populated when the corresponding attribute key/value pairs are present in the assertion payload. If the name attributes are omitted, those fields default to the user’s email. A role is applied when the role attribute/claim key is present and its value is a properly formatted BloodHound role. Role values use the prefix bh- and are written in kebab-case.
See role definitions for capabilities and scopes: Users and Roles
Role | Key Value |
---|---|
Administrator | bh-administrator |
Power User | bh-power-user |
User | bh-user |
Read Only | bh-read-only |
Upload Only | bh-upload-only |
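The mapping rules above (either email attribute is accepted, names fall back to the email, and a role is applied only when its value is a properly formatted bh- role) are shown below in an added Python example. This is not BloodHound’s own code; the two assertions are constructed samples, and treating an assertion that carries two different valid bh- roles as an error is this example’s own choice, since the page does not say how BloodHound resolves that case.

```python
# Added example (not BloodHound's code): map the SAML attributes listed on
# this page onto BloodHound user fields. Sample assertions are constructed.
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute names from the SAML Attribute Quick Reference table.
EMAIL_ATTRS = (
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "urn:oid:0.9.2342.19200300.100.1.3",
)
FIRST_NAME_ATTR = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
LAST_NAME_ATTR = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
ROLE_ATTR = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

# Role key values from the User Role Mapping table: prefix bh-, kebab-case.
VALID_ROLES = frozenset({
    "bh-administrator", "bh-power-user", "bh-user", "bh-read-only", "bh-upload-only",
})


def extract_attributes(assertion_xml: str) -> dict:
    """Return {attribute Name: [values]} from the assertion's AttributeStatement.

    A real service provider reads attributes only after the assertion's XML
    signature, audience and validity window have been verified.
    """
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", SAML_NS)
                  if v.text and v.text.strip()]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def _first_value(attrs: dict, name: str):
    values = attrs.get(name) or []
    return values[0] if values else None


def map_user(attrs: dict) -> dict:
    """Apply the page's mapping rules to the parsed attributes."""
    # Either email attribute satisfies the requirement; the first one present wins.
    email = next((v for v in (_first_value(attrs, a) for a in EMAIL_ATTRS) if v), None)
    if email is None:
        raise ValueError("no email attribute in assertion; user cannot be mapped")

    # First/last name fall back to the email when the claim is omitted.
    first_name = _first_value(attrs, FIRST_NAME_ATTR) or email
    last_name = _first_value(attrs, LAST_NAME_ATTR) or email

    # Only properly formatted bh- values count as a role; anything else
    # (e.g. "Administrator" or a group DN) is ignored. Rejecting two different
    # valid roles in one assertion is this example's choice, not documented behaviour.
    roles = {v for v in attrs.get(ROLE_ATTR, []) if v in VALID_ROLES}
    if len(roles) > 1:
        raise ValueError(f"assertion names conflicting roles: {sorted(roles)}")
    role = roles.pop() if roles else None

    return {"email": email, "first_name": first_name, "last_name": last_name, "role": role}


# Constructed sample: all claims present, role in the correct bh- format.
FULL_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example1" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
                    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
      <saml:AttributeValue>Alice</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
      <saml:AttributeValue>Example</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
      <saml:AttributeValue>bh-read-only</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed sample: OID-form email only, names omitted, role not in bh- format.
MINIMAL_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example2" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3">
      <saml:AttributeValue>bob@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
      <saml:AttributeValue>Administrator</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    for sample in (FULL_ASSERTION, MINIMAL_ASSERTION):
        print(map_user(extract_attributes(sample)))
```

Running the block prints the mapped user for each sample: the first yields a read-only user named Alice Example, the second yields bob@example.com with both name fields set to the email and no role, because “Administrator” is not a bh- kebab-case value.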
BloodHound Icons
If your IDP supports custom icons for configured applications, feel free to use the logos below:
- Enterprise Dark-colored icon
- Enterprise Light-colored icon
- BHCE Dark-colored icon
- BHCE Light-colored icon
Create the Configuration
Ensure you have configured an Identity Provider for BloodHound as described in Order of Operations before proceeding.
- While logged in as an Administrator, open the slider on the left, then click “Administration.”
- Under the “Authentication” section, choose “SSO Configuration.”
- Click “Create Provider,” then ” Provider.”
- Give the provider the name you used in the ACS URL (‘okta’ in this example) and upload the metadata.xml you created previously. Click “Submit.”
- BloodHound will display the URLs related to this new provider integration. Take a moment to verify that the ACS URL matches the Single sign on URL specified in the application integration page during setup of the integration.
Configure Users for Authentication
By default, all users authenticate with a username and password via the built‑in authentication service. When creating or modifying a user, you can change this setting. When creating a new user, ensure the user does not share an email address with any other user (across all authentication methods).
- While logged in as an Administrator, open the slider on the left, then click “Administration.”
- Under the “Users” section, choose “Manage Users.”
- Locate the user you wish to configure for SSO authentication, click the hamburger menu button on the right side of the row, then “Update User.”
- In the following dialog, change the authentication method to “Single Sign-On,” then select the SSO provider against which the user’s account will authenticate.
  - When Provisioning is enabled without the Modify Role option, a user’s role may be updated manually after creation.
  - If both Provisioning and Modify Role are enabled, role updates must come through the SSO provider (manual updates in BloodHound are disabled).
- Click “Save.”