
# SAML: Entra ID Configuration

> This document provides instructions for creating an application within Entra ID for compatibility with BloodHound Enterprise.

export const IDPIntro = ({auth_mode}) => {
  const mode = (auth_mode || '').toUpperCase();
  const isOIDC = mode === 'OIDC';
  const href = isOIDC ? '/manage-bloodhound/auth/oidc' : '/manage-bloodhound/auth/saml';
  const label = isOIDC ? 'OIDC' : 'SAML';
  return <Tip>
      See <a href={href}>{label} in BloodHound</a> for order of operations, general {label} setup, and user configuration in BloodHound.
    </Tip>;
};

<img noZoom src="https://mintcdn.com/specterops/tTIczgde9H07oLXf/assets/enterprise-AND-community-edition-pill-tag.svg?fit=max&auto=format&n=tTIczgde9H07oLXf&q=85&s=ad49a576589f4d2a8081df77d07fdf56" alt="Applies to BloodHound Enterprise and CE" width="482" height="45" data-path="assets/enterprise-AND-community-edition-pill-tag.svg" />

<IDPIntro auth_mode="SAML" />

## Create an Enterprise Application

1. Log in to the Azure portal at [https://portal.azure.com](https://portal.azure.com).
2. Navigate to the **Enterprise Applications** section of Entra ID.

<Frame>
  <img src="https://mintcdn.com/specterops/TwsBcJyEWw_Zwex2/assets/image-2-44.png?fit=max&auto=format&n=TwsBcJyEWw_Zwex2&q=85&s=9dd075e843935a34e3b24a2825a7472e" width="430" height="207" data-path="assets/image-2-44.png" />
</Frame>

3. Click **New Application**.

<Frame>
  <img src="https://mintcdn.com/specterops/TwsBcJyEWw_Zwex2/assets/image-2-46.png?fit=max&auto=format&n=TwsBcJyEWw_Zwex2&q=85&s=e0d6eb0f745d19c12cbefcbce0daa093" width="564" height="171" data-path="assets/image-2-46.png" />
</Frame>

4. Click **Create your own application**.

<Frame>
  <img src="https://mintcdn.com/specterops/TwsBcJyEWw_Zwex2/assets/image-2-47.png?fit=max&auto=format&n=TwsBcJyEWw_Zwex2&q=85&s=6f022e827d43aa75a8e4e53ea213bcd6" width="484" height="231" data-path="assets/image-2-47.png" />
</Frame>

5. Provide a name for your application and click **Create**.

<Frame>
  <img src="https://mintcdn.com/specterops/TwsBcJyEWw_Zwex2/assets/image-2-48.png?fit=max&auto=format&n=TwsBcJyEWw_Zwex2&q=85&s=24190f64a919ba1d39b1514248a48e89" width="573" height="850" data-path="assets/image-2-48.png" />
</Frame>

## Configure Single Sign-On Settings

1. Your browser should redirect you to your newly created application. Click on **Single sign-on**.

<Frame>
  <img src="https://mintcdn.com/specterops/TwsBcJyEWw_Zwex2/assets/image-2-49.png?fit=max&auto=format&n=TwsBcJyEWw_Zwex2&q=85&s=f8877424f289306894b9757a00bef9f2" width="406" height="498" data-path="assets/image-2-49.png" />
</Frame>

2. Click on **SAML**.

<Frame>
  <img src="https://mintcdn.com/specterops/TwsBcJyEWw_Zwex2/assets/image-2-50.png?fit=max&auto=format&n=TwsBcJyEWw_Zwex2&q=85&s=55e7f71e5f81711262c80d13672bceae" width="370" height="199" data-path="assets/image-2-50.png" />
</Frame>

3. Click **Edit** under the Basic SAML Configuration section.

<Frame>
  <img src="https://mintcdn.com/specterops/TwsBcJyEWw_Zwex2/assets/image-2-51.png?fit=max&auto=format&n=TwsBcJyEWw_Zwex2&q=85&s=aba8d2efe75c8bd1a95d9358c64d6869" width="760" height="226" data-path="assets/image-2-51.png" />
</Frame>

4. Configure the basic SAML settings. The values depend on your BloodHound tenant and on the name you give the SAML provider in BloodHound; the following screenshot shows a tenant with the codename "demo" and a provider named "entra". Substitute your own tenant codename and provider name, then click **Save**.

<Frame>
  <img src="https://mintcdn.com/specterops/TwsBcJyEWw_Zwex2/assets/image-2-52.png?fit=max&auto=format&n=TwsBcJyEWw_Zwex2&q=85&s=f5f225795baddeccbab93b6bc9219f7f" width="793" height="651" data-path="assets/image-2-52.png" />
</Frame>

5. Azure will inform you the settings have saved successfully.

<Frame>
  <img src="https://mintcdn.com/specterops/TwsBcJyEWw_Zwex2/assets/image-2-53.png?fit=max&auto=format&n=TwsBcJyEWw_Zwex2&q=85&s=89b88c7355836b3552eda63317552446" width="358" height="77" data-path="assets/image-2-53.png" />
</Frame>

6. Click the **X** to close the dialog.

<Frame>
  <img src="https://mintcdn.com/specterops/TwsBcJyEWw_Zwex2/assets/image-2-54.png?fit=max&auto=format&n=TwsBcJyEWw_Zwex2&q=85&s=7e007f19ed1d94db80bb43d7bf35d845" width="859" height="250" data-path="assets/image-2-54.png" />
</Frame>

7. Scroll down to the **SAML Certificates** section and download the **Federation Metadata XML**. This file carries the tenant-specific issuer, the sign-on URL and the certificate Entra signs assertions with; it is the file referred to as metadata.xml below.

<Frame>
  <img src="https://mintcdn.com/specterops/TwsBcJyEWw_Zwex2/assets/image-2-55.png?fit=max&auto=format&n=TwsBcJyEWw_Zwex2&q=85&s=7da4112f079b6aaa57ab7cfecfe75a53" width="765" height="408" data-path="assets/image-2-55.png" />
</Frame>

8. Use the **Users and groups** section to assign the users and groups that should be able to sign in to BloodHound through this application. With **Assignment required** enabled on the application's **Properties** page, only these assigned principals can authenticate; with it disabled, any user in the tenant can reach the application.

<Frame>
  <img src="https://mintcdn.com/specterops/TwsBcJyEWw_Zwex2/assets/image-2-56.png?fit=max&auto=format&n=TwsBcJyEWw_Zwex2&q=85&s=e2a034f23e2a711f832b551d9d690a99" width="436" height="371" data-path="assets/image-2-56.png" />
</Frame>

9. Use the downloaded metadata.xml file and follow the instructions at [SAML in BloodHound](/manage-bloodhound/auth/saml) to create the SAML configuration in BloodHound.

## Troubleshooting

Verify that each entry under **Attributes & Claims** uses a full schema URI as its claim name (for example, Entra's default `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress`) and that one such claim is mapped to the `user.mail` source attribute, as in the example below. BloodHound resolves the signed-in user by the email address carried in the assertion, so an assertion with no usable email claim (missing, unmapped, or named without its schema) causes the authentication attempt to fail with the response: "*assertion does not meet requirements for user lookup*".

<Frame>
  <img src="https://mintcdn.com/specterops/TwsBcJyEWw_Zwex2/assets/image-2-57.png?fit=max&auto=format&n=TwsBcJyEWw_Zwex2&q=85&s=77acb3afc450d64dd4b0aea640f3f18c" width="1075" height="988" data-path="assets/image-2-57.png" />
</Frame>
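When the error above appears, the quickest way to see what Entra actually sent is to decode the `SAMLResponse` form value from the browser's network log and list the attribute names in the assertion. The script below is an added example, not BloodHound's code: it approximates BloodHound's email lookup by accepting Entra's default `emailaddress` claim or the LDAP `mail` OID, a list that is an assumption to confirm against your BloodHound version. Both responses in it are constructed, unsigned samples in the shape Entra emits; the "bad" one reproduces the misconfiguration described above, a claim named `mail` without a schema URI.

```python
"""Decode a SAMLResponse and check for the email claim BloodHound needs."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Claim names treated as the user's email. Assumption: confirm the exact set your
# BloodHound version accepts; the first is Entra's default emailaddress claim.
EMAIL_CLAIMS = (
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "urn:oid:0.9.2342.19200300.100.1.3",
)
LOOKUP_ERROR = "assertion does not meet requirements for user lookup"
PLACEHOLDER_TENANT = "11111111-2222-3333-4444-555555555555"


def _constructed_response(email_claim_name):
    """Build a constructed, unsigned Entra-style response (not a captured one)."""
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>https://sts.windows.net/{PLACEHOLDER_TENANT}/</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="{email_claim_name}">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
        <saml:AttributeValue>{PLACEHOLDER_TENANT}</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


# Good: Entra's default emailaddress claim mapped to user.mail.
GOOD_RESPONSE = base64.b64encode(_constructed_response(EMAIL_CLAIMS[0]).encode()).decode()
# Bad: claim renamed to bare "mail" with no schema URI, which the lookup cannot match.
BAD_RESPONSE = base64.b64encode(_constructed_response("mail").encode()).decode()


def assertion_claims(b64_response):
    """Return {claim name: [values]} for every attribute in the assertion."""
    root = ET.fromstring(base64.b64decode(b64_response))
    claims = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        claims[attr.get("Name")] = values
    return claims


def email_from_saml_response(b64_response):
    """Return the email the lookup would use, or raise ValueError with the error text."""
    claims = assertion_claims(b64_response)
    for name in EMAIL_CLAIMS:
        if claims.get(name):
            return claims[name][0]
    raise ValueError(f"{LOOKUP_ERROR}; claims present: {sorted(claims)}")


def diagnose(b64_response):
    """(True, email) when the lookup would succeed, else (False, error message)."""
    try:
        return True, email_from_saml_response(b64_response)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Paste the SAMLResponse form value from the browser's network log in place of these.
    for label, response in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        print(label, diagnose(response))
```

The failure message lists the claim names that were present, which makes the fix obvious: either the email claim is absent because `user.mail` is empty for that account, or it is present under a name BloodHound does not recognise and needs its schema prefix restored in **Attributes & Claims**.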
