SAML: Entra ID Configuration

Note: This article applies to BHCE and BHE.

This document provides instructions for creating an application within Entra ID for compatibility with BloodHound Enterprise. For general instructions on adding a SAML provider to BloodHound Enterprise or for configuring users to utilize a SAML provider, see SAML in BloodHound Enterprise.

See SAML Order of Operations and Quick Reference before starting.

SAML Settings

The following SAML settings are required for Entra ID to integrate with BloodHound Enterprise:

SAML Setting: Identifier (Entity ID)
Value:        https://<DOMAIN>.bloodhoundenterprise.io/api/v1/login/saml/<PROVIDER-NAME>

SAML Setting: Reply URL (Assertion Consumer Service URL)
Value:        https://<DOMAIN>.bloodhoundenterprise.io/api/v1/login/saml/<PROVIDER-NAME>/acs

SAML Setting: Sign On URL (Optional)
Value:        https://<DOMAIN>.bloodhoundenterprise.io/api/v1/login/saml/<PROVIDER-NAME>

In each value:

  <DOMAIN>: the subdomain of your tenant URL.
  <PROVIDER-NAME>: the name chosen for the SAML provider within the BloodHound Enterprise configuration.

Create an Enterprise Application

  1. Log in to Azure at https://portal.azure.com
  2. Navigate to the Enterprise Applications section of Entra ID.
  3. Click New Application.
  4. Click Create your own application.
  5. Provide a name for your application and click Create.

Configure Single Sign-On Settings

  1. Your browser should redirect you to your newly created application. Click on Single sign-on.
  2. Click on SAML.
  3. Click Edit under the Basic SAML Configuration section.
  4. Configure the SAML settings using the values from the SAML Settings table above, then save. In the following screenshot the tenant codename is "demo" and the provider name is "azure".
  5. Azure will inform you the settings have saved successfully.
  6. Click the X to close the dialog.
  7. Scroll down to the SAML Certificates section and download the Metadata XML.
  8. Use the Users and Groups section to configure the groups and users that you would like to grant access to BloodHound Enterprise.
  9. Use the downloaded metadata.xml file and follow the instructions in SAML in BloodHound Enterprise to create the SAML configuration in BloodHound.

Troubleshooting

Verify that your attributes and claims use a proper schema in the claim name and that you have a properly mapped claim for "user.mail", as in the example below. An indicator that this is necessary is an authentication attempt returning the response: "assertion does not meet requirements for user lookup".
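The following script is an added example, not part of this page or of the BloodHound project, that ties the SAML Settings table to this troubleshooting step. It derives the Entity ID and ACS URL from the tenant subdomain and provider name ("demo" and "azure", as in the screenshot above), then inspects a SAML Response captured from a failed login and reports the content mismatches that typically produce "assertion does not meet requirements for user lookup": a Destination or Recipient that is not the Reply URL, an Audience that is not the Entity ID, and claim names that are bare labels rather than schema URIs. The sample response is constructed and unsigned, and the script checks content only, not the XML signature. The email claim name it expects is Entra ID's default claim for user.mail; that BloodHound looks up exactly this URI is an assumption, since the page does not name it.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Entra ID's default claim name for user.mail. Assumed here to be the claim
# BloodHound looks up; the page itself does not state the exact URI.
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"


def expected_urls(domain: str, provider: str) -> dict:
    """Entity ID and ACS URL exactly as the SAML Settings table derives them."""
    base = f"https://{domain}.bloodhoundenterprise.io/api/v1/login/saml/{provider}"
    return {"entity_id": base, "acs_url": base + "/acs"}


def check_response(xml_text: str, domain: str, provider: str) -> list:
    """Return the problems found in a SAML Response. An empty list means the
    Destination, Audience and Recipient match the expected URLs and a
    schema-qualified email claim is present."""
    want = expected_urls(domain, provider)
    root = ET.fromstring(xml_text)
    problems = []

    dest = root.get("Destination")
    if dest != want["acs_url"]:
        problems.append(f"Destination {dest!r} is not the ACS URL {want['acs_url']!r}")

    aud = root.findtext(".//saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if aud != want["entity_id"]:
        problems.append(f"Audience {aud!r} is not the Entity ID {want['entity_id']!r}")

    scd = root.find(".//saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != want["acs_url"]:
        problems.append(f"Recipient {recipient!r} is not the ACS URL {want['acs_url']!r}")

    names = [a.get("Name") for a in root.findall(".//saml:Attribute", NS)]
    if EMAIL_CLAIM not in names:
        problems.append(f"no attribute named {EMAIL_CLAIM!r}; found {names}")
    for name in names:
        # Claim names must be schema URIs, not bare labels such as "email".
        if not (name.startswith("http://") or name.startswith("https://") or name.startswith("urn:")):
            problems.append(f"claim name {name!r} is not schema-qualified")
    return problems


def sample_response(recipient: str, claim_name: str, domain="demo", provider="azure") -> str:
    """Constructed, unsigned SAML Response used only to illustrate the checks."""
    want = expected_urls(domain, provider)
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    Destination="{want['acs_url']}">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{recipient}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>{want['entity_id']}</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{claim_name}">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    urls = expected_urls("demo", "azure")
    good = sample_response(urls["acs_url"], EMAIL_CLAIM)
    # Reply URL entered without "/acs" and the claim named plainly "email".
    bad = sample_response(urls["entity_id"], "email")
    print("good:", check_response(good, "demo", "azure") or "no problems")
    print("bad: ", check_response(bad, "demo", "azure"))
```

Run it against a real response by decoding the base64 SAMLResponse form field from the failed login and passing the XML to check_response with your own subdomain and provider name; each reported line points at the Basic SAML Configuration field or claim mapping to correct in Entra ID.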
