OIDC in BloodHound

This article applies to BHCE and BHE

BloodHound supports OIDC for Single Sign On to authenticate users to your tenant environment. This integration only provides authentication; user creation and role management will still occur within BloodHound's "Manage Users" interface.

You can configure multiple SSO providers within your tenant if you need to.

This page provides the overall steps to configure an OIDC provider within BloodHound.

Order of Operations

Currently, BloodHound requires that an OIDC provider be configured in the following order:

  1. Determine the Provider Name you will utilize for the OIDC configuration.
    • The exact value must be configured in both the Identity Provider and BloodHound.
  2. Configure the Identity Provider for BloodHound.
    • You will need the Client ID and Issuer provided by your IDP to move forward.
  3. Create the OIDC Configuration in BloodHound.
  4. Create new users or modify existing users to utilize the newly created OIDC provider.
    • You must ensure OIDC users do not share an email address with built-in or SAML users.

BloodHound Icons

If your IDP supports custom icons for configured applications, please feel free to utilize either of the two logos below:

Create the OIDC Configuration

Before proceeding, please make sure you have set up an Identity Provider for BloodHound as described in the Order of Operations.

  1. While logged in as an Administrator, click on the gear icon in the top right, then click "Administration."
  2. Under the "Authentication" section, choose "SAML Configuration."
  3. Click "Create Provider," then "OIDC Provider."
  4. Give the OIDC provider the name you configured in your Identity Provider ('test-idp' in this example) and provide the Client ID and Issuer from your IDP. Click "Submit."
  5. BloodHound will provide the URLs related to this new OIDC provider integration.

Configure Users for OIDC Authentication

By default, all users authenticate with a username and password via the built-in authentication service. When creating or modifying a user, you will be given the option to change this setting. When you create a new OIDC user, you must ensure the OIDC user does not share an email address with any built-in users.

  1. While logged in as an Administrator, click on the gear icon in the top right, then click "Administration."
  2. Under the "Authentication" section, choose "SAML Configuration."
  3. Locate the user you wish to configure for OIDC authentication, click the hamburger menu button on the right side of the row, then "Update User."
  4. In the following dialog, modify the authentication method to "Single Sign-On," then select the appropriate SSO provider against which the user's account can authenticate.
  5. Click "Save."
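A pre-flight check for the two constraints this page imposes (the provider name must match the IdP value exactly, and OIDC users must not share an email address with built-in or SAML users), as an added Python example that is not BloodHound's own code. The user records, the provider values and the requirement that the issuer be an https URL are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class User:
    email: str
    auth_method: str                    # "builtin", "saml" or "oidc"
    sso_provider: Optional[str] = None  # provider name for SSO users

@dataclass(frozen=True)
class OidcProvider:
    name: str       # must equal the name configured at the IdP, exactly
    client_id: str
    issuer: str

def check_provider(provider: OidcProvider, idp_app_name: str) -> list:
    """Problems with a BloodHound OIDC provider entry before submitting it."""
    problems = []
    if provider.name != idp_app_name:  # exact match, case included
        problems.append(f"provider name {provider.name!r} != IdP value {idp_app_name!r}")
    if not provider.client_id:
        problems.append("client_id is empty")
    if not provider.issuer.startswith("https://"):  # assumed policy, not a BloodHound rule
        problems.append(f"issuer {provider.issuer!r} is not an https URL")
    return problems

def find_email_collisions(users) -> list:
    """(email, methods) where an OIDC user shares an address with built-in or SAML users."""
    methods_by_email = {}
    for u in users:  # compare addresses case-insensitively and ignore stray whitespace
        methods_by_email.setdefault(u.email.strip().lower(), set()).add(u.auth_method)
    return sorted((email, sorted(m)) for email, m in methods_by_email.items()
                  if "oidc" in m and m != {"oidc"})

def find_unknown_providers(users, providers) -> list:
    """Emails of SSO users whose provider name is not configured in BloodHound."""
    known = {p.name for p in providers}
    return sorted(u.email for u in users
                  if u.auth_method in ("saml", "oidc") and u.sso_provider not in known)

# Constructed sample data, not taken from a real tenant
PROVIDER = OidcProvider("test-idp", "CLIENT-ID-PLACEHOLDER", "https://idp.example.com")
SAMPLE_USERS = [
    User("alice@example.com", "builtin"),
    User("Alice@Example.com", "oidc", "test-idp"),  # same mailbox as the built-in user
    User("bob@example.com", "saml", "corp-saml"),   # provider name not configured above
    User("carol@example.com", "oidc", "test-idp"),
]

if __name__ == "__main__":
    print(check_provider(PROVIDER, "test-idp"))              # []
    print(find_email_collisions(SAMPLE_USERS))               # [('alice@example.com', ['builtin', 'oidc'])]
    print(find_unknown_providers(SAMPLE_USERS, [PROVIDER]))  # ['bob@example.com']
```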
