SAML in BloodHound

This article applies to BHCE and BHE

BloodHound supports SAML 2.0 Single Sign-On for authenticating users to your tenant environment. This integration provides authentication only: user creation and role management still happen in BloodHound's "Manage Users" interface, so a user must exist in BloodHound (and be assigned to the SAML provider) before the Identity Provider can sign them in.

You may configure multiple SAML providers within your tenant if necessary.

This page provides the overall steps to configure a SAML provider within BloodHound. Separate walkthroughs cover the provider-side configuration for specific Identity Providers.

Order of Operations

Currently, BloodHound requires the SAML integration to be configured in the following order:

  1. Determine the Provider Name you will use for the SAML configuration. This value is configured in both the Identity Provider and BloodHound, and it becomes part of the ACS URL and SP Entity ID, so it must match exactly in both places.
  2. Configure the Identity Provider for BloodHound.
  3. Configure BloodHound to use SAML.
  4. Create new users or modify existing users to use the newly created SAML provider.
    • You must ensure SAML users do not share an email address with built-in users.

SAML Attribute Quick Reference

IDP Name Format:
  urn:oasis:names:tc:SAML:2.0:attrname-format:uri

Required SAML Attributes:
  Either of the following attribute names, sent in the URI name format above, will map to the user's email address in BloodHound:
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
    urn:oid:0.9.2342.19200300.100.1.3

Tenant Callback URL (ACS URL; Okta calls this the "Single sign on URL"):
  https://<DOMAIN>.bloodhoundenterprise.io/api/v1/login/saml/<PROVIDER-NAME>/acs

SP Entity ID:
  https://<DOMAIN>.bloodhoundenterprise.io/api/v1/login/saml/<PROVIDER-NAME>

Where:
  <DOMAIN>: the subdomain of your tenant URL.
  <PROVIDER-NAME>: the name chosen for the SAML provider within the BloodHound configuration.

For BHCE, replace https://<DOMAIN>.bloodhoundenterprise.io with the base URL of your own BloodHound instance; the path portion of both URLs is the same.
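The values in the quick reference are the ones most often mis-typed on the Identity Provider side, and a mismatch usually surfaces only as a failed login. The script below is an added example, not BloodHound's own code or any project tool: it builds the ACS URL and SP Entity ID from a base URL and provider name, then inspects a SAML Response to confirm the Destination, Recipient and Audience match those values and that the email is delivered under one of the two accepted attribute names in the URI name format. The sample responses it parses are constructed inline for the purpose; the tenant name "example" and provider name "okta" are placeholders.

```python
"""Check a SAML Response against the values BloodHound expects (added example)."""
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
URI_NAME_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
# Either attribute name maps to the user's email address in BloodHound.
EMAIL_ATTRIBUTE_NAMES = (
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "urn:oid:0.9.2342.19200300.100.1.3",
)


def sp_entity_id(base_url: str, provider_name: str) -> str:
    """SP Entity ID: <base URL>/api/v1/login/saml/<PROVIDER-NAME>."""
    return f"{base_url.rstrip('/')}/api/v1/login/saml/{provider_name}"


def acs_url(base_url: str, provider_name: str) -> str:
    """Tenant Callback (ACS) URL: the SP Entity ID with /acs appended."""
    return sp_entity_id(base_url, provider_name) + "/acs"


def check_response(xml_text: str, base_url: str, provider_name: str) -> dict:
    """Compare the Response's addressing and email attribute with BloodHound's expectations.

    Content checks only: the XML signature is not validated here.
    """
    root = ET.fromstring(xml_text)
    expected_acs = acs_url(base_url, provider_name)
    expected_entity = sp_entity_id(base_url, provider_name)
    findings = {
        "destination_ok": root.get("Destination") == expected_acs,
        "audience_ok": False,
        "recipient_ok": False,
        "email": None,
        "problems": [],
    }
    if not findings["destination_ok"]:
        findings["problems"].append(f"Destination {root.get('Destination')!r} != {expected_acs}")
    assertion = root.find("saml2:Assertion", NS)
    if assertion is None:
        findings["problems"].append("no plaintext Assertion element found")
        return findings
    for aud in assertion.iterfind("saml2:Conditions/saml2:AudienceRestriction/saml2:Audience", NS):
        if (aud.text or "").strip() == expected_entity:
            findings["audience_ok"] = True
    if not findings["audience_ok"]:
        findings["problems"].append(f"no Audience equal to SP Entity ID {expected_entity}")
    for scd in assertion.iterfind("saml2:Subject/saml2:SubjectConfirmation/saml2:SubjectConfirmationData", NS):
        if scd.get("Recipient") == expected_acs:
            findings["recipient_ok"] = True
    if not findings["recipient_ok"]:
        findings["problems"].append(f"no SubjectConfirmationData Recipient equal to {expected_acs}")
    for attr in assertion.iterfind("saml2:AttributeStatement/saml2:Attribute", NS):
        name = attr.get("Name")
        if name not in EMAIL_ATTRIBUTE_NAMES:
            continue  # other attributes are ignored by BloodHound
        if attr.get("NameFormat") != URI_NAME_FORMAT:
            findings["problems"].append(f"{name} sent with NameFormat {attr.get('NameFormat')!r}, expected URI format")
            continue
        value = attr.find("saml2:AttributeValue", NS)
        if value is not None and value.text:
            findings["email"] = value.text.strip()
    if findings["email"] is None:
        findings["problems"].append("no accepted email attribute in URI name format")
    return findings


SAMPLE_BASE_URL = "https://example.bloodhoundenterprise.io"  # placeholder tenant
SAMPLE_PROVIDER = "okta"  # placeholder provider name


def sample_response(attr_name: str, name_format: str, email: str) -> str:
    """Constructed, unsigned SAML Response used only to exercise the checker."""
    acs = acs_url(SAMPLE_BASE_URL, SAMPLE_PROVIDER)
    entity = sp_entity_id(SAMPLE_BASE_URL, SAMPLE_PROVIDER)
    return f"""<saml2p:Response xmlns:saml2p="{NS['saml2p']}" xmlns:saml2="{NS['saml2']}"
    ID="_r1" Version="2.0" Destination="{acs}">
  <saml2:Assertion ID="_a1" Version="2.0">
    <saml2:Subject>
      <saml2:NameID>{email}</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData Recipient="{acs}"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions>
      <saml2:AudienceRestriction><saml2:Audience>{entity}</saml2:Audience></saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="{attr_name}" NameFormat="{name_format}">
        <saml2:AttributeValue>{email}</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""


if __name__ == "__main__":
    ok = sample_response(EMAIL_ATTRIBUTE_NAMES[0], URI_NAME_FORMAT, "alice@example.com")
    print(check_response(ok, SAMPLE_BASE_URL, SAMPLE_PROVIDER))
    # Same assertion, but BloodHound configured with a different provider name:
    print(check_response(ok, SAMPLE_BASE_URL, "entra"))
```

To use it against a real Identity Provider, capture the base64 SAMLResponse from the browser's POST to the ACS URL, decode it, and pass the XML to check_response with your tenant's base URL and provider name. A non-empty "problems" list points at the exact field to correct on the provider side; an assertion that is encrypted rather than signed will show up as "no plaintext Assertion element found".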

BloodHound Icons

If your IDP supports custom icons for configured applications, please feel free to utilize either of the two logos below:

Create the SAML Configuration

  1. While logged in as an Administrator, click on the gear icon in the top right, then click "Administration."
  2. Under the "Authentication" section, choose "SAML Configuration."
  3. Click "Create SAML Provider."
  4. Give the SAML provider exactly the name you used in the ACS URL when configuring the Identity Provider ("okta" in this example) and upload the metadata XML you obtained from the Identity Provider. Click "Submit."
  5. BloodHound will display the URLs related to this new SAML provider. Take a moment to verify that the ACS URL shown matches the Single sign on URL you entered in the SAML application integration page when setting up the Okta SAML integration; if the two differ, the Identity Provider will post the assertion to a URL BloodHound does not serve and logins will fail.

Configure Users for SAML Authentication

By default, all users authenticate with a username and password via the built-in authentication service. When creating or modifying a user, you are given the option to change this setting. When creating a new SAML user, you must ensure the SAML user does not share an email address with any built-in user, because the email attribute in the assertion is what BloodHound uses to identify the account.

  1. While logged in as an Administrator, click on the gear icon in the top right, then click "Administration."
  2. Under the "Authentication" section, choose "Manage Users."
  3. Locate the user you wish to configure for SAML authentication, click the hamburger menu button on the right side of the row, then click "Update User."
  4. In the following dialog, change the Authentication Method to "SAML," then select the SAML provider you wish the user's account to authenticate against.
  5. Click "Save."
