Overview

This guide demonstrates how to integrate an Identity Provider (IDP) such as Okta or Entra ID with Barndoor to enable:
  • SSO Login: Allow all users in your organization to authenticate via your IDP
  • Automatic Role Mapping: Provision users as admins or standard users based on IDP group membership
  • Centralized User Management: Onboard and offboard users directly from your IDP

Prerequisites:
  • Admin access to your Barndoor account
  • Admin access to your IDP (Okta, Entra, etc.)
  • An IDP application configured with OIDC/OAuth or SAML 2.0

Step 1: Configure IDP Connection in Barndoor

1. Navigate to IDP Settings

Go here in your Barndoor dashboard.

2. Complete IDP Setup Form

  • Provide a display name, i.e., your domain name.

From your IDP application, collect:
  • Issuer URL: Your organization’s Issuer URL
  • Client ID: OAuth client ID from your IDP app
  • Client Secret: OAuth client secret from your IDP app

Auto-discovery will prefill your Authorization, Token, User Info, JWKS and Logout URLs. If any of them is not auto-discovered, enter it manually.

3. Test the Connection

Click Test Connection to verify that Barndoor can communicate with your IDP.

Expected result: “Connection successful” message

4. Save Configuration

Click Save to activate the IDP connection.
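
When auto-discovery does not prefill a field, the values come from the IDP's OIDC discovery document. The sketch below is an added example, not Barndoor's code: it maps a discovery document to the five URL fields named above and flags what has to be entered by hand. The host `idp.example.com` and the sample document are constructed.

```python
import json
from urllib.parse import urlsplit

# Form field (as named on this page) -> standard OIDC metadata key.
FIELD_TO_KEY = {
    "Authorization URL": "authorization_endpoint",
    "Token URL": "token_endpoint",
    "User Info URL": "userinfo_endpoint",
    "JWKS URL": "jwks_uri",
    "Logout URL": "end_session_endpoint",
}

def discovery_url(issuer):
    """Location of the discovery document for an Issuer URL."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"

def fields_from_discovery(issuer, doc):
    """Return (form_values, problems) for a parsed discovery document."""
    problems = []
    # The document's issuer must equal the configured Issuer URL exactly;
    # a trailing slash or a different host counts as a mismatch.
    if doc.get("issuer") != issuer:
        problems.append(f"issuer mismatch: {doc.get('issuer')!r} != {issuer!r}")
    values = {}
    for field, key in FIELD_TO_KEY.items():
        url = doc.get(key)
        if not url:
            problems.append(f"{field}: '{key}' not advertised, enter it manually")
        elif urlsplit(url).scheme != "https":
            problems.append(f"{field}: {url} is not https")
        else:
            values[field] = url
    return values, problems

# Constructed sample: idp.example.com is a placeholder, and the logout
# endpoint is left out on purpose to show the manual-entry case.
SAMPLE_ISSUER = "https://idp.example.com/oauth2/default"
SAMPLE_DOC = json.loads("""{
  "issuer": "https://idp.example.com/oauth2/default",
  "authorization_endpoint": "https://idp.example.com/oauth2/default/v1/authorize",
  "token_endpoint": "https://idp.example.com/oauth2/default/v1/token",
  "userinfo_endpoint": "https://idp.example.com/oauth2/default/v1/userinfo",
  "jwks_uri": "https://idp.example.com/oauth2/default/v1/keys"
}""")

if __name__ == "__main__":
    print("fetch:", discovery_url(SAMPLE_ISSUER))
    values, problems = fields_from_discovery(SAMPLE_ISSUER, SAMPLE_DOC)
    for line in [f"{k} = {v}" for k, v in values.items()] + problems:
        print(line)
```

To use it against your own IDP, download the JSON at `discovery_url(<your Issuer URL>)` and pass the parsed document to `fields_from_discovery`.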

Step 2: Verify SSO Login Works

1. Log Out of Barndoor

Sign out of your current Barndoor session.

2. Attempt Login with Enterprise User

Try logging in with the enterprise test user from Step 1, using a user’s email connected to your IDP. You should now be redirected to your IDP’s login page.

3. Authenticate via IDP

Complete authentication through your IDP (enter credentials, complete MFA if required).

4. Verify Access to Barndoor

After successful IDP authentication, you should be logged into Barndoor.

Expected result: User is logged in but has standard user permissions (not admin yet).

SSO is now working! Users can authenticate via your IDP.

Step 3: Configure Role Mapping (Auto-Provision Admins)

Now we’ll set up automatic role assignment based on IDP group membership.

Create Admin Group in IDP

1. Navigate to Groups in IDP

In your IDP (Okta/Entra ID), go to Directory → Groups.

2. Create or Select Admin Group

Create a new group called “Barndoor Admins” (or use an existing admin group).

3. Assign Users to Admin Group

Add the test user to the Barndoor Admins group.

💡 Note: Any user in this group will automatically receive admin permissions in Barndoor.

Map IDP Group to Barndoor Admin Role

1. Open Role Mapping Settings

In Barndoor, go to Settings → Identity Provider → Role Mapping.

2. Configure Admin Group Mapping

Set the group name that defines administrators:
  • IDP Group Name: Enter Barndoor Admins (exact name from your IDP)
  • Barndoor Role: Select Admin

3. Save Role Mapping

Click Save Role Settings.

Expected result: “Role mapping saved successfully” message

Verify Role Provisioning

1. Log Out and Back In

Sign out of Barndoor and log back in with the test user.

2. Verify Admin Access

After logging in, confirm:
  • ✅ User now has Admin role
  • ✅ Additional admin functionality is visible in the UI
  • ✅ User appears in the Barndoor Admins user group

Role mapping is working! Users in the IDP admin group automatically receive admin permissions.

Step 4: Test User Offboarding (Remove Admin Access)

1. Remove User from Admin Group in IDP

In your IDP, go to Directory → Groups → Barndoor Admins. Remove the test user from the Barndoor Admins group.

2. Log Out and Back In

In Barndoor, sign out and log back in with the test user.

3. Verify Standard User Access

Confirm that:
  • ✅ User is now a standard user (no longer admin)
  • ✅ Admin-only functionality is no longer visible
  • ✅ User group reflects the change

Changes to IDP group membership are reflected immediately upon next login to Barndoor.

Step 5: Remove SSO Connection (Optional)

If you need to disconnect the IDP integration:
1. Navigate to IDP Settings

Go to Settings → Identity Provider in Barndoor.

2. Remove Connection

Click Remove SSO Connection (or similar option). Confirm the removal when prompted.

3. Verify SSO Disabled

Log out and attempt to log in with an enterprise user.

Expected result: Login should fail since SSO is now disconnected.

Removing the SSO connection will immediately revoke access for all users who authenticate via the IDP. Only users with direct Barndoor credentials will be able to log in.

Summary

You’ve successfully configured IDP integration with Barndoor! Here’s what you accomplished:
  • ✅ Connected IDP for SSO/OIDC authentication
  • ✅ Enabled automatic role provisioning based on IDP groups
  • ✅ Tested user onboarding (SSO login and admin access)
  • ✅ Tested user offboarding (removed admin access via IDP)
  • ✅ Verified SSO disconnection process

Key Benefits

  • Centralized authentication: Users log in via your existing IDP
  • Automated role management: No manual user provisioning needed
  • Streamlined onboarding: New employees automatically get access
  • Instant offboarding: Removing users from IDP immediately revokes access

Troubleshooting

Common causes:
  • Incorrect Client ID or Client Secret
  • IDP application not configured with correct redirect URIs
  • OIDC endpoints not properly discovered
  • Domain mismatch
Solution: Double-check credentials in both Barndoor and your IDP. Re-test the connection and review IDP application logs.
Common causes:
  • Group name mismatch (case-sensitive)
  • User not actually in the IDP group
  • Role mapping not saved properly
Solution: Verify exact group name in IDP matches Barndoor configuration. Confirm user membership in IDP groups. Re-save role mapping settings.
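
One way to see why the role mapping from Step 3 is not applied, added here as an example and not Barndoor's own code: inspect the claims of an ID token issued to your test user and compare them with the configured group name. The `groups` claim name and the exact, case-sensitive comparison are assumptions based on this page's description, and the sample tokens are constructed.

```python
import base64
import json

def jwt_claims(token):
    """Decode a JWT payload without verifying it (for inspection only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def diagnose_mapping(claims, configured_group, claim="groups"):
    """Explain whether the token's groups satisfy an exact-name role mapping."""
    groups = claims.get(claim)  # claim name is an assumption, see lead-in
    if groups is None:
        return f"no '{claim}' claim: the IDP app is not sending group membership"
    if isinstance(groups, str):
        groups = [groups]
    if configured_group in groups:  # exact, case-sensitive comparison
        return "match"
    want = configured_group.strip().casefold()
    for g in groups:
        if str(g).strip().casefold() == want:
            return f"near miss: IDP sends {g!r}, mapping expects {configured_group!r}"
    # Also the outcome when the IDP emits group object IDs instead of names.
    return f"no match: {configured_group!r} not in {groups!r}"

def make_sample_token(claims):
    """Build a constructed token (fake signature) to feed the functions above."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.constructed-signature"

if __name__ == "__main__":
    # Constructed claim sets covering each troubleshooting cause listed above.
    samples = [
        {"email": "test.user@example.com", "groups": ["Everyone", "Barndoor Admins"]},
        {"email": "test.user@example.com", "groups": ["Everyone", "barndoor admins "]},
        {"email": "test.user@example.com", "groups": ["Everyone"]},
        {"email": "test.user@example.com"},
    ]
    for claims in samples:
        token = make_sample_token(claims)
        print(diagnose_mapping(jwt_claims(token), "Barndoor Admins"))
```

`jwt_claims` skips signature verification, so use it only to read a token you obtained for your own test user, never to make an access decision.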
Common causes:
  • Users not assigned to the IDP application
  • IDP application deactivated or suspended
  • Network/firewall blocking communication
Solution: Verify users are assigned to the Barndoor application in your IDP. Check IDP application status. Test connection from Barndoor settings.