Skip to main content

Overview

This guide demonstrates how to integrate an Identity Provider (IdP) such as Okta or Entra ID with Barndoor to enable:
  • SSO Login: Allow all users in your organization to authenticate via your IdP
  • Automatic Role Mapping: Provision users as admins or standard users based on IdP group membership
  • Centralized User Management: Onboard and offboard users directly from your IdP
Barndoor works with any OIDC or SAML 2.0 compatible IdP. If you use Okta or Microsoft Entra ID, follow the dedicated provider guide below for screenshots and provider-specific gotchas. Otherwise, use the generic flow on this page.

Choose your provider

Okta

Step-by-step Okta OIDC setup, groups claim filter, and role mapping.

Microsoft Entra ID

Entra (Azure AD) app registration, issuer URL gotcha, and group claims.
Using a different IdP (Google Workspace, JumpCloud, OneLogin, Ping, etc.)? The generic OIDC / SAML 2.0 flow below applies to all of them.

Video Walkthrough

Prerequisites:
  • Admin access to your Barndoor account
  • Admin access to your IdP (Okta, Entra, etc.)
  • An IdP application configured with OIDC/OAuth or SAML 2.0

How it works

At a high level, connecting any IdP follows the same five stages:
  1. Configure the connection in Barndoor with your IdP’s Issuer URL, Client ID, and Client Secret.
  2. Verify SSO login works for a standard user.
  3. Configure role mapping so IdP group membership provisions Barndoor admins automatically.
  4. Test offboarding by removing a user from the admin group.
  5. (Optional) Remove the SSO connection when you need to disconnect.
The rest of this page walks through each stage generically. For provider-specific UI and screenshots, use the Okta or Entra ID guides above.

Step 1: Configure IdP Connection in Barndoor

1

Navigate to Identity Provider Settings

Go here in your Barndoor dashboard.
2

Complete IdP Setup Form

  • Provide a display name, such as your domain name. From your IdP application collect:
  • Issuer URL: Your organization’s Issuer URL
  • Client ID: OAuth client ID from your IdP app
  • Client Secret: OAuth client secret from your IdP app
    Auto discover will prefill your Authorization, Token, User Info, JWKS, and Logout URLs. If they are not autodiscovered, enter them manually.
3

Test the Connection

Click Test Connection to verify that Barndoor can communicate with your IdP.Expected result: “Connection successful” message
4

Save Configuration

Click Save to activate the IdP connection.

Step 2: Verify SSO Login Works

1

Log Out of Barndoor

Sign out of your current Barndoor session.
2

Attempt Login with Enterprise User

Try logging in with the enterprise test user from Step 1 using a user’s email connected to your IdP.You should now be redirected to your IdP’s login page.
3

Authenticate via IdP

Complete authentication through your IdP (enter credentials, complete MFA if required).
4

Verify Access to Barndoor

After successful IdP authentication, you should be logged into Barndoor.Expected result: User is logged in but has standard user permissions (not admin yet).
SSO is now working! Users can authenticate via your IdP.

Step 3: Configure Role Mapping (Auto-Provision Admins)

Now we’ll set up automatic role assignment based on IdP group membership.

Create Admin Group in IdP

1

Navigate to Groups in IdP

In your IdP (Okta/Entra ID), go to DirectoryGroups.
2

Create or Select Admin Group

Create a new group called “Barndoor Admins” (or use an existing admin group).
3

Assign Users to Admin Group

Add the test user to the Barndoor Admins group.💡 Note: Any user in this group will automatically receive admin permissions in Barndoor.

Send IdP Groups to Barndoor

Barndoor can only map roles and evaluate group-based policies when your IdP sends group names during login. For OIDC connections, include a claim named exactly groups in the ID token or UserInfo response.
Role mappings are synced on login. If the mapped group claim is missing or does not match exactly, the corresponding Barndoor role can be removed the next time the user signs in.
1

Configure the groups claim

In your IdP application, add a groups claim with:
  • Claim name: groups
  • Claim values: Group display names, not group IDs
  • Included groups: At minimum, the group you want to map to Barndoor admin access, such as Barndoor Admins
2

Use your provider's exact steps

The way you emit the groups claim differs per IdP. Follow the dedicated guide for the precise UI:
3

Verify the emitted claim

Use your IdP’s token preview, logs, or a fresh test login to confirm the token or UserInfo response contains groups with the exact group name you will configure in Barndoor.

Map IdP Group to Barndoor Admin Role

1

Open Role Mapping Settings

In Barndoor, go to SettingsIdentity ProviderRole Mapping.
2

Configure Admin Group Mapping

Set the group name that defines administrators:
  • IdP Group Name: Enter Barndoor Admins (exact name from your IdP)
  • Barndoor Role: Select Admin
3

Save Role Mapping

Click Save Role Settings.Expected result: “Role mapping saved successfully” message

Verify Role Provisioning

1

Log Out and Back In

Sign out of Barndoor and log back in with the test user.
2

Verify Admin Access

After logging in, confirm:
  • ✅ User now has Admin role
  • ✅ Additional admin functionality is visible in the UI
  • ✅ User appears in the Barndoor Admins user group
Role mapping is working! Users in the IdP admin group automatically receive admin permissions.

Step 4: Test User Offboarding (Remove Admin Access)

1

Remove User from Admin Group in IdP

In your IdP, go to DirectoryGroupsBarndoor Admins.Remove the test user from the Barndoor Admins group.
2

Log Out and Back In

In Barndoor, sign out and log back in with the test user.
3

Verify Standard User Access

Confirm that:
  • ✅ User is now a standard user (no longer admin)
  • ✅ Admin-only functionality is no longer visible
  • ✅ User group reflects the change
Changes to IdP group membership are reflected immediately upon next login to Barndoor.

Step 5: Remove SSO Connection (Optional)

If you need to disconnect the IdP integration:
1

Navigate to IdP Settings

Go to SettingsIdentity Provider in Barndoor.
2

Remove Connection

Click Remove SSO Connection (or similar option).Confirm the removal when prompted.
3

Verify SSO Disabled

Log out and attempt to log in with an enterprise user.Expected result: Login should fail since SSO is now disconnected.
Removing the SSO connection will immediately revoke access for all users who authenticate via the IdP. Only users with direct Barndoor credentials will be able to log in.

Summary

You’ve successfully configured IdP integration with Barndoor! Here’s what you accomplished: ✅ **Connected IdP ** for SSO/OIDC authentication
Enabled automatic role provisioning based on IdP groups
Tested user onboarding (SSO login and admin access)
Tested user offboarding (removed admin access via IdP)
Verified SSO disconnection process

Key Benefits

Centralized authentication: Users log in via your existing IdP Automated role management: No manual user provisioning needed Streamlined onboarding: New employees automatically get access Instant offboarding: Removing users from IdP immediately revokes access

Troubleshooting

Common causes:
  • Incorrect Client ID or Client Secret
  • IdP application not configured with correct redirect URIs
  • OIDC endpoints not properly discovered
  • domain mismatch
Solution: Double-check credentials in both Barndoor and your IdP. Re-test the connection and review IdP application logs.
Common causes:
  • Group name mismatch (case-sensitive)
  • User not actually in the IdP group
  • OIDC groups claim is missing from the ID token or UserInfo response
  • IdP sends group IDs, paths, or a different claim name instead of the group display name
  • Role mapping not saved properly
Solution: Verify the exact group name in IdP matches Barndoor configuration. Confirm user membership in IdP groups. For OIDC, preview the token or UserInfo response and confirm it includes groups with the expected value, such as Barndoor Admins. Re-save role mapping settings and have the user sign out and back in.
Common causes:
  • Users not assigned to the IdP application
  • IdP application deactivated or suspended
  • Network/firewall blocking communication
Solution: Verify users are assigned to the Barndoor application in your IdP. Check IdP application status. Test connection from Barndoor settings.