BLACKSHIELD

Public Guide

How BlackShield Controls Access to Your Workspace

BlackShield gives tenant admins a concrete identity surface: configure Google, Okta, or Azure AD, validate OIDC before enabling it, map groups to roles, rotate SCIM tokens, and review identity audit activity.

Audience: IT admins, security operations teams, workspace owners, and procurement reviewers validating access control.

Typical setup time: 15-20 minutes.

Before You Begin

  • Define who can approve admin access, API key management, and billing changes.
  • Prepare identity provider group mappings before enabling broad user access.
  • Have `/identity` and `/api-keys` open while you review lifecycle controls.

Step-by-step

Step 1

Configure the identity providers BlackShield supports

The product supports a defined set of providers and makes admins validate the configuration before broad rollout.

  • In `/identity`, BlackShield supports Google, Okta, and Azure AD as tenant-level OIDC providers.
  • Use the built-in validation step before enabling a provider for production users.
  • When tenant OIDC is enabled, distribute a tenant-specific SSO link such as `/login?tenant=acme-security&provider=okta` so users land on the approved IdP without anonymous tenant discovery.
  • Choose the default role and auto-link behavior explicitly instead of relying on implicit defaults.

Step 2

Map groups and automate lifecycle actions

BlackShield exposes the lifecycle controls buyers usually ask for in enterprise reviews.

  • Map IdP groups to BlackShield roles so access is assigned at sign-in time.
  • Rotate the SCIM token from the same page when you need to reset provisioning credentials.
  • Use the identity audit stream to review recent OIDC and SCIM activity for the workspace.

Step 3

Remove access and privileged credentials when users change

Access control is not complete unless you can remove both user access and service credentials quickly.

  • Remove or remap the user's IdP group access in `/identity` when their role changes.
  • Revoke or rotate API keys in `/api-keys` after privileged departures or scanner ownership changes.
  • Review `/audit` and the identity audit stream to confirm no stale privileged activity remains unexplained.
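
One way to run the last check in Step 3 over exported events, as an added example that is not BlackShield code. The record fields (`ts`, `actor`, `action`), the sample events, and the revocation list are constructed assumptions; this guide does not document BlackShield's audit export format.

```python
from datetime import datetime, timezone

# Constructed sample data. Field names are assumptions, not BlackShield's schema.
REVOCATIONS = {  # principal -> time its access or key was removed
    "alice@acme.example": "2024-05-01T17:00:00Z",
    "key:scanner-prod": "2024-05-01T17:05:00Z",
}
AUDIT_EVENTS = [
    {"ts": "2024-05-01T16:40:00Z", "actor": "alice@acme.example", "action": "oidc.login"},
    {"ts": "2024-05-01T17:30:00Z", "actor": "key:scanner-prod", "action": "api.request"},
    {"ts": "2024-05-02T09:12:00Z", "actor": "alice@acme.example", "action": "role.update"},
    {"ts": "2024-05-02T09:15:00Z", "actor": "bob@acme.example", "action": "oidc.login"},
    {"ts": "not-a-timestamp", "actor": "alice@acme.example", "action": "oidc.login"},
]

def parse_ts(value):
    """Parse an ISO 8601 UTC timestamp; return None if it is malformed."""
    try:
        return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except (TypeError, ValueError):
        return None

def stale_activity(events, revocations):
    """Return (flagged, unparsed): events by a revoked principal dated after
    its revocation, and events by a revoked principal with an unusable timestamp."""
    cutoffs = {}
    for actor, ts in revocations.items():
        cutoff = parse_ts(ts)
        if cutoff is None:
            raise ValueError(f"bad revocation time for {actor}: {ts!r}")
        cutoffs[actor] = cutoff
    flagged, unparsed = [], []
    for event in events:
        actor = event.get("actor")
        if actor not in cutoffs:
            continue  # principal was never revoked; out of scope for this check
        when = parse_ts(event.get("ts"))
        if when is None:
            unparsed.append(event)  # cannot prove it predates revocation
        elif when > cutoff_for(cutoffs, actor):
            flagged.append(event)
    return flagged, unparsed

def cutoff_for(cutoffs, actor):
    """Look up the revocation time for a principal known to be revoked."""
    return cutoffs[actor]

if __name__ == "__main__":
    flagged, unparsed = stale_activity(AUDIT_EVENTS, REVOCATIONS)
    for e in flagged:
        print("ACTIVITY AFTER REVOCATION:", e["ts"], e["actor"], e["action"])
    for e in unparsed:
        print("REVIEW BY HAND (bad timestamp):", e["actor"], e["action"])
```

Any flagged event means a revocation did not take effect or a credential was missed; unparsed events are kept separate so a malformed record is reviewed rather than silently passed.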

Success Checks

  • The buyer can see how OIDC, group mapping, SCIM, and API key rotation are handled in the product.
  • Emergency revoke and user removal workflows are tested and documented.