Public Guide

How BlackShield Controls Access to Your Workspace

BlackShield gives tenant admins a concrete identity surface: configure Google, Okta, or Azure AD, validate OIDC before enabling it, map groups to roles, rotate SCIM tokens, and review identity audit activity. Audience: IT admins, security operations teams, workspace owners, and procurement reviewers validating access control. Typical setup time: 15-20 minutes.

Before You Begin

  • Define who can approve admin access, API key management, and billing changes.
  • Prepare identity provider group mappings before enabling broad user access.
  • Have `/identity` and `/api-keys` open while you review lifecycle controls.

Guide walkthrough

Step 1

Configure the identity providers BlackShield supports

The product supports a defined set of providers and makes admins validate the configuration before broad rollout.

  • In `/identity`, BlackShield supports Google, Okta, and Azure AD as tenant-level OIDC providers.
  • Use the built-in validation step before enabling a provider for production users.
  • When tenant OIDC is enabled, distribute a tenant-specific SSO link such as `/login?tenant=acme-security&provider=okta` so users land on the approved IdP without anonymous tenant discovery.
  • Choose the default role and auto-link behavior explicitly instead of relying on implicit defaults.

Step 2

Map groups and automate lifecycle actions

BlackShield exposes the lifecycle controls buyers usually ask for in enterprise reviews.

  • Map IdP groups to BlackShield roles so access is assigned at sign-in time.
  • Rotate the SCIM token from the same page when you need to reset provisioning credentials.
  • Use the identity audit stream to review recent OIDC and SCIM activity for the workspace.

Step 3

Remove access and privileged credentials when users change

Access control is not complete unless you can remove both user access and service credentials quickly.

  • Remove or remap the user's IdP group access in `/identity` when their role changes.
  • Revoke or rotate API keys in `/api-keys` after privileged departures or scanner ownership changes.
  • Review `/audit` and identity audit to confirm no stale privileged activity remains unexplained.
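
One way to run the last check offline, as an added example that is not BlackShield's own code: compare an exported audit log against your offboarding record and list any activity by a removed user or revoked API key after its cutoff. The export format (one JSON object per line), the field names `ts`, `actor`, `api_key`, `action`, and all sample values are assumptions constructed for illustration.

```python
import json
from datetime import datetime

# Constructed sample export. Field and action names are assumptions for this
# example, not BlackShield's documented audit schema.
AUDIT_LINES = [
    '{"ts": "2024-05-02T11:00:00Z", "actor": "alice@example.com", "action": "oidc.login"}',
    '{"ts": "2024-05-02T12:05:00Z", "actor": "scim", "action": "scim.user.deactivate"}',
    '{"ts": "2024-05-02T14:00:00Z", "actor": "alice@example.com", "action": "oidc.login"}',
    '{"ts": "2024-05-03T02:00:00Z", "actor": "scanner", "api_key": "key-scanner-01", "action": "api.scan.upload"}',
    'truncated line, not JSON',
    '{"ts": "2024-05-03T03:00:00Z", "actor": "bob@example.com", "api_key": "key-scanner-02", "action": "api.scan.upload"}',
]

# Offboarding record kept by the admin: principal -> time access was removed.
REVOCATIONS = {
    "alice@example.com": "2024-05-02T12:00:00Z",  # IdP group access removed
    "key-scanner-01": "2024-05-02T12:30:00Z",     # API key revoked
}

def parse_ts(value):
    """Parse an ISO 8601 UTC timestamp with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def stale_activity(lines, revocations):
    """Return (line_no, principal, action) for events after a principal's cutoff.

    Lines that cannot be parsed are reported too, so a damaged export is never
    mistaken for a clean one.
    """
    cutoffs = {name: parse_ts(ts) for name, ts in revocations.items()}
    findings = []
    for line_no, line in enumerate(lines, 1):
        try:
            event = json.loads(line)
            when = parse_ts(event["ts"])
        except (ValueError, KeyError, TypeError, AttributeError):
            findings.append((line_no, None, "unparseable"))
            continue
        # Check both the signed-in user and the API key used, if any.
        for principal in (event.get("actor"), event.get("api_key")):
            cutoff = cutoffs.get(principal)
            if cutoff is not None and when > cutoff:
                findings.append((line_no, principal, event.get("action")))
    return findings

if __name__ == "__main__":
    for finding in stale_activity(AUDIT_LINES, REVOCATIONS):
        print(finding)
```

Each finding is either explained (for example, a documented exception) or treated as a sign that the removal or revocation did not take effect.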

What success looks like

  • The buyer can see how OIDC, group mapping, SCIM, and API key rotation are handled in product.
  • Emergency revoke and user removal workflows are tested and documented.