Articles in this section

Automatic User Provisioning Through SSO in Bold Reports Using OpenID Connect and OAuth 2.0

Published:
Updated:

Organizations commonly use Single Sign-On (SSO) solutions such as OpenID Connect (OIDC) and OAuth 2.0-based identity providers to centrally manage user authentication and access control. When users access the Bold Reports Report Server or Report Designer directly through a browser, administrators may want to avoid the overhead of manually creating and maintaining user accounts within Bold Reports.

Bold Reports supports automatic user provisioning through OpenID Connect and OAuth 2.0 authentication by using User and Group Mapping. This feature enables users to be automatically created and assigned appropriate permissions based on group claims received from the identity provider during authentication.

Applicable Scenarios

This approach is recommended when:

  • Users access the Bold Reports Report Server directly through a web browser.
  • Users access the Bold Reports Report Designer through the browser.
  • Authentication is managed by an external OpenID Connect (OIDC) or OAuth 2.0 identity provider.
  • Authorization is managed through groups and roles in the identity provider.
  • Organizations want to automate user onboarding and permission assignment.

Benefits

By enabling automatic user provisioning and group mapping, organizations can:

  • Eliminate manual user creation in Bold Reports.
  • Automatically onboard users during their first login.
  • Centralize user management within the identity provider.
  • Simplify permission administration through group-based access control.
  • Align reporting permissions with existing organizational structures.
  • Reduce administrative overhead and improve security governance.

Prerequisites

Before configuring automatic user provisioning, ensure that:

  • OpenID Connect or OAuth 2.0 authentication is configured successfully in Bold Reports.
  • Users can authenticate through the identity provider.
  • Required groups are created in Bold Reports.
  • Matching groups exist in the identity provider.
  • Group claims are included in the authentication token.

Recommended Configuration

Step 1: Create Groups in Bold Reports

Create groups in Bold Reports that align with your organization’s departments, teams, or business functions.

Examples:

  • Sales
  • Support
  • Development
  • DataDesigners
  • SalesTeamReportDesigners
  • ReportAdmins

Assign permissions to these groups based on the access required for each team.

Step 2: Configure Corresponding Groups in the Identity Provider

Ensure matching groups exist in your OpenID Connect or OAuth 2.0 identity provider and assign users to the appropriate groups.

Example group structure:

Identity Provider Group Bold Reports Group Access Level
ReportAdmins ReportAdmins Full administrative access to the Report Server
Sales Sales View and access sales-related reports and folders
Support Support View and access support-related reports and folders
Development Development Access development-related reporting resources
SalesTeamReportDesigners SalesTeamReportDesigners Create, edit, and manage reports within the Sales category
DataDesigners DataDesigners Create, edit, and manage reports across all report categories

Step 3: Enable User and Group Mapping

Enable User and Group Mapping in the OpenID Connect or OAuth 2.0 authentication configuration.

When enabled, Bold Reports will:

  • Automatically create a user account during the first successful login if the user does not already exist.
  • Map users to the appropriate Bold Reports groups based on the group claims received from the identity provider.
  • Apply permissions associated with the mapped groups automatically.

Step 4: Configure Group Claims in the Identity Provider

Configure the identity provider to include the user’s group membership information within the authentication token or claims.

Group claims are required for:

  • Automatic user-to-group mapping.
  • Permission assignment.
  • Access control enforcement within Bold Reports.

Without group claims, Bold Reports can authenticate users, but automatic group assignment and permission mapping will not function as expected.

How Automatic User Provisioning Works

The following process occurs when a new user signs in:

  1. The user accesses the Bold Reports Report Server or Report Designer.
  2. The user authenticates through the configured OpenID Connect or OAuth 2.0 identity provider.
  3. Bold Reports validates the authentication token.
  4. If the user account does not exist, Bold Reports automatically creates the user.
  5. Group claims are extracted from the authentication token.
  6. The user is mapped to the corresponding groups configured in Bold Reports.
  7. Group-based permissions are applied automatically.
  8. The user gains access to reports, folders, categories, and administrative features according to the assigned permissions.

Example Scenario

Consider the following organization structure.

Sales Team

Members of the Sales group need access to view sales reports.

Permissions

  • View sales reports.
  • Access Sales folders and resources.
  • No report design privileges.

Sales Report Designers

Members of the SalesTeamReportDesigners group are responsible for creating and maintaining reports within the Sales category.

Permissions

  • Create reports in the Sales category.
  • Edit Sales reports.
  • Manage Sales report datasets and resources.
  • No access to design reports for other business categories unless explicitly granted.

Central Data and BI Team

Members of the DataDesigners group form the central reporting and analytics team.

Permissions

  • Create reports across all categories.
  • Edit reports across departments.
  • Manage shared datasets and reporting resources.
  • Support organization-wide reporting initiatives.

Report Server Administrators

Members of the ReportAdmins group manage the entire Bold Reports environment.

Permissions

  • User management.
  • Group management.
  • Server administration.
  • Site settings configuration.
  • Security and access control management.

Example Login Flow

Suppose a user belongs to the SalesTeamReportDesigners group in the identity provider.

During sign-in:

  1. Authentication is completed through OpenID Connect or OAuth 2.0.
  2. Bold Reports automatically creates the user account if it does not already exist.
  3. The group claim indicates membership in SalesTeamReportDesigners.
  4. The user is automatically added to the matching Bold Reports group.
  5. Sales report design permissions are automatically assigned.
  6. The user can immediately begin creating and editing reports within the Sales category without requiring manual administration.

Similarly, if a user belongs to the DataDesigners group:

  1. The user is automatically provisioned.
  2. The user is mapped to the DataDesigners group.
  3. Organization-wide report design permissions are granted automatically.

Result

With this configuration:

  • Users can log in without being manually created in Bold Reports.
  • User accounts are automatically provisioned during the first login.
  • Group memberships are synchronized using claims from the identity provider.
  • Permissions are automatically assigned through group membership.
  • Department-based and business-specific access control can be enforced.
  • Administrative overhead is significantly reduced.
  • User lifecycle management remains centralized within the identity provider.

Best Practices

  • Use department-based or business-role-based groups rather than assigning permissions directly to users.
  • Maintain groups within the identity provider as the single source of truth.
  • Follow the principle of least privilege when assigning group permissions.
  • Use dedicated groups such as DataDesigners for enterprise-wide report authors and ReportAdmins for administrators.
  • Regularly review group assignments and permissions to ensure compliance with organizational policies.
  • Configure folder and category-level permissions based on business requirements.

Important Notes

Note: Automatic group mapping requires the identity provider to send group membership information as claims during authentication.

Note: If the required group claims are not included in the token, users may still be authenticated and automatically created, but group mapping and permission assignment will not occur.

Note: Group names do not need to follow predefined naming conventions. You can use groups that align with your organization’s structure, such as Sales, Support, Development, DataDesigners, or other department-specific groups.

Related Documentation

Global Authentication Settings

Configure authentication for the Report Server using the following documentation:

OAuth 2.0

https://help.boldreports.com/enterprise-reporting/administrator-guide/authentication/single-sign-on/oauth-2.0/

OpenID Connect (OIDC)

https://help.boldreports.com/enterprise-reporting/administrator-guide/authentication/single-sign-on/openid-connect/

Site-Level Authentication Settings

For multi-tenant deployments, authentication can also be configured at the site level.

OAuth 2.0 Support

https://help.boldreports.com/enterprise-reporting/administrator-guide/manage-sites/site-administration/authentication/oauth-2.0-support/

OpenID Connect Settings

https://help.boldreports.com/enterprise-reporting/administrator-guide/manage-sites/site-administration/authentication/openid-settings/

Group Claims Authentication

https://help.boldreports.com/enterprise-reporting/administrator-guide/manage-sites/site-administration/authentication/openid-settings/#group-claims-authentication

Conclusion

By using OpenID Connect or OAuth 2.0 authentication with User and Group Mapping enabled, Bold Reports can automatically provision users and assign permissions based on organizational groups defined in the identity provider. This approach eliminates manual user management, simplifies administration, and enables scalable, secure access control across departments such as Sales, Support, Development, and centralized reporting teams like DataDesigners.

Was this article useful?
Like
Dislike
Help us improve this page
Please provide feedback or comments
Comments (0)
Access denied
Access denied