Automatic User Provisioning Through SSO in Bold Reports Using OpenID Connect and OAuth 2.0
Organizations commonly use Single Sign-On (SSO) solutions such as OpenID Connect (OIDC) and OAuth 2.0-based identity providers to centrally manage user authentication and access control. When users access the Bold Reports Report Server or Report Designer directly through a browser, administrators may want to avoid the overhead of manually creating and maintaining user accounts within Bold Reports.
Bold Reports supports automatic user provisioning through OpenID Connect and OAuth 2.0 authentication by using User and Group Mapping. This feature enables users to be automatically created and assigned appropriate permissions based on group claims received from the identity provider during authentication.
Applicable Scenarios
This approach is recommended when:
- Users access the Bold Reports Report Server directly through a web browser.
- Users access the Bold Reports Report Designer through the browser.
- Authentication is managed by an external OpenID Connect (OIDC) or OAuth 2.0 identity provider.
- Authorization is managed through groups and roles in the identity provider.
- Organizations want to automate user onboarding and permission assignment.
Benefits
By enabling automatic user provisioning and group mapping, organizations can:
- Eliminate manual user creation in Bold Reports.
- Automatically onboard users during their first login.
- Centralize user management within the identity provider.
- Simplify permission administration through group-based access control.
- Align reporting permissions with existing organizational structures.
- Reduce administrative overhead and improve security governance.
Prerequisites
Before configuring automatic user provisioning, ensure that:
- OpenID Connect or OAuth 2.0 authentication is configured successfully in Bold Reports.
- Users can authenticate through the identity provider.
- Required groups are created in Bold Reports.
- Matching groups exist in the identity provider.
- Group claims are included in the authentication token.
Recommended Configuration
Step 1: Create Groups in Bold Reports
Create groups in Bold Reports that align with your organization’s departments, teams, or business functions.
Examples:
- Sales
- Support
- Development
- DataDesigners
- SalesTeamReportDesigners
- ReportAdmins
Assign permissions to these groups based on the access required for each team.
Step 2: Configure Corresponding Groups in the Identity Provider
Ensure matching groups exist in your OpenID Connect or OAuth 2.0 identity provider and assign users to the appropriate groups.
Example group structure:
| Identity Provider Group | Bold Reports Group | Access Level |
|---|---|---|
| ReportAdmins | ReportAdmins | Full administrative access to the Report Server |
| Sales | Sales | View and access sales-related reports and folders |
| Support | Support | View and access support-related reports and folders |
| Development | Development | Access development-related reporting resources |
| SalesTeamReportDesigners | SalesTeamReportDesigners | Create, edit, and manage reports within the Sales category |
| DataDesigners | DataDesigners | Create, edit, and manage reports across all report categories |
Step 3: Enable User and Group Mapping
Enable User and Group Mapping in the OpenID Connect or OAuth 2.0 authentication configuration.
When enabled, Bold Reports will:
- Automatically create a user account during the first successful login if the user does not already exist.
- Map users to the appropriate Bold Reports groups based on the group claims received from the identity provider.
- Apply permissions associated with the mapped groups automatically.
Step 4: Configure Group Claims in the Identity Provider
Configure the identity provider to include the user’s group membership information within the authentication token or claims.
Group claims are required for:
- Automatic user-to-group mapping.
- Permission assignment.
- Access control enforcement within Bold Reports.
Without group claims, Bold Reports can authenticate users, but automatic group assignment and permission mapping will not function as expected.
How Automatic User Provisioning Works
The following process occurs when a new user signs in:
- The user accesses the Bold Reports Report Server or Report Designer.
- The user authenticates through the configured OpenID Connect or OAuth 2.0 identity provider.
- Bold Reports validates the authentication token.
- If the user account does not exist, Bold Reports automatically creates the user.
- Group claims are extracted from the authentication token.
- The user is mapped to the corresponding groups configured in Bold Reports.
- Group-based permissions are applied automatically.
- The user gains access to reports, folders, categories, and administrative features according to the assigned permissions.
Example Scenario
Consider the following organization structure.
Sales Team
Members of the Sales group need access to view sales reports.
Permissions
- View sales reports.
- Access Sales folders and resources.
- No report design privileges.
Sales Report Designers
Members of the SalesTeamReportDesigners group are responsible for creating and maintaining reports within the Sales category.
Permissions
- Create reports in the Sales category.
- Edit Sales reports.
- Manage Sales report datasets and resources.
- No access to design reports for other business categories unless explicitly granted.
Central Data and BI Team
Members of the DataDesigners group form the central reporting and analytics team.
Permissions
- Create reports across all categories.
- Edit reports across departments.
- Manage shared datasets and reporting resources.
- Support organization-wide reporting initiatives.
Report Server Administrators
Members of the ReportAdmins group manage the entire Bold Reports environment.
Permissions
- User management.
- Group management.
- Server administration.
- Site settings configuration.
- Security and access control management.
Example Login Flow
Suppose a user belongs to the SalesTeamReportDesigners group in the identity provider.
During sign-in:
- Authentication is completed through OpenID Connect or OAuth 2.0.
- Bold Reports automatically creates the user account if it does not already exist.
- The group claim indicates membership in SalesTeamReportDesigners.
- The user is automatically added to the matching Bold Reports group.
- Sales report design permissions are automatically assigned.
- The user can immediately begin creating and editing reports within the Sales category without requiring manual administration.
Similarly, if a user belongs to the DataDesigners group:
- The user is automatically provisioned.
- The user is mapped to the DataDesigners group.
- Organization-wide report design permissions are granted automatically.
Result
With this configuration:
- Users can log in without being manually created in Bold Reports.
- User accounts are automatically provisioned during the first login.
- Group memberships are synchronized using claims from the identity provider.
- Permissions are automatically assigned through group membership.
- Department-based and business-specific access control can be enforced.
- Administrative overhead is significantly reduced.
- User lifecycle management remains centralized within the identity provider.
Best Practices
- Use department-based or business-role-based groups rather than assigning permissions directly to users.
- Maintain groups within the identity provider as the single source of truth.
- Follow the principle of least privilege when assigning group permissions.
- Use dedicated groups such as DataDesigners for enterprise-wide report authors and ReportAdmins for administrators.
- Regularly review group assignments and permissions to ensure compliance with organizational policies.
- Configure folder and category-level permissions based on business requirements.
Important Notes
Note: Automatic group mapping requires the identity provider to send group membership information as claims during authentication.
Note: If the required group claims are not included in the token, users may still be authenticated and automatically created, but group mapping and permission assignment will not occur.
Note: Group names do not need to follow predefined naming conventions. You can use groups that align with your organization’s structure, such as Sales, Support, Development, DataDesigners, or other department-specific groups.
Related Documentation
Global Authentication Settings
Configure authentication for the Report Server using the following documentation:
OAuth 2.0
OpenID Connect (OIDC)
Site-Level Authentication Settings
For multi-tenant deployments, authentication can also be configured at the site level.
OAuth 2.0 Support
OpenID Connect Settings
Group Claims Authentication
Conclusion
By using OpenID Connect or OAuth 2.0 authentication with User and Group Mapping enabled, Bold Reports can automatically provision users and assign permissions based on organizational groups defined in the identity provider. This approach eliminates manual user management, simplifies administration, and enables scalable, secure access control across departments such as Sales, Support, Development, and centralized reporting teams like DataDesigners.