- Source: AZUser (Microsoft Entra, from BloodHound), User (Active Directory, from BloodHound)
- Destination: GL_User
| Property | Type | Description |
|---|---|---|
| provider | string | Identity provider used to establish the link: openid_connect, azure_activedirectory_v2, or saml for Entra/OIDC accounts; ldapmain for Active Directory LDAP accounts |
The traversable GL_SyncedTo edge is a hybrid cross-subgraph edge connecting an external identity (an Entra user or an Active Directory user) to the GitLab user account it is linked to via SSO.
It is created in the enrichment phase by matching GitLab identity provider bindings (taken from the identities property on user nodes) against existing AZUser or User nodes in BloodHound. Two kinds of external identity can be linked:
- Entra (AZUser) — linked via SAML, OAuth 2.0, or OIDC
- Active Directory (User) — linked via LDAP
This edge is traversable because compromising the linked Entra or AD account gives an attacker SSO access to the GitLab user account, and with it all of that user's group and project memberships.
```mermaid
graph LR
entraUser("fa:fa-user AZUser alice@corp.com")
adUser("fa:fa-user User CORP\\alice")
glUser("fa:fa-user GL_User alice")
entraUser -->|GL_SyncedTo| glUser
adUser -->|GL_SyncedTo| glUser
```
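As an added example (not code from this page or from the project it documents), the following Python sketches the enrichment step described above: it walks the identities on constructed GitLab user records, resolves each provider named in the property table to an AZUser or User node, and emits a GL_SyncedTo edge carrying the provider property. The page does not say which attributes the real enrichment keys on, so this example assumes that Entra identities (openid_connect, azure_activedirectory_v2, saml) are matched on the AZUser's userprincipalname or objectid, and that ldapmain identities carry the account's distinguishedName as extern_uid; the `GL_User:<username>` node id form is likewise an assumption. The `unmatched` list is the defender's check: identities that claim an Entra or AD provider but resolve to no collected node are either stale bindings or gaps in collection, and either way deserve a look before trusting the graph.

```python
from dataclasses import dataclass

# Providers from the property table above, grouped by the BloodHound node kind they resolve to.
ENTRA_PROVIDERS = {"openid_connect", "azure_activedirectory_v2", "saml"}
AD_PROVIDERS = {"ldapmain"}


@dataclass(frozen=True)
class SyncedToEdge:
    source: str    # objectid of the AZUser or User node
    target: str    # GL_User node id (hypothetical "GL_User:<username>" form)
    provider: str  # value of the GL_SyncedTo provider property


def _norm(value):
    """Case-insensitive, whitespace-trimmed key; None becomes the empty string."""
    return (value or "").strip().lower()


def build_synced_to_edges(gl_users, az_users, ad_users):
    """Return (edges, unmatched) for the given GitLab users and BloodHound nodes."""
    # ASSUMPTION: Entra bindings are matched on UPN or object id.
    entra_index = {}
    for node in az_users:
        for key in (node.get("userprincipalname"), node.get("objectid")):
            if key:
                entra_index[_norm(key)] = node["objectid"]
    # ASSUMPTION: ldapmain bindings carry the account DN as extern_uid.
    ad_index = {
        _norm(node["distinguishedname"]): node["objectid"]
        for node in ad_users
        if node.get("distinguishedname")
    }

    edges, unmatched, seen = [], [], set()
    for user in gl_users:
        target = f"GL_User:{user['username']}"
        for ident in user.get("identities", []):
            provider = ident.get("provider", "")
            extern_uid = _norm(ident.get("extern_uid"))
            if provider in ENTRA_PROVIDERS:
                source = entra_index.get(extern_uid)
            elif provider in AD_PROVIDERS:
                source = ad_index.get(extern_uid)
            else:
                continue  # e.g. a github login: not an Entra/AD SSO link, no edge
            if source is None:
                # Claims an SSO provider but no node to attach to: flag for review.
                unmatched.append((user["username"], provider, ident.get("extern_uid")))
                continue
            edge = SyncedToEdge(source, target, provider)
            if edge not in seen:  # the same binding listed twice yields one edge
                seen.add(edge)
                edges.append(edge)
    return edges, unmatched


# Constructed sample input; none of these ids or accounts are real.
SAMPLE_AZ_USERS = [
    {"objectid": "11111111-1111-1111-1111-111111111111", "userprincipalname": "alice@corp.com"},
]
SAMPLE_AD_USERS = [
    {"objectid": "S-1-5-21-1-2-3-1104", "distinguishedname": "CN=alice,OU=Users,DC=corp,DC=com"},
]
SAMPLE_GL_USERS = [
    {"username": "alice", "identities": [
        {"provider": "azure_activedirectory_v2", "extern_uid": "Alice@corp.com"},
        {"provider": "ldapmain", "extern_uid": "cn=alice,ou=users,dc=corp,dc=com"},
    ]},
    {"username": "bob", "identities": [
        {"provider": "saml", "extern_uid": "bob@corp.com"},  # no matching AZUser collected
    ]},
    {"username": "carol", "identities": [
        {"provider": "github", "extern_uid": "12345"},  # not an Entra/AD provider
    ]},
]


def demo():
    return build_synced_to_edges(SAMPLE_GL_USERS, SAMPLE_AZ_USERS, SAMPLE_AD_USERS)


if __name__ == "__main__":
    edges, unmatched = demo()
    for e in edges:
        print(f"{e.source} -[GL_SyncedTo {{provider: {e.provider}}}]-> {e.target}")
    for u in unmatched:
        print("unmatched identity:", u)
```

Running it produces the two edges drawn in the diagram above for alice (one per provider) and reports bob's saml binding as unmatched, while carol's github login is ignored because it is not one of the providers the edge covers.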