SSO (Single Sign On)
Bloomreach Dashboard uses Auth0 as our authentication and password system. You can refer to this section to learn about the process of setting up an SSO connection.
1. Which SSO authentication protocols are supported?
We support SAML SSO protocol.
2. How to set up a connection between your IdP and the Bloomreach IAM?
We support SAML integration for our customers. We can authenticate against the customer’s internal IdP (Identity Provider) via SSO to allow them to log into Bloomreach Dashboard.
Creation of SAML SSO connection
We need the following information for setting up the SAML SSO connection:
- Email domains [MANDATORY]: This comprises a comma-separated list of email domains. Example: for disney.com, the user will be logging in as [email protected]
- Sign-in URL [MANDATORY]: This is the sign-in URL from the SAML Identity Provider.
- X509 Signing Certificate [MANDATORY]: Identity Provider public key encoded in PEM or CER format
- IAM Admin user email [MANDATORY]: An email of a user that will be granted the first IAM Admin role.
- Default roles assigned on the first login [MANDATORY]: When you log in successfully, you will be redirected to the Bloomreach dashboard. You will also be assigned a set of default roles, typically Sitesearch Readonly & Category Readonly. Kindly specify the exact roles you want to be assigned as the default roles on the first login.
- Sign out URL [OPTIONAL]: SAML Single logout URL. If not provided, then this is the same as the Sign In URL.
Note: Make sure that your IdP supplies emails with a field specifically named "email".
You may refer to this guide for more details: https://auth0.com/docs/protocols/saml/saml-sp-generic#1-obtain-information-from-idp
Post Creation of SAML SSO connection
After the creation of the SAML connection, we’ll share the following details with you:
- Post-back URL or Assertion Consumer Service URL: This is the URL to which the Identity Provider will send Authentication Assertions after authenticating a user. Example: https://bloomreach-products.auth0.com/login/callback?connection=BBrands-sso
- The Entity ID of the Service Provider: This will be in the form
urn:auth0:YOUR_TENANT:YOUR_CONNECTION_NAME. Use this value if the Identity Provider asks for Entity ID or SAML Audience.
These details will come in handy to configure your Identity Provider correctly. Use this guide to configure Auth0 as the SAML Service Provider. Once the configuration is complete, we will test and verify the SSO connection.
Note: Direct logins (for email addresses on SSO domains) will not work once SSO is implemented.
3. What are the steps for an SSO login (IdP-initiated)?
After the connection is established, you can follow these steps for an IdP-initiated SSO login:
- Any first-time user can go to https://tools.bloomreach.com. If you are a first-time user, you should only log into the production environment.
- Enter your credentials ending with your email provided in the IdP list. Example for BBrands-sso connection: @lb.com, @victoria.com
- After entering the username, click on the "Login" button. This will take you to your own SSO provider page.
- Enter your SSO credentials there and click login.
- You will be redirected to the Bloomreach dashboard when you successfully log in. You will also be assigned a set of default roles, typically Sitesearch Readonly & Category Readonly. The roles assigned on the first login are customizable.
- These steps also create a user in the Bloomreach system. This user should be visible on the IAM User Management page (only accessible to the IAM admin of the organization).
- Using the User Management feature, the IAM Admin of the organization can grant more roles to the individual users.
4. Does Bloomreach provide 2FA authentication capabilities for privileged and other user access?
No, we don't provide this as of now.
5. Does Bloomreach store passwords for SSO connections?
When users enter emails whose domains are set up for SSO login, then the authentication will go through SSO. We simply identify users based on the email domains. Once a user enters their email on the Bloomreach login page, they are redirected to the customer's own Identity Provider (IdP), where it will ask for a username and password. Once the details are authenticated by the IdP, the user will be redirected to Bloomreach tools. So, we do not store usernames and passwords for SSO connections.
Note: For non-SSO logins, usernames and passwords are stored by our authentication provider (Auth0) on our behalf. The passwords are stored in their hashed version and not in their raw form.
6. What is the Password policy for normal logins?
Bloomreach’s password policy for normal logins is summarized below:
- Alphanumeric Characters enforced (Upper and Lower Case letters & numbers) – Yes, Auth0 considers simple passwords as too weak. It must have 8 characters.
- Special Characters enforced – No
- Lockout after a certain number of failed login attempts enforced - No, there is no account lockout threshold.
- We maintain a history of the last 6 passwords.
Note: For SSO logins, the password policy will be defined by your IdP.
7. What is the Password encryption policy by Auth0?
Passwords are always hashed and salted using bcrypt.
8. Is it possible to have a longer password length for a specific merchant?
No, password length is a global configuration. Merchant-specific configurations are not possible.
9. What is the failed password lockout policy?
Lockout after a certain number of failed login attempts is not enforced. However, Bloomreach has enabled brute-force protection (offered by Auth0) to block logins to flagged accounts. Additionally, compromised accounts are checked, and these accounts are blocked as well. In these cases, admins are notified, and users are asked to reset their passwords.
10. Can we customize the Password policy, or is it standard for all Bloomreach users?
The Password policy is standard across all users.
11. Is Just-in-Time (JIT) provisioning available?
12. What is the cleanup process after a user has left the company?
There is no explicit process on the Bloomreach side. This is handled via the merchant IdP when SSO is involved. We recommend that your IAM administrator cleans up those removed users in our IAM dashboard as well.
13. Are there any User/Role management APIs?
14. Does the Staging dashboard need a different SSO configuration/connection?
No. The setup for Production & Staging SSO is one.
Note - Create a Production login first and log into the Production dashboard via SSO. Staging dashboard access syncs over the weekend.
15. Can Bloomreach limit email addresses in native dashboard logins?
For user creation email restrictions, Bloomreach does not provide merchant-specific domain logic. This is entirely IAM user’s responsibility. SSO would be the solution as the domain control can be offloaded to the IdP.
16. Is there an audit trail that can be used in case of suspected unauthorized access?
We do not provide audit trails. However, we have enabled suspicious activity alerting into our login system, which informs us of any such anomalies. Such users will also get blocked due to suspicious activity. The Bloomreach team can always look into these instances and directly reach out to the customers.
Updated 11 days ago