SSO (Single Sign On)

Bloomreach Dashboard uses Auth0 as its authentication and password system. Refer to this section to learn how an SSO connection is set up.

FAQs

1. Which SSO authentication protocols are supported?

We support the SAML SSO protocol.

2. How do I set up a connection between my Identity Provider (IdP) and the Bloomreach Discovery application?

Bloomreach Discovery can authenticate against a customer's own Identity Provider (IdP) via the SAML protocol, allowing users to log in to the Discovery product GUI.

Creation of SAML connection

We need the following information for setting up the SAML connection:

  1. Discovery organization name [MANDATORY]: This name is visible in the product GUI in the navigation menu at the top-right corner and also in the Setup > Users app.

  2. Email domains [MANDATORY]: A comma-separated list of email domains. Example: for brxdemos.com, a user would be known as <username>@brxdemos.com.

  3. Sign-in URL [MANDATORY]: This is the sign-in URL from the SAML Identity Provider.

  4. X509 Signing Certificate [MANDATORY]: The Identity Provider's public key, encoded in PEM or CER format.

  5. Users admin email [MANDATORY]: The email address of the user who will be granted the first Users admin role.

  6. Default roles assigned on the first login [MANDATORY]: When you log in successfully, you will be redirected to the Bloomreach dashboard. You will also be assigned a set of default roles, typically Search merchandising viewer & Categories merchandising viewer. Kindly specify the exact roles you want to be assigned as the default roles on the first login.

  7. Suggested "turn-on" schedule [MANDATORY]: It is helpful to turn on the SAML connection live with an IT administrator and a user who is expected to have access to the Discovery product, so that any unexpected issues can be resolved quickly. Please suggest dates and times when this can be scheduled with a Bloomreach engineer.

Note: SAML integration works most smoothly if the IdP supplies a user's email address in a SAML response property specifically named "email". This is default behavior for most but not all IdP solutions.

You may refer to this guide for more details: https://auth0.com/docs/protocols/saml/saml-sp-generic#1-obtain-information-from-idp
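The following pre-flight check is an added example (not Bloomreach or Auth0 code) for the three inputs above that are most often supplied in the wrong shape: the comma-separated email-domain list, the IdP's X509 signing certificate (PEM or bare base64 CER), and, given a sample SAML response captured from the IdP, whether the user's email arrives in an attribute named exactly "email". The sample values are constructed; the certificate stub is only a DER prefix, not a real certificate, and the XML check inspects attribute names only and does not verify the response signature (that remains the service provider's job).

```python
"""Pre-flight checks for the information requested for a SAML connection.

Added example; not Bloomreach or Auth0 code. All sample values are constructed.
"""
from __future__ import annotations

import base64
import re
import xml.etree.ElementTree as ET

SAML_NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}


def parse_email_domains(raw: str) -> list[str]:
    """Normalise 'brxdemos.com, Example.org' into a de-duplicated lowercase list.

    Rejects entries that are not bare domains (a full email address, a URL, ...).
    """
    domains: list[str] = []
    for item in raw.split(","):
        d = item.strip().lower()
        if not d:
            continue
        if not re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", d):
            raise ValueError(f"not a bare domain: {item.strip()!r}")
        if d not in domains:
            domains.append(d)
    if not domains:
        raise ValueError("at least one email domain is required")
    return domains


PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S
)


def certificate_der(text: str) -> bytes:
    """Return the DER bytes of a certificate given as PEM or as bare base64 (CER).

    Only the outer structure is checked: the base64 must decode and the result
    must start with an ASN.1 SEQUENCE tag (0x30), as every X.509 certificate does.
    """
    m = PEM_RE.search(text)
    body = m.group(1) if m else text
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("certificate is not valid base64") from exc
    if not der or der[0] != 0x30:
        raise ValueError("decoded certificate does not look like DER (no SEQUENCE tag)")
    return der


def find_email_attribute(saml_response_xml: str) -> tuple[str | None, list[str]]:
    """Return (email, attribute_names) from a SAML Response.

    email is the value of the attribute named exactly "email", or None when the
    IdP used some other name; attribute_names lists what was actually sent so
    the IdP's attribute mapping can be corrected before go-live.
    """
    root = ET.fromstring(saml_response_xml)
    names: list[str] = []
    email = None
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        name = attr.get("Name", "")
        names.append(name)
        if name == "email":
            value = attr.find("saml:AttributeValue", SAML_NS)
            email = value.text.strip() if value is not None and value.text else None
    return email, names


# Constructed sample inputs (not real customer data).
SAMPLE_DOMAINS = "brxdemos.com, Example.org,brxdemos.com"
# "MAMCAQE=" decodes to 30 03 02 01 01: a DER SEQUENCE stub, not a real certificate.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
SAMPLE_RESPONSE_OK = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion><saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>user@brxdemos.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion>
</samlp:Response>"""
# Same user, but the IdP sends the common WS-Federation claim name instead of "email".
SAMPLE_RESPONSE_MISNAMED = SAMPLE_RESPONSE_OK.replace(
    'Name="email"', 'Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"'
)

if __name__ == "__main__":
    print(parse_email_domains(SAMPLE_DOMAINS))
    print(certificate_der(SAMPLE_PEM).hex())
    print(find_email_attribute(SAMPLE_RESPONSE_OK))
    print(find_email_attribute(SAMPLE_RESPONSE_MISNAMED))
```

When the second response shape is what the IdP produces, the fix is on the IdP side: map the email attribute to the name "email" rather than expecting the service provider to guess.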

Service Provider Details

When configuring a SAML connection, an IdP will typically require the following information about the service provider:

  • Post-back URL or Assertion Consumer Service URL: The URL to which the IdP sends Authentication Assertions after authenticating a user. Example: https://bloomreach-products.auth0.com/login/callback?connection=brxdemos-sso. This URL always follows a predictable format based on the organization name provided above, so if your IdP requires it before the connection has been created, substitute your organization name for 'brxdemos' in the connection parameter and proceed with the integration.
  • The Entity ID or SAML Audience of the Service Provider: This represents the Bloomreach Discovery product to the IdP and is always of the form urn:auth0:bloomreach-products:brxdemos-sso. As above, substitute your organization name for 'brxdemos' when configuring your SAML connection.

These details are needed to configure your Identity Provider correctly. For example, use this guide to configure Auth0 as a SAML Service Provider. Once the configuration is complete, we will test and verify the SSO connection.

Note: Direct logins (for email addresses on SSO domains) will not work once SSO is implemented. However, any role assignments that were previously associated with a user's email address will be preserved after the transition to a SAML connection.

3. What are the steps for an SSO login (SP-initiated)?

After the connection is established, you can follow these steps for a Service Provider-initiated SSO login:

  • Any first-time user can go to https://tools.bloomreach.com.
  • Enter your email address ending with one of the email domains provided for the IdP. Example for the brxdemos-sso connection: <username>@brxdemos.com
  • After entering the email address, click on the "Login" button. If you are already logged in via your IdP, this will immediately redirect to the Discovery product GUI. Otherwise, you will be redirected to your own IdP's login page. If necessary, enter the credentials required by your IdP.
  • You will be redirected to the Bloomreach dashboard when you successfully log in. You will be automatically assigned the set of default roles specified above.
  • These steps also create a user in the Bloomreach system. This user will be visible on the Setup > Users page (only accessible to people assigned the Users admin role for this organization).
  • Using the Users app, the Users admin of the organization can assign more roles to the individual users.

4. Does Bloomreach provide MFA authentication capabilities for privileged and other user access?

No, we don't provide this at present. However, MFA is a common Identity Provider feature and can be used to secure logins made via the SAML connection.

5. Does Bloomreach store passwords for SSO connections?

When a user enters an email address whose domain is set up for SSO login, authentication goes through SSO: we identify users solely by their email domain. Once a user enters their email on the Bloomreach login page, they are redirected to the customer's own Identity Provider (IdP), which asks for whatever credentials that IdP requires. Once authenticated by the IdP, the user is redirected to Bloomreach tools. Bloomreach neither accesses nor stores the credentials.

Note: For non-SSO logins, usernames and passwords are stored by our authentication provider (Auth0) on our behalf. The passwords are stored in a hashed form using industry-standard bcrypt hashing.

6. What is the Password policy for normal logins?

Bloomreach’s password policy for normal logins is summarized below:

  • Alphanumeric characters enforced (upper- and lower-case letters & numbers) – Yes. Auth0 rejects simple passwords as too weak; a password must have 8 characters.
  • Special characters enforced – No.
  • Lockout after a certain number of failed login attempts enforced – No, there is no account lockout threshold.
  • Password history – We maintain a history of the last 6 passwords.

Note: For SSO logins, the password policy will be defined by your IdP.
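The rules listed above, turned into a checker as an added example (this is not Auth0's or Bloomreach's implementation). Auth0 stores bcrypt hashes; since bcrypt is not in the Python standard library, salted PBKDF2-HMAC-SHA256 stands in for it here, which is an assumption of this example and not the page's algorithm. The point the listing alone does not show is how a password history works without keeping plaintext: only salted hashes are retained, so each candidate must be verified against every entry in the window, and an entry older than the last 6 is allowed again.

```python
"""Password-policy check modelled on the rules above.

Added example, not Auth0's or Bloomreach's code. Enforces: at least 8 characters;
upper-case, lower-case and digits all present; special characters allowed but not
required; and rejection of any of the last 6 passwords. PBKDF2 stands in for bcrypt.
"""
from __future__ import annotations

import hashlib
import hmac
import os

MIN_LENGTH = 8
HISTORY_SIZE = 6
PBKDF2_ROUNDS = 50_000  # stand-in work factor; bcrypt's cost parameter plays this role


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate against one stored (salt, digest)."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def policy_violations(password: str, history: list[tuple[bytes, bytes]]) -> list[str]:
    """Return the rules the candidate breaks; an empty list means it is accepted."""
    problems: list[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    # Only the most recent HISTORY_SIZE entries count; anything older may be reused.
    if any(matches(password, s, d) for s, d in history[-HISTORY_SIZE:]):
        problems.append(f"matches one of the last {HISTORY_SIZE} passwords")
    return problems


class PasswordHistory:
    """Keeps the salted hashes of one user's past passwords, newest last."""

    def __init__(self) -> None:
        self.entries: list[tuple[bytes, bytes]] = []

    def set_password(self, password: str) -> list[str]:
        """Apply the policy; store the new hash only when no rule is broken."""
        problems = policy_violations(password, self.entries)
        if not problems:
            self.entries.append(hash_password(password))
        return problems


if __name__ == "__main__":
    # Constructed walk-through: accept, reject (no digit), reject (reuse), then
    # reuse becomes legal once six newer passwords have pushed it out of the window.
    h = PasswordHistory()
    print(h.set_password("Abcdefg1"))
    print(h.set_password("Abcdefgh"))
    print(h.set_password("Abcdefg1"))
    for i in range(2, 8):
        h.set_password(f"Abcdefg{i}")
    print(h.set_password("Abcdefg1"))
```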

7. What is the Password encryption policy by Auth0?

Passwords are always hashed and salted using bcrypt.

8. Is it possible to have a longer password length for a specific merchant?

No, password length is a global configuration. Merchant-specific configurations are not possible.

9. What is the failed password lockout policy?

Lockout after a certain number of failed login attempts is not enforced. However, Bloomreach has enabled brute-force protection (offered by Auth0) to block logins to flagged accounts. Additionally, compromised accounts are checked, and these accounts are blocked as well. In these cases, admins are notified, and users are asked to reset their passwords.

10. Can we customize the Password policy, or is it standard for all Bloomreach users?

The Password policy is standard across all users.

11. Is Just-in-Time (JIT) provisioning available?

No.

12. What is the cleanup process after a user has left the company?

There is no explicit process on the Bloomreach side. When SSO is involved, this is handled via the merchant's IdP. We recommend that your Users admin also removes those users in our Users application.

13. Are there any User/Role management APIs?

No.

14. Does the Staging dashboard need a different SSO configuration/connection?

No. The same SAML connection is used for both Production & Staging.

15. Can Bloomreach limit email addresses in native dashboard logins?

Bloomreach does not provide merchant-specific domain logic for restricting the email addresses that can create users; this is entirely the user's responsibility. SSO is the solution here, since domain control can then be offloaded to the IdP.

16. Is there an audit trail that can be used in case of suspected unauthorized access?

We do not provide audit trails. However, we have enabled suspicious-activity alerting in our login system, which informs us of any such anomalies, and the affected users are also blocked for suspicious activity. The Bloomreach team can always look into these instances and reach out to the customer directly.

17. Does Bloomreach support IdP-initiated and/or SP-initiated SSO?

We support both types of login for Discovery customers, but we do not enable IdP-initiated login unless requested, due to potential security concerns. For the Content SaaS product, Bloomreach supports only SP-initiated SSO.