Bloomreach Dashboard uses Auth0 as our authentication and password system. You can refer to this section to learn about the process of setting up an SSO connection.
We support SAML SSO protocol.
We support SAML integration for our customers. We can authenticate against the customer’s internal IdP (Identity Provider) via SSO to allow them to log into Bloomreach Dashboard.
Creation of SAML SSO connection
We need the following information for setting up the SAML SSO connection:
- Email domains [MANDATORY]: This comprises a comma-separated list of email domains. Example: for disney.com, the user will be logging in as [email protected].
- Sign-in URL [MANDATORY]: This is the sign-in URL from the SAML Identity Provider.
- X509 Signing Certificate [MANDATORY]: Identity Provider public key encoded in PEM or CER format
- IAM Admin user email [MANDATORY]: An email of a user that will be granted the first IAM Admin role.
- Default roles assigned on the first login [MANDATORY]: When you log in successfully, you will be redirected to the Bloomreach dashboard. You will also be assigned a set of default roles, typically Sitesearch Readonly & Category Readonly. Kindly specify the exact roles you want to be assigned as the default roles on the first login.
- Sign out URL [OPTIONAL]: SAML Single logout URL. If not provided, then this is the same as the Sign In URL.
Note: Make sure that your IdP supplies emails with a field specifically named "email".
You may refer to this guide for more details: https://auth0.com/docs/protocols/saml/saml-sp-generic#1-obtain-information-from-idp
Post Creation of SAML SSO connection
After the creation of the SAML connection, we’ll share the following details with you:
- Post-back URL or Assertion Consumer Service URL: This is the URL to which the Identity Provider will send Authentication Assertions after authenticating a user. Example: https://bloomreach-products.auth0.com/login/callback?connection=BBrands-sso
- The Entity ID of the Service Provider: This will be in the form
urn:auth0:YOUR_TENANT:YOUR_CONNECTION_NAME. Use this value if the Identity Provider asks for Entity ID or SAML Audience.
These details will come in handy to configure your Identity Provider correctly. Use this guide to configure Auth0 as the SAML Service Provider. Once the configuration is complete, we will test and verify the SSO connection.
Note: Direct logins (for email addresses on SSO domains) will not work once SSO is implemented.
After the connection is established, you can follow these steps for an IdP-initiated SSO login:
- Any first-time user can go to https://tools.bloomreach.com. If you are a first-time user, you should only log into the production environment.
- Enter your credentials ending with your email provided in the IdP list. Example for BBrands-sso connection: @lb.com, @victoria.com
- After entering the username, click on the "Login" button. This will take you to your own SSO provider page.
- Enter your SSO credentials there and click login.
- You will be redirected to the Bloomreach dashboard when you successfully log in. You will also be assigned a set of default roles, typically Sitesearch Readonly & Category Readonly. The roles assigned on the first login are customizable.
- These steps also create a user in the Bloomreach system. This user should be visible on the IAM User Management page (only accessible to the IAM admin of the organization).
- Using the User Management feature, the IAM Admin of the organization can grant more roles to the individual users.
No, we don't provide this as of now.
When users enter emails whose domains are set up for SSO login, then the authentication will go through SSO. We simply identify users based on the email domains. Once a user enters their email on the Bloomreach login page, they are redirected to the customer's own Identity Provider (IdP), where it will ask for a username and password. Once the details are authenticated by the IdP, the user will be redirected to Bloomreach tools. So, we do not store usernames and passwords for SSO connections.
Note: For non-SSO logins, usernames and passwords are stored by our authentication provider (Auth0) on our behalf. The passwords are stored in their hashed version and not in their raw form.
Bloomreach’s password policy for normal logins is summarized below:
- Alphanumeric Characters enforced (Upper and Lower Case letters & numbers) – Yes, Auth0 considers simple passwords as too weak. It must have 8 characters.
- Special Characters enforced – No
- Lockout after a certain number of failed login attempts enforced - No, there is no account lockout threshold.
- We maintain a history of the last 6 passwords.
Note: For SSO logins, the password policy will be defined by your IdP.
Passwords are always hashed and salted using bcrypt.
No, password length is a global configuration. Merchant-specific configurations are not possible.
Lockout after a certain number of failed login attempts is not enforced. However, Bloomreach has enabled brute-force protection (offered by Auth0) to block logins to flagged accounts. Additionally, compromised accounts are checked, and these accounts are blocked as well. In these cases, admins are notified, and users are asked to reset their passwords.
The Password policy is standard across all users.
There is no explicit process on the Bloomreach side. This is handled via the merchant IdP when SSO is involved. We recommend that your IAM administrator cleans up those removed users in our IAM dashboard as well.
No. The setup for Production & Staging SSO is one.
Note - Create a Production login first and log into the Production dashboard via SSO. Staging dashboard access syncs over the weekend.
For user creation email restrictions, Bloomreach does not provide merchant-specific domain logic. This is entirely IAM user’s responsibility. SSO would be the solution as the domain control can be offloaded to the IdP.
We do not provide audit trails. However, we have enabled suspicious activity alerting into our login system, which informs us of any such anomalies. Such users will also get blocked due to suspicious activity. The Bloomreach team can always look into these instances and directly reach out to the customers.
We support both. Bloomreach prefers SP-initiated SSO to ensure complete correctness of the integration.
Updated 6 days ago