Unified administration SSO

Welcome note

Unified login is in the process of being applied to all users throughout September 2025.

Access the pre-existing documentation here: Administration.

This document explains single sign-on (SSO) authentication in Bloomreach and how to extend it with SSO authorization for automated role management and access control.

What is single sign-on

SSO lets you log in once and access multiple applications without entering your username and password again. SSO works by creating a trusted connection between your identity provider (the system that verifies who you are) and the applications you use. When you access a new application, it checks with your identity provider to confirm you're already logged in. If verified, the application grants you access immediately.

SSO authentication vs SSO authorization

While often used together, SSO authentication and SSO authorization serve different purposes:

  • SSO authentication: Verifies who you are. It's like showing your employee ID badge to enter a building—it confirms your identity through your company credentials.
  • SSO authorization: Determines what you can access. It's like the access card that decides which floors or rooms you can enter once you're inside the building—it controls your permissions and roles within Bloomreach products.

You can use SSO authentication alone and manually assign user roles in Bloomreach, or enable SSO authorization to automate role management entirely through your identity provider.

SSO authentication

Single sign-on (SSO) authentication lets your employees use their company credentials to access all Bloomreach products with a single login. After authenticating once, users can move seamlessly between subscribed products such as Engagement, Discovery, and other Bloomreach applications. You can manage user permissions directly in the Bloomreach platform.

Note

Bloomreach offers SSO as a paid add-on feature. Contact your Customer Success Manager to enable it.

How SSO authentication works

You can set up SSO as an additional login method alongside email and social authentication, or configure it as the only authentication method for your organization. Unified Bloomreach SSO uses SAML 2.0 standards for user authentication.

Authentication flow

  1. Users navigate to Bloomreach Data hub.
  2. They select SSO login and enter their company credentials.
  3. The identity provider verifies their credentials.
  4. Users gain access to Data hub and all subscribed Bloomreach products with their assigned permissions.

SSO authentication specifications

  • User invitation: Users with SSO authorization don't need to be invited. Users without SSO authorization must be invited into the Bloomreach application.
  • Role assignment timing: SSO authorization assigns user roles during the login process. If you change roles, the authentication process may take up to one minute to reflect the change.
  • Two-factor (2FA) and multi-factor (MFA) authentication: When users choose SSO for authentication, Bloomreach 2FA/MFA isn't used. The identity provider manages multi-factor authentication.
  • Single provider per account: Each account can have only one SSO provider enabled.
  • One SSO per user per instance: Each user can only be managed by one SSO application per instance.

SSO authorization

SSO authorization extends basic SSO authentication by automatically managing user roles and provisioning through the identity provider. This eliminates manual user invitations and permission assignments. You can control all access rights directly within the identity provider.

How SSO authorization works

SSO authorization uses role_mapping to connect identity provider attributes with Bloomreach permissions. When users log in through SSO, Bloomreach reads the role_mapping field from the identity provider and assigns permissions based on matching mapping roles.

Authorization flow

  1. User authenticates through your identity provider.
  2. Identity provider sends SAML assertion including role_mapping value.
  3. Bloomreach matches the role_mapping value to configured mapping roles.
  4. Bloomreach assigns permissions based on the matched mapping role.
  5. If the user doesn't exist, Bloomreach creates them automatically with assigned roles.

Role mapping values

The role_mapping field can contain values from:

  • User profile fields (department, division, job title).
  • User group memberships.
  • Fixed string values.
  • Multiple groups (sent as a list).
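The following is an added example, not Bloomreach's own code, showing the authorization flow above in miniature: it reads the role_mapping attribute out of a SAML 2.0 assertion (including the multi-valued case, where a user in several groups gets several AttributeValue elements), matches each value against a configured set of mapping roles, and denies access when nothing matches. The sample assertion, the mapping table (group and department values on the identity-provider side, role names on the application side) and the function names are all constructed for illustration.

```python
"""
Added example (not Bloomreach's own code): extract the role_mapping attribute
from a SAML 2.0 assertion and resolve it to application roles. The mapping
table, sample assertion and function names are constructed for illustration.
"""
import xml.etree.ElementTree as ET
# For assertions received from the network, parse with defusedxml rather than
# the standard library to rule out entity-expansion attacks.

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed SAML assertion fragment: the identity provider sends role_mapping
# as an attribute; a user in several groups gets several AttributeValue elements.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_example" Version="2.0" IssueInstant="2025-09-01T10:00:00Z">
  <saml:Issuer>https://idp.example.com/</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="role_mapping">
      <saml:AttributeValue>grp-marketing-analyst</saml:AttributeValue>
      <saml:AttributeValue>grp-unrelated</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Constructed mapping roles: identity-provider value -> application role.
MAPPING_ROLES = {
    "grp-marketing-analyst": "Analyst",
    "grp-data-admin": "Admin",
    "department:Finance": "Viewer",
}


def extract_role_mapping(assertion_xml: str):
    """Return (subject, list of role_mapping values) from a SAML assertion."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", SAML_NS)
    subject = name_id.text.strip() if name_id is not None and name_id.text else None
    values = []
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") != "role_mapping":
            continue
        for val in attr.findall("saml:AttributeValue", SAML_NS):
            if val.text and val.text.strip():
                values.append(val.text.strip())
    return subject, values


def resolve_roles(values, mapping_roles=MAPPING_ROLES):
    """Map role_mapping values to roles; values with no mapping are ignored."""
    roles = []
    for value in values:
        role = mapping_roles.get(value)
        if role and role not in roles:
            roles.append(role)
    return roles


def authorize(assertion_xml: str, mapping_roles=MAPPING_ROLES):
    """Deny by default: access only when the subject is known and at least
    one role_mapping value matched a configured mapping role."""
    subject, values = extract_role_mapping(assertion_xml)
    roles = resolve_roles(values, mapping_roles)
    return {"subject": subject, "roles": roles, "access": bool(subject) and bool(roles)}


if __name__ == "__main__":
    print(authorize(SAMPLE_ASSERTION))
```

This only covers the attribute-to-role step. In a real service provider the assertion's signature, issuer, audience and validity window are verified before any attribute in it is trusted, and the deny-by-default return here is what stops a user whose groups map to nothing from being provisioned with no roles.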

When SSO authorization is disabled

  • Users must be manually invited to Bloomreach.
  • Roles are assigned manually through account access management.
  • Existing SSO users retain their manually assigned roles.

SSO authorization specifications

  • SSO module required: Available only for accounts with the SSO module enabled.
  • Native account limitation: Roles can be managed through SSO authorization for native accounts only (accounts registered with the identity provider).
  • External account access: Access to accounts other than the native account (not registered with the SSO provider) must be managed directly in Bloomreach.
  • Role propagation delay: Changes take up to 60 seconds to propagate.
  • Login requirement: Role changes apply only during the login process.
  • Access management restrictions: User roles can't be modified in Bloomreach when SSO authorization is enabled.
  • Admin-only control: Only SSO Account Admins can disable SSO authorization and manage mapping roles.

SSO configuration and next steps

Bloomreach knowledge base provides comprehensive SSO authentication and SSO authorization guides for Azure Active Directory and Okta:

For any other identity provider, refer to the respective platform’s documentation.

For SSO login and user role management, refer to the Unified SSO login and user management guide.