HomeEngagementContentDiscoveryOther resources
Guides

Unified SSO authorization for Azure Active Directory

Suggest Edits

👍

Welcome note

Unified login is in the process of being applied to all users throughout September 2025.

Access the pre-existing documentation here: Administration.

Single sign-on (SSO) authorization is an extension of SSO authentication. It enables you to define user privileges and control what they can access within Bloomreach products.

This guide explains how to configure SSO authorization for Azure Active Directory (Azure AD).

📘

Note

The SSO authorization uses role_mapping to determine user permissions. For role mapping configuration details, see the Unified SSO overview guide.

Prerequisites

Before configuring SSO authorization for Azure AD, you must complete the SSO authentication setup in Azure AD. You’ll also need:

  • Admin role in Bloomreach.
  • Admin access to your Azure AD account.
  • Understanding of your organization's role structure.
  • Active SSO feature enabled on your account.

Configure role mapping in Azure AD

Add the role mapping claim in Azure AD

Azure AD sends the role_mapping value as a SAML attribute. This value must match the mapping role names you configure in Bloomreach.

  1. Go to your Azure AD dashboard.
  2. Go to Manage > Enterprise Applications.
  3. Select your Bloomreach SSO application.
  4. From the Manage menu, select Single sign-on.
  5. Click Edit in the Attributes & Claims section.
  6. Click + Add new claim.
  7. Configure the new claim:
    • Name: role_mapping.
    • Source: Attribute.
    • Source attribute: Select your preferred value (for example, user.department).
  8. Click Save.
Azure AD Attributes and Claims section showing role_mapping claim with user.department value highlighted.

Role mapping claims in Azure AD.

Example:

Sarah's department in Azure AD is "Product Management." When you configure role_mapping to use user.department, Azure AD sends "Product Management" during login. You'll map this value to permissions in Bloomreach next.

Using group membership for role mapping

You can use Azure AD group membership instead of user attributes. This allows sending multiple groups as part of the claim, giving you flexibility to assign different roles based on group combinations.

Azure AD Group Claims configuration panel with Filter groups checkbox and role_mapping field highlighted.

Group role mapping claims in Azure AD.

Set up authorization in Bloomreach

Configure role mapping in Bloomreach to connect identity provider values with application permissions.

Create role mapping

  1. Go to Administration > Users > Mapping roles.
  2. Click New mapping role.
  3. Enter a mapping role name that exactly matches the role_mapping value from your identity provider to the “Incoming role name” field.
  4. Add an optional description for the mapping role.
  5. In the Permissions section, select an application (for example, Engagement).
  6. Choose at least one scope (the part this role can access in Bloomreach):
    • Workspace: Users can access all projects within a workspace (for example, department-wide access).
    • Project: User can access only specific projects you select (for example, project-specific members or limited access).
  7. Select one or more roles for the chosen scope.
  8. Click Add permission to add roles for additional scopes or applications.
  9. Click Save to finish role mapping setup.

🚧

Important

The role mapping must include all scopes and roles that users with this mapping will need.

Bloomreach New role mapping dialog showing incoming role name field and Engagement application selected.

Create role mapping in Bloomreach.

Example:

Sarah's Azure AD sends "Product Management" as her role_mapping value. In Bloomreach, you create a mapping role with "Product Management" as the incoming role name and assign it Campaign Editor access in Engagement. When Sarah logs in, she automatically receives these permissions.

Enable SSO authorization

After creating and configuring the role mapping setup, activate SSO authorization in Bloomreach.

Important prerequisites

  • Ensure you have created a role mapping setup containing SSO admin role to prevent locking out of configuration.
  • Verify that mapping roles in Bloomreach match role_mapping claim values in Azure AD. Incorrect configuration can prevent login acces.
  1. Go to Administration > Settings > Single sign-on > Preferences.
  2. Scroll to the bottom of the page.
  3. Enable Single sign-on authorization.
  4. Click Save changes.
Bloomreach SSO settings with Enable Single sign-on authorization toggle highlighted.

Enable SSO authorization in Bloomreach.

Users with the SSO Account Admin role can disable this option later if needed.

Next steps

Updated about 6 hours ago