Unified SSO authorization for Azure Active Directory

👍

Data hub rollout

Engagement customers are being upgraded to unified login in several phases. Your registered support contacts will be notified when the login experience is upgraded for your organization. If your account hasn't been upgraded yet, the pre-existing Administration documentation still applies.

Single sign-on (SSO) authorization is an extension of SSO authentication. It enables you to define user privileges and control what they can access within Bloomreach products.

This guide explains how to configure SSO authorization for Microsoft Entra ID (formerly Azure Active Directory).

📘

Note

SSO authorization uses the role_mapping claim sent by your identity provider to determine user permissions. For role mapping configuration details, see the Unified SSO overview guide.

Prerequisites

Before configuring SSO authorization for Microsoft Entra ID, you must complete the SSO authentication setup first. You will also need:

  • Admin role in Bloomreach.
  • Admin access to your Microsoft Entra ID account.
  • Understanding of your organization’s role structure.
  • Active SSO feature enabled on your account.

Configure role mapping in Microsoft Entra ID

Add the role mapping claim in Microsoft Entra ID

Microsoft Entra ID sends the role_mapping value as a SAML attribute in the assertion. Each value it sends must exactly match the incoming role name of a mapping role you configure in Bloomreach; a value with no matching mapping role grants no permissions.

  1. Open the Microsoft Entra admin center.
  2. Go to Manage > Enterprise Applications.
  3. Select your Bloomreach SSO application.
  4. From the Manage menu, select Single sign-on.
  5. Click Edit in the Attributes & Claims section.
  6. Click + Add new claim.
  7. Configure the new claim:
    • Name: role_mapping.
    • Source: Attribute.
    • Source attribute: Select your preferred value (for example, user.department).
  8. Click Save.
Figure: Role mapping claims in Microsoft Entra ID (Attributes & Claims section showing the role_mapping claim with user.department as its source attribute).

Example:

Sarah's department in Microsoft Entra ID is "Product Management." When you configure role_mapping to use user.department, Microsoft Entra ID sends "Product Management" during login. You'll map this value to permissions in Bloomreach next.

Using group membership for role mapping

You can use Microsoft Entra ID group membership instead of a user attribute as the source of the role_mapping claim. A group claim carries one value per group the user belongs to, so a single login can match several mapping roles, which gives you more flexibility when assigning permissions based on group combinations. Use the Filter groups option to restrict the claim to the groups that are relevant to Bloomreach, and make sure the value the claim emits for each group (Entra ID emits the group object ID unless you choose a different source attribute) is what you enter as the incoming role name in Bloomreach.

Figure: Group role mapping claims in Microsoft Entra ID (Group Claims configuration panel with the Filter groups checkbox and the role_mapping field).

Set up authorization in Bloomreach

Configure role mapping in Bloomreach to connect identity provider values with application permissions.

Create role mapping

  1. Go to Administration > Users > Mapping roles.
  2. Click New mapping role.
  3. In the Incoming role name field, enter a mapping role name that exactly matches the role_mapping value your identity provider sends.
  4. Add an optional description for the mapping role.
  5. In the Permissions section, select an application (for example, Engagement).
  6. Choose at least one scope (the part this role can access in Bloomreach):
    • Workspace: Users can access all projects within a workspace.
    • Project: Users can access only the specific projects you select.
  7. Select one or more roles for the chosen scope.
  8. Click Add permission to add roles for additional scopes or applications.
  9. Click Save to finish role mapping setup.
🚧

Important

The role mapping must include all scopes and roles that users with this mapping will need.

Figure: Create role mapping in Bloomreach (New role mapping dialog showing the Incoming role name field and the Engagement application selected).

Example:

Sarah's Microsoft Entra ID sends "Product Management" as her role_mapping value. In Bloomreach, you create a mapping role with "Product Management" as the incoming role name and assign it Campaign Editor access in Engagement. When Sarah logs in, she automatically receives these permissions.

Enable SSO authorization

After creating and configuring the role mapping setup, activate SSO authorization in Bloomreach.

Before you enable it, confirm that:

  • You have created a mapping role that grants the SSO admin role, and that at least one account you control receives it, so you don't lock yourself out of the configuration.
  • Every incoming role name in Bloomreach exactly matches a role_mapping claim value that Microsoft Entra ID sends.

Once authorization is enabled, permissions come from the role mapping, so an incorrect or incomplete configuration can prevent users, including administrators, from logging in.

To enable it:

  1. Go to Administration > Settings > Single sign-on > Preferences.
  2. Scroll to the bottom of the page.
  3. Enable Single sign-on authorization.
  4. Click Save changes.
Figure: Enable SSO authorization in Bloomreach (SSO settings with the Enable Single sign-on authorization toggle).

Users with the SSO Account Admin role can disable this option later if needed.
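The following script is an added example, not code from Bloomreach or Microsoft. It models the two mechanisms described above: the role_mapping SAML attribute that Microsoft Entra ID sends (single-valued when sourced from user.department, multi-valued when sourced from group membership) and the exact-match lookup against mapping roles in Bloomreach. It also runs the pre-enable checks from the previous section: that some mapping role grants the SSO admin role, and that every claim value you expect to see has a mapping role. The assertions, the mapping table and the permission strings are constructed for illustration; Bloomreach's internal representation of permissions is not documented on this page and is assumed here.

```python
"""Resolve a SAML role_mapping claim against Bloomreach-style mapping roles.

Added example, not Bloomreach or Microsoft code. Assumptions:
  - the claim is a SAML 2.0 <Attribute Name="role_mapping"> inside an
    <AttributeStatement> (Entra ID emits custom claims this way);
  - a group claim is the same attribute with one <AttributeValue> per group;
  - incoming role names are matched exactly, with no case folding or trimming,
    because the page says the names must "exactly match".
The assertions and mapping table below are constructed samples, not captured data.
"""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed: what Entra ID sends when role_mapping is sourced from user.department.
ASSERTION_DEPARTMENT = """
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="role_mapping">
      <saml:AttributeValue>Product Management</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Constructed: a group claim carries one value per group membership. The
# lower-case third value deliberately does not match any mapping role.
ASSERTION_GROUPS = """
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="role_mapping">
      <saml:AttributeValue>Product Management</saml:AttributeValue>
      <saml:AttributeValue>SSO Admins</saml:AttributeValue>
      <saml:AttributeValue>product management</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Constructed mapping roles: incoming role name -> granted permissions.
# The permission strings are illustrative, not Bloomreach's own identifiers.
SSO_ADMIN_PERMISSION = "sso_account_admin"
MAPPING_ROLES = {
    "Product Management": {"engagement:project:campaign_editor"},
    "SSO Admins": {SSO_ADMIN_PERMISSION},
}


def role_mapping_values(assertion_xml):
    """Return every role_mapping value in the assertion, in document order."""
    root = ET.fromstring(assertion_xml.strip())
    values = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") != "role_mapping":
            continue
        for val in attr.iterfind("saml:AttributeValue", SAML_NS):
            values.append(val.text or "")
    return values


def resolve(values, mapping_roles=MAPPING_ROLES):
    """Exact-match each claim value and union the permissions it grants.

    Returns (granted, unmatched). Unmatched values are reported rather than
    dropped silently, so an admin can see why a user has fewer rights than expected.
    """
    granted, unmatched = set(), []
    for value in values:
        if value in mapping_roles:
            granted |= mapping_roles[value]
        else:
            unmatched.append(value)
    return granted, unmatched


def preflight(mapping_roles=MAPPING_ROLES, sample_assertions=()):
    """Checks to run before switching on SSO authorization.

    Returns a list of problems; an empty list means nothing obvious will lock you out.
    """
    problems = []
    if not any(SSO_ADMIN_PERMISSION in perms for perms in mapping_roles.values()):
        problems.append("no mapping role grants the SSO admin role (lockout risk)")
    for xml_text in sample_assertions:
        _, unmatched = resolve(role_mapping_values(xml_text), mapping_roles)
        for value in unmatched:
            problems.append(f"claim value {value!r} has no mapping role")
    return problems


if __name__ == "__main__":
    print(resolve(role_mapping_values(ASSERTION_DEPARTMENT)))
    print(resolve(role_mapping_values(ASSERTION_GROUPS)))
    print(preflight(sample_assertions=[ASSERTION_DEPARTMENT, ASSERTION_GROUPS]))
```

Run it against an assertion captured from your own tenant (for example from the browser's SAML tracer) to confirm that the values Entra ID actually emits, rather than the display names you expect, are what your mapping roles are named after; a group claim sourced from object IDs will show up as unmatched GUIDs here.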
