Unified SSO authorization for Okta
Welcome note
Unified login is in the process of being applied to all users throughout September 2025.
Access the pre-existing documentation here: Administration.
SSO authorization is an extension of SSO authentication. It enables you to define user privileges and control what they can access within Bloomreach products.
This guide explains how to configure SSO authorization for Okta.
Note
The SSO authorization uses role_mapping to determine user permissions. For role mapping configuration details, see the Unified SSO overview guide.
Prerequisites
Before configuring SSO authorization for Okta, you must complete the SSO authentication setup in Okta. You’ll also need:
- Admin role in Bloomreach.
- Admin access to your Okta account.
- Understanding of your organization's role structure.
- Active SSO feature enabled on your account.
Configure role mapping in Okta
Add the role mapping attribute
Okta sends the role_mapping value as a SAML attribute. This value must match the mapping role names you configure in Bloomreach.
- Access your Okta administration dashboard.
- Go to Applications.
- Select your Bloomreach SSO application and go to the General tab.
- Find SAML Settings and click Edit.
- Click Next to reach the Configure SAML section.
- Scroll to Attribute Statements.
- Add a new attribute:
  - Name: role_mapping.
  - Name format: Basic.
  - Value: Select your preferred value (for example, user.division).
- Click Next and then Finish.

Role mapping configuration in Okta.
The role_mapping value will be included in the SAML claim. The value comes from a user profile field, user group, or fixed string value. The value must match the mapping role names you configure in Bloomreach.
Sarah's division in Okta is "Product Management." When you configure role_mapping to use user.division, Okta sends "Product Management" during login. You'll map this value to permissions in Bloomreach next.
Set up authorization in Bloomreach
Configure mapping roles in Bloomreach to connect identity provider values with application permissions.
Create mapping roles
- Navigate to Administration > Users > Mapping roles.
- Click New mapping role.
- Enter a mapping role name that exactly matches the role_mapping value from your identity provider in the “Incoming role name” field.
- Add an optional description for the mapping role.
- In the Permissions section, select an application (for example, Engagement).
- Choose at least one scope:
  - Workspace: Applies to all projects within a workspace.
  - Project: Applies to specific projects.
- Select one or more roles for the chosen scope.
- Click Add permission to add roles for additional scopes or applications.
- Click Save.
Important
The role mapping must include all scopes and roles that users with this mapping will need.

Create role mapping in Bloomreach.
Sarah's Okta sends "Product Management" as her role_mapping value. In Bloomreach, you create a mapping role with "Product Management" as the incoming role name and assign it Campaign Editor access in Engagement. When Sarah logs in, she automatically receives these permissions.
Enable SSO authorization
After creating and configuring the role mapping setup, activate SSO authorization in Bloomreach.
Important prerequisite
Before enabling SSO authorization, verify that mapping roles in Bloomreach match role_mapping claim values in Okta. Incorrect configuration can prevent login access.
- Go to Administration > Settings > Single sign-on > Preferences.
- Scroll to the bottom of the page.
- Enable Single sign-on authorization.
- Click Save changes.

Enable SSO authorization in Bloomreach.
Users with the SSO Account Admin role can disable this option later if needed.
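One way to run the verification described under "Important prerequisite" before enabling authorization, as an added example (not Bloomreach or Okta code): it reads the role_mapping attribute from a SAML assertion and compares it with your mapping role names. The sample assertion and role lists are constructed, and treating "exactly matches" as a byte-for-byte comparison is an assumption.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: the AttributeStatement part of a SAML assertion,
# shaped like an IdP preview. Not real captured data.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="role_mapping"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>Product Management</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def role_mapping_values(assertion_xml):
    """Return every role_mapping AttributeValue found in the assertion."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iter("{%s}Attribute" % NS["saml"]):
        if attr.get("Name") == "role_mapping":
            for v in attr.findall("saml:AttributeValue", NS):
                values.append(v.text or "")
    return values

def check_mapping(assertion_xml, incoming_role_names):
    """Classify each claim value as 'match', 'near-miss' or 'unmapped'."""
    # Assumption: a mapping role applies only on an exact string match.
    normalized = {" ".join(n.split()).casefold() for n in incoming_role_names}
    report = {}
    for value in role_mapping_values(assertion_xml):
        if value in incoming_role_names:
            report[value] = "match"
        elif " ".join(value.split()).casefold() in normalized:
            report[value] = "near-miss"  # differs only in case or whitespace
        else:
            report[value] = "unmapped"
    if not report:
        report[None] = "missing"  # attribute absent from the assertion
    return report

if __name__ == "__main__":
    print(check_mapping(SAMPLE_ASSERTION, ["Product Management"]))
    print(check_mapping(SAMPLE_ASSERTION, ["product management "]))
```

Anything other than "match" for a user who must keep access is worth fixing before the Single sign-on authorization switch is turned on.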
Next steps
- Invite your users to use the SSO login
- Manage user access and user roles
