Unified SSO for Azure Active Directory


Welcome note

Unified login is in the process of being applied to all users throughout September 2025.

Access the pre-existing documentation here: Administration.

Single sign-on (SSO) authentication for Azure Active Directory (Azure AD) lets your team access Bloomreach using their existing company credentials.

This guide walks you through configuring Azure AD as your identity provider using SAML 2.0 authentication.

Prerequisites

Before configuring SSO in Azure AD, ensure you have:

  • Admin role in Bloomreach
  • Admin access to Azure AD identity provider
  • Active SSO feature on your Bloomreach account (contact your Customer Success Manager for activation)

Configure Azure AD SSO

To use Azure AD SSO login, you must first configure it in your Azure AD dashboard.


Info

You'll switch between Azure AD and Bloomreach multiple times during this configuration. Keep both dashboards open to streamline the process.

  1. Azure AD: Create and set up the enterprise application (Step 1-3).
  2. Bloomreach: Download service provider metadata (Step 4).
  3. Azure AD: Upload metadata, configure claims, and get metadata URL (Step 5-7).
  4. Bloomreach: Complete the configuration (Step 8).

Step 1: Create an enterprise application

Go to your Azure AD dashboard and access enterprise applications:

  1. Go to Manage > Enterprise Applications from the left menu.
  2. Click + New application.
  3. Select + Create your own application.

Screenshot: Azure AD Enterprise Applications page with the New application button highlighted.

Step 2: Set up the application

In the modal window, configure your new application:

  1. Enter a name (for example, "Bloomreach").
  2. Select Integrate any other application you don't find in the gallery (Non-gallery).
  3. Click Create.

Screenshot: Create application dialog with the Bloomreach name entered and the Non-gallery option selected.

Step 3: Select SAML authentication

Configure SSO for the application:

  1. From the left Manage menu, select Single sign-on.
  2. Choose SAML from the available sign-on methods.

Screenshot: Single sign-on method selection page with the SAML option highlighted.

Step 4: Enable SSO and download service provider metadata

Switch to Bloomreach to enable SSO and download service provider metadata:

  1. Go to Administration > Settings > Single sign-on > Preferences.
  2. Enable the Single sign-on integration toggle.
  3. Click Download service provider metadata.
  4. Save the file as service-provider-metadata.xml.

Screenshot: Bloomreach SSO settings with the Download service provider metadata button highlighted.

Step 5: Upload metadata

Return to Azure AD and:

  1. Click Upload metadata file.
  2. Select the service-provider-metadata.xml file you downloaded from Data hub in Step 4.
  3. Review the Basic SAML Configuration extracted from the metadata.
  4. Click Save.

Screenshot: Azure AD SAML configuration with the Upload metadata file button highlighted.

Step 6: Configure attributes and claims

Set up the required user attributes for authentication:

  1. Go to the Attributes & Claims section.
  2. Click Edit.

Screenshot: Azure AD Attributes & Claims section with the Edit button highlighted.

  1. Remove all Additional claims (keep the Required claim unchanged).
  2. Add three new claims using + Add new claim. Claims are listed in the table below.

Configure the mandatory claims and verify that the claim names match the values below exactly:

Claim name    Source      Source attribute
email         Attribute   user.userprincipalname
first_name    Attribute   user.givenname
last_name     Attribute   user.surname

Configure optional claims:

  • Mobile phone claim (user.mobilephone) if you have mobile phone data available.
  • Email address claim (user.email) and unique name ID claim if users can't receive emails to the email addresses defined in the user.userprincipalname field.

Screenshot: Attributes & Claims page with the Add new claim button highlighted.
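The claim names in Step 6 have to match exactly, and the usual failure is a claim that was left namespaced or typed in camelCase. The following check, an added example that is not Bloomreach or Microsoft code, parses the AttributeStatement of a SAML assertion and reports required claims that are missing, misnamed or empty. The two assertion fragments are constructed for the example; a real Azure AD assertion is signed and must be signature-verified before any attribute is trusted, which is not shown here.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Claim names exactly as configured in Step 6 (no namespace).
REQUIRED_CLAIMS = ("email", "first_name", "last_name")


def extract_claims(assertion_xml: str) -> dict:
    """Map each Attribute Name in the AttributeStatement to its first value."""
    root = ET.fromstring(assertion_xml)
    claims = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        value = attr.find("saml:AttributeValue", SAML_NS)
        claims[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    return claims


def _norm(name: str) -> str:
    """Loose comparison key: strip a claim-URI prefix, separators and case."""
    return name.rsplit("/", 1)[-1].replace("_", "").replace("-", "").lower()


def check_claims(claims: dict) -> list:
    """Return problems found; an empty list means the mapping matches Step 6."""
    problems = []
    for name in REQUIRED_CLAIMS:
        if name in claims:
            if not claims[name]:
                problems.append(f"required claim {name!r} has an empty value")
            continue
        # Name a near-miss such as "firstName" or a namespaced claim URI.
        near = [c for c in claims if _norm(c) == _norm(name)]
        hint = f" (found {near[0]!r} instead)" if near else ""
        problems.append(f"missing required claim {name!r}{hint}")
    if "@" not in claims.get("email", "@"):
        problems.append("email claim is not an address; check the source attribute")
    return problems


# Constructed sample assertions (unsigned, attribute statement only).
GOOD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="first_name"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="last_name"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion>"""

# Two common mistakes: a namespace left on the email claim, camelCase first name.
BAD_ASSERTION = GOOD_ASSERTION.replace(
    'Name="email"', 'Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email"'
).replace('Name="first_name"', 'Name="firstName"')
```

Calling check_claims(extract_claims(BAD_ASSERTION)) names both misconfigured claims and what was found instead; the good assertion returns an empty list.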

Step 7: Get metadata URL

Get the metadata URL from Azure AD:

  1. Go to SAML Signing Certificate.
  2. Copy the App Federation Metadata URL to your clipboard. You'll need it in the next step.

Screenshot: SAML Signing Certificate panel showing the App Federation Metadata URL.

Step 8: Complete the configuration

Finish the configuration in Bloomreach:

  1. Go to Administration > Settings > Preferences.
  2. Paste the URL into the Metadata URL field under Identity provider metadata.
  3. Click Apply URL. Verify that the metadata contains a valid single sign-on URL and that the encryption/signing certificates haven't expired.
  4. Click Save changes.

Screenshot: Bloomreach Identity provider metadata configuration with certificate details.

  1. Go to Administration > Settings > Security > Authentication settings.
  2. Enable single sign-on as an allowed authentication method.
  3. Optionally disable other authentication methods to enforce SSO.
  4. Click Save changes.

Screenshot: Bloomreach Authentication settings with the Single sign-on checkbox highlighted.

All users you assign to the application in Azure AD can now log in to the Bloomreach application and access their subscribed Bloomreach products using Azure AD SSO.

Next steps

  1. Assign users to the application in Azure AD.
  2. Assign user roles via SSO (see Unified SSO authorization for Azure AD).
  3. Test the SSO login with a test user.
  4. Communicate the change to your team.