Unified SSO login and user management

👍

Welcome note

Unified login is in the process of being applied to all users throughout September 2025.

Access the pre-existing documentation here: Administration.

This guide explains how users log in to Bloomreach via single sign-on (SSO), how roles are assigned during authentication, and how to manage user SSO access. It also explains how to regain access to your account when SSO login fails because of a misconfiguration.

Prerequisites

Before logging in with SSO and managing SSO access for your users, you must have:

  • Configured SSO integration with your identity provider (Okta, Azure AD, or other).
  • Set up SSO authentication for your identity provider (Okta, Azure AD, or other).
  • Verified your domain for SSO access.

SSO login methods

Your users can log in to the Bloomreach platform with SSO using the following methods:

  • Through the identity provider dashboard (for example, Okta).
  • By clicking Continue with SAML SSO on the Bloomreach login page.

Existing users switching to SSO login

Existing users can switch to SSO authentication for accounts where SSO is enabled. If a user has access to multiple accounts on your instance and only one account has SSO enabled, SSO authentication will work only for that account. Settings in different accounts don't affect each other.

Emergency access

If the SSO login fails and you need to access the account to fix SSO issues, see the emergency access section.

Manage user access

Adding users

  1. Invite users to your Bloomreach organization first.
  2. Assign them to the SSO application in your identity provider.
  3. Users must log in to Bloomreach using SSO to authenticate.
  4. Once authenticated, users access the Bloomreach products according to their permissions.

External users

If you want internal users to authenticate with SSO while maintaining separate access for external partners or clients, enable the external access option in Bloomreach Administration. External users can then access the platform without requiring SSO authentication.

To determine which users can access SSO, refer to the Access Management article on identity domains and the process for verifying domain members.

Manage user roles

When SSO authorization is enabled, user role management depends on the user's last login method:

  • For users whose last login method was SSO, you can manage roles only through the role_mapping attribute.
  • For users whose last login method was email or Google, you can manage roles directly in the Bloomreach application.

❗️

Warning

If the user attempts to log in using SSO and no role_mapping is received during login, the user won’t be allowed to log in.

Role assignment during login

When users log in through SSO, user roles are assigned automatically. Users gain their permissions based on the matched mapping role. For more information about role mapping setup, see the Azure AD or Okta SSO authorization articles.

📘

Note

If a user role changes in the identity provider system, it’s automatically synced with Bloomreach. Users will receive the new role during the next SSO login.
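The following is an added illustration, not Bloomreach code, of the two rules above: login is refused when no role_mapping arrives, and the received value is resolved through a mapping role whose assigned roles apply to every user carrying it. It assumes the identity provider delivers role_mapping as a SAML attribute and uses a constructed mapping-role table; the real attribute layout and storage are not shown on this page.

```python
"""Resolve Bloomreach roles from a role_mapping SAML attribute (added example).
The attribute layout and the mapping-role table are assumptions for illustration."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Set

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed mapping-role table, standing in for what an admin maintains under
# Administration > Users > Mapping roles (assumed shape, not the real schema).
MAPPING_ROLES: Dict[str, Set[str]] = {
    "marketing": {"Campaign Editor", "Analyst"},
    "admins": {"Account Admin"},
}

# Constructed assertions. In a real flow the assertion's signature must be
# verified before any attribute value is trusted (not shown here).
ASSERTION_WITH_ROLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="role_mapping">
      <saml:AttributeValue>marketing</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

ASSERTION_NO_ROLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>bob@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>bob@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_role_mapping(assertion_xml: str) -> List[str]:
    """Return every non-empty role_mapping value in the assertion, [] if absent."""
    root = ET.fromstring(assertion_xml)
    values: List[str] = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") != "role_mapping":
            continue
        for value in attr.iterfind("saml:AttributeValue", SAML_NS):
            if value.text and value.text.strip():
                values.append(value.text.strip())
    return values


def resolve_roles(assertion_xml: str,
                  mapping_roles: Dict[str, Set[str]] = MAPPING_ROLES) -> Optional[Set[str]]:
    """Resolve a user's roles at SSO login.
    Returns None (login refused) when no role_mapping was received; otherwise the
    union of roles assigned to each matched mapping role. Values that match no
    mapping role simply contribute nothing (assumed behaviour)."""
    received = extract_role_mapping(assertion_xml)
    if not received:
        return None
    roles: Set[str] = set()
    for name in received:
        roles |= mapping_roles.get(name, set())
    return roles
```

Because resolution happens at each login, editing the mapping role's assigned roles (the second argument here) changes the outcome for every user who presents that value at their next SSO login, which is the group-wide effect the page describes.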

Changing user roles

For users logged in using SSO, you can manage user roles through the identity provider or in Bloomreach:

  • Changes made to the identity provider configuration enable you to assign different roles to specific users.
  • Changing mapping roles in Bloomreach will affect all users associated with the mapping role.

Change user role for a single user (in your identity provider)

Update the role_mapping field value for a specific user in your identity provider. This affects individual users without impacting others in the same mapping role. Learn how to change the role_mapping in Azure AD or Okta SSO authorization guides.

Change user role for a group of users by modifying the mapping role (in Bloomreach)

  1. Go to Administration > Users > Mapping roles.
  2. Select the mapping role to modify.
  3. Update the assigned roles.
  4. Click Save.

The user role changes for all users associated with the modified mapping role.

Role synchronization

  • Role changes take effect during the next user login.
  • Role propagation can take up to 60 seconds.
  • Users must log out and log back in to receive updated permissions.

📘

Notes

  • Custom roles work with SSO for granular access control.
  • Product-specific permissions are managed within each application.

Emergency access for SSO Account Admins

If SSO configuration issues (incorrect role mapping, disabled SSO, or identity provider issues) prevent login, SSO account admins can request emergency access.

To request emergency access:

  1. Go to your Bloomreach instance URL and add /recovery-access at the end of the URL.
    Example: https://app.exponea.com/recovery-access.
  2. Check your email for a recovery link.
  3. Use the link to log in and fix SSO configuration issues.

This recovery mechanism ensures you can always regain access to fix authorization problems.