Federated single sign-on

Note: This functionality is now automatically available with the Professional and Enterprise packages.

Why switch to single sign-on (SSO)?

• Enhanced security
• Reduced administration costs
• Improved user experience

When new users sign in to the Bazaarvoice Portal using SSO, user accounts are created automatically using your corporate identity provider (IdP) base settings.

What happens next?

• You’ll no longer need to manually set up user accounts in Portal. New user accounts are automatically created for users from your organization who sign in to Portal for the first time using SSO.
• User profiles will be populated with information from your corporate IdP account.
• Your Bazaarvoice account will be linked to your corporate IdP so that you can update a user’s credentials (name or password) through your corporate IdP account. You will only need to manage one set of credentials.

SSO setup

To integrate your IdP with Bazaarvoice SSO, complete the following steps.

Add an SSO app to your identity provider

1. Sign in to your corporate IdP account, such as Azure AD, Okta, or Ping.
2. Give your SSO application a descriptive name, for example, “Bazaarvoice SSO”. You will then be prompted to add SSO application details. Add sample credentials for now.
   Note: You will be required to add the actual SAML values (provided during setup) in step four of the setup wizard.

   

3. During setup, Bazaarvoice provides the sign-in user attributes, which you must map to your corporate IdP attributes. These will vary depending on your IdP:

   Azure AD Mappings

   

   Ping One Mappings

   

   Okta Mappings

   

4. (Optional) Set up group access to your IdP portal if applicable. Add all users who need access to the Bazaarvoice Portal to this user group.
   Note: Members in this group can access the Bazaarvoice platform in their personal dock and will be able to sign in to Bazaarvoice solutions through single sign-on once enabled.

Create a new SSO configuration

To get started:

1. Sign in to the Bazaarvoice Portal .
2. From the Portal menu located in the upper-left corner, select Users & Permissions.
   Note: Only Account Administrators can access Users & Permissions.
3. Select the Single sign-on tab.
4. Select Create SSO Configuration in the upper-right corner. The five-step SSO setup wizard will guide you through the following tasks:
   • Configuration setup
   • Base permissions
   • Identity provider settings
   • SAML protocol settings
   • Email domains

   

Five-step wizard

To complete the five-step wizard, follow the instructions in this video or in the written steps that follow.

Step 1: Add configuration details

Add your SSO configuration details:

• Specify a unique configuration name.

• Select your identity provider, for example, Okta. If your IdP is not listed, select Other.

  

Step 2: Assign base permissions

Assign Base permission details for any of your Bazaarvoice products. This step will apply base level permissions for all newly created users within your domain.

Note: If specific permissions are applied to a single user account, the user permissions will override the configuration base permissions.

1. Set base permissions in the following sections:
   • Portal permissions
   • Base instances—Select which instances users can access.
   • Base solutions—Select which Bazaarvoice solutions users can access.
   • Base portal roles—Assign base roles to users. Roles will only appear when solutions are assigned.
   • Social Commerce-Assign Social Commerce settings
2. Select Save and continue.
   Note: The first time a new user signs in using SSO, a new account is created automatically using these base settings. You’ll no longer have to create new users (with your domain name) manually. These accounts can subsequently be edited if necessary.

   

Step 3: Copy identity provider settings

1. Copy the Issuer URI from your IdP account and paste it into the Identity provider issuer URI field. For example, https://your-idp.endurancecycles.com.
2. Copy the SP-initiated SSO URL (not the IdP-initiated SSO URL) from your IdP account and paste it into the Identity provider issuer URI field. For example, https://your-idp.endurancecycles.com/your-idp-path/.
   Caution: To avoid a configuration error, ensure that you copy and paste the exact Issuer URI and SSO URL.
3. Upload a valid and up-to-date x.509 certificate issued by your corporate IdP in Identity provider settings.
   Note: This x.509 certificate is a text file that authenticates the identity of your users and your IdP. It must be a valid file type such as: .pem, .cer, .crt, .cert, .der, .p7b, .p7c, .p12.

   

Note: You must enter all information required in this step before being able to select Save and continue.

Step 4: Copy SAML protocol settings

1. Copy your SAML protocol settings using the Copy buttons and paste them into the configuration section of your corporate IdP.
   Note: For further support from your identity provider, refer to the documentation for Azure AD , Ping , or Okta .
2. Replace the sample ACS and URI values you entered earlier with these SAML protocol values:
   • ACS (Assertion Consumer Service) URI
   • Audience URL
   • Default Relay State
3. Confirm you have completed this step by checking the box beside “I have added the above information to my IdP’s configuration section”.

4. Select Save and continue.

   

Step 5: Add and verify email domains

You will now add and verify your email domains, for example, endurancecycles.com.

1. Add your domains by selecting the Add domain link.
2. Verify your domains.
   • To test or enable your configuration, at least one of your domains must be verified.
   • A verification token will be automatically populated, allowing you to create a .txt record following the domain list table.
   • Copy this token and add it to your domain’s DNS settings.
   Note: Depending on your domain provider, it could take hours to several days to verify your domain. Return to this page to check if your domain has been verified.
3. Test your configuration.
   • Once you have at least one verified domain, you are ready to test and enable your configuration.
   • Test your configuration by selecting Test configuration. You will then be signed out of the Bazaarvoice portal and redirected to the Portal sign in page, where you will sign in to Portal using your corporate email address.
   Note: If testing is successful, you will return directly to the setup wizard. If there is a problem, you can sign in using your username and password as normal.
4. Enable your configuration. To enable your configuration for everyone in your organization, select Finish.
   Caution: Once your configuration is enabled, you will no longer be able to test it.

   

Edit SSO configuration

To update your configuration:

1. If you have successfully enabled SSO for your configuration, sign in to Portal using FSSO . If you haven’t yet completed setup and enabled SSO for your configuration, sign in with your username and password .
2. From the Portal menu located in the upper-left corner, select Users & Permissions > Single sign-on. A table listing your SSO configurations appears. The State column will show one of four labels:
   • Draft – You have created this configuration but not completed the five-step wizard yet.
   • Testing – You have initiated the test flow for this configuration and it is currently being tested.
   • Enabled – You have successfully completed setup and can now use this configuration to sign in with SSO.
   • Disabled – This configuration can no longer be used to sign in with SSO.

   

3. From the list view, select the SSO configuration you want to edit. The configuration details page appears.

   

4. Make the required changes in any of the following sections:
   • Configuration setup—Edit your configuration name.
   • Base permissions—Edit the lowest level of access rights assigned only to new users for all products.
   • SAML protocol settings—Copy the SAML protocol settings provided and add them to your IdP’s account configuration.
   • Domain verification—Add or disable domains.
   Tip: If you want to change your identity provider, we advise setting up a new configuration using the new IdP.
5. Select Update configuration to save your changes.

Disable SSO configuration

To disable your IdP configuration:

1. Sign in to the Bazaarvoice Portal .
2. From the Portal menu located in the upper-left corner, select Users & Permissions.
3. Select the Single sign-on tab. A list of SSO configurations appears.
4. From the list view, select the SSO configuration you want to disable. The configuration details page appears.
5. To deactivate SSO for everyone (whose email matches your corporate email domains in this SSO configuration) select Delete.
   Note: If a configuration is disabled, all existing users in that domain will need to create a new password using the Forgot password link to sign in.

Manage users and permissions

Account Administrators can manage the company’s users and access permissions (to Bazaarvoice solutions) through Portal.

Note: As an Account Administrator, you may be able to view but not edit some users. This happens when a user has access to more sites than you. If you cannot select a username, then that user must have higher level access to at least one site for which you are not an Account Administrator. To update the status of your permissions, contact Bazaarvoice Support to open a support ticket.

In Users & Permissions, Account Administrators can do the following:

• View a user’s status—Users are assigned one of the following statuses: Active, Locked out, Provisioned, Recovery, Staged, or Suspended.
• Update a user’s account—You can modify Bazaarvoice solutions, instances, and assigned roles by editing the Permissions fields.
• Disable users—If you disable users, they will no longer have access to Bazaarvoice solutions, and the suspended status is assigned.
• View user accounts—Federated users who have been disabled in their corporate IdP account may still appear in the list view, but won’t be able to sign in.

Note: A potential feature that automatically removes users from the list is currently being considered. Register your interest with your Bazaarvoice representative if this could benefit your team.

You cannot create a new account using an email address that belongs to an active single sign-on (SSO) federated domain. New user accounts are created automatically the first time a user signs in to Bazaarvoice through their corporate IdP.

Common Questions

No. Once enabled, you’ll no longer be able to sign in to Portal using your existing Bazaarvoice password. Instead, you must sign in through your IdP.

When new users sign in to Portal using SSO, user accounts are created automatically using profile information from their IdP’s default settings.

Users should reach out to their CSM before changing their email address. When the user signs in using their new email address, a new user account will be created (using Just–in-Time provisioning). The user's previous permissions will be merged to the new account.

Yes. Federated users can be deleted manually from Portal. However, this is not recommended. Once a user is deleted, all audit history will be lost. Additionally, users who are deleted will be recreated the first time they sign in through their IdP. To completely remove a user, you must delete their IdP credentials.

Your Bazaarvoice account is now linked to your corporate IdP, so you can access Bazaarvoice solutions using your company’s credentials. Update your name or password in your corporate IdP account and your Bazaarvoice Portal account will be updated automatically.

From the Portal menu , select Users & Permissions. Select your name to view your account details, access rights, and assigned roles. Note that you can only view this page as an Account Administrator.

If you’re not assigned the Account Administrator role, sign in to Portal, go to your Profile page and select View Administrators to discover who can assign you this role.

To change your domain(s), access the configuration details page by following the steps in the Edit SSO configuration section. Navigate to the Email domains section where a list of your domains will appear. To change a domain, select the trash can icon beside the domain you want to change and then select the Add domain link to add the updated domain.

To verify your domain(s), go to the Email domains section of your configuration setup. Bazaarvoice will provide you with a token which will allow you to create a .txt record . This should then be added to your domain’s DNS settings. The length of time it takes to complete verification will depend on your domain provider.

If you’re unable to verify any of your domains, please contact Bazaarvoice Support , your CSM, or your TSM.

No. However, if you delete one of your domains and need to re-add it at a later stage, you will need to generate the .txt record again.