Single sign-on (SSO)

Increase security and ensure convenient access


Introduction

How SSO works in Bluestone PIM

How to set up an SSO connection

User provisioning and management

Log in with SSO

Troubleshooting & FAQ



Introduction

Single Sign-On (SSO) is an authentication method that allows your team members to securely log in to Bluestone PIM using their primary company credentials.

Instead of remembering a separate password for Bluestone PIM, your team can log in using the same identity provider (IdP) they already use, such as Microsoft/Azure AD. This provides a simpler, one-click login experience and reduces time spent on password reset requests.

By connecting your company's login system to Bluestone PIM, you can manage all user access from one central location. This allows you to enforce your company's specific security policies, such as password complexity rules or Multi-Factor Authentication (MFA), directly from your company's login system.

It also streamlines onboarding and off-boarding, as PIM access can be granted or revoked directly from your central directory as part of your standard IT process.

How SSO works in Bluestone PIM

Our SSO feature works by creating a secure link between your company's email domain and your organization's login service. We manage this connection using a concept called "Realms": a Realm is a rule that links one or more of your company email domains to your login service.

To ensure a secure and reliable connection, we support services that use the modern OpenID Connect (OIDC) standard. This includes common providers like Microsoft Entra ID (formerly Azure AD), Zitadel, Google Workspace, and many others.

This system also simplifies user onboarding through automatic provisioning. When a user logs in for the first time with their company SSO, Bluestone PIM will automatically create their user account. This removes the need for you to manually create accounts for all your users. Please see User provisioning and management for details.

How to set up an SSO connection

Setting up an SSO connection involves configuring your organization's login service and then providing the necessary details to Bluestone PIM to activate the link.

First, you will need to register Bluestone PIM as a new application within your login service's admin panel (such as Microsoft Entra ID or Zitadel). During this process, your service will require you to provide a Redirect URI (also called a Callback URL). Please contact your Bluestone PIM representative to get the specific Redirect URI for your environment.

Once you have configured the application on your side, you will need to gather the following three pieces of information from your provider:

  • Issuer URL (the unique URL for your login service)
  • Client ID (the unique identifier for the Bluestone PIM application)
  • Client Secret (a secure password for the application)

After you have this information, the connection can be activated. For most customers, this is done by securely sharing these credentials, along with your company's email domain(s), with the Bluestone PIM Support team. For technical partners and administrators, these settings can also be configured directly via the Admin API. Please contact us for API documentation.

As part of the setup, we strongly recommend that an administrator configures a "Default Role" within your organization's settings in Bluestone PIM. This ensures that when new users log in via SSO for the first time, they are automatically granted a standard set of permissions (e.g., "Read-Only") and can access the PIM immediately.
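As an added example (not Bluestone PIM's own code, and not its Admin API), the following Python shows what the three settings gathered above are used for and the sanity checks worth running before sharing them: the Issuer URL is where the provider publishes its OIDC discovery document, the Client ID and Redirect URI travel in the browser's authorization request, and the Client Secret is only ever used server-to-server. All hostnames, paths and values are constructed placeholders.

```python
"""Added example, not Bluestone PIM's code: the three OIDC settings and how they
are used in an OpenID Connect authorization request. Values are hypothetical."""
import base64
import hashlib
import secrets
from dataclasses import dataclass
from urllib.parse import urlencode, urlsplit


@dataclass(frozen=True)
class OidcConnection:
    issuer: str         # Issuer URL of the identity provider
    client_id: str      # identifier of the registered Bluestone PIM application
    client_secret: str  # confidential; never logged or sent to the browser
    redirect_uri: str   # must match the value registered at the IdP exactly

    def __repr__(self) -> str:
        # Keep the secret out of logs and tracebacks.
        return (f"OidcConnection(issuer={self.issuer!r}, "
                f"client_id={self.client_id!r}, client_secret='***')")


def validate_connection(conn: OidcConnection) -> list:
    """Return a list of problems; an empty list means the settings look sane."""
    problems = []
    iss = urlsplit(conn.issuer)
    if iss.scheme != "https":
        problems.append("issuer must use https")
    if iss.query or iss.fragment:
        problems.append("issuer must not contain a query string or fragment")
    if conn.issuer.endswith("/.well-known/openid-configuration"):
        problems.append("issuer is the discovery document URL, not the issuer itself")
    if urlsplit(conn.redirect_uri).scheme != "https":
        problems.append("redirect_uri must use https")
    if not conn.client_id:
        problems.append("client_id is empty")
    if len(conn.client_secret) < 16:
        problems.append("client_secret looks too short to be a generated secret")
    return problems


def discovery_url(issuer: str) -> str:
    """Where the provider publishes its endpoints (OIDC Discovery)."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def build_authorization_request(conn: OidcConnection, authorization_endpoint: str,
                                login_hint: str):
    """Build the URL the browser is sent to, plus the per-login values the server
    must keep to verify the callback (state, nonce, PKCE code verifier)."""
    state = _b64url(secrets.token_bytes(24))
    nonce = _b64url(secrets.token_bytes(24))
    verifier = _b64url(secrets.token_bytes(32))
    challenge = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    params = {
        "response_type": "code",
        "client_id": conn.client_id,
        "redirect_uri": conn.redirect_uri,
        "scope": "openid profile email",
        "state": state,
        "nonce": nonce,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
        "login_hint": login_hint,
    }
    # The client secret is deliberately absent: it is only used server-to-server
    # when the authorization code is later exchanged for tokens.
    url = authorization_endpoint + "?" + urlencode(params)
    return url, {"state": state, "nonce": nonce, "code_verifier": verifier}


def callback_is_valid(session: dict, returned_state: str) -> bool:
    """First check on the callback: the state must echo what we issued."""
    return secrets.compare_digest(session["state"], returned_state)


# Constructed sample settings, as an administrator would gather them from the IdP.
EXAMPLE = OidcConnection(
    issuer="https://login.example-idp.test/realm/acme",
    client_id="bluestone-pim-acme",
    client_secret="s3cr3t-value-from-the-idp-console",
    redirect_uri="https://pim.example.test/auth/callback",  # hypothetical
)

if __name__ == "__main__":
    print(validate_connection(EXAMPLE))
    print(discovery_url(EXAMPLE.issuer))
    url, session = build_authorization_request(
        EXAMPLE, "https://login.example-idp.test/realm/acme/authorize", "alice@acme.test")
    print(url)
```

The `state` and PKCE values are generated per login and kept server-side; the callback is rejected unless the returned `state` matches, which is what stops a login started elsewhere from being completed in your session.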

User provisioning and management

The SSO connection streamlines user onboarding. When a person from your organization logs in via SSO for the very first time, Bluestone PIM automatically creates their user account, sourcing their name and email address from your organization's login service.

Upon creation, the new user is assigned default roles based on the configuration of the organization(s) they are joining. This "Default Role" (e.g., "Read-Only") is an optional setting configured by an administrator on the organization itself, not as part of the SSO setup. If an organization has a default role defined, new users will automatically receive the permissions granted by this role. If no default role is set, the user will have no initial permissions and must be assigned roles manually.

It is important to note that only the initial user creation is automated. All ongoing permission and role management is handled inside Bluestone PIM. If you need to grant a user additional access or change their role, a PIM administrator must make this change within the Bluestone PIM user management settings. These permissions are not synchronized from your organization's login service.

If a user account with the same email address already exists in Bluestone PIM (for example, from a previous password-based login), the SSO login will simply be linked to their existing account. Their current permissions and roles will be preserved.
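The provisioning rules above, written out as an added Python example (not Bluestone PIM's own code): a first SSO login creates the account with the organization's default role if one exists, an existing account with the same email is linked and keeps its roles, and an email that is missing from the provider's token or differs from the one entered is rejected. Organization and user records are in-memory stand-ins and all names are hypothetical.

```python
"""Added example, not Bluestone PIM's code: just-in-time provisioning on SSO login.
Records are in-memory stand-ins; names are hypothetical."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Organization:
    name: str
    default_role: Optional[str] = None  # optional, configured on the organization


@dataclass
class User:
    email: str
    name: str
    roles: list = field(default_factory=list)
    sso_linked: bool = False


class EmailMismatch(Exception):
    """Entered email and the email asserted by the identity provider differ."""


def normalize_email(email: str) -> str:
    # Compare case-insensitively, ignoring surrounding whitespace.
    return email.strip().lower()


def provision_on_sso_login(users: dict, org: Organization,
                           entered_email: str, id_token_claims: dict) -> User:
    """Called after a successful OIDC login. `id_token_claims` is the already
    verified ID token payload; only `email` and `name` are used here."""
    claimed = id_token_claims.get("email")
    if not claimed or normalize_email(claimed) != normalize_email(entered_email):
        raise EmailMismatch("email is missing or doesn't match")
    key = normalize_email(claimed)
    existing = users.get(key)
    if existing is not None:
        # Existing (e.g. password-based) account: link it, keep roles unchanged.
        existing.sso_linked = True
        return existing
    # First SSO login: create the account from IdP data; the organization's
    # default role is the only permission granted automatically.
    user = User(email=claimed,
                name=id_token_claims.get("name", claimed),
                roles=[org.default_role] if org.default_role else [],
                sso_linked=True)
    users[key] = user
    return user


def can_access_pim(user: User) -> bool:
    """A provisioned user with no roles sees the "no roles assigned" error."""
    return bool(user.roles)


if __name__ == "__main__":
    directory = {}
    acme = Organization("Acme", default_role="Read-Only")
    alice = provision_on_sso_login(directory, acme, "Alice@acme.test",
                                   {"email": "alice@acme.test", "name": "Alice"})
    print(alice.roles, can_access_pim(alice))
```

Note that role changes after creation are not modelled here on purpose: as the text says, ongoing role management happens inside the PIM, not in the identity provider.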

Log in with SSO

When SSO is configured for your organization, the login process will be simple and familiar.

Do the following:

  1. Go to the relevant Bluestone PIM environment, e.g. https://app.bluestonepim.com/
  2. Enter your company email address and click Continue.
  3. The next step depends on whether auto-redirect is enabled for your organization:
    1. If auto-redirect is not enabled, or if multiple login options are available, you will be presented with a Sign in with... button at the bottom. Click this button to continue.
    2. If your organization has enabled auto-redirect and you are not already logged in to your company's system, you will be taken directly to your company's standard login page (such as the Microsoft or Google sign-in page).
    3. If your organization has enabled auto-redirect and you are already logged in to your company's system, Bluestone PIM opens automatically.
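The decision the login page makes after step 2, as an added Python example (not Bluestone PIM's own code): the email's domain is looked up in the configured Realms, and the result is one of the three outcomes listed above. The "password" outcome for a domain without a Realm, the Realm and Provider records and all domain names are assumptions of this example.

```python
"""Added example, not Bluestone PIM's code: which login step follows the email
entry, based on the Realm that covers the email domain. Names are hypothetical."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Provider:
    name: str            # e.g. "Microsoft", shown on the "Sign in with..." button
    auto_redirect: bool  # optional setting on the SSO connection


@dataclass(frozen=True)
class Realm:
    domains: frozenset   # company email domains covered by this Realm
    providers: tuple     # one or more Provider


def domain_of(email: str) -> str:
    """Domain part of an email address, lower-cased; rejects malformed input."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an email address")
    return domain.lower()


def find_realm(realms, email):
    d = domain_of(email)
    for realm in realms:
        if d in realm.domains:
            return realm
    return None


def next_login_step(realms, email: str, idp_session_active: bool = False) -> str:
    """Return what the login page does after the email address is entered."""
    realm = find_realm(realms, email)
    if realm is None:
        return "password"                # assumption: no Realm, ask for PIM password
    if len(realm.providers) > 1 or not all(p.auto_redirect for p in realm.providers):
        return "show_sign_in_button"     # user picks or confirms the provider
    # Exactly one provider and auto-redirect enabled for it.
    return "open_pim" if idp_session_active else "redirect_to_idp"


# Constructed sample configuration.
REALMS = [
    Realm(frozenset({"acme.test"}), (Provider("Microsoft", True),)),
    Realm(frozenset({"globex.test"}), (Provider("Microsoft", False),)),
    Realm(frozenset({"initech.test", "initech.example"}),
          (Provider("Microsoft", True), Provider("Google", True))),
]

if __name__ == "__main__":
    for who in ("alice@acme.test", "bob@globex.test", "carol@initech.example"):
        print(who, "->", next_login_step(REALMS, who))
```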


Troubleshooting & FAQ

  • Why am I not redirected to my company's login page automatically?
    Auto-redirect is an optional setting for an SSO connection. If it is not enabled, you will need to click the "Sign in with..." button after entering your email address. If your organization uses multiple SSO providers, you may also be asked to choose which one to use.
  • I see an error that my email is missing or doesn't match.
    To log in, the email address you enter on the PIM login page must exactly match the email address registered in your company's login service. If you see this error, please click "Go back to enter correct email" and try again, ensuring there are no typos. If the problem persists, please contact your internal IT administrator to confirm your email is configured correctly in your organization's SSO system.
  • I logged in successfully, but I see an error message saying I don't have any roles assigned.
    This means your new account was created successfully, but it doesn't have any permissions assigned to it yet. To access Bluestone PIM, an administrator within your organization must assign you the correct role. Please contact your internal Bluestone PIM administrator or IT department to have them grant you access.