Bluebeam Single Sign-On (SSO) Configuration for Microsoft Azure AD

Introduction

Thank you for your interest in leveraging Bluebeam support for single sign-on (SSO) to enhance security, improve the user experience, and reduce support costs. The step-by-step instructions in this document will help to ensure successful configuration of SSO leveraging the Microsoft OpenID Connect Protocol (OIDC) when using Microsoft Azure Active Directory (Azure AD).

Configuring SSO requires that your organization has at least 100 seats on either a Basics, Core, or Complete Bluebeam Plan and that end users are using versions in Core Support (see Supported versions and support tiers).

With subscription, named user licenses can access offline mode for up to 14 days — even with SSO. To refresh their token, the user will need to sign in again after the grace period. For more information, see this article.

If you have any questions regarding these instructions, you can contact us.

Overview

This guide will help you set up your SSO configuration, and will walk you through gathering and entering some information that will be sent to/from Bluebeam and your organization’s Azure AD.

SSO configuration supports multi-factor authentication (MFA) as defined by the identity provider.

Important considerations before you begin:

  • You’ll need the Active Directory Global Administrator to grant permissions for the application.
  • Pay close attention to avoid any inconsistencies between the email of a user in your Azure AD and the email used in an existing Bluebeam ID (BBID), which can be caused by things like name changes or adjustments to account information.
    Please let us know if you need assistance in matching any user email addresses. We can double-check the admin’s name/email with the Account Manager or consult the licensing system.
  • If you need a list of users who have been deactivated in your organization, please let us know when you submit your setup request to our Support team.

Preparing for setup

First, you’ll need to contact our Support team to let us know you’ll be configuring SSO. Once you’ve been added in our system, you’ll see a new option in accounts.bluebeam.com that will allow you to securely submit the necessary information.

Inputs for home system

  1. Redirect URI. You’ll need to enter the URI for your region into your Azure AD:

    Region      Redirect URI
    U.S.        https://signin.bluebeam.com/oauth2/v1/authorize/callback
    U.K.        https://signin.bluebeamstudio.co.uk/oauth2/v1/authorize/callback
    Germany     https://signin.bluebeamstudio.de/oauth2/v1/authorize/callback
    Sweden      https://signin.bluebeamstudio.se/oauth2/v1/authorize/callback
    Australia   https://signin.bluebeamstudio.com.au/oauth2/v1/authorize/callback

Outputs to send to the Bluebeam system

You’ll need to share these with the Bluebeam SSO Engineering team using our secure form through your accounts.bluebeam.com page.
  1. Client Secret Value
  2. Application Client ID
  3. OpenID Connect (OIDC) metadata file
  4. Domains list
    • In addition to the items above, Bluebeam will need a list of all domains managed in your Azure AD.

Configuring your Azure AD

To set up Azure AD for OpenID Connect (OIDC):

  1. Go to https://portal.azure.com/.
  2. Click Azure Active Directory.
  3. Click App registrations in the sidebar, then click + New registration.
  4. Enter an application name (for example, OKTA SSO), and click Register.
    (Screenshot: Add New Application)
  5. Click Authentication in the sidebar, then click + Add a Platform, and click Web.
  6. Consult the chart above to find your Redirect URI. Input the link, and click Configure.
  7. At the bottom of the Authentication page, select the checkboxes for Access tokens and ID tokens. Then click Save.
  8. Take note of the following values. It may be helpful to open a text editing program, like Notepad or Word, to copy and paste the following values. They’ll be needed later:
    1. Click Certificates & secrets in the sidebar, then click + New client secret (enter a Description, set the Expiration, and select Add). Copy the client secret Value and the Secret ID into your notes.
    2. Click Overview in the sidebar, and under Essentials, copy the Application (client) ID into your notes.
  9. Click Token configuration in the sidebar. Then click + Add optional claim.
    Add the following claims to both ID and Access tokens:

    • Claim: family_name, Token type: ID
    • Claim: family_name, Token type: Access
    • Claim: given_name, Token type: ID
    • Claim: given_name, Token type: Access
    • Claim: preferred_username, Token type: ID
    • Claim: preferred_username, Token type: Access
    Bluebeam’s system needs the claims above (preferred_username, i.e., the user’s email, plus the first name and last name) in the token to create a user. Please let us know if your system uses any other claims.
  10. Click API permissions in the sidebar, and click + Add a permission.
  11. Click Microsoft Graph at the top of the page, then click Delegated Permissions.
    You will need the Active Directory Global Administrator to grant these permissions for the application.
  12. Select checkboxes for the following permissions:
    • OpenId permission: openid
    • OpenId permission: profile
    • User: User.Read
    • User: User.Read.All

Your application is now set up in Azure AD.

Restricting SSO to application

To restrict the SSO only to users who are assigned to this application:

  1. Go to https://portal.azure.com/.
  2. Select Azure Active Directory.
  3. Click Enterprise Applications in the sidebar.
  4. Select the Application you created (for example, Okta SSO).
  5. Click Properties in the sidebar.
  6. Toggle Assignment required? to Yes.

Find the OIDC metadata document

To find your OIDC metadata document:

  1. Select Azure Active Directory.
  2. Select App Registrations in the side bar.
  3. Select your Application, then Endpoints at the top.
    (Screenshot: Application endpoints)
  4. Copy the OpenID Connect metadata document (with the format https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration) into your notes.
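As an added pre-flight check (example code, not Bluebeam’s own), the Python below parses a constructed OIDC metadata document of the kind copied above to pull out the Issuer value the submission form asks for, and inspects a constructed ID token payload for the preferred_username, given_name and family_name claims added in the Token configuration step. The metadata sample, the all-zero tenant GUID and the test token are placeholders, not values from a real tenant.

```python
import base64
import json
import re

# Constructed sample of an Azure AD OIDC metadata document, trimmed to the fields
# this check uses; the real one is served at
# https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration
SAMPLE_METADATA = json.dumps({
    "issuer": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0",
    "jwks_uri": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/discovery/v2.0/keys",
})

# Claims the Bluebeam side needs to create a user (see the Token configuration step)
REQUIRED_CLAIMS = ("preferred_username", "given_name", "family_name")
# A v2.0 tenant issuer: login.microsoftonline.com/<tenant GUID>/v2.0
TENANT_ISSUER = re.compile(r"^https://login\.microsoftonline\.com/[0-9a-f-]{36}/v2\.0$")

def check_metadata(doc: str) -> dict:
    """Parse the metadata document and return the Issuer value the Bluebeam form asks for.
    Raises ValueError if the issuer is not a v2.0 tenant issuer or jwks_uri is missing."""
    meta = json.loads(doc)
    issuer = meta.get("issuer", "")
    if not TENANT_ISSUER.match(issuer):
        raise ValueError(f"unexpected issuer: {issuer!r}")
    if not meta.get("jwks_uri"):
        raise ValueError("metadata has no jwks_uri, so tokens could not be verified")
    return {"issuer": issuer, "jwks_uri": meta["jwks_uri"]}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_test_token(claims: dict) -> str:
    """Build a constructed, unsigned test fixture with a placeholder signature segment.
    This is NOT a real token; it only lets missing_claims() run offline."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.placeholder"

def missing_claims(id_token: str, expected_issuer: str) -> list:
    """Return the required claims absent from an ID token payload (plus 'iss' if the
    issuer does not match). Only the payload is inspected; signature verification
    against jwks_uri is the relying party's job and is outside this pre-flight check."""
    _header, payload, _sig = id_token.split(".")
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    missing = [c for c in REQUIRED_CLAIMS if not claims.get(c)]
    if claims.get("iss") != expected_issuer:
        missing.append("iss")
    return missing
```

Run missing_claims() against a real ID token from a test sign-in before submitting the setup request, so a claim that was not added to both token types is caught on your side first.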

Submitting information to Bluebeam

Once you’ve gathered all the information in the Outputs to send to the Bluebeam system section, you can submit it through our secure form. To submit:

  1. Sign in to accounts.bluebeam.com with your BBID.
    If you don’t see the SSO Identity Provider section, make sure you’re using the same BBID that you provided to Support.
  2. Next to SSO Identity Provider, click Change.
  3. Enter the following information for your organization:
    • Company Name
    • Client Id
    • Client Secret
    • Issuer
    • Domains list (separated by commas)

  4. When you’re ready for SSO to be configured, click Save.

Once submitted, this information will be reviewed by our internal teams, and Bluebeam Tech Support will reach out to coordinate an activation timeline.
