Bluebeam Single Sign-On (SSO) Configuration for Okta

Introduction

Thank you for your interest in leveraging Bluebeam support for single sign-on (SSO) to enhance security, improve the user experience, and reduce support costs. The step-by-step instructions in this document will help ensure successful configuration of SSO leveraging the Microsoft OpenID Connect Protocol (OIDC) when using Okta Active Directory (Okta AD).

Configuring SSO requires that your organization has at least 100 seats on either a Basics, Core, or Complete Bluebeam Plan and that end users are using versions in Core Support (see Supported versions and support tiers).
With subscription, named-user licenses can access offline mode for up to 14 days — even with SSO. To refresh their token, the user will need to sign in again after the grace period. For more information, see this article.

If you have any questions regarding these instructions, you can contact us.

Overview

This guide will help you set up your SSO configuration, and will walk you through gathering and entering some information that will be sent to/from Bluebeam and your Okta instance.

SSO configuration supports multi-factor authentication (MFA) as defined by the identity provider.

Preparing for setup

First, you’ll need to contact our Support team to let us know you’ll be configuring SSO. Once you’ve been added in our system, you’ll see a new option in accounts.bluebeam.com that will allow you to securely submit the necessary information.

Configuring your Okta instance

To set up Bluebeam SSO with Okta:

  1. In the Admin Console for the Okta org that represents the Identity Provider, go to Applications > Applications.
  2. Click Create App Integration.
  3. On the Create a new app integration page, select OIDC – OpenID Connect as the Sign-in method. You need a trusted client, so select Web Application as the Application type.
  4. Enter a name for your application (for example, Bluebeam SSO).
  5. Make sure Authorization Code is selected.
  6. In the Sign-in redirect URIs section, add the callback URL for your region:
    Region      Redirect URI
    U.S.        https://signin.bluebeam.com/oauth2/v1/authorize/callback
    U.K.        https://signin.bluebeamstudio.co.uk/oauth2/v1/authorize/callback
    Germany     https://signin.bluebeamstudio.de/oauth2/v1/authorize/callback
    Sweden      https://signin.bluebeamstudio.se/oauth2/v1/authorize/callback
    Australia   https://signin.bluebeamstudio.com.au/oauth2/v1/authorize/callback

  7. In the Assignments section, you can select everyone, or limit access by groups.
  8. Click Save.
  9. Lastly, be sure to collect the following information for your records:
    • Client ID
    • Client Secret
    • Well-known Config Url. For Okta, this appears in the form
      https://{Customer-Okta-Org-Url}/.well-known/openid-configuration

Bluebeam SSO is now set up with your Okta instance.
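
A pre-submission check of the settings gathered above, as an added example that is not Bluebeam's or Okta's own code: it confirms that the discovery document's issuer matches the well-known URL, that the Authorization Code flow is in use, and that every redirect URI is exactly one of the regional callbacks from step 6. The app-settings dictionary, its key names, and example.okta.com are constructed assumptions for illustration.

```python
from urllib.parse import urlsplit

# Regional callback URLs exactly as listed in step 6 of this page.
BLUEBEAM_CALLBACKS = {
    "https://signin.bluebeam.com/oauth2/v1/authorize/callback",
    "https://signin.bluebeamstudio.co.uk/oauth2/v1/authorize/callback",
    "https://signin.bluebeamstudio.de/oauth2/v1/authorize/callback",
    "https://signin.bluebeamstudio.se/oauth2/v1/authorize/callback",
    "https://signin.bluebeamstudio.com.au/oauth2/v1/authorize/callback",
}
SUFFIX = "/.well-known/openid-configuration"

def review_setup(well_known_url, discovery, app):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if urlsplit(well_known_url).scheme != "https" or not well_known_url.endswith(SUFFIX):
        findings.append("well-known URL must be https and end with " + SUFFIX)
    # OIDC Discovery: the issuer must equal the well-known URL minus the suffix.
    if discovery.get("issuer") != well_known_url[: -len(SUFFIX)]:
        findings.append("issuer mismatch: %r" % discovery.get("issuer"))
    if "code" not in discovery.get("response_types_supported", []):
        findings.append("provider does not advertise the code response type")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if urlsplit(discovery.get(key, "")).scheme != "https":
            findings.append(key + " is missing or not https")
    if app.get("application_type") != "web":
        findings.append("application type should be Web Application")
    if "authorization_code" not in app.get("grant_types", []):
        findings.append("Authorization Code grant is not enabled")
    uris = app.get("redirect_uris", [])
    if not uris:
        findings.append("no sign-in redirect URI configured")
    # Exact match only: no wildcards, no extra hosts, no plain http.
    findings += ["unexpected redirect URI: " + u for u in uris if u not in BLUEBEAM_CALLBACKS]
    return findings

# Constructed sample data; example.okta.com is a placeholder org URL and the
# app dictionaries use hypothetical key names for the settings chosen in steps 3-6.
WELL_KNOWN = "https://example.okta.com" + SUFFIX
DISCOVERY = {"issuer": "https://example.okta.com", "response_types_supported": ["code"],
             "authorization_endpoint": "https://example.okta.com/oauth2/v1/authorize",
             "token_endpoint": "https://example.okta.com/oauth2/v1/token",
             "jwks_uri": "https://example.okta.com/oauth2/v1/keys"}
GOOD_APP = {"application_type": "web", "grant_types": ["authorization_code"],
            "redirect_uris": ["https://signin.bluebeam.com/oauth2/v1/authorize/callback"]}
BAD_APP = {"application_type": "browser", "grant_types": ["implicit"],
           "redirect_uris": ["http://signin.bluebeam.com/oauth2/v1/authorize/callback"]}

if __name__ == "__main__":
    print(review_setup(WELL_KNOWN, DISCOVERY, BAD_APP))
```

The value to enter in the Issuer field is the `issuer` string from the discovery document once this check returns no findings.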

Submitting information to Bluebeam

Once you’ve gathered all of the info in the Outputs to send to Bluebeam’s systems section, you can submit them through our secure form. To submit:

  1. Sign in to accounts.bluebeam.com with your BBID.
    If you don’t see the SSO Identity Provider section, make sure you’re using the same BBID that you provided to Support.
  2. Next to SSO Identity Provider, click Change.
  3. Enter the following information about your organization:
    • Company Name
    • Client Id
    • Client Secret
    • Issuer
    • Domains list (separated by commas)

  4. When you’re ready for SSO to be configured, click Save.

Once submitted, this information will be reviewed by our internal teams, and Bluebeam Tech Support will reach out to coordinate an activation timeline.
