Single Sign-on (SSO) process overview
Applies to:
- Revu 21
- Bluebeam Cloud
Single sign-on (SSO) is in an early access phase and only available to active customers who have purchased or converted a minimum of 50 seats to a Bluebeam subscription plan.
Customers can choose to implement SSO for their Bluebeam subscriptions, which will allow them to log into Revu 21, Studio, and Bluebeam Cloud with their SSO credentials instead of a Bluebeam ID (BBID). Bluebeam currently supports SSO configuration only for Microsoft Entra ID (formerly Azure Active Directory) and Okta AD.
- Studio Prime integrations are not yet compatible with SSO, so you should consider that before qualifying. For Partners, reach out to your Channel Account Manager for details. If you are not a Partner, send an email to support@bluebeam.com or reach out to your Account Manager.
- Bluebeam doesn't fully support System for Cross-domain Identity Management (SCIM) for managing user identities. If you're interested in implementing SCIM, please contact support@bluebeam.com to determine if your organization qualifies.
- Bluebeam does not yet support Security Assertion Markup Language (SAML) for managing authentication.
1. Request SSO integration for your organization
The SSO administrator for your organization must download and fill out the Single Sign-on Request Form, then return the completed form to support@bluebeam.com.
The SSO administrator should use their Entra ID or Okta identity provider information, which should be an email address, to ensure a valid email address is provided when they sign into Studio. Using this value is important, because we use email addresses to match users with their existing Projects and Sessions in Bluebeam Studio.
2. Initial SSO configuration process
Bluebeam Technical Support adds the SSO administrator to the SSO Admin group in the Bluebeam Okta instance for the region the SSO administrator wants to use. Afterward:
- The SSO administrator creates the SSO application in either Okta or Azure.
- The SSO administrator logs into the Bluebeam accounts page and enters information from the Okta or Azure application they created.
- Bluebeam validates the information and sends a user report to the SSO administrator.
3. Reconciliation process
During the reconciliation process, the SSO administrator verifies that our Studio email list in the user report matches their users’ email addresses for Entra ID or Okta identity provider information. These email addresses must match the users’ Studio BBID email addresses. Use the Single Sign-on User List Preconfiguration document to learn how to reconcile the BBID email addresses listed in the user report with their AD email addresses/identity provider information.
4. Testing/Activation
After the SSO administrator verifies that all AD or identity provider email addresses match the list of Studio users, the SSO administrator can choose to perform a pilot test with a small subset of users or activate SSO for all users at once. Bluebeam and/or the Partner will need to coordinate a day/time for the customer to test or activate SSO.
For full activation, Bluebeam Engineering will activate SSO for all users.
5. Post integration activation support
Reach out directly to support@bluebeam.com and indicate in the email the issue is related to SSO post-activation.