Single Sign-on (SSO) Process Overview

This article applies to:

  • Revu 21
  • Studio
  • Bluebeam Cloud

Single sign-on (SSO) is in an early access phase and only available to active customers who have purchased or converted a minimum of 100 seats to a Bluebeam subscription plan.

Customers can choose to implement SSO for their Bluebeam subscriptions, which will allow them to log into Revu 21, Studio, and Bluebeam Cloud with their SSO credentials instead of a Bluebeam ID (BBID). Bluebeam currently supports SSO configuration only for Microsoft Entra ID (formerly Azure Active Directory) and Okta AD.

Please note the following:

  • Studio Prime integrations are not yet compatible with SSO, so you should consider that before qualifying. For Partners, reach out to your Channel Account Manager for details. If you are not a Partner, send an email to support@bluebeam.com or reach out to your Account Manager.
  • Bluebeam does not yet support System for Cross-domain Identity Management (SCIM) for managing user identities.
  • Bluebeam does not yet support Security Assertion Markup Language (SAML) for managing authentication.

When you determine that your organization qualifies for SSO integration, you can start the following process.

The process to enable SSO requires action from Bluebeam and your SSO administrator. As such, the process may take some time to complete.

1. Request SSO integration for your organization

The SSO administrator for your organization must download and fill out the Single Sign-on Request Form, then return the completed form to support@bluebeam.com.

The SSO administrator should use their Microsoft Entra ID or Okta identity provider information, which should be an email address, to ensure a valid email address is provided when they sign into Studio. Using this value is important, because we use email addresses to match users with their existing Projects and Sessions in Bluebeam Studio.

After we receive your request, we’ll verify that your organization qualifies for SSO integration before we continue the process.

2. Initial SSO configuration process

Bluebeam Technical Support adds the SSO administrator to the SSO Admin group in the Bluebeam Okta instance for the region the SSO administrator wants to use. Afterward:

  1. The SSO administrator creates the SSO application in either Okta or Microsoft Entra ID.
  2. The SSO administrator logs into the Bluebeam accounts page and enters information from the Okta or Microsoft Entra ID application they created.
  3. Bluebeam validates the information and sends a user report to the SSO administrator.

3. Reconciliation process

During the reconciliation process, the SSO administrator verifies that our Studio email list in the user report matches their users’ email addresses for Microsoft Entra ID or Okta identity provider information. These email addresses must match the users’ Studio BBID email addresses. Use the Single Sign-on User List Preconfiguration document to learn how to reconcile the BBID email addresses listed in the user report with their AD email addresses/identity provider information.

4. Testing/Activation

After the SSO administrator verifies that all AD or identity provider email addresses match the list of Studio users, the SSO administrator can choose to perform a pilot test with a small subset of users or activate SSO for all users at once. Bluebeam and/or the Partner will need to coordinate a day/time for the customer to test or activate SSO.

For full activation, Bluebeam Engineering will activate SSO for all users.

5. Post integration activation support

Reach out directly to support@bluebeam.com and indicate in the email the issue is related to SSO post-activation.