Configure SCIM for Bluebeam Accounts | Entra ID

Applies to:

  • Revu 21

After you successfully configure SSO, you can choose to configure SCIM to create a connection between Org Admin and your IdP. This connection allows you to manage the Bluebeam users (and their Bluebeam Plans) in your organization through your IdP.

If you want to configure SCIM, you must first configure SSO.

This guide provides instructions for the IT Admin to configure SCIM for their organization if they use Microsoft Entra ID as an identity provider (IdP). If you use Okta Workforce Identity Cloud as an IdP, see Configuring SCIM for Bluebeam Accounts | Okta Workforce Cloud.

After SCIM configuration, if you need to remove end users from a user group or move end users to another user group in your IdP, be sure those users sign out of Revu before you make the change. Doing so releases their licenses for the Bluebeam Plan associated with the user group they're signed in to. If they don't sign out of Revu and release those licenses before you make this change, you risk exceeding your allowed number of seats for one or more of your Bluebeam Plans.

This configuration requires you to perform steps in Org Admin and in your IdP.

Before you consider SCIM configuration

When you configure SCIM, you'll create and add users to SCIM groups within your IdP. Add to SCIM groups only the users that you want managed by the account you're configuring for SCIM. If you add users who are managed under different accounts or by external parties, they will be moved to your SCIM account.

When adding users to SCIM groups, follow these rules:

  • Add to your SCIM group only users who fall under the domains your SSO configuration manages.

  • Don't add users managed outside your organization or users managed under a separate Bluebeam account to your SCIM group.

  • If your organization has multiple Bluebeam accounts and you want to manage all users via SCIM, reach out to registration@bluebeam.com before you configure SCIM. They can assist you with merging the accounts.

Create groups in Entra ID

Before you continue, be sure you understand the advice specified in Before you consider SCIM configuration.

If you use Entra ID as an IdP, configuring SCIM requires that you create one or more user groups in Entra ID based on Bluebeam Plans for your organization. New users should be added to the user group associated with the Bluebeam Plan they need. Users in your organization who are already assigned to a Bluebeam Plan should be placed into the user group associated with their existing plan.

  1. Create user groups for the following Bluebeam Plans.
    • Bluebeam Basics
    • Bluebeam Core
    • Bluebeam Complete
    • Bluebeam Unpaid Collaborator (For users you want to manage with SCIM but who don't currently need a Bluebeam Plan. Placing these users into this group also allows you to easily move them to a Bluebeam Plan if needed in the future.)
  2. Assign users to the appropriate group based on their Bluebeam Plans.
    Don't add the IT Admin user to any of the end user groups created above. Doing so will change the administrator's permission level from IT Admin to Org Admin, which will prevent the configuration from continuing without involvement from Technical Support.
    Assign users to only one user group. No user should be assigned to multiple user groups.

For more information about user groups, see the Microsoft support site article for creating and managing groups in Entra ID.
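
One way to check group membership against the rules above before provisioning starts, as an added example (not Bluebeam or Microsoft code). It assumes you have exported each group's members by the same identifier you use for userName; the group contents, SSO domain and IT Admin address are constructed.

```python
from collections import defaultdict

# Constructed sample data: every address and domain here is hypothetical.
SSO_DOMAINS = {"example.com"}
IT_ADMIN = "it.admin@example.com"
GROUPS = {
    "Bluebeam Basics": ["ana@example.com", "raj@example.com"],
    "Bluebeam Core": ["raj@example.com", "lee@partner.example.net"],
    "Bluebeam Complete": ["IT.Admin@example.com", "mia@example.com"],
    "Bluebeam Unpaid Collaborator": [],
}


def audit_groups(groups, sso_domains, it_admin):
    """Return sorted (rule, user, groups) findings for the three group rules."""
    # Invert the export: user -> set of groups (identifiers compared case-insensitively).
    membership = defaultdict(set)
    for group, members in groups.items():
        for user in members:
            membership[user.strip().lower()].add(group)

    domains = {d.lower() for d in sso_domains}
    admin = it_admin.strip().lower()
    findings = []
    for user, in_groups in membership.items():
        names = ", ".join(sorted(in_groups))
        # Rule: only users under the domains your SSO configuration manages.
        # Assumption: exact domain match; subdomains are not treated as managed.
        if user.rpartition("@")[2] not in domains:
            findings.append(("outside-sso-domain", user, names))
        # Rule: the IT Admin must not be in any end user group.
        if user == admin:
            findings.append(("it-admin-in-group", user, names))
        # Rule: each user belongs to exactly one group.
        if len(in_groups) > 1:
            findings.append(("multiple-groups", user, names))
    return sorted(findings)


if __name__ == "__main__":
    for rule, user, names in audit_groups(GROUPS, SSO_DOMAINS, IT_ADMIN):
        print(f"{rule:20} {user:26} {names}")
```

Resolve every finding in Entra ID before you select Start provisioning; an empty result means the exported groups satisfy all three rules.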

Start configuration in Org Admin

You must use the Org Admin link specified in the procedure. This link directs you to an Org Admin interface specific to SSO and SCIM configuration. If you log in to any other Org Admin URL, the configuration won't be successful.

To start SCIM configuration, go to Org Admin, sign in to the region you selected when you requested SSO access, and follow these steps:

  1. Under Accounts, select the account you want to manage.

  2. Select Settings.

  3. Next to SCIM Provisioning, select Configure.
  4. Next to SCIM Connector Base URL, select Copy Link, and save the link for use later in the configuration.
  5. Select Generate Token.
  6. Enter a "friendly" name for your token, then select Generate.
  7. Select Copy, then paste and save the generated token in a secure location for use later in the configuration.
    Perform this step before you close the token window. After you close the token window, you won't be shown the token again, and you can't recover it.
  8. Optional: Select Allow External User Management if you want to permit users from outside your company domain.
    You can manage these users only through Org Admin.

Continue SCIM configuration in the Entra admin center

The SCIM configuration procedures continue in the Microsoft Entra admin center. You will need to:

  • Create an enterprise application
  • Map specified attributes between Entra ID and Bluebeam
  • Assign users to groups and complete provisioning

Create an enterprise application

  1. Log in to the Microsoft Entra admin center with an account that has Global Administrator, Application Administrator, or Cloud Application Administrator permissions.
  2. Go to Identity > Applications > Enterprise applications > All applications.
  3. Select New application.
  4. Select Create your own application.
    1. Provide a name for your application.
      Keep the default selection of Integrate any other application you don't find in the gallery (Non-gallery).
    2. Select Create.
      An overview page for the application you created appears, and you can start provisioning.
  5. Select Provisioning, then select Get started.
    1. Under Provisioning Mode, select Automatic.
    2. Select Admin Credentials.
    3. Copy and paste the SCIM Connector Base URL you saved earlier into the Tenant URL field.
    4. Copy and paste the Token you generated and saved earlier into the Secret Token field.
    5. Select Test Connection to verify our system communicates with Entra ID.
    6. Select Save to save your provisioning progress and enable you to specify the attributes to map between Entra ID and Bluebeam.

Map attributes between Entra ID and Bluebeam

We require only the following attributes to be mapped for SCIM configuration.

[Image: Microsoft Entra ID Attribute Mappings]

This procedure allows you to specify the userName attribute and remove any attributes that are unnecessary for SCIM configuration.

  1. Select Mappings then select Provision Microsoft Entra ID Users.
  2. For the "userName" attribute, ensure the Source attribute in Entra ID is either "mail" or "userPrincipalName", matching the Source attribute you selected during SSO reconciliation, then select OK.
    The userName source attribute must match the attribute type you selected (either email or UPN) when you configured SSO, or SCIM will not function correctly.
  3. Remove the following attributes:
    • Attributes that start with "addresses"
    • Attributes that start with "phoneNumbers"
    • Attributes that start with "urn"
    • The "name.formatted" attribute
    • The "displayName" attribute
    • The "title" attribute
    • The "emails[type eq "work"].value" attribute
  4. Verify the remaining attributes match those in the image above.
  5. At the top of the Attribute Mapping page, select Save, and select Yes to confirm your mapping selections.
  6. At the top of the Entra ID page, select Home then select Manage Microsoft Entra ID to assign users to the security groups you created earlier.

Add the security groups to the enterprise application and provision users

The final step for SCIM configuration requires that you add the user groups you created for Bluebeam Plans, into which you've already assigned users, to the enterprise application you created to communicate with Bluebeam. To add groups to an enterprise application in Entra ID, see this Microsoft support site article.

After you add groups to your application:

  1. Return to the Users and groups page for the application you created.
  2. Verify the email address for the IT Admin is not part of any user group. If it is, remove the email address from the group.
  3. Under Manage, select Provisioning.
  4. Select Start provisioning.
    Select View provisioning details to see provisioning progress.

Verify synced user groups and SCIM users

After provisioning completes in your IdP, return to Org Admin and verify your users are provisioned and synced correctly by Bluebeam Plan.

The Synced Groups tab won't appear in Org Admin until your IdP completes its first provisioning cycle.

Org Admin automatically assigns end users who are members of those SCIM groups to the Unpaid Collaborator plan, even if those users are assigned a Bluebeam Plan. To avoid users losing their subscription access, follow the steps below to assign the SCIM groups to their appropriate Bluebeam Plans as soon as possible.

To verify synced user groups, follow these steps:

  1. From the left sidebar menu in Org Admin, select Users.
  2. From the top of the active window, select Synced Groups to see a list of the groups you created in your IdP.
  3. Select Edit.
  4. Specify the appropriate Bluebeam Plan for each Synced Group that contains users.

    Don't assign "IT Admin" or "Org Admin" to a synced group.

    A Bluebeam Plan could contain multiple serial numbers. Be sure you select all serial numbers for each plan.

  5. Select Save Changes.
  6. Select Done.

To verify provisioned users' information, follow these steps:

  1. From the top of the active window, select Users to see a list of the Bluebeam users in your organization.
  2. Under User Overview, view user information and verify that they display the following:
    • The user type of "SCIM End User."
    • The status of "Active."
    • The correct Contract/Plan associated with their group that was synced with their IdP.
    • The "Server Region" that matches the region selected when requesting SSO and SCIM access.
      This region is the license region for SCIM provisioned users regardless of their locations. Be sure you tell your users that they must now select this region when they sign in to Revu, but they can sign in to any Studio region.

Communicate sign in changes to users

Provisioning your user accounts for SCIM could affect how your users sign in to Revu. When you requested SSO and SCIM access, you specified a single region to store license information for your organization, even if you have users in multiple regions. You should inform end users in your organization of the following:

  • The region associated with their Revu accounts after SCIM provisioning.
  • When they sign in to Revu, they must select this region, even if they've signed in to another region in the past.
    If they don't sign in to the correct region, their Bluebeam account information in Revu will appear as "Unpaid," and they'll be unable to access any paid features associated with their Bluebeam Plan.
  • Their geographic location may not match this region.
  • They can sign in to any Studio region by following the steps below:
    1. In Revu, open the Studio panel.
    2. From the Choose Server dropdown, select the Studio Server that you'd like to sign into.
    3. Ensure the "Use my Revu login credentials" checkbox is cleared, and select Sign In.
    4. Enter your BBID email and password and select Sign In.

Disable SCIM

Use Org Admin if you need to disable SSO for your organization.

If you configured SCIM for your organization, you may disable SCIM and keep SSO configured, but if you want to disable SSO, you must first disable SCIM.

Disable SCIM for your organization

If needed, you can disable SCIM for your organization, regardless of whether you want to keep SSO enabled.

Disabling SCIM requires that you stop provisioning from your IdP before you disable SCIM in Org Admin. If you disable SCIM in Org Admin before you stop provisioning in your IdP, SCIM provisioning will continue for your Bluebeam account until you disable it from your IdP.

Stop provisioning from Entra ID

To stop provisioning from the Entra ID admin center, follow these steps:

  1. Log in to the Microsoft Entra admin center with an account that has Global Administrator, Application Administrator, or Cloud Application Administrator permissions.
  2. Go to Identity > Applications > Enterprise applications > All applications.
  3. Select the application you created for SCIM configuration.
  4. At the top of the active window, select Stop provisioning.

Disable SCIM in Org Admin

To disable SCIM in Org Admin, follow these steps:

  1. From the left sidebar menu in Org Admin, select Account Settings.
  2. From the top of the active window, select Security.
  3. Turn off the toggle next to SCIM Provisioning.
  4. When prompted, confirm (or cancel) the disabling of SCIM.

When you disable SCIM in Org Admin, the following occurs:

  • Org Admin reverts to its default, pre-SCIM provisioning behavior, which cannot easily be undone.

  • Synced groups will be cleared.
