Configure SCIM for Bluebeam Accounts | Okta Workforce Identity Cloud

Applies to:

  • Revu 21

After you successfully configure SSO, you can choose to configure SCIM to create a connection between Org Admin and your IdP. This connection allows you to manage the Bluebeam users (and their Bluebeam Plans) in your organization through your IdP.

If you want to configure SCIM, you must first configure SSO.

This guide provides instructions for the IT Admin to configure SCIM for their organization if they use Okta Workforce Identity Cloud as an identity provider (IdP). If you use Microsoft Entra ID as an IdP, see Configuring SCIM for Bluebeam Accounts | Entra ID.

After SCIM configuration, if you need to remove end users from a user group or move end users to another user group in your IdP, be sure those users sign out of Revu before you make the change. Doing so releases their licenses for the Bluebeam Plan associated with the user group they're signed in to. If they don't sign out of Revu and release those licenses before you make this change, you risk exceeding your allowed number of seats for one or more of your Bluebeam Plans.

This configuration requires you to perform steps in Org Admin and in your IdP.

Before you consider SCIM configuration

When you configure SCIM, you'll create and add users to SCIM groups within your IdP. Add to SCIM groups only the users you want managed by the account you're configuring for SCIM. Users managed under different accounts or by external parties will be moved to your SCIM account.

When adding users to SCIM groups, follow these rules:

  • Only add users to your SCIM group that fall under the domains your SSO configuration manages.

  • Don't add users managed outside your organization or users managed under a separate Bluebeam account to your SCIM group.

  • If your organization has multiple Bluebeam accounts and you want to manage all users via SCIM, reach out to registration@bluebeam.com before you configure SCIM. They can assist you with merging the accounts.

Create user groups in Okta Workforce Identity Cloud

Before you continue, be sure you understand the advice specified in Before you consider SCIM configuration.

If you use Okta Workforce Identity Cloud as an IdP, configuring SCIM requires that you create one or more user groups in Okta Workforce Identity Cloud based on Bluebeam Plans for your organization. New users should be added to the user group associated with the Bluebeam Plan they need. Users in your organization who are already assigned to a Bluebeam Plan should be placed into the user group associated with their existing plan.

  1. Create user groups for the following Bluebeam Plans.
    • Bluebeam Basics
    • Bluebeam Core
    • Bluebeam Complete
    • Bluebeam Unpaid Collaborator (For users you want to manage with SCIM but don't currently need a Bluebeam Plan. Placing these users into this group also allows you to easily move them to a Bluebeam Plan if needed in the future.)
  2. Assign users to the appropriate group based on their Bluebeam Plans.
    Don't add the IT Admin user to any of the end user groups created above. Doing so will change the administrator's permission level from IT Admin to Org Admin, which will prevent the configuration from continuing without involvement from Technical Support.
    Assign users to only one user group. No user should be assigned to multiple user groups.
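
One way to check group assignments against the rules above before you push groups, as an added example (not Bluebeam or Okta code). It assumes you have exported group memberships as (group, email) pairs; the group names, domain and addresses are constructed sample values.

```python
from collections import defaultdict

# Plan groups named on this page; your actual Okta group names may differ (assumption).
PLAN_GROUPS = {
    "Bluebeam Basics",
    "Bluebeam Core",
    "Bluebeam Complete",
    "Bluebeam Unpaid Collaborator",
}

def preflight(memberships, sso_domains, it_admin_email):
    """Return sorted (email, problem) findings for (group, email) pairs."""
    domains = {d.strip().lower() for d in sso_domains}
    it_admin = it_admin_email.strip().lower()
    groups_by_user = defaultdict(set)
    for group, email in memberships:
        if group in PLAN_GROUPS:  # groups that won't be pushed are ignored
            groups_by_user[email.strip().lower()].add(group)

    findings = []
    for email, groups in groups_by_user.items():
        # Rule: only users under domains your SSO configuration manages.
        if email.rpartition("@")[2] not in domains:
            findings.append((email, "domain not managed by SSO configuration"))
        # Rule: each user belongs to exactly one plan group.
        if len(groups) > 1:
            findings.append((email, "in multiple plan groups: " + ", ".join(sorted(groups))))
        # Rule: the IT Admin stays out of every end user group.
        if email == it_admin:
            findings.append((email, "IT Admin is in an end user group"))
    return sorted(findings)

# Constructed sample export: not real users or domains.
SAMPLE = [
    ("Bluebeam Core", "ana@example.com"),
    ("Bluebeam Complete", "ana@example.com"),
    ("Bluebeam Basics", "raj@partner.example.net"),
    ("Bluebeam Core", "IT.Admin@example.com"),
    ("Bluebeam Unpaid Collaborator", "lee@example.com"),
    ("Engineering", "lee@example.com"),
]

if __name__ == "__main__":
    for email, problem in preflight(SAMPLE, {"example.com"}, "it.admin@example.com"):
        print(f"{email}: {problem}")
```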

Start configuration in Org Admin

You must use the Org Admin link specified in the procedure. This link directs you to an Org Admin interface specific to SSO and SCIM configuration. If you log in to any other Org Admin URL, the configuration won't be successful.

To start SCIM configuration, go to Org Admin, sign in to the region you selected when you requested SSO access, and follow these steps:

  1. Under Accounts, select the account you want to manage.

  2. Select Settings.

  3. Next to SCIM Provisioning, select Configure.
  4. Next to SCIM Connector Base URL, select Copy Link, and save the link for use later in the configuration.
  5. Select Generate Token.
  6. Enter a "friendly" name for your token, then select Generate.
  7. Select Copy, then paste and save the generated token in a secure location for use later in the configuration.
    Perform this step before you close the token window. After you close the token window, you won't be shown the token again, and you can't recover it.
  8. Optional: Select Allow External User Management if you want to permit users from outside your company domain.
    You can manage these users only through Org Admin.

Continue SCIM configuration in the Okta Admin Console

The SCIM configuration procedures continue in the Okta Admin Console where you will need to take the following actions:

  • Create an Okta application for SCIM

  • Configure and provision the SCIM application

Create an Okta application for SCIM

To create an Okta application for SCIM, follow these steps:

  1. In the Okta Admin Console, go to Applications > Applications and select Browse App Catalog.

  2. Search for and select SCIM 2.0 Test App (Header Auth).

  3. Select + Add Integration.

  4. Under General Settings, apply the following settings:

    • Application Label: Enter a descriptive name for the application.

    • Application Visibility: Select this option.

    • Browser plugin auto-submit: Clear this option if selected.

  5. Select Next.

  6. Under Sign-On Options Required, change the sign-on method to Secure Web Authentication, and select Administrator sets username and password.

    All other fields can remain blank or at their default values.
  7. Under Credentials Details:

    • Set Application username format to email.

    • Set Update application username on to Create and update.

  8. Click Done.

To configure and provision the Okta application for SCIM, open the application you created above and follow these steps:

  1. Select the Provisioning tab for the application you created for SCIM.

  2. Configure credentials as follows:

    1. Select Configure API Integration.

    2. Select Enable API Integration.

    3. Enter the Base URL you copied from Org Admin.

  3. When prompted for the API Token, type "Bearer " (including the space after it), then paste the token you copied from Org Admin.

  4. Select Test API Credentials.

  5. Upon successful verification, select Save.

  6. From the Settings menu, select To App.

  7. Next to Provisioning to App, select Edit, then enable the following choices:

    • Create Users
    • Update User Attributes
    • Deactivate Users
  8. Click Save.

  9. Under Attribute Mappings for your app, remove all attributes except the following:

    • userName

    • givenName

    • familyName

    • preferredLanguage

  10. From the application top menu, select the Push Groups tab.

  11. Select + Push groups > + Find groups by name.

  12. Search for and add a user group you created earlier, then select Save or select Save & Add Another to add more user groups.

    Perform this step for each group you want to add to the application, and select Save after you add the last user group.

When the Push Status is Active, return to Org Admin and verify synced user groups and SCIM users.

The status change could take a while to be reflected in Org Admin. If the status change takes longer than 30 minutes, return to Okta and select Push Groups again.

Verify synced user groups and SCIM users

After provisioning completes in your IdP, return to Org Admin and verify your users are provisioned and synced correctly by Bluebeam Plan.

The Synced Groups tab won't appear in Org Admin until your IdP completes its first provisioning cycle.

Org Admin automatically assigns end users who are members of those SCIM groups to the Unpaid Collaborator plan, even if those users are assigned a Bluebeam plan. To avoid users losing their subscription access, perform this step to assign the SCIM groups to their appropriate Bluebeam plans as soon as possible.

To verify synced user groups, follow these steps:

  1. From the left sidebar menu in Org Admin, select Users.
  2. From the top of the active window, select Synced Groups to see a list of the groups you created in your IdP.
  3. Select Edit.
  4. Specify the appropriate Bluebeam Plan for each Synced Group that contains users.

    Don't assign "IT Admin" or "Org Admin" to a synced group.

    A Bluebeam Plan could contain multiple serial numbers. Be sure you select all serial numbers for each plan.

  5. Select Save Changes.
  6. Select Done.

To verify provisioned users' information, follow these steps:

  1. From the top of the active window, select Users to see a list of the Bluebeam users in your organization.
  2. Under User Overview, view user information and verify that they display the following:
    • The user type of "SCIM End User."
    • The status of "Active."
    • The correct Contract/Plan associated with their group that was synced with their IdP.
    • The "Server Region" that matches the region selected when requesting SSO and SCIM access.
      This region is the license region for SCIM provisioned users regardless of their locations. Be sure you tell your users that they must now select this region when they sign in to Revu, but they can sign in to any Studio region.

Communicate sign in changes to users

Provisioning your user accounts for SCIM could affect how your users sign in to Revu. When you requested SSO and SCIM access, you specified a single region to store license information for your organization, even if you have users in multiple regions. You should inform end users in your organization of the following:

  • The region associated with their Revu accounts after SCIM provisioning.
  • When they sign in to Revu, they must select this region, even if they've signed in to another region in the past.
    If they don't sign in to the correct region, their Bluebeam account information in Revu will appear as "Unpaid," and they'll be unable to access any paid features associated with their Bluebeam Plan.
  • Their geographic location may not match this region.
  • They can sign in to any Studio region by following the steps below:
    1. In Revu, open the Studio panel.
    2. From the Choose Server dropdown, select the Studio Server that you'd like to sign into.
    3. Ensure the "Use my Revu login credentials" checkbox is cleared, and select Sign In.
    4. Enter your BBID email and password and select Sign In.

Disable SCIM

Use Org Admin if you need to disable SSO for your organization.

If you configured SCIM for your organization, you may disable SCIM and keep SSO configured, but if you want to disable SSO, you must first disable SCIM.

Disable SCIM for your organization

If needed, you can disable SCIM for your organization, regardless of whether you want to keep SSO enabled.

Disabling SCIM requires that you stop provisioning from your IdP before you disable SCIM in Org Admin. If you disable SCIM in Org Admin before you stop provisioning in your IdP, SCIM provisioning will continue for your Bluebeam account until you disable it from your IdP.

Stop provisioning from Okta Workforce Identity Cloud

To stop provisioning from the Okta Admin Console, follow these steps:

  1. Log in to the Okta Admin Console.

  2. Select Applications > Applications.

  3. Select the dropdown next to the SCIM application for your organization and select Deactivate.

Disable SCIM in Org Admin

To disable SCIM in Org Admin, follow these steps:

  1. From the left sidebar menu in Org Admin, select Account Settings.
  2. From the top of the active window, select Security.
  3. Turn off the toggle next to SCIM Provisioning.
  4. When prompted, confirm (or cancel) disabling SCIM.

When you disable SCIM in Org Admin, the following occurs:

  • Org Admin reverts to its default, pre-SCIM provisioning behavior, which cannot easily be undone.

  • Synced groups will be cleared.
