Configure SSO for Bluebeam Accounts | OIDC

Applies to:

  • Revu 21

Single sign-on (SSO) provides seamless access for your users by allowing them to access Bluebeam products using their IdP login credentials.

Bluebeam officially supports SSO configuration for the following IdPs:

Revu is compatible with other IdPs that use OpenID Connect (OIDC) as an authentication protocol, but those configurations aren't supported, and SCIM enablement isn't available. While this document provides simple guidance for using our generic OIDC connector to configure SSO for a compatible but unsupported IdP, Bluebeam Support won't be able to troubleshoot if you have issues configuring SSO for an unsupported IdP, and you may need to disable SSO.

Bluebeam doesn't support Security Assertion Markup Language (SAML) for managing authentication.

Requirements

The ability to configure SSO is only available if your organization:

  • Has purchased or converted a minimum of 10 seats to a Bluebeam subscription plan.
  • Is not already configured to use SSO with Bluebeam products and services. If your organization already has SSO configured, contact us before continuing.

If you meet these requirements and want to enable SSO for your organization, have the Org Admin log in to Org Admin and perform the following steps to request access to configure SSO:

  1. In your web browser, type the Org Admin URL that corresponds with your region:

  2. Under Accounts, select the account you want to manage.

  3. Select Settings.

    If your organization doesn't meet the requirements for SSO configuration, the Request Access button isn't available and you can't proceed.
  4. Next to SSO Configuration, select Request Access.

  5. Provide the requested information.

After we receive and process your request, you can proceed to SSO configuration.

Claim and verify domains

To configure SSO, first claim and then verify the domain your organization owns and that you want to link with your Bluebeam account. To link more than one domain to your Bluebeam account, perform this procedure separately for each of those domains. You cannot configure SSO until you've claimed and verified at least one domain.

This procedure requires that you copy information from Org Admin and paste it into a new TXT record for your DNS server. You should be prepared to log in to the DNS server for each domain you want to claim to prepare for that step.

  • You may claim up to 500 domains. If the Domain Ownership page shows you've already claimed and verified 500 domains, you must remove a domain from the list before you can complete this procedure and claim and verify another domain.
  • After you use a listed domain as part of an SSO configuration, you cannot remove it from the list.

To claim and verify your domain, follow these steps:

  1. In Org Admin, select Accounts, and then select the account you want to manage.
  2. Select Settings.
  3. Next to Domain Ownership, select Manage.
  4. Select Claim Domain.
  5. Enter the domain name you want to claim (e.g. company.com), and select Claim.
  6. From the Verify Domain dialog, select Copy next to each field and paste the information to a new TXT record for your DNS server.
  7. Wait at least five minutes, then select Check Verification.

Perform this procedure for each domain you want to claim and verify.

You can't start SSO configuration while the domain status is "Pending," but you don't have to wait for the domain to be verified to claim additional domains.

The domain status could remain "Pending" for up to 72 hours while DNS propagation for these changes takes place across all servers on the internet. During this time, you can periodically log in to Org Admin and follow these steps to check for the status change to "Verified":

  1. In Org Admin, select Accounts, and then select the account you want to manage.
  2. Select Settings.
  3. Next to Domain Ownership, select Manage.
  4. On the Domain Ownership page, select the three dots under Actions, then select Check Verification.

If the domain status is still "Pending" after 72 hours, first verify that you entered information into the TXT record correctly. If the TXT record is correct, contact us.

Configure SSO

SSO configuration requires that you perform a series of procedures within your IdP before you complete configuration in Org Admin.

Create a web application for SSO and collect information for SSO configuration

To configure SSO for your Bluebeam account, you must create an application for SSO in your IdP. This section describes the general workflow and information you'll need to create the application. For detailed information about creating an SSO application in your IdP, consult the documentation for your IdP.

In general, be prepared to provide the following:

  • When presented with configuration options, select the option for OIDC.
  • When prompted, provide the following sign-in redirect URIs:
    • https://signin.bluebeam.com/oauth2/v1/authorize/callback

    • https://id.bluebeam.com/oidc/callback

    • https://signin.bluebeamstudio.co.uk/oauth2/v1/authorize/callback

    • https://signin.bluebeamstudio.de/oauth2/v1/authorize/callback

    • https://signin.bluebeamstudio.se/oauth2/v1/authorize/callback

    • https://signin.bluebeamstudio.com.au/oauth2/v1/authorize/callback

    • https://id.bluebeam.com/oidctest/callback

  • When prompted for required user attributes, use the following:

    • family_name

    • given_name

    • email

    • preferred_username

  • Be sure the application is accessible for all users managed by the IdP.

To collect information you'll need for SSO configuration in Org Admin, follow these steps:

  1. Find the following information in your IdP and paste it elsewhere for use during SSO configuration:

    • Issuer URI

    • Authorization Endpoint URI

    • JWKS URI

    • Application ID (Client ID)

    • Client Secret

    • Token Endpoint

    • UserInfo Endpoint (if available)

  2. In your IdP, select the default Authorization server.
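
OIDC-compliant IdPs usually publish these endpoint values in a discovery document at <issuer>/.well-known/openid-configuration. The following added example (not Bluebeam's or any IdP's code) maps that document to the Org Admin fields and flags problems before you paste the values. The host idp.example.com, the sample document and the function name org_admin_values are assumptions constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Org Admin field (as named on this page) -> OIDC discovery metadata key
FIELD_MAP = {
    "Issuer": "issuer",
    "Authorization Endpoint": "authorization_endpoint",
    "Token Endpoint": "token_endpoint",
    "JWKS URI": "jwks_uri",
    "Userinfo Endpoint": "userinfo_endpoint",
}
OPTIONAL = {"Userinfo Endpoint"}  # the page lists it as "if available"
REQUIRED_CLAIMS = {"family_name", "given_name", "email", "preferred_username"}

# Constructed sample document for a hypothetical IdP (not real metadata)
SAMPLE_URL = "https://idp.example.com/tenant1/.well-known/openid-configuration"
SAMPLE_DOC = json.dumps({
    "issuer": "https://idp.example.com/tenant1",
    "authorization_endpoint": "https://idp.example.com/tenant1/authorize",
    "token_endpoint": "https://idp.example.com/tenant1/token",
    "jwks_uri": "http://idp.example.com/tenant1/keys",  # deliberately not https
    "claims_supported": ["sub", "email", "given_name", "family_name"],
})


def org_admin_values(discovery_json, fetched_from):
    """Return (values, problems) for a discovery document's JSON text."""
    doc = json.loads(discovery_json)
    values, problems = {}, []
    for field, key in FIELD_MAP.items():
        url = doc.get(key)
        if not url:
            if field not in OPTIONAL:
                problems.append(f"missing {key}")
            continue
        if urlsplit(url).scheme != "https":
            problems.append(f"{key} is not https")
        values[field] = url
    # OIDC Discovery requires the issuer to match the URL the metadata came from
    issuer = doc.get("issuer", "")
    if issuer.rstrip("/") + "/.well-known/openid-configuration" != fetched_from:
        problems.append("issuer does not match the metadata URL")
    if "claims_supported" in doc:  # optional metadata, checked only when present
        missing = REQUIRED_CLAIMS - set(doc["claims_supported"])
        if missing:
            problems.append("claims not advertised: " + ", ".join(sorted(missing)))
    return values, problems

if __name__ == "__main__":
    print(org_admin_values(SAMPLE_DOC, SAMPLE_URL))
```

The Client ID and Client Secret are not part of the discovery document; they come from the application you created in the IdP.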

Export user list from your IdP and prepare to reconcile users

As part of SSO configuration, you'll be asked to reconcile the users in your organization listed in your IdP against the list of users in your organization who have Bluebeam IDs (BBIDs). Use this procedure to export your user list and load it into our CSV template for the SSO reconciliation process.

  1. Export your list from your IdP using their instructions.
  2. Open the exported user list.
  3. Download and open our CSV template.
  4. Copy the required user information from the exported user list to the defined cells of our template.

    Attribute claim               CSV Template Corresponding Column
    family_name                   lastName
    given_name                    firstName
    email or preferred_username   email
  5. Find any rows in the file that contain empty cells, determine whether those users need BBIDs, and take the following actions:
    • If the empty cell appears in a row for a user who doesn't need a BBID, you can delete the row.
    • If the empty cell appears in a row for a user who needs a BBID:
      a. Find their entry in your IdP and provide the missing value.
      b. Export your user list from your IdP again, and go to Step 4 above.
      c. If you didn't have to perform Steps a and b for any users, continue to Step 6.
  6. Save the CSV file for use when you configure SSO in Org Admin.
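
Steps 4 and 5 can be scripted. The following added example (not Bluebeam's tooling) maps an IdP export to the template columns named above and holds back rows with empty cells for the decision described in Step 5. The export's column names, the template column order, the sample rows and the duplicate-email check are assumptions that go beyond what the page specifies.

```python
import csv
import io

# Column names come from the page's mapping table; their order is an assumption
TEMPLATE_COLUMNS = ["firstName", "lastName", "email"]

# Constructed IdP export whose columns are named after the OIDC claims
SAMPLE_EXPORT = """given_name,family_name,email,preferred_username
Ana,Silva,ana.silva@company.com,asilva@company.com
Ben,,ben@company.com,ben@company.com
Cy,Lee,,cy.lee@company.com
ana,silva,Ana.Silva@company.com,asilva2@company.com
"""


def to_template(export_csv, email_claim="email"):
    """Return (template_csv_text, review) where review lists the export
    lines held back for a decision: fix in the IdP, or delete the row."""
    if email_claim not in ("email", "preferred_username"):
        raise ValueError("email_claim must be 'email' or 'preferred_username'")
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=TEMPLATE_COLUMNS, lineterminator="\n")
    writer.writeheader()
    review, seen = [], set()
    reader = csv.DictReader(io.StringIO(export_csv))
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        mapped = {
            "firstName": (row.get("given_name") or "").strip(),
            "lastName": (row.get("family_name") or "").strip(),
            "email": (row.get(email_claim) or "").strip(),
        }
        empty = [col for col, value in mapped.items() if not value]
        if empty:
            review.append((line_no, "empty: " + ", ".join(empty)))
            continue
        if mapped["email"].lower() in seen:  # added check, not a page step
            review.append((line_no, "duplicate email"))
            continue
        seen.add(mapped["email"].lower())
        writer.writerow(mapped)
    return out.getvalue(), review


if __name__ == "__main__":
    text, review = to_template(SAMPLE_EXPORT)
    print(text, review)
```

Pass email_claim="preferred_username" when you plan to select "UPN" for the email mapping in Org Admin, so the CSV carries the same identifier the IdP will send.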

Configure SSO in Org Admin

To complete SSO configuration, set up SSO access to Bluebeam products and services for end users in your organization who are listed with your IdP. You'll also reconcile the list of your users in your IdP with the list of your users in our system who have BBIDs to ensure your end users' IDs in your IdP match their BBIDs.

To configure SSO, go to Org Admin and follow these steps:

  1. Under Accounts, select the account you want to manage.

  2. Select Settings.

  3. Next to SSO Configuration, select Configure.
  4. Select OpenID Connect.
  5. When prompted, provide the following requested information that you collected from your SSO app earlier:
    • Issuer
    • Authorization Endpoint
    • Token Endpoint
    • JWKS URI
    • Userinfo Endpoint
    • Client ID
    • Client Secret
  6. Select Submit.
  7. In the OpenID Connect Configuration dialog, specify the verified domain(s) you want configured to your account, and select Next.
  8. To "Map service provider attribute to available fields," keep the default entries for "First Name" and "Last Name." For "Email mapping," select either "email" or select "UPN" if mapping to preferred_username.
  9. Select Sign in to Test SSO.
  10. When prompted, use an account that has a Studio BBID to log in.
    The tests "Connection" and "User Attributes" must be successful before you can continue. Verify the values expected for "User Attributes" are consistent with your mapping selection.
  11. Return to Org Admin.
  12. Select Continue.
  13. Select Next to provide a list of your users and complete the SSO configuration.
  14. Upload the CSV file you created earlier.
  15. Select Next.
    Select Finish Later to save your progress, leave this procedure, and continue at a later time.
  16. When prompted, click Close to continue SSO configuration.

You'll be returned to the Settings tab, where you can verify that the domain(s) you selected for your organization appear and then continue SSO configuration.

We'll cross reference BBIDs we find within your organization with user IDs for your organization in Okta Workforce Identity Cloud. We'll send you an email with the subject "Continue SSO Configuration" when this process completes and you can start the reconciliation process necessary to complete SSO configuration.

Reconcile user identities in your IdP with BBIDs in your organization

To complete your SSO configuration, ensure that the user identities within your IdP match the BBIDs in the Bluebeam user database for users in your organization. If you continue SSO configuration without performing the reconciliation process, unmatched users will lose access to their existing Studio Projects and Sessions.

When the "Continue SSO Configuration" email arrives, open it and select Continue SSO Configuration to open Org Admin to the Security tab in Account Settings. On the Security tab, next to SSO Configuration, select Continue to see a list of users in your account we couldn't match with users in our database.

Reconciliation is an important and required process for SSO enablement. If you have a large number of users in your organization and a large number of those users are listed as "Not Matched," reconciliation could take 20 minutes or longer.

Why are some users listed as "Not Matched"?

Users could be listed as "Not Matched" for a variety of reasons. For example, the list of BBIDs we have stored could include users who are either no longer with your organization, have had name changes, or had mistakes in their email address when originally added. Reconciliation allows you to evaluate the users listed as "Not Matched" to determine whether they should be provisioned for SSO and SCIM access or if the configuration process can ignore those users.

You must reconcile unmatched email addresses before you can continue SSO and SCIM configuration.

When you see this screen, you can:

  • Select Re-upload User List if your CSV file contains errors you need to correct.
  • Select Save & Finish Later if you want to save your progress and address the unmatched users later.
  • Select one or more users to ignore and not configure for SSO, because they are either no longer with your organization or don't need subscription access to Bluebeam products and services.
  • Select one or more users to update the New Bluebeam ID From Directory field. This action would be necessary if a user needs subscription access to Bluebeam products and services, and their email information changed with your organization but their BBID in our database did not change.

Reconciliation matches users' BBIDs with their IdP login credentials. Updating a user's current BBID so it matches their IdP login credentials will require that user to access our services with their IdP credentials moving forward. Be sure to contact those users and tell them to use their organization credentials as their new BBID and, if necessary, log out of any Sessions and log in again using their new BBID.

Why does a user appear multiple times?

If a user appears multiple times but in different Studio regions, reconcile that user for each region to ensure they don't lose access to those Studio Projects or Studio Sessions.

When to "Ignore Users"

Many unmatched users are those who are either no longer in your organization or don't need a BBID. When you see the list of unmatched users, hover over the information icon next to an unmatched user's current Bluebeam ID to review their Studio activity. The information displayed is:

  • Last Studio Login
  • Sessions Owned
  • Session Attended
  • Projects Owned
  • Project Memberships

If you determine that a user is either a former employee or otherwise doesn't require SSO access to Bluebeam products and services, select "Not Matched," then select "Ignore User" to exclude the user from SSO configuration for your organization.

To ignore more than one user, select multiple users and select "Ignore User."

When to edit New Bluebeam ID From Directory

If a user needs to be updated, select Edit, select Not Matched, and provide the user's email address from the IdP. After you update the matching information, notify the user(s) that they will need to use the new BBID going forward and, if necessary, log out and log back in using the new BBID.

Select Show All Users to verify that every user in the list is either "Ignored" or indicates "No Change."

Activate SSO

After you ignore or update unmatched users, select Activate to complete SSO configuration.

Disable SSO

Use Org Admin if you need to disable SSO for your organization.

Disable SSO for your organization

If needed, you can disable SSO for your organization. Be sure you want to do so, because this action cannot easily be undone.

If you disable SSO, the following occurs:
  • All configurations made during SSO setup will be lost.
  • Your users will no longer be able to sign in to Bluebeam products using the SSO provider for your organization.
  • Your users must use their BBID and password to sign in to Bluebeam products.
  • All user IDs must be managed individually through accounts.bluebeam.com.

To disable SSO, follow these steps:

  1. From the left sidebar menu in Org Admin, select Settings.
  2. Turn off the toggle next to SSO Configuration.

This guide contains information and procedures for IT Admins to configure SSO for their organizations if they manage identities with an unsupported IdP that requires the Generic OIDC connector.