Legacy SSO End of Life (EOL) effective August 31, 2026

Bluebeam is committed to improving your experience allowing your users to authenticate using your company’s identity provider credentials. As a result, Legacy SSO (SSO 1.0) will reach end of life (EOL) on August 31, 2026.

After August 31, 2026, the only path forward if your client secret expires will be to move to SSO 2.0.

To continue using SSO and to enable the ability to use SCIM to manage users, contact us and let us know you plan to migrate to SSO 2.0.

Benefits of transitioning to SSO 2.0

Transitioning to SSO 2.0 provides you with these benefits:

  • Self managed client secrets mean expirations will no longer be an issue.

  • Better security with domain validation.

  • The ability to enable SCIM for automated user provisioning and deprovisioning.

  • The ability to enable or disable SSO and SCIM from Org Admin.

Next steps

To ensure minimal downtime, we encourage you to begin preparing now. If you'd like, we can preconfigure your transition to SSO 2.0 on the back end, allowing for a streamlined switch.

  • Please confirm your preferred shutdown date for Legacy SSO.

  • Please review Configuring SSO and SCIM for Bluebeam Accounts documentation for more information.

  • Plan for and implement SSO 2.0 before your client secret expires.

  • Contact us to let us know you plan to migrate to SSO 2.0.

Frequently asked questions

As part of our ongoing efforts to improve security and user management, we are retiring Legacy SSO and transitioning customers to SSO 2.0 with SCIM. In addition, SSO 2.0 offers enhanced scalability, functionality, and efficiency, while providing full control over user management and configuration.

We recognize that transitioning to a new system requires coordination, and we're committed to making this process as smooth as possible. Because you performed reconciliation during the Legacy SSO process, the reconciliation steps for SSO 2.0 is expedited. If you have questions regarding the transition process, please reach out to your account manager or Technical Support for more information.

Before August 31, 2026

Customers who use Legacy SSO need to migrate to SSO 2.0 to take advantage of improved security and functionality.

After August 31, 2026

Legacy SSO will move to End of Life status, and users won't be able to authenticate using their company’s identity provider credentials when their client secret expires.

Bluebeam officially supports SSO configuration for the following IdPs:

Revu is compatible with other IdPs that use OpenID Connect (OIDC) as an authentication protocol, but those configurations aren't supported, and SCIM enablement isn't available. Bluebeam Support won't be able to troubleshoot if you have issues configuring SSO for an unsupported IdP, and you may need to disable SSO.

Bluebeam doesn't support Security Assertion Markup Language (SAML) for managing authentication.

The ability to configure SSO is only available if your organization:

  • Has purchased or converted a minimum of 10 seats to a Bluebeam subscription plan.
  • Is not already configured to use SSO with Bluebeam products and services. If your organization already has SSO configured, contact us before continuing.
  • Uses Microsoft Entra ID or Okta Workforce Identity Cloud as an identity provider (IdP).

Other IdPs are compatible but not supported. For more information, click here.

Only users with the IT Admin role in Org Admin and the Tenant Admin role on the tenant can configure SSO and SCIM. The Org Admin who requests SSO will automatically be made an IT/Tenant Admin.

  • Minimum seats: 10

  • Maximum domains: 500 per SSO configuration

  • SSO support level: Parent account (but inherited by child accounts)

  • SCIM support:

    • Parent account only

    • Users must all be under one account

    • Users must all be using the same license region

  • Multi-tenant: Not supported (separate parent accounts required)

  • Child account SCIM: Not supported

Before we remove the IdP for all regions, we need the following information:

  • From which region should your subscriptions be managed? Please consider the following:

    • The region should align with the primary region from which your company operates.

    • If your end users work from a different server region from where your company operates, you may want to select that region.

    • When you create a tenant with a region, you cannot change the region later.

  • Will any members need to switch to a different Studio server after this transition? Please note the following:

    • The subscription region and Studio region should be independent if users require access to a different Studio server.

    • By default, Revu signs users into Studio using their license credentials, but they must disable this default and select the correct Studio region manually.

No. Bluebeam doesn't currently support multiple tenant configurations under a single organization.

If you need independently managed SSO and SCIM for different business units or subsidiaries, the following applies:

  • You must split those tenants into separate parent accounts with separate Org Admin accounts.

  • Each parent account would have its own SSO and SCIM configuration.

No. Each organization manages its own SSO and SCIM setup through the parent account. Child accounts inherit configurations from the parent account configuration.

If you need separate SSO and SCIM configurations for child accounts, you must restructure your accounts so each child company becomes a parent account with a separate Org Admin account.

Subscription

Revu 21

SSO

SCIM

Legacy SSO customers must transition to SSO 2.0 by August 31, 2026. This article provides detailed information about the transition.