Configure SSO and SCIM for Bluebeam Accounts | Entra ID

Applies to:

  • Revu 21

SSO and SCIM provide seamless access for your users and allow you to manage all workspace members through your identity provider. This guide provides instructions for the IT Admin to configure SSO for their organization if they use Microsoft Entra ID as an identity provider (IdP). If you use Okta Workforce Identity Cloud as an IdP, see Configuring SSO and SCIM for Bluebeam Accounts | Okta Workforce Cloud.

You can choose to configure SSO only and not configure SCIM. However, if you want to configure SCIM, you must first configure SSO.

Requirements

The ability to configure SSO and SCIM is only available if your organization:

  • Has purchased or converted a minimum of 50 seats to a Bluebeam subscription plan.
  • Is not already configured to use SSO with Bluebeam products and services. If your organization already has SSO configured, contact us before continuing.
  • Uses Microsoft Entra ID or Okta Workforce Identity Cloud as an identity provider (IdP).
  • Is not utilizing Studio Prime integrations.

If you meet these requirements and want to enable SSO and SCIM for your organization, have the Org Admin log in to Org Admin and perform the following steps to request access to configure SSO and SCIM:

  1. Under Accounts, select the account you want to manage.

  2. Select Account Settings, and from the top of the active window, select Security.

  3. Next to SSO Configuration, select Request Access.

  4. Provide the requested information.

After we receive your request, we'll verify that your organization qualifies for SSO and SCIM integration. After verification, we'll contact you to continue the process and set up an IT Admin who will perform the SSO and SCIM configuration.

Overview

This guide includes the configuration of SSO for access to Bluebeam products and services, as well as the information that needs to be exchanged between Bluebeam and your IdP.

SSO configuration should be performed by the IT administrator for your organization. If your organization uses Entra ID, this should be the person who manages Entra ID for your organization and has the Global Administrator, Application Administrator, or Cloud Application Administrator role.

You must coordinate with Technical Support to ensure the administrator has the proper IT Admin permissions for Org Admin to perform these configurations. A user who has Org Admin permissions cannot configure SSO.

We suggest the IT administrator not use their own email account for their IdP admin or their BluebeamIT Admin account, but instead create a general or service account for administration purposes for both services. Further, they should:

  • Add the service account to Org Admin as an Org Admin.
  • Verify they can log in to Org Admin using the service account credentials.
  • Provide this account to Technical Support to be granted IT Admin permissions.

Accept your Bluebeam invitation

When you're ready to start your configuration, follow these steps to log in to Org Admin for the first time.

You must use the Org Admin link specified in the procedure. This link directs you to an Org Admin interface specific to SSO and SCIM configuration. If you log in to any other Org Admin URL, the configuration won't be successful.
  1. When you receive the Welcome email, click Manage Your Account to log in to Org Admin.
  2. Sign in to the region you selected when you requested SSO access.
  3. Enter your Bluebeam ID (BBID) and select Next.
  4. Enter your password, select Sign In, and provide the requested credentials.

Configure SSO

SSO configuration requires that you perform procedures in the Entra ID console and in Org Admin.

If your organization already has SSO configured and wants to configure SCIM, contact us before continuing.

Export user list from your IdP and prepare to reconcile users

As part of SSO configuration, you'll be asked to reconcile the users in your organization listed in your IdP against the list of users in your organization who have Bluebeam IDs (BBIDs). Use this procedure to export your user list and load it into our CSV template for the SSO reconciliation process.

  1. Export your user list from Entra ID using their instructions.
  2. Open the exported user list.
  3. Download and open our CSV template.
  4. Copy the required user information from the exported user list to the defined cells of our template.

    Entra ID Field NameCSV Template Corresponding Column
    surnamelastName
    givenNamefirstName

    mail

    		email
  5. Find any rows in the file that contain empty cells, determine whether those users need BBIDs, and take the following actions:
    • If the empty cell appears in a row for a user who doesn't need a BBID and SSO/SCIM provisioning, you can delete the row.
    • If the empty cell appears in a row for a user who needs a BBID and SSO/SCIM provisioning:
      1. Find their entry in your IdP and provide the missing value.
      2. Export your user list from your IdP again, and go to Step 4 above.
    If you didn't have to perform Steps a and b for any users, continue to Step 6.
  6. Save the CSV file for use when you configure SSO in Org Admin.

Configure SSO in Org Admin

To complete SSO configuration, set up SSO access to Bluebeam products and services for end users in your organization who are listed with your IdP. You'll also reconcile the list of your users in Entra ID with the list of your users in our system who have BBIDs to ensure your end users' Entra IDs match their BBIDs.

If your organization already has SSO configured and wants to configure SCIM, contact us before continuing.
You must use the Org Admin link specified in the procedure. This link directs you to an Org Admin interface specific to SSO and SCIM configuration. If you log in to any other Org Admin URL, the configuration won't be successful.

To configure SSO, go to Org Admin, sign in to the region you selected when you requested SSO access, and follow these steps:

  1. Under Accounts, select the account you want to manage.

  2. Select Account Settings, and from the top of the active window, select Security.
  3. Next to SSO Configuration, select Configure.
  4. Select Microsoft as your identity provider.
  5. When prompted, log in to Entra as the admin for your organization, select Consent on behalf of your organization, then select Accept to allow Bluebeam to create an application in your instance.
  6. In Org Admin, select Continue.
  7. In the SSO Configuration dialog, specify the domain(s) you want configured to your account, and select Next.
  8. To "Map service provider attribute to available fields," keep the default entries.
  9. Select Done.
  10. Select Continue to provide a list of your users and complete the SSO configuration.
  11. Upload the CSV file you created earlier.
  12. Select Next.
    Select Finish Later to save your progress, leave this procedure, and continue at a later time.
  13. When prompted, click Close to continue SSO configuration.

You'll be returned to the Security tab, where you can verify that the domain(s) you selected for your organization appear and then continue SSO configuration.

We'll cross reference BBIDs we find within your organization with user IDs for your organization in Entra ID. We'll send you an email with the subject "Continue SSO Configuration" when this process completes and you can start the reconciliation process necessary to complete SSO configuration.

The following issues with data in the CSV file could cause errors when you upload the file:

  • The CSV file is empty.
  • Reading the CSV file encountered an error.
  • The CSV file is missing at least one required column: email, firstName, or lastName column(s) could not be found.
  • There was a problem reading the CSV file around row [row number].
  • The CSV file at row [row number] did not contain enough columns of data to process the email, firstName, and/or lastName columns.
  • The CSV file at row [row number] contains an invalid email address "jsmith," where a valid email address was expected (e.g. jsmith@example.com).

Use the information from the displayed error message to determine the cause of the error, correct the error, then generate and upload the CSV file again.


Reconcile user identities in your IdP with BBIDs in your organization

To complete your SSO configuration, ensure that the user identities within your IdP match the BBIDs in the Bluebeam user database for users in your organization. If you continue SSO configuration without performing the reconciliation process, unmatched users will lose access to their existing Studio Projects and Sessions.

When the "Continue SSO Configuration" email arrives, open it and select Continue SSO Configuration to open Org Admin to the Security tab in Account Settings. On the Security tab, next to SSO Configuration, select Continue to see a list of users in your account we couldn't match with users in our database.

Reconciliation is an important and required process for SSO enablement. If you have a large number of users in your organization and a large number of those users are listed as "Not Matched," reconciliation could take 20 minutes or longer.

Why are some users listed as "Not Matched"?

Users could be listed as "Not Matched" for a variety of reasons. For example, the list of BBIDs we have stored could include users who are either no longer with your organization, have had name changes, or had mistakes in their email address when originally added. Reconciliation allows you to evaluate the users listed as "Not Matched" to determine whether they should be provisioned for SSO and SCIM access or if the configuration process can ignore those users.

You must reconcile unmatched email addresses before you can continue SSO and SCIM configuration.

When you see this screen, you can:

  • Select Re-upload User List if your CSV file contains errors you need to correct.
  • Select Save & Finish Later if you want to save your progress and address the unmatched users later.
  • Select one or more users to ignore and not configure for SSO, because they are either no longer with your organization or don't need subscription access to Bluebeam products and services.
  • Select one or more users to update the New Bluebeam ID From Directory field. This action would be necessary if a user needs subscription access to Bluebeam products and services their email information changed with your organization, but their BBID in our database did not change.
Reconciliation matches users' BBIDs with their IdP login credentials. Updating a user's current BBID so it matches their IdP login credentials will require that user to access our services with their IdP credentials moving forward. Be sure to contact those users and tell them to use their organization credentials as their new BBID and, if necessary, log out of any Sessions and log in again using their new BBID.

Why does a user appear multiple times?

If a user appears multiple times but in different Studio regions, reconcile that user for each region to ensure they don't lose access to those Studio Projects or Studio Sessions.

When to "Ignore Users"

Many unmatched users are those who are either no longer in your organization or don't need a BBID. When you see the list of unmatched users, hover over the information icon () next to an unmatched user's current Bluebeam ID to review their Studio activity. The information displayed is:

  • Last Studio Login
  • Sessions Owned
  • Session Attended
  • Projects Owned
  • Project Memberships
  • Studio Markups Created

If you determine that a user is either a former employee or otherwise doesn't require SSO access to Bluebeam products and services, select "Not Matched," then select "Ignore User" to exclude the user from SSO configuration for your organization.

To ignore more than one user, select multiple users and selecting "Ignore User."

When to edit New Bluebeam ID From Directory

If a user needs to be updated, select Edit, select "Not Matched," and provide the user's email address from the IdP. After you update the matching information, notify the user(s) that they will need to use the new BBID going forward and, if necessary, log out and log back in using the new BBID.

Select Show All Users to verify that every user in the list is either "Ignored" or indicates "No Change."

Activate SSO

After you ignore or update unmatched users, select Activate to complete SSO configuration and continue to SCIM configuration.

Configure SCIM

After you successfully configure SSO, you can choose to configure SCIM to create a connection between Org Admin and your IdP. This connection allows you to manage the Bluebeam users (and their Bluebeam Plans) in your organization through your IdP.

After SCIM configuration, if you need to remove end users from a user group or move end users to another user group in your IdP, be sure those users sign out of Revu before you make the change. Doing so releases their licenses for the Bluebeam Plan associated with the user group they're signed in to. If they don't sign out of Revu and release those licenses before you make this change, you risk exceeding your allowed number of seats for one or more of your Bluebeam Plans.
This configuration requires you to perform steps in Org Admin and in your IdP.

Before you consider SCIM configuration

When you configure SCIM, you'll create and add users to SCIM groups within your IdP. Only add users to SCIM groups that you want managed by the account you're configuring for SCIM. Users managed under different accounts or by outside external parties will be moved to your SCIM account.

When adding users to SCIM groups, follow these rules:

  • Only add users to your SCIM group that fall under the domains your SSO configuration manages.

  • Don't add users managed outside your organization or users managed under a separate Bluebeam account to your SCIM group.

  • If your organization has multiple Bluebeam accounts and you want to manage all users via SCIM, reach out to registration@bluebeam.com before you configure SCIM. They can assist you with merging the accounts.

Create groups in Entra ID

Before you continue, be sure you understand the advice specified in Before you consider SCIM configuration.

If you use Entra ID as an IdP, configuring SCIM requires that you create one or more user groups in Entra ID based on Bluebeam Plans for your organization. New users should be added to the user group associated with the Bluebeam Plan they need. Users in your organization who are already assigned to a Bluebeam Plan should be placed into the user group associated with their existing plan.

  1. Create user groups for the following Bluebeam Plans.
    • Bluebeam Basics
    • Bluebeam Core
    • Bluebeam Complete
    • Bluebeam Unpaid Collaborator (For users you want to manage with SCIM but don't currently need a Bluebeam Plan. Placing these users into this group also allows you to easily move them to a Bluebeam Plan if needed in the future.)
  2. Assign users to the appropriate group based on their Bluebeam Plans.
    Don't add the IT Admin user to any of the end user groups created above. Doing so will change the administrator's permission level from IT Admin to Org Admin, which will prevent the configuration from continuing without involvement from Technical Support.
    Assign users to only one user group. No user should be assigned to multiple user groups.

For more information about user groups, see the Microsoft support site article for creating and managing groups in Entra ID.

Start configuration in Org Admin

You must use the Org Admin link specified in the procedure. This link directs you to an Org Admin interface specific to SSO and SCIM configuration. If you log in to any other Org Admin URL, the configuration won't be successful.

To start SCIM configuration, go to Org Admin, sign in to the region you selected when you requested SSO access, and follow these steps:

  1. Under Accounts, select the account you want to manage.

  2. Select Account Settings, and from the top of the active window, select Security.
  3. Next to SCIM Provisioning, select Configure.
  4. Next to SCIM Connector Base URL, select Copy Link, and save the link for use later in the configuration.
  5. Select Generate Token.
  6. Enter a "friendly" name for your token, then select Generate.
  7. Select Copy then paste and save the generated token to a secure location for use later in the configuration.
    Perform this step before you close the token window. After you close the token window, you won't be shown the token again, and you can't recover it.
  8. Optional: Select Allow External User Management if you want to permit and manage users from outside your company domain.
    You can manage these users only through Org Admin.

Continue SCIM configuration in the Entra admin center

The SCIM configuration procedures continue in the Microsoft Entra admin center. You will need to:

  • Create an enterprise application
  • Map specified attributes between Entra ID and Bluebeam
  • Assign users to groups and complete provisioning

Create an enterprise application

  1. Log in to the Microsoft Entra admin center with an account that has Global Administrator, Application Administrator, or Cloud Application Administrator permissions.
  2. Go to Identity > Applications > Enterprise applications > All applications.
  3. Select New application.
  4. Select Create your own application.
    1. Provide a name for your application.
      Keep the default selection of Integrate any other application you don't find in the gallery (Non-gallery).
    2. Select Create.
      An overview page for the application you created appears, and you can start provisioning.
  5. Select Provisioning, then select Get started.
    1. Under Provisioning Mode, select Automatic.
    2. Select Admin Credentials.
    3. Copy and paste the SCIM Connector Base URL you saved earlier into the Tenant URL field.
    4. Copy and paste the Token you generated and saved earlier into the Secret Token field.
    5. Select Test Connection to verify our system communicates with Entra ID.
    6. Select Save to save your provisioning progress and enable you to specify the attributes to map between Entra ID and Bluebeam.

Map attributes between Entra ID and Bluebeam

We require only the following attributes to be mapped for SCIM configuration.

Microsoft Entra ID Attribute Mappings

This procedure allows you to remove the attributes that are unnecessary for SCIM configuration.

  1. Select Mappings then select Provision Microsoft Entra ID Users.
  2. Remove the following attributes:
    • Attributes that start with "addresses"
    • Attributes that start with "phoneNumbers"
    • Attributes that start with "urn"
    • The "name.formatted" attribute
    • The "displayName" attribute
    • The "title" attribute
    • The "emails[type eq "work"].value" attribute
  3. Verify the remaining attributes match those in the image above.
  4. At the top of the Attribute Mapping page, select Save, and select Yes to confirm your mapping selections.
  5. At the top of the Entra ID page, select Home then select Manage Microsoft Entra ID to assign users to the security groups you created earlier.

Add the security groups to the enterprise application and provision users

The final step for SCIM configuration requires that you add the user groups you created for Bluebeam Plans, into which you've already assigned users, to the enterprise application you created to communicate with Bluebeam. To add groups to an enterprise application in Entra ID, see this Microsoft support site article.

After you add groups to your application:

  1. Return to the Users and groups page for the application you created.
  2. Verify the email address for the IT Admin is not part of any user group. If so, remove the email address from the group.
  3. Under Manage, select Provisioning.
  4. Select Start provisioning.
Select View provisioning details to see provisioning progress.

Verify synced user groups and SCIM users

After provisioning completes in your IdP, return to Org Admin and verify your users are provisioned and synced correctly by Bluebeam Plan.

The Synced Groups tab won't appear in Org Admin until your IdP completes its first provisioning cycle.

To verify synced user groups, follow these steps:

  1. From the left sidebar menu in Org Admin, select Users.
  2. From the top of the active window, select Synced Groups to see a list of the groups you created in your IdP.
  3. Select Edit.
  4. Specify the appropriate Bluebeam Plan for each Synced Group that contains users.

    Don't assign "IT Admin" or "Org Admin" to a synced group.

    A Bluebeam Plan could contain multiple serial numbers. Be sure you select all serial numbers for each plan.

  5. Select Save Changes.
  6. Select Done.

If needed, select Force Group Sync to re-evaluate the synced groups and all assigned users in your organization to ensure they're assigned to the proper license. This process could take a few minutes.

You can select Force Group Sync only once every 30 minutes. If you need to re-evaluate the synced groups, and the button isn't available, you must wait for the 30-minute time limit to expire before you can select the button again.

To verify provisioned users' information, follow these steps:

  1. From the top of the active window, select Users to see a list of the Bluebeam users in your organization.
  2. Under User Overview, view user information and verify that they display the following:
    • The user type of "SCIM End User."
    • The status of "Active."
    • The correct Contract/Plan associated with their group that was synced with their IdP.
    • The "Server Region" that matches the region selected when requesting SSO and SCIM access.
      This region is the license region for SCIM provisioned users regardless of their locations. Be sure you tell your users that they must now select this region when they sign in to Revu, but they can sign in to any Studio region.

Communicate sign in changes to users

Provisioning your user accounts for SCIM could affect how your users sign in to Revu. When you requested SSO and SCIM access, you specified a single region to store license information for your organization, even if you have users in multiple regions. You should inform end users in your organization of the following:

  • The region associated with their Revu accounts after SCIM provisioning.
  • When they sign in to Revu, they must select this region, even if they've signed in to another region in the past.
    If they don't sign in to the correct region, their Bluebeam account information in Revu will appear as "Unpaid," and they'll be unable to access any paid features associated with their Bluebeam Plan.
  • Their geographic location may not match this region.
  • They can sign in to any Studio region by following the steps below:
    1. In Revu, open the Studio panel.
    2. From the Choose Server dropdown, select the Studio Server that you'd like to sign into.
    3. Ensure the "Use my Revu login credentials" checkbox is cleared, and select Sign In.
    4. Enter your BBID email and password and select Sign In.

Disable SSO and SCIM

Use Org Admin if you need to disable SCIM and/or SSO for your organization.

You may disable SCIM and keep SSO configured, but if you want to disable SSO, you must first disable SCIM.

Disable SCIM for your organization

If needed, you can disable SCIM for your organization, regardless of whether you want to keep SSO enabled.

Disabling SCIM requires that you stop provisioning from your IdP before you disable SCIM in Org Admin. If you disable SCIM in Org Admin before you stop provisioning in your IdP, SCIM provisioning will continue for your Bluebeam account until you disable it from your IdP.

Stop provisioning from Entra ID

To stop provisioning from the Entra ID admin center, follow these steps:

  1. Log in to the Microsoft Entra admin center with an account that has Global Administrator, Application Administrator, or Cloud Application Administrator permissions.
  2. Go to Identity > Applications > Enterprise applications > All applications.
  3. Select the application you created for SCIM configuration.
  4. At the top of the active window, select Stop provisioning.

Disable SCIM in Org Admin

To disable SCIM in Org Admin follow these steps:

  1. From the left sidebar menu in Org Admin, select Account Settings.
  2. From the top of the active window, select Security.
  3. Turn off the toggle next to SCIM Provisioning.
  4. When prompted, confirm (or cancel) the disabling of SCIM.

When you disable SCIM in Org Admin, the following occurs:

  • Org Admin reverts to its default, pre-SCIM provisioning behavior, which cannot easily be undone.

  • Synced groups will be cleared.

Disable SSO for your organization

If you configured SCIM for your organization, you must first disable SCIM before you can disable SSO.

If needed, you can disable SSO for your organization. Be sure you want to do so, because this action cannot easily be undone.

If you disable SSO, the following occurs:
  • All configurations made during SSO setup will be lost.
  • Your users will no longer be able to sign in to Bluebeam products using the SSO provider for your organization.
  • Your users must use their BBID and password to sign in to Bluebeam products.
  • All user IDs must be managed individually through accounts.bluebeam.com.

To disable SSO, follow these steps:

  1. From the left sidebar menu in Org Admin, select Account Settings.
  2. From the top of the active window, select Security.
  3. Turn off the toggle next to SSO Configuration.

Subscription

Revu 21

SSO

SCIM

This guide contains information and procedures for IT Admin s to configure SSO and SCIM for their organizations if they manage identities with Microsoft Entra ID.