Configure SSO for Bluebeam Accounts | Entra ID

Applies to:

  • Revu 21

Single sign-on (SSO) provides seamless access for your users by allowing them to access Bluebeam products using their IdP login credentials. This guide provides instructions for the IT Admin to configure SSO for their organization if they use Microsoft Entra ID as an identity provider (IdP). If you use Okta Workforce Identity Cloud as an IdP, see Configuring SSO for Bluebeam Accounts | Okta Workforce Identity Cloud.

If you use an IdP other than Entra ID or Okta Workforce Identity Cloud, see Configuring SSO for Bluebeam Accounts | Generic OIDC for information about SSO configuration for unsupported but compatible IdPs.

You can choose to configure SSO only and not configure SCIM. However, if you want to configure SCIM, you must first configure SSO.

Requirements

The ability to configure SSO is only available if your organization:

  • Has purchased or converted a minimum of 10 seats to a Bluebeam subscription plan.
  • Is not already configured to use SSO with Bluebeam products and services. If your organization already has SSO configured, contact us before continuing.
  • Uses Microsoft Entra ID or Okta Workforce Identity Cloud as an identity provider (IdP).

If you meet these requirements and want to enable SSO for your organization, have the Org Admin log in to Org Admin and perform the following steps to request access to configure SSO and SCIM:

  1. In your web browser, type the Org Admin URL that Closedcorresponds with your region:

  2. Under Accounts, select the account you want to manage.

  3. Select Settings.

    If your organization doesn't meet the requirements for SSO configuration, the Request Access button isn't available and you can't proceed.

  4. Next to SSO Configuration, select Request Access.

  5. Provide the requested information.

After we receive and process your request, you can proceed to SSO configuration. If you selected I want to use SCIM, Bluebeam Support will contact you to let you know if you can proceed with SCIM activation or if further action is required.

You can configure SSO before you receive information related to SCIM.

Overview

This guide includes the configuration of SSO for access to Bluebeam products and services, as well as the information that needs to be exchanged between Bluebeam and your IdP.

SSO configuration should be performed by the IT administrator for your organization.

If your organization uses Entra ID, this should be the person who manages Entra ID for your organization and has the Global Administrator, Application Administrator, or Cloud Application Administrator role.

Configure SSO

SSO configuration requires that you perform procedures in the Entra ID console and in Org Admin.

Export user list from your IdP and prepare to reconcile users

As part of SSO configuration, you'll be asked to reconcile the users in your organization listed in your IdP against the list of users in your organization who have Bluebeam IDs (BBIDs). Use this procedure to export your user list and load it into our CSV template for the SSO reconciliation process.

  1. Export your user list from Entra ID using their instructions.
  2. Open the exported user list.
  3. Download and open our CSV template.
  4. Copy the required user information from the exported user list to the defined cells of our template.

    Entra ID Field NameCSV Template Corresponding Column
    surnamelastName
    givenNamefirstName

    mail
    or
    userPrincipalName

    		email

    If you configure SSO for your users' email addresses, be sure you copy values from the "mail" column in the Entra ID export file to the "email" column in our CSV template.

    If you configure SSO for your users' UPN values, be sure their UPNs are in email address format and that you copy values from the "userPrincipalName" column in the Entra ID export file to the "email" column in our CSV template.

  5. Find any rows in the file that contain empty cells, determine whether those users need BBIDs, and take the following actions:
    • If the empty cell appears in a row for a user who doesn't need a BBID, you can delete the row.
    • If the empty cell appears in a row for a user who needs a BBID:
      1. Find their entry in your IdP and provide the missing value.
      2. Export your user list from your IdP again, and go to Step 4 above.
        3. If you didn't have to perform Steps a and b for any users, continue to Step 6.
  6. Save the CSV file for use when you configure SSO in Org Admin.

Configure SSO in Org Admin

To complete SSO configuration, set up SSO access to Bluebeam products and services for end users in your organization who are listed with your IdP. You'll also reconcile the list of your users in Entra ID with the list of your users in our system who have BBIDs to ensure your end users' Entra IDs match their BBIDs.

To configure SSO, go to Org Admin, and follow these steps:

  1. Under Accounts, select the account you want to manage.

  2. Select Settings.

  3. Next to SSO Configuration, select Configure.
  4. Select Microsoft as your identity provider.
  5. When prompted, log in to Entra as the admin for your organization, select Consent on behalf of your organization, then select Accept to allow Bluebeam to create an application in your instance.
  6. In Org Admin, select Continue.
  7. In the SSO Configuration dialog, specify the domain(s) you want configured to your account, and select Next.
  8. To "Map service provider attribute to available fields," keep the default entries for First Name and Last Name. For Email, you may select "email" or "upn."

    The value you select for the Email field attribute determines whether your users are synced to their email addresses or their UPN. Ensure the following:

    • That the Email attribute field value is in an email address format. If it isn't in an email address format, you will receive an error when you reconcile.

    • If you select the "email" attribute here, all users will sync to the "email" value set for them in Entra ID. You must ensure you upload the values from the "email" column from the user list you exported in Export user list from your IdP and prepare to reconcile users to the "mail" column in our CSV template. If you intend to configure SCIM, you must use the "mail" attribute during that configuration.

    • If you select the "upn" attribute here, all users will sync to the "userPrincipalName" value set for them in Entra ID. You must ensure you upload the values from the "userPrincipalName" column from the user list you exported in Export user list from your IdP and prepare to reconcile users to the "email" column in our CSV template. If you intend to configure SCIM, you must use the "userPrincipalName" attribute during that configuration.

    Alert your users that, after SSO configuration is complete, they must log in with whichever sync value you chose, either the "email" or "upn" value.

  9. Select Done.
  10. Select Continue to provide a list of your users and complete the SSO configuration.
  11. Upload the CSV file you created earlier.
  12. Select Next.
    Select Finish Later to save your progress, leave this procedure, and continue at a later time.
  13. When prompted, click Close to continue SSO configuration.

You'll be returned to the Settings tab, where you can verify that the domain(s) you selected for your organization appear and then continue SSO configuration.

We'll cross reference BBIDs we find within your organization with user IDs for your organization in Entra ID. We'll send you an email with the subject "Continue SSO Configuration" when this process completes and you can start the reconciliation process necessary to complete SSO configuration.

The following issues with data in the CSV file could cause errors when you upload the file:

  • The CSV file is empty.
  • Reading the CSV file encountered an error.
  • The CSV file is missing at least one required column: email, firstName, or lastName column(s) could not be found.
  • There was a problem reading the CSV file around row [row number].
  • The CSV file at row [row number] did not contain enough columns of data to process the email, firstName, and/or lastName columns.
  • The CSV file at row [row number] contains an invalid email address "jsmith," where a valid email address was expected (e.g. jsmith@example.com).

Use the information from the displayed error message to determine the cause of the error, correct the error, then generate and upload the CSV file again.


Reconcile user identities in your IdP with BBIDs in your organization

To complete your SSO configuration, ensure that the user identities within your IdP match the BBIDs in the Bluebeam user database for users in your organization. If you continue SSO configuration without performing the reconciliation process, unmatched users will lose access to their existing Studio Projects and Sessions.

When the "Continue SSO Configuration" email arrives, open it and select Continue SSO Configuration to open Org Admin to the Settings page. Next to SSO Configuration, select Continue to see a list of users in your account we couldn't match with users in our database.

Reconciliation is an important and required process for SSO enablement. If you have a large number of users in your organization and a large number of those users are listed as "Not Matched," reconciliation could take 20 minutes or longer.

Why are some users listed as "Not Matched"?

Users could be listed as "Not Matched" for a variety of reasons. For example, the list of BBIDs we have stored could include users who are either no longer with your organization, have had name changes, or had mistakes in their email address when originally added. Reconciliation allows you to evaluate the users listed as "Not Matched" to determine whether they should be provisioned for SSO access or if the configuration process can ignore those users.

You must reconcile unmatched email addresses before you can continue SSO configuration.

When you see this screen, you can:

  • Select Re-upload User List if your CSV file contains errors you need to correct.
  • Select Save & Finish Later if you want to save your progress and address the unmatched users later.
  • Select one or more users to ignore and not configure for SSO, because they are either no longer with your organization or don't need subscription access to Bluebeam products and services.
  • Select one or more users to update the New Bluebeam ID From Directory field. This action would be necessary if a user needs subscription access to Bluebeam products and services their email information changed with your organization, but their BBID in our database did not change.
Reconciliation matches users' BBIDs with their IdP login credentials. Updating a user's current BBID so it matches their IdP login credentials will require that user to access our services with their IdP credentials moving forward. Be sure to contact those users and tell them to use their organization credentials as their new BBID and, if necessary, log out of any Sessions and log in again using their new BBID.

Why does a user appear multiple times?

If a user appears multiple times but in different Studio regions, reconcile that user for each region to ensure they don't lose access to those Studio Projects or Studio Sessions.

When to "Ignore Users"

Many unmatched users are those who are either no longer in your organization or don't need a BBID. When you see the list of unmatched users, hover over the information icon () next to an unmatched user's current Bluebeam ID to review their Studio activity. The information displayed is:

  • Last Studio Login
  • Sessions Owned
  • Session Attended
  • Projects Owned
  • Project Memberships

If you determine that a user is either a former employee or otherwise doesn't require SSO access to Bluebeam products and services, select "Not Matched," then select "Ignore User" to exclude the user from SSO configuration for your organization.

To ignore more than one user, select multiple users and selecting "Ignore User."

When to edit New Bluebeam ID From Directory

If a user needs to be updated, select Edit, select "Not Matched," and provide the user's email address from the IdP. After you update the matching information, notify the user(s) that they will need to use the new BBID going forward and, if necessary, log out and log back in using the new BBID.

Select Show All Users to verify that every user in the list is either "Ignored" or indicates "No Change."

Activate SSO

After you ignore or update unmatched users, select Activate to complete SSO configuration. If you want to continue to SCIM configuration for your organization, see Configure SCIM for Bluebeam Accounts.

Disable SSO

Use Org Admin if you need to disable SSO for your organization.

If you configured SCIM for your organization, you may disable SCIM and keep SSO configured, but if you want to disable SSO, you must first disable SCIM.

Disable SSO for your organization

If needed, you can disable SSO for your organization. Be sure you want to do so, because this action cannot easily be undone.

If you disable SSO, the following occurs:
  • All configurations made during SSO setup will be lost.
  • Your users will no longer be able to sign in to Bluebeam products using the SSO provider for your organization.
  • Your users must use their BBID and password to sign in to Bluebeam products.
  • All user IDs must be managed individually through accounts.bluebeam.com.

To disable SSO, follow these steps:

  1. From the left sidebar menu in Org Admin, select Settings.
  2. Turn off the toggle next to SSO Configuration.

Subscription

Revu 21

SSO

This guide contains information and procedures for IT Admins to configure SSO for their organizations if they manage identities with Microsoft Entra ID.