Configure SSO for Bluebeam Accounts | Okta Workforce Identity Cloud

Applies to:

  • Revu 21

SSO provides seamless access for your users by allowing them to access Bluebeam products using their IdP login credentials. This guide provides instructions for the IT Admin to configure SSO and SCIM for their organization if they use Okta Workforce Identity Cloud as an identity provider (IdP). If you use Microsoft Entra ID as an IdP, see Configuring SSO for Bluebeam Accounts | Entra ID.

Requirements

The ability to configure SSO is only available if your organization:

  • Has purchased or converted a minimum of 50 seats to a Bluebeam subscription plan.
  • Is not already configured to use SSO with Bluebeam products and services. If your organization already has SSO configured, contact us before continuing.
  • Uses Microsoft Entra ID or Okta Workforce Identity Cloud as an identity provider (IdP).

If you meet these requirements and want to enable SSO and SCIM for your organization, have the Org Admin log in to Org Admin and perform the following steps to request access to configure SSO and SCIM:

  1. In your web browser, type the Org Admin URL that corresponds with your region:

  2. Under Accounts, select the account you want to manage.

  3. Select Settings.

    If your organization doesn't meet the requirements for SSO configuration, the Request Access button isn't available and you can't proceed.
  4. Next to SSO Configuration, select Request Access.

  5. Provide the requested information.

After we receive and process your request, you can proceed to SSO configuration. If you selected "I want to use SCIM," Bluebeam Support will contact you to let you know if you can proceed with SCIM activation or if further action is required.

You can configure SSO before you receive information related to SCIM.

Overview

This guide includes the configuration of SSO for access to Bluebeam products and services, as well as the information that needs to be exchanged between Bluebeam and your IdP.

SSO configuration should be performed by the IT administrator for your organization.

If your organization uses Entra ID, this should be the person who manages Entra ID for your organization and has the Global Administrator, Application Administrator, or Cloud Application Administrator role.

Accept your Bluebeam invitation

When you're ready to start your configuration, follow these steps to log in to Org Admin for the first time.

  1. When you receive the Welcome email, click Manage Your Account to log in to Org Admin.
  2. Sign in to the region you selected when you requested SSO access.
  3. Enter your Bluebeam ID (BBID) and select Next.
  4. Enter your password, select Sign In, and provide the requested credentials.

Claim and verify domains

To configure SSO, first claim and then verify the domain your organization owns and that you want to link with your Bluebeam account. To link more than one domain to your Bluebeam account, perform this procedure separately for each of those domains. You cannot configure SSO until you've claimed and verified at least one domain.

This procedure requires that you copy information from Org Admin and paste it into a new TXT record for your DNS server. You should be prepared to log in to the DNS server for each domain you want to claim to prepare for that step.

  • You may claim only 50 domains. If the Domain Ownership page shows you've already claimed and verified 50 domains, you must remove a domain from the list before you can complete this procedure and claim and verify another domain.
  • After you use a listed domain as part of an SSO configuration, you cannot remove it from the list.

You must use the Org Admin link specified in the procedure. This link directs you to an Org Admin interface specific to SSO and SCIM configuration. If you log in to any other Org Admin URL, the configuration won't be successful.

To claim and verify your domain, follow these steps:

  1. In Org Admin, select Accounts, and then select the account you want to manage.
  2. Select Settings.
  3. Next to Domain Ownership, select Manage.
  4. Select Claim Domain.
  5. Enter the domain name you want to claim (e.g. company.com), and select Claim.
  6. From the Verify Domain dialog, select Copy next to each field and paste the information to a new TXT record for your DNS server.
  7. Wait at least five minutes, then select Check Verification.

Perform this procedure for each domain you want to claim and verify.

You can't start SSO configuration while the domain status is "Pending," but you don't have to wait for the domain to be verified to claim additional domains.

The domain status could remain "Pending" for up to 72 hours while DNS propagation for these changes takes place across all servers on the internet. During this time you can periodically log in to Org Admin and follow these steps to check for the status change to "Verified":

  1. In Org Admin, select Accounts, and then select the account you want to manage.
  2. Select Settings.
  3. Next to Domain Ownership, select Manage.
  4. On the Domain Ownership page, select the three dots under Actions, then select Check Verification.

If the domain status is still "Pending" after 72 hours, first verify that you entered information into the TXT record correctly. If the TXT record is correct, contact us.

Configure SSO

SSO configuration requires that you perform a series of procedures in the Okta Admin Console before you complete configuration in Org Admin.

Configure OIDC for Okta

To configure OIDC in Okta, follow these steps:

  1. In the Okta Admin Console, go to Security > API, and edit the default Authorization Server.

  2. Under Access Policies, select Add Policy and provide the following values:

    • Name: Default
    • Description: Default
    • Assign to: Select All clients
  3. Select Create Policy.

  4. On the policy you created, select Add Rule.

  5. On the Add Rule page, enter Default as the Rule name, and retain all other selections.

  6. Select Create rule.

Create an Okta application for SSO and collect information for SSO configuration

To create an Okta application for SSO, follow these steps:

  1. In the Okta Admin Console, go to Applications > Applications > + Create App Integration.

  2. On the Create a new app integration page, specify the following:

    • Sign-in method: OIDC - OpenID Connect

    • Application type: Web Application

  3. Select Next.

  4. On the New Web App Integration page, take the following actions:

    • Enter an App integration name for your OIDC SSO application.

    • Select Authorization Code as the Grant Type.

    • Add the following Sign-in redirect URIs:

      • https://signin.bluebeam.com/oauth2/v1/authorize/callback

      • https://id.bluebeam.com/oidc/callback

      • https://signin.bluebeamstudio.co.uk/oauth2/v1/authorize/callback

      • https://signin.bluebeamstudio.de/oauth2/v1/authorize/callback

      • https://signin.bluebeamstudio.se/oauth2/v1/authorize/callback

      • https://signin.bluebeamstudio.com.au/oauth2/v1/authorize/callback

      • https://id.bluebeam.com/oidctest/callback

      Do not remove the default entry (http://localhost:8080/authorization-code/callback) from the list.
    • Under Assignments:

      • Select Allow everyone in your organization to access.

      • Select Enable immediate access with Federation Broker Mode.

  5. Select Save.

  6. To configure user authentication, go to the Sign on tab for the application.

  7. Scroll to User Authentication and select an authorization method.

  8. Select Save.

To collect information you'll need for SSO configuration, follow these steps:

  1. Select the General tab and copy the following information and paste it elsewhere for use during SSO configuration:

    • Client ID

    • Client Secret

  2. From the side navigation, go to Security > API and select the default Authorization server.

  3. On the Settings page, select Edit and change the Metadata URI to replace "oauth-authorization-server" with "openid-configuration".

  4. Copy the updated Metadata URI and paste it into your web browser to display information you'll need later for SSO configuration.

    You can use a "pretty print" browser extension to better display the content from the Metadata URI and more easily find the information you'll need for SSO configuration.
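
An added example (not Bluebeam's or Okta's code): it applies the step 3 substitution to the Metadata URI and pulls the endpoint values out of the discovery JSON, rejecting a document whose issuer or endpoints do not line up. The host idp.example.com, the sample document and the function names are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Metadata keys defined by OpenID Connect Discovery 1.0.
KEYS = ("issuer", "authorization_endpoint", "token_endpoint",
        "jwks_uri", "userinfo_endpoint")
SUFFIX = "/.well-known/openid-configuration"

def to_discovery_uri(metadata_uri):
    """Apply the step 3 substitution to the authorization server's Metadata URI."""
    if "oauth-authorization-server" not in metadata_uri:
        raise ValueError("unexpected Metadata URI: " + metadata_uri)
    return metadata_uri.replace("oauth-authorization-server", "openid-configuration")

def extract_sso_fields(discovery_uri, document_text):
    """Return the endpoint values from the discovery JSON after sanity checks."""
    doc = json.loads(document_text)
    missing = [k for k in KEYS if not doc.get(k)]
    if missing:
        raise ValueError("discovery document lacks: " + ", ".join(missing))
    # Discovery 1.0: the issuer must be the URI the document was fetched from,
    # minus the well-known suffix.
    if not discovery_uri.endswith(SUFFIX) or doc["issuer"] != discovery_uri[:-len(SUFFIX)]:
        raise ValueError("issuer does not match the discovery URI")
    issuer_host = urlsplit(doc["issuer"]).hostname
    for key in KEYS:
        parts = urlsplit(doc[key])
        # Assumed check: an Okta authorization server serves every endpoint
        # over HTTPS from the issuer's own host.
        if parts.scheme != "https" or parts.hostname != issuer_host:
            raise ValueError(key + " is not an https URL on the issuer host")
    return {k: doc[k] for k in KEYS}

# Constructed sample input: idp.example.com stands in for your Okta domain.
SAMPLE_METADATA_URI = "https://idp.example.com/oauth2/default/.well-known/oauth-authorization-server"
BASE = "https://idp.example.com/oauth2/default"
SAMPLE_DOCUMENT = json.dumps({
    "issuer": BASE,
    "authorization_endpoint": BASE + "/v1/authorize",
    "token_endpoint": BASE + "/v1/token",
    "jwks_uri": BASE + "/v1/keys",
    "userinfo_endpoint": BASE + "/v1/userinfo",
})

if __name__ == "__main__":
    uri = to_discovery_uri(SAMPLE_METADATA_URI)
    for name, value in extract_sso_fields(uri, SAMPLE_DOCUMENT).items():
        print(f"{name:24} {value}")
```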

Export user list from your IdP and prepare to reconcile users

As part of SSO configuration, you'll be asked to reconcile the users in your organization listed in your IdP against the list of users in your organization who have Bluebeam IDs (BBIDs). Use this procedure to export your user list and load it into our CSV template for the SSO reconciliation process.

  1. Export your user list from Okta Workforce Identity Cloud using their instructions.
  2. Open the exported user list.
  3. Download and open our CSV template.
  4. Copy the required user information from the exported user list to the defined cells of our template.
    Okta Workforce Identity Cloud Field Name    CSV Template Corresponding Column
    Last Name                                   lastName
    First Name                                  firstName
    Primary email                               email
  5. Find any rows in the file that contain empty cells, determine whether those users need BBIDs, and take the following actions:
    • If the empty cell appears in a row for a user who doesn't need a BBID, you can delete the row.
    • If the empty cell appears in a row for a user who needs a BBID:
      a. Find their entry in your IdP and provide the missing value.
      b. Export your user list from your IdP again, and go to Step 4 above.
    If you didn't have to perform Steps a and b for any users, continue to Step 6.
  6. Save the CSV file for use when you configure SSO in Org Admin.
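
An added example (not part of Bluebeam's tooling) of steps 4 and 5: it maps an exported user list onto the three template columns and reports rows with empty cells or repeated email addresses instead of writing them out. The export header names are taken from the table above, and the template column order, the sample rows and the function name are assumptions.

```python
import csv
import io

# Okta export header -> template column, from the table in step 4.
COLUMN_MAP = {"Last Name": "lastName", "First Name": "firstName", "Primary email": "email"}

def build_template(export_text):
    """Return (template_csv_text, incomplete_rows, duplicate_emails)."""
    reader = csv.DictReader(io.StringIO(export_text))
    absent = [h for h in COLUMN_MAP if h not in (reader.fieldnames or [])]
    if absent:
        raise ValueError("export lacks columns: " + ", ".join(absent))
    rows, incomplete, duplicates, seen = [], [], [], set()
    for row_no, src in enumerate(reader, start=2):  # row 1 is the header
        row = {dst: (src.get(col) or "").strip() for col, dst in COLUMN_MAP.items()}
        empty = [name for name, value in row.items() if not value]
        if empty:
            # Step 5: the admin decides whether to drop this user or fix the IdP entry.
            incomplete.append((row_no, empty))
            continue
        key = row["email"].lower()
        if key in seen:
            duplicates.append(row["email"])
            continue
        seen.add(key)
        rows.append(row)
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(COLUMN_MAP.values()), lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue(), incomplete, duplicates

# Constructed sample export; the extra Status column is ignored.
SAMPLE_EXPORT = """\
Last Name,First Name,Primary email,Status
Rivera,Ana,ana.rivera@example.com,ACTIVE
Chen,,li.chen@example.com,ACTIVE
Okafor,Sam,sam.okafor@example.com,ACTIVE
Okafor,Sam,Sam.Okafor@example.com,ACTIVE
"""

if __name__ == "__main__":
    template, incomplete, duplicates = build_template(SAMPLE_EXPORT)
    print(template, end="")
    for row_no, columns in incomplete:
        print(f"row {row_no}: empty {', '.join(columns)}")
    for email in duplicates:
        print(f"duplicate email skipped: {email}")
```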

Configure SSO in Org Admin

To complete SSO configuration, set up SSO access to Bluebeam products and services for end users in your organization who are listed with your IdP. You'll also reconcile the list of your users in Okta Workforce Identity Cloud with the list of your users in our system who have BBIDs to ensure your end users' Okta user IDs match their BBIDs.

To configure SSO, go to Org Admin and follow these steps:

  1. Under Accounts, select the account you want to manage.

  2. Select Settings.

  3. Next to SSO Configuration, select Configure.
  4. Select OpenID Connect.
  5. When prompted, provide the following requested information displayed when you pasted the Metadata URI into your web browser earlier:
    • Issuer
    • Authorization Endpoint
    • Token Endpoint
    • JWKS URI
    • Userinfo Endpoint (required for Okta)
    • OpenID Provider Metadata Endpoints
    • Client ID
    • Client Secret
  6. Select Submit.
  7. In the OpenID Connect Configuration dialog, specify the verified domain(s) you want configured to your account, and select Next.
  8. To "Map service provider attribute to available fields," keep the default entries.
  9. Select Sign in to Test SSO.
  10. When prompted, use an account that has a Studio BBID to log in.
    The tests "Connection" and "User Attributes" must be successful before you can continue.
  11. Return to Org Admin.
  12. Select Continue.
  13. Select Next to provide a list of your users and complete the SSO configuration.
  14. Upload the CSV file you created earlier.
  15. Select Next.
    Select Finish Later to save your progress, leave this procedure, and continue at a later time.
  16. When prompted, click Close to continue SSO configuration.

You'll be returned to the Settings tab, where you can verify that the domain(s) you selected for your organization appear and then continue SSO configuration.

We'll cross reference BBIDs we find within your organization with user IDs for your organization in Okta Workforce Identity Cloud. We'll send you an email with the subject "Continue SSO Configuration" when this process completes and you can start the reconciliation process necessary to complete SSO configuration.

Reconcile user identities in your IdP with BBIDs in your organization

To complete your SSO configuration, ensure that the user identities within your IdP match the BBIDs in the Bluebeam user database for users in your organization. If you continue SSO configuration without performing the reconciliation process, unmatched users will lose access to their existing Studio Projects and Sessions.

When the "Continue SSO Configuration" email arrives, open it and select Continue SSO Configuration to open Org Admin to the Security tab in Account Settings. On the Security tab, next to SSO Configuration, select Continue to see a list of users in your account we couldn't match with users in our database.

Reconciliation is an important and required process for SSO enablement. If you have a large number of users in your organization and a large number of those users are listed as "Not Matched," reconciliation could take 20 minutes or longer.

Why are some users listed as "Not Matched"?

Users could be listed as "Not Matched" for a variety of reasons. For example, the list of BBIDs we have stored could include users who are either no longer with your organization, have had name changes, or had mistakes in their email address when originally added. Reconciliation allows you to evaluate the users listed as "Not Matched" to determine whether they should be provisioned for SSO and SCIM access or if the configuration process can ignore those users.

You must reconcile unmatched email addresses before you can continue SSO and SCIM configuration.

When you see this screen, you can:

  • Select Re-upload User List if your CSV file contains errors you need to correct.
  • Select Save & Finish Later if you want to save your progress and address the unmatched users later.
  • Select one or more users to ignore and not configure for SSO, because they are either no longer with your organization or don't need subscription access to Bluebeam products and services.
  • Select one or more users to update the New Bluebeam ID From Directory field. This action would be necessary if a user needs subscription access to Bluebeam products and services and their email information changed with your organization, but their BBID in our database did not change.

Reconciliation matches users' BBIDs with their IdP login credentials. Updating a user's current BBID so it matches their IdP login credentials will require that user to access our services with their IdP credentials moving forward. Be sure to contact those users and tell them to use their organization credentials as their new BBID and, if necessary, log out of any Sessions and log in again using their new BBID.

Why does a user appear multiple times?

If a user appears multiple times but in different Studio regions, reconcile that user for each region to ensure they don't lose access to those Studio Projects or Studio Sessions.

When to "Ignore Users"

Many unmatched users are those who are either no longer in your organization or don't need a BBID. When you see the list of unmatched users, hover over the information icon next to an unmatched user's current Bluebeam ID to review their Studio activity. The information displayed is:

  • Last Studio Login
  • Sessions Owned
  • Session Attended
  • Projects Owned
  • Project Memberships

If you determine that a user is either a former employee or otherwise doesn't require SSO access to Bluebeam products and services, select "Not Matched," then select "Ignore User" to exclude the user from SSO configuration for your organization.

To ignore more than one user, select multiple users, then select "Ignore User."

When to edit New Bluebeam ID From Directory

If a user needs to be updated, select Edit, select "Not Matched," and provide the user's email address from the IdP. After you update the matching information, notify the user(s) that they will need to use the new BBID going forward and, if necessary, log out and log back in using the new BBID.

Select Show All Users to verify that every user in the list is either "Ignored" or indicates "No Change."

Activate SSO

After you ignore or update unmatched users, select Activate to complete SSO configuration and continue to SCIM configuration. If you want to configure SCIM for your organization, see Configure SCIM for Bluebeam Accounts.

Disable SSO

Use Org Admin if you need to disable SSO for your organization.

If you configured SCIM for your organization, you may disable SCIM and keep SSO configured, but if you want to disable SSO, you must first disable SCIM.

Disable SSO for your organization

If needed, you can disable SSO for your organization. Be sure you want to do so, because this action cannot easily be undone.

If you disable SSO, the following occurs:
  • All configurations made during SSO setup will be lost.
  • Your users will no longer be able to sign in to Bluebeam products using the SSO provider for your organization.
  • Your users must use their BBID and password to sign in to Bluebeam products.
  • All user IDs must be managed individually through accounts.bluebeam.com.

To disable SSO, follow these steps:

  1. From the left sidebar menu in Org Admin, select Settings.
  2. Turn off the toggle next to SSO Configuration.
