Single Sign-On Overview

Support Note
This topic is not relevant to all Bluescape members and may not apply to all Organizations. If you’re unsure whether your Organization has this capability, please contact your IT department.

What is Single Sign-On?

Single Sign-On (SSO) allows you to sign in to Bluescape and other applications from a centralized identity provider (IDP), simplifying member experience and management. Bluescape supports SSO via IDPs using the SAML 2.0 standard.

what is single sign-on

Current List of Bluescape SAML IDPs

The following is a list of current certified SAML IDPs for Bluescape:

What’s the difference between using the Bluescape IDP login and SSO?

With the Bluescape IDP login, the member is sent to the Bluescape identity service to enter their email address and password and are then redirected to the portal’s main page after they are authenticated. This method uses the URL or an equivalent. The member’s credentials are stored and managed by the Bluescape Service and must adhere to Bluescape’s password requirements.

SSO login is handled via a different URL or an SSO application that runs password prompting and authorizing. If the SSO service (for example, Okta) approves the login, the member is redirected to the portal home page. In this setup, the SSO provider manages the member’s credentials.

What are the benefits of using SSO with Bluescape?

  • Security control: Each member has only one username/password combination, so they are less likely to write it down, which is a significant security breach.
  • More efficient member experience: A single username/password combination gives members access to several applications and websites. Members no longer need to remember and enter multiple sets of credentials.
  • Reduced demand on the Support team: Since members need to remember only one set of credentials, they are less likely to have to contact Support to reset their passwords.

What are the limitations of using SSO with Bluescape?

  • By default, members can access all Organizations set up with the same SSO application.
  • You cannot transfer workspaces between Organizations that do not use the same specific SSO application.
  • SSO members do not show up in a Bluescape Organization until they log in the first time via the SSO application or unless they are added manually through the portal. Although this is done deliberately, it can confuse collaboration with new members.

SSO Features

Standard Configuration

Most Bluescape members are assigned to one Organization, and the company’s SSO provider is connected. All members added to the SSO provider application have access to their company’s Organization, as shown in the image below.

SSO standard config

Companies with a private instance can have multiple Organizations. In this situation, there are three options for how the company’s members see Organizations in Bluescape.

  • Option 1: The SSO provider has one application that points at every Bluescape Organization so that all SSO members can access every Organization. Member account management is handled through the SSO provider.

  • Option 2: One SSO application is created for each of the company’s Bluescape Organizations. Members only see the SSO applications they have been added to. Members’ account management is handled through the SSO provider. Each Bluescape Organization is completely segregated from all others; members in one Organization cannot see members in another. This option is rarely used because it requires multiple SSO applications on the members’ SSO dashboard.

  • Option 3: The SSO service has one application, and it is configured on Bluescape’s side with a Primary Organization. See below for more details.

Primary Organization Functionality

SSO setup has the option to include a Primary Organization. When configured with an SSO provider that points at multiple Bluescape Organizations, new members to the SSO application are only added to the Primary Organization. To access any other Organizations associated with the SSO application, the member must be added manually through the portal, as shown in the image below.

SSO primary org functionality


ADFS SSO has Bluescape Organization as the primary Organization.

The Bluescape-Engineering and Sales Organizations also use ADFS SSO.

Allie Armstrong is added to ADFS SSO and then logs in. At this point, she only has access to the Bluescape Organization.

The Bluescape-Engineering Organization Admin then invites her to their Organization. She now has access to Bluescape and Bluescape-Engineering, but not to Sales.

Emily Brown was part of the Bluescape and Sales Organizations before SSO was enabled. She continues to have access to these, and only these, two Organizations after SSO is implemented.

Logging In Through SSO

A member can start using Bluescape in an Organization linked to an SSO provider in two main ways.

Note: New members must log in via the Identity Provider Initiated dashboard before accessing Bluescape via the Service Provider/Bluescape-initiated method. This sets up the member’s account in Bluescape.

Identity Provider Initiated

The member, through their IDP, should have a dashboard of all the supported applications in the company. If the IDP Admin allows the member to use Bluescape, they can click on the Bluescape application icon to launch the Bluescape portal. The member does not have to log in because they are already signed in through their identity provider.

Service Provider/Bluescape Initiated

If the member launches Bluescape directly (either by URL to the portal or a link to a workspace), they are directed to the Bluescape login page. They enter their email address, and then they can log in using Bluescape’s identity service or their company’s SSO provider. SSO-enabled members must select their company’s SSO provider, at which point they will be redirected to their SSO provider’s login page. After entering their SSO credentials, they will be returned to the Bluescape service.

Enabling SSO

Now that you’ve learned the basics about SSO, the next step is to work with your Bluescape Customer Success Manager (CSM) to review your SSO and Members Management requirements.

Where to Next?

Not what you were looking for? Reply below or Search the community and discover more Bluescape.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.