Note: This topic is not relevant to all Bluescape members and may not apply to all Organizations. If you’re unsure whether your Organization has this capability, please reach out to your IT department.
Single Sign-On (SSO) allows you to sign into Bluescape and other applications from a centralized identity provider (IDP), simplifying both member experience and management. Bluescape supports SSO via IDPs using the SAML 2.0 standard.
The following is a list of current certified SAML IDPs for Bluescape:
- Ping Identity
With the Bluescape IDP login, the member is sent to the Bluescape identity service to enter their email address and password and is then redirected to the main page of the portal after they are authenticated. This method uses the portal.apps.us.bluescape.com URL or an equivalent. The member’s credentials are stored and managed by the Bluescape Service and must adhere to Bluescape’s password requirements.
SSO login is handled via a different login URL or an SSO application that handles the password prompting and authorizing. If the SSO service (for example, Okta) approves the login, the member is redirected to the portal home page. In this setup, the SSO provider is responsible for managing the member’s credentials.
- Security control: Each member has only one username/password combination, so they are less likely to write it down, a practice that is a major security risk.
- More efficient member experience: A single username/password combination gives members access to a slew of applications and websites. Members no longer need to remember and enter multiple sets of credentials.
- Reduced demand on the Support team: Since members need to remember only one set of credentials, they are less likely to have to contact Support to reset their passwords.
- By default, members have access to all Organizations set up with the same SSO application.
- You cannot transfer workspaces between Organizations that do not use the same specific SSO application.
- SSO members do not show up in a Bluescape Organization until they log in the first time via the SSO application or unless they are added manually through the portal. Although this is done deliberately, it can make collaboration with new members confusing.
Most Bluescape members are assigned to one Organization and the company’s SSO provider is connected to it. All members added to the SSO provider application have access to their company’s Organization, as shown in the image below.
Companies with a private instance can have multiple Organizations. In this situation, there are three options for how the company’s members see Organizations in Bluescape.
Option 1: The SSO provider has one application that points at every Bluescape Organization, so all SSO members have access to every Organization. Member account management is handled through the SSO provider.
Option 2: There is one SSO application created for each of the company’s Bluescape Organizations. Members only see the SSO applications they have been added to. Member account management is handled through the SSO provider. Each Bluescape Organization is completely segregated from all others; members in one Organization cannot see members in another. This option is rarely used because it requires multiple SSO applications on the members’ SSO dashboard.
Option 3: The SSO service has one application and it is configured on Bluescape’s side with a Primary Organization. See below for more details.
SSO setup has an option to include a Primary Organization. When configured with an SSO provider that points at multiple Bluescape Organizations, new members to the SSO application are only added to the Primary Organization. In order to access any of the other Organizations associated with the SSO application, the member needs to be added manually through the portal, as shown in the image below.
ADFS SSO has Bluescape Organization as the primary Organization.
The Bluescape-Engineering and Sales Organizations also use ADFS SSO.
Allie Armstrong is added to ADFS SSO and then logs in. At this point, she only has access to the Bluescape Organization.
The Bluescape-Engineering Organization Admin then invites her to their Organization. She now has access to Bluescape and Bluescape-Engineering, but not to Sales.
Emily Brown was part of the Bluescape and Sales Organizations before SSO was enabled. She continues to have access to these, and only these, two Organizations after SSO is implemented.
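The membership rules above (Option 1 with no Primary Organization, Option 3 with one, plus the manual invite path and the pre-existing-member case) can be modelled in a few lines. The following is an added example written for this page, not Bluescape’s own code: the Organization and SSO application names come from the scenario above, while the email addresses and the `SsoApplication`/`Directory` classes are constructed for illustration.

```python
"""Model of how Organization access is granted for members arriving through
one SSO application, with and without a Primary Organization.
Constructed example based on the rules described on this page; not
Bluescape's code. Email addresses are made up."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class SsoApplication:
    name: str
    organizations: Set[str]          # every Organization this SSO app points at
    primary: Optional[str] = None    # Option 3 when set, Option 1 when None


@dataclass
class Directory:
    app: SsoApplication
    memberships: Dict[str, Set[str]] = field(default_factory=dict)  # email -> orgs

    def orgs_for(self, email: str) -> Set[str]:
        return set(self.memberships.get(email, set()))

    def sso_login(self, email: str) -> Set[str]:
        """First SSO login creates the member in Bluescape; later logins (and
        logins of members who existed before SSO) change nothing.
        Returns the Organizations the member can see afterwards."""
        if self.app.primary is not None and self.app.primary not in self.app.organizations:
            raise ValueError("primary Organization must be one the SSO app points at")
        if email not in self.memberships:
            if self.app.primary is None:
                granted = set(self.app.organizations)   # Option 1: every linked Organization
            else:
                granted = {self.app.primary}            # Option 3: Primary Organization only
            self.memberships[email] = granted
        return self.orgs_for(email)

    def invite(self, email: str, org: str) -> Set[str]:
        """An Organization Admin adds the member through the portal (manual path).
        Only Organizations linked to this SSO application can be granted."""
        if org not in self.app.organizations:
            raise ValueError(f"{org} is not linked to {self.app.name}")
        self.memberships.setdefault(email, set()).add(org)
        return self.orgs_for(email)


def page_scenario():
    """Replays the ADFS SSO walkthrough from the page with a Primary Organization."""
    adfs = SsoApplication("ADFS SSO", {"Bluescape", "Bluescape-Engineering", "Sales"},
                          primary="Bluescape")
    d = Directory(adfs)
    # Emily was in Bluescape and Sales before SSO was switched on.
    d.memberships["emily@example.invalid"] = {"Bluescape", "Sales"}
    allie_after_login = d.sso_login("allie@example.invalid")
    allie_after_invite = d.invite("allie@example.invalid", "Bluescape-Engineering")
    emily_after_login = d.sso_login("emily@example.invalid")
    return allie_after_login, allie_after_invite, emily_after_login


def option_one_scenario():
    """Same Organizations, but the SSO app has no Primary Organization (Option 1)."""
    app = SsoApplication("ADFS SSO", {"Bluescape", "Bluescape-Engineering", "Sales"})
    return Directory(app).sso_login("newhire@example.invalid")


if __name__ == "__main__":
    print(page_scenario())
    print(option_one_scenario())
```

The `invite` check that the target Organization is linked to the same SSO application mirrors the limitation stated earlier: an Organization outside that set is not reachable through this path.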
There are two main ways a member can start using Bluescape in an Organization linked to an SSO provider.
Note: New members must log in via the Identity Provider Initiated dashboard before they can access Bluescape via the Service Provider/Bluescape-initiated method. This sets up the member’s account in Bluescape.
Through their IDP, the member should have a dashboard of all the supported applications in the company. If the member is provisioned by the IDP Admin to use Bluescape, they can click on the Bluescape application icon to launch the Bluescape portal. At this point, the member does not have to log in because they are already signed in through their identity provider.
If the member launches Bluescape directly (either by URL to the portal or a link to a workspace), they are directed to the Bluescape login page. They enter their email address and are then given a choice to log in using Bluescape’s identity service or their company’s SSO provider. SSO-enabled members need to select their company’s SSO provider, at which point they will be redirected to their SSO provider’s login page. After entering their SSO credentials they will be sent back to the Bluescape service.
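Both flows end with the SSO provider posting a SAML 2.0 response back to the service. What distinguishes them on the receiving side is whether the response answers a request the service itself sent (Service Provider-initiated, carrying `InResponseTo`) or arrives unsolicited from the IDP dashboard (Identity Provider-initiated). The following is an added example written for this page, not Bluescape’s or any SAML library’s code; it assumes the response signature has already been verified by a SAML library, and the issuer, audience and email values are constructed placeholders. It shows the checks that remain after signature verification: success status, validity window, audience restriction, and one-time matching of `InResponseTo` against outstanding requests.

```python
"""Post-signature checks a SAML 2.0 service provider performs before it
starts a session, telling IdP-initiated and SP-initiated responses apart.
Constructed example; not Bluescape's code. Signature verification is
assumed to have happened already (e.g. in a SAML library)."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
CLOCK_SKEW = timedelta(minutes=3)   # tolerated clock difference between IdP and SP


def fmt(t: datetime) -> str:
    return t.astimezone(timezone.utc).strftime(TIME_FMT)


def parse_time(s: str) -> datetime:
    return datetime.strptime(s, TIME_FMT).replace(tzinfo=timezone.utc)


def new_request_id() -> str:
    """ID the SP records when it starts an SP-initiated login."""
    return "_" + uuid.uuid4().hex


def make_response(email, audience, issued_at, in_response_to=None, status=SUCCESS):
    """Constructed, unsigned SAML Response standing in for what an IdP would post."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    expiry = fmt(issued_at + timedelta(minutes=5))
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{fmt(issued_at)}"{irt}>
  <samlp:Status><samlp:StatusCode Value="{status}"/></samlp:Status>
  <saml:Assertion ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{fmt(issued_at)}">
    <saml:Issuer>https://idp.example.invalid</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">{email}</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData{irt} NotOnOrAfter="{expiry}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="{fmt(issued_at)}" NotOnOrAfter="{expiry}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def validate_response(xml_text, expected_audience, pending_requests, now):
    """Return (email, flow) if the response passes, otherwise raise ValueError."""
    root = ET.fromstring(xml_text)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP did not report success")
    assertion = root.find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS) if assertion is not None else None
    if cond is None:
        raise ValueError("assertion or Conditions missing")
    if now + CLOCK_SKEW < parse_time(cond.get("NotBefore")):
        raise ValueError("assertion not yet valid")
    if now - CLOCK_SKEW >= parse_time(cond.get("NotOnOrAfter")):
        raise ValueError("assertion expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError("assertion was issued for a different service provider")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    in_response_to = scd.get("InResponseTo") if scd is not None else None
    if in_response_to is None:
        flow = "idp-initiated"          # unsolicited: member came from the IdP dashboard
    else:
        # SP-initiated: must answer a request this SP sent, and each ID is accepted once.
        if in_response_to not in pending_requests:
            raise ValueError("response does not match an outstanding request")
        pending_requests.discard(in_response_to)
        flow = "sp-initiated"
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        raise ValueError("no NameID in assertion")
    return name_id.text, flow


def outcome(xml_text, audience, pending, now):
    """Wrapper that reports accept/reject as a tuple instead of raising."""
    try:
        email, flow = validate_response(xml_text, audience, pending, now)
        return ("accepted", email, flow)
    except ValueError as exc:
        return ("rejected", str(exc), None)


def demo():
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    sp = "https://sp.example.invalid/saml/metadata"     # placeholder SP entity ID
    pending = set()
    idp_flow = outcome(make_response("allie@example.invalid", sp, now), sp, pending, now)
    rid = new_request_id()
    pending.add(rid)
    sp_flow = outcome(make_response("emily@example.invalid", sp, now, rid), sp, pending, now)
    replay = outcome(make_response("emily@example.invalid", sp, now, rid), sp, pending, now)
    return idp_flow, sp_flow, replay


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Removing the request ID from `pending_requests` on first use is what makes a replayed SP-initiated response fail; the IdP-initiated branch has no such anchor, which is why it relies entirely on the validity window and the audience check.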
Now that you’ve learned the basics about SSO, the next step is to work with your Bluescape Customer Success Manager (CSM) to review your SSO and Members Management requirements.