|This topic is not relevant to all Bluescape users and may not apply to all Organizations. If you’re unsure whether your Organization has this capability, please reach out to your IT department.|
Single Sign-On (SSO) allows you to sign into Bluescape and other applications from a centralized identity provider (IDP), simplifying both user experience and management. Bluescape supports SSO via IDPs using the SAML 2.0 standard.
The following is a list of current certified SAML IDPs for Bluescape:
- Ping Identity
With the Bluescape IDP login, the user is sent to the Bluescape identity service to enter their email address and password and are then redirected to the main page of the portal after they are authenticated. This method uses the portal.apps.us.bluescape.com URL or an equivalent. The user’s credentials are stored and managed by the Bluescape Service and must adhere to Bluescape’s password requirements.
SSO login is handled via a different login URL or an SSO application that handles the password prompting and authorizing. If the SSO service (for example, Okta) approves the login, then the user is redirected to the portal home page. In this setup, the SSO provider, is responsible for managing the user’s credentials.
- Security control : Each user has only one username/password combination, so they are less likely to write it down, which is a major security breach.
- More efficient user experience : A single username/password combination gives users access to a slew of applications and websites. Users no longer need to remember and enter multiple sets of credentials.
- Reduced demand on the Support team : Since users need to remember only one set of credentials, they are less likely to have to contact Support to reset their passwords.
- By default, users have access to all Organizations set up with the same SSO application.
- You cannot transfer workspaces between Organizations that do not use the same specific SSO application.
- SSO users do not show up in a Bluescape Organization until they log in the first time via the SSO application or unless they are added manually through the portal. Although this is done deliberately, it can make collaboration with new users confusing.
Most Bluescape users are assigned to one Organization and the company’s SSO provider is connected to it. All users added to the SSO provider application have access to their company’s Organization, as shown in the image below.
Companies with a private instance can have multiple Organizations. In this situation, there are three options for how the company’s users see Organizations in Bluescape.
Option 1: The SSO provider has one application that points at every Bluescape Organization, so all SSO users have access to every Organization. User account management is handled through the SSO provider.
Option 2: There is one SSO application created for each of the company’s Bluescape Organizations. Users only see the SSO applications they have been added to. User account management is handled through the SSO provider. Each Bluescape Organization is completely segregated from all others; users in one Organization cannot see users in another. This option is rarely used because it requires multiple SSO applications on the users’ SSO dashboard.
Option 3: The SSO service has one application and it is configured on Bluescape’s side with a Primary Organization. See below for more details.
SSO setup has an option to include a Primary Organization. When configured with an SSO provider that points at multiple Bluescape Organizations, new users to the SSO application are only added to the Primary Organization. In order to access any of the other Organizations associated with the SSO application, the user needs to be added manually through the portal, as shown in the image below.
ADFS SSO has Bluescape Organization as the primary Organization.
The Bluescape-Engineering and Sales Organizations also use ADFS SSO.
Allie Armstrong is added to ADFS SSO and then logs in. At this point, she only has access to the Bluescape Organization.
The Bluescape-Engineering Organization Admin then invites her to their Organization. She now has access to Bluescape and Bluescape-Engineering, but not to Sales.
Emily Brown was part of the Bluescape and Sales Organizations before SSO was enabled. She continues to have access to these, and only these, two Organizations after SSO is implemented.
There are two main ways a user can start using Bluescape in an Organization linked to an SSO provider.
Note: New users must log in via the Identity Provider Initiated dashboard before they can access Bluescape via the Service Provider/Bluescape-initiated method. This sets up the user’s account in Bluescape.
The user through their IDP should have a dashboard of all the supported applications in the company. If the user is provisioned by the IDP Admin to use Bluescape, they can click on the Bluescape application icon to launch the Bluescape portal. At this point, the user does not have to log in because they are already signed in through their identity provider.
If the user launches Bluescape directly (either by URL to the portal or a link to a workspace), they are directed to the Bluescape login page. They enter their email address and then they are given a choice to log in using Bluescape’s identity service or their company’s SSO provider. SSO-enabled users need to select their company’s SSO provider, at which point they will be redirected to their SSO provider’s login page. After entering their SSO credentials they will be sent back to the Bluescape service.
Now that you’ve learned the basics about SSO, the next step is to work with your Bluescape Customer Success Manager (CSM) to review your SSO and User Management requirements.