Single Sign-On (SSO)

SSO Setup and Usage


Danger

This guide is intended for system administrators. If you lack the necessary technical expertise, please contact your IT department for assistance.

Overview

The Prevu3D Cloud Platform supports secure Single Sign-On (SSO) via industry-standard protocols:

  • SAML 2.0 – for authentication and user sign-in.

  • SCIM 2.0 – for automatic user and group provisioning.

Supported Identity Providers

Any identity provider that fully supports the SAML 2.0 and/or SCIM 2.0 protocols should be compatible with Prevu3D, including Okta, Google Workspace, OneLogin, Ping Identity, and others. Prevu3D’s implementation follows the official SAML 2.0 and SCIM 2.0 specifications, ensuring broad compatibility with modern identity systems.

We have thoroughly tested integration with:

  • Microsoft Entra ID (formerly Azure Active Directory)

  • JumpCloud

Note

  • Each Prevu3D organization supports only one connection to one (1) identity provider at a time.

  • The SSO feature is included in the Enterprise subscription. Contact sales@prevu3d.com to enable it for your organization.


SAML 2.0 – Authentication Setup

Prerequisites

To configure SAML-based SSO with Prevu3D, you will need:

  • Admin access to your Prevu3D organization.

  • Access to your IdP with permission to configure applications.

Steps

  1. Sign in to your Prevu3D account (using your email address and password)

  2. Go to the Settings tab

  3. Select the SSO tab from the menu on the left

Can't access the “SSO” tab?

  1. If it’s missing, you are not an organization administrator.

  2. If it’s grayed out, your organization has not subscribed to the SSO feature.

  4. Copy the following values from the SSO tab and paste them into your IdP configuration:

    • Service Provider Endpoint

    • Service Provider Entity ID

  5. Retrieve the following from your IdP and enter them on the Prevu3D SSO tab:

    • SAML Certificate (PEM format)

    • SAML Endpoint URL

  6. If SCIM is not enabled, define the following SAML attribute mappings:

    1. First name

    2. Last name

    3. Role (optional – see Role Mapping below)

Warning

These attributes are optional when SCIM provisioning is enabled and configured. SCIM automatically manages user details.

  7. Click Save at the bottom of the page.

  8. Perform a test sign-in from your IdP to verify the configuration.

Role Mapping (optional)

You can assign Prevu3D organization-level roles via a custom SAML attribute (e.g., Prevu3DRole):

  • Admin – Full permissions across the company

  • Guest – No default access (must be granted at the project level)

If no role attribute is provided, a default role is applied. For security reasons, we recommend setting the default role to Guest.

Warning

If SCIM is enabled, role assignment should instead be handled via SCIM.

Group Mapping (optional)

It is also possible to map groups from your IdP system to Prevu3D groups to simplify access management for people in your organization. The following steps guide you through mapping your groups.

  • Configure your IdP to pass group memberships via a SAML attribute.

  • Enter this attribute on the Prevu3D SSO tab.

  • In the “Groups” section of Prevu3D, click “Edit group” and specify the SAML group value expected by your IdP.

  • This mapping is applied to users when they sign in to Prevu3D Cloud. If the user is already signed in, they should sign out and sign back in for access changes to take effect.

Info

  • Group mapping is applied at sign-in. Users must sign out and sign back in to apply the updated access.

  • Ensure that the group is granted some access; for more information, see the groups section.

Warning

  • If SCIM is enabled, group creation and membership assignment should instead be handled via SCIM.
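
To check what your IdP actually sends before relying on role and group mapping, the following added example (not Prevu3D's code) reads the attributes of a captured SAML assertion and reports the role and groups it carries. `Prevu3DRole` is the example name used above; the attribute names `firstName`, `lastName` and `groups`, the Guest default and the sample assertion are assumptions. It inspects attribute content only and does not validate the assertion's signature.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
VALID_ROLES = {"Admin", "Guest"}   # organization-level roles listed on this page
DEFAULT_ROLE = "Guest"             # assumption: default role set to Guest as recommended

# Constructed sample assertion fragment (unsigned, for illustration only).
SAMPLE_ASSERTION = """
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>plant-engineering</saml:AttributeValue>
      <saml:AttributeValue>contractors</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def read_attributes(assertion_xml):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [(v.text or "").strip()
                  for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs

def check_mapping(assertion_xml, role_attr="Prevu3DRole", group_attr="groups",
                  name_attrs=("firstName", "lastName")):
    """Report the role and groups the assertion carries, plus anything unexpected."""
    attrs = read_attributes(assertion_xml)
    problems = [f"missing attribute: {n}" for n in name_attrs if not attrs.get(n)]
    roles = attrs.get(role_attr, [])
    if not roles:
        role = DEFAULT_ROLE                      # no role attribute: default applies
    elif len(roles) == 1 and roles[0] in VALID_ROLES:
        role = roles[0]
    else:
        role = None                              # flag it rather than guess the outcome
        problems.append(f"unexpected {role_attr} value(s): {roles}")
    return {"role": role, "groups": attrs.get(group_attr, []), "problems": problems}
```
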

SCIM 2.0 – Provisioning Setup

Prevu3D supports user and group provisioning via the SCIM 2.0 protocol (System for Cross-Domain Identity Management).

Prerequisites

  • Your organization must be on the Enterprise plan.

  • Your IdP must support SCIM (e.g., Azure AD/Entra, Okta, JumpCloud).

What SCIM enables

  • User provisioning – New users are automatically created in Prevu3D

  • User deprovisioning – Users are disabled or removed when they are disabled in your IdP

  • Group assignment – Groups and roles can be centrally managed from your IdP

Setup Guide

  1. Sign in to your Prevu3D account as an organization administrator.

  2. Go to the Settings tab

  3. Select the SSO tab from the menu on the left

  4. Scroll to the SCIM Provisioning section and enable it.

  5. You will find:

    • SCIM Base URL (Entra ID users, please see the warning below)

    • Bearer Token

Info

You can also rotate the bearer token when required, for example for security reasons or as part of routine credential rotation.

Important

When configuring SCIM with Entra ID (Azure AD), you must append ?aadOptscim062020 to the end of the SCIM Base URL provided by Prevu3D.

  6. In your identity provider (e.g., Microsoft Entra ID):

    • Open the Prevu3D enterprise application.

    • Enable SCIM provisioning.

    • Enter the SCIM Base URL and Bearer Token obtained from the SSO tab.

  7. Configure attribute mappings for:

    • userName, givenName, familyName, email

    • Optional: groups, roles, active

  8. Save your configuration.

    Your IdP will now automatically sync users and groups with Prevu3D based on the provisioning schedule.
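
What the IdP sends once provisioning is enabled, as an added example (not Prevu3D's code): it builds the Entra ID form of the SCIM Base URL and describes the standard SCIM 2.0 create and deactivate requests without sending anything. The base URL and token you pass in are placeholders; the `/Users` path, schema URNs and content type come from the SCIM 2.0 specification (RFC 7643/7644), and the https check is an assumption added here, not a rule stated on this page.

```python
import json
from urllib.parse import urlsplit, urlunsplit

ENTRA_FLAG = "aadOptscim062020"   # flag this page says Entra ID needs on the Base URL
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

def entra_tenant_url(base_url):
    """Append ?aadOptscim062020 exactly once to the SCIM Base URL."""
    parts = urlsplit(base_url.strip())
    if parts.scheme != "https":
        # Added check: the bearer token is sent with every request.
        raise ValueError("SCIM Base URL must use https")
    flags = [q for q in parts.query.split("&") if q]
    if ENTRA_FLAG not in flags:
        flags.append(ENTRA_FLAG)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "&".join(flags), ""))

def scim_request(method, base_url, path, token, body):
    """Describe one SCIM call as a dict (nothing is sent over the network)."""
    parts = urlsplit(base_url)
    url = urlunsplit((parts.scheme, parts.netloc, parts.path.rstrip("/") + path, "", ""))
    return {"method": method, "url": url,
            "headers": {"Authorization": f"Bearer {token}",
                        "Content-Type": "application/scim+json"},
            "body": json.dumps(body)}

def create_user(base_url, token, user_name, given, family, email):
    """User provisioning: POST a core User resource with the mapped attributes."""
    body = {"schemas": [USER_SCHEMA], "userName": user_name,
            "name": {"givenName": given, "familyName": family},
            "emails": [{"value": email, "primary": True}], "active": True}
    return scim_request("POST", base_url, "/Users", token, body)

def deactivate_user(base_url, token, user_id):
    """User deprovisioning: PATCH that sets the active attribute to false."""
    body = {"schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}
    return scim_request("PATCH", base_url, f"/Users/{user_id}", token, body)
```
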

Definitions

  • IdP, Identity Provider: refers to the system that registers all users and enables connection to various other services. This is your source of truth for your organization, users, and groups. E.g.: Azure AD, JumpCloud…

  • SP, Service Provider: refers to the service application that consumes SSO information, in this case Prevu3D Cloud.

  • SSO, Single Sign-On: refers to a mechanism in which users obtain their credentials from a single portal and user management configuration is distributed across multiple applications.

  • SAML, Security Assertion Markup Language: an industry-wide protocol that enables the use of SSO across multiple cloud-based platforms.

  • SCIM, System for Cross-Domain Identity Management: protocol for provisioning users and groups.