
Single Sign-On Documentation

SSO Setup & usage


Danger: This guide is intended for system administrators. If you lack the required technical knowledge, reach out to your IT department for assistance.

Specifications

  • The Prevu3D Cloud Platform supports SSO login through the SAML 2.0 protocol, which is widely used in the industry and supported by all major Identity Providers. Prevu3D’s implementation has been tested on:
    • Azure AD
    • Jumpcloud
  • Prevu3D supports only one (1) Identity Provider linked to one (1) organization.
  • Organizations that want the SSO integration must first have the SSO subscription, which is included with the enterprise-level subscription. Contact the sales team (sales@prevu3d.com) to get this feature added to your organization.
  • Prevu3D does not currently support automatic provisioning (SCIM), so users removed from your IdP are not deprovisioned in Prevu3D. They should nevertheless no longer be able to log in, since their access is revoked at your IdP (Identity Provider).

Configuration

Prerequisites

To set up the SSO integration with Prevu3D, you will need the following access:

  • Admin access to the Prevu3D Organization you wish to integrate, and
  • Access to your IdP configuration, with the ability to update it.

Steps

  1. Log in to your Prevu3D Account with your username and password.

  2. Go to the Organization tab on the top.

  3. Click on the SSO tab on the left menu.


    If you can’t access the SSO tab:
      a. If you don’t see it at all, you are not an Admin of the organization.
      b. If the tab is grayed out, the SSO subscription is not enabled on your account. Please contact the sales team to subscribe to the SSO feature.
  4. On this tab, grab the Service Provider Endpoint and the Service Provider Entity ID and copy them into your Identity Provider configuration.

  5. From your Identity Provider, get the following information and enter it in the SSO configuration on the SSO tab:
      a. Your IdP’s SAML certificate in PEM format
      b. The SAML endpoint URL

  6. Indicate the attribute names used to map user attributes to the user:
      a. First Name
      b. Last Name
      c. Role (optional, see below)

  7. Click the Save button at the bottom of the page. You can now trigger a test login from your IdP to ensure the SSO feature has been configured correctly.
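Before saving step 5, it is worth checking that what was pasted is actually a PEM certificate and an HTTPS SAML endpoint, since a truncated copy of either is the most common cause of a failing test login. The script below is an added example, not Prevu3D's own code or the SSO tab's validation logic: it checks the PEM envelope, base64-decodes the body and verifies that it forms exactly one DER SEQUENCE (the outer structure of every X.509 certificate), and checks that the endpoint is an absolute HTTPS URL. The sample PEM is constructed to pass the structural check and is not a real certificate; a production check would additionally parse the certificate with a proper X.509 library.

```python
import base64
import re
from urllib.parse import urlparse

# The PEM envelope expected on the SSO tab; the body between the markers is base64.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S
)


def der_sequence_length(der: bytes) -> int:
    """Total size (tag + length + content) of the outer DER SEQUENCE, or -1 if malformed.

    An X.509 certificate is always a single top-level DER SEQUENCE (tag 0x30).
    """
    if len(der) < 2 or der[0] != 0x30:
        return -1
    first = der[1]
    if first < 0x80:                       # short-form length byte
        return 2 + first
    num_bytes = first & 0x7F               # long form: number of length bytes that follow
    if num_bytes == 0 or num_bytes > 4 or len(der) < 2 + num_bytes:
        return -1
    return 2 + num_bytes + int.from_bytes(der[2:2 + num_bytes], "big")


def validate_pem_certificate(pem: str) -> tuple[bool, str]:
    """Structural check of a pasted certificate: PEM markers, base64 body, one DER SEQUENCE."""
    match = PEM_RE.search(pem)
    if not match:
        return False, "missing BEGIN/END CERTIFICATE markers"
    body = re.sub(r"\s+", "", match.group(1))   # tolerate CRLF and wrapped lines
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError:                     # binascii.Error is a ValueError subclass
        return False, "body is not valid base64"
    if der_sequence_length(der) != len(der):
        return False, "decoded body is not exactly one DER SEQUENCE (truncated or extra data?)"
    return True, "ok"


def validate_saml_endpoint(url: str) -> tuple[bool, str]:
    """The IdP SAML endpoint must be an absolute HTTPS URL; assertions are exchanged through it."""
    parts = urlparse(url)
    if parts.scheme != "https":
        return False, "endpoint must use https"
    if not parts.netloc:
        return False, "endpoint is missing a host"
    return True, "ok"


# Constructed sample: a minimal DER SEQUENCE (containing INTEGER 1) wrapped as PEM.
# It is structurally valid for this check but is NOT a real certificate.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(SAMPLE_DER).decode()
    + "\n-----END CERTIFICATE-----\n"
)
# Constructed sample of a paste that lost its tail: the DER header promises 5 bytes, only 2 arrive.
TRUNCATED_PEM = "-----BEGIN CERTIFICATE-----\nMAM=\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    for label, pem in (("sample", SAMPLE_PEM), ("truncated", TRUNCATED_PEM)):
        print(label, validate_pem_certificate(pem))
    print(validate_saml_endpoint("https://idp.example.com/saml/sso"))
    print(validate_saml_endpoint("http://idp.example.com/saml/sso"))
```

Run it as-is to see the sample pass and the truncated paste fail, or call `validate_pem_certificate` on the certificate text exported from your IdP before pasting it into the SSO tab.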


Organization Roles Mapping

You can map organization level roles from your Identity Provider. The roles will be applied when the user logs in. To map Prevu3D roles to users via your IdP, create a custom SAML attribute on the user that can be named the way you want. For example, you could name it Prevu3DRole.

This SAML attribute can have one of the following values:

  • Admin: has all permissions in the organization (settings, invitations, managing all projects)
  • ProjectManager: may create projects and folders and manage all the projects in the organization (editing, deletion, ...)
  • BillingManager: has access only to the billing features
  • Guest: has no access to any resource of the organization and must be manually invited to projects (or use the folder roles mapping, see below)

You can also configure the default role that is applied to the user when this attribute is not provided.

Permissions Matrix


Groups mapping

It is also possible to map groups to folders to simplify access management for the people in your organization. The following steps guide you through mapping your IdP groups to Prevu3D project folders.

  1. Make your IdP transmit the user groups list in an attribute.
  2. Configure this attribute on the SSO Tab.
  3. Apply the mapping on the Share Menu of folders.

Prevu3D recommends that your IdP transmit only the groups that are relevant to managing access in the Prevu3D Cloud Platform.

Once the configuration is enabled, go to a folder, right-click it or use the contextual menu (three dots on the right), and click the SAML Group Links link at the bottom left. From there, you can add mappings for the folder between SAML groups and the role each group gets on that folder.






This mapping is applied to the users of the group when they log in to Prevu3D Cloud. If a user is already logged in, they must log out and log in again for the access changes to apply.
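To make the two mappings above concrete (the organization role attribute with its default, and the SAML Group Links from IdP groups to folder roles), here is an added example, not Prevu3D's own code, that reads a constructed, unsigned SAML assertion and resolves what a user would receive at login. The attribute names (`firstName`, `lastName`, `Prevu3DRole`, `groups`), the folder and group names, the folder role names (`Editor`, `Viewer`) and the default role `Guest` are all assumptions chosen for the example; two behaviours the page does not specify are also assumptions and are marked in the code: an unrecognised role value is treated like an absent attribute, and when several of a user's groups are linked to the same folder, the first link in configuration order wins. A real Service Provider verifies the assertion's XML signature and validity conditions before trusting any attribute; that step is outside this example.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Organization roles documented on this page, and the default applied when the attribute is absent.
ORGANIZATION_ROLES = {"Admin", "ProjectManager", "BillingManager", "Guest"}
DEFAULT_ROLE = "Guest"  # assumed default; the real one is chosen on the SSO tab

# Attribute names as they would be entered on the SSO tab (assumed names, chosen by the admin).
ATTRIBUTE_NAMES = {
    "first_name": "firstName",
    "last_name": "lastName",
    "role": "Prevu3DRole",
    "groups": "groups",
}

# SAML Group Links per folder: {folder: {IdP group: folder role}}.
# Folder, group and folder role names are constructed for this example.
FOLDER_GROUP_LINKS = {
    "Plant A": {"plant-a-engineers": "Editor", "all-staff": "Viewer"},
    "Plant B": {"plant-b-engineers": "Editor"},
}

# Constructed assertion (unsigned, illustration only). Note: no Prevu3DRole attribute is sent,
# so the default role applies; the groups attribute is multi-valued.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-assertion-1" Version="2.0">
  <saml:Subject><saml:NameID>ada@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>plant-a-engineers</saml:AttributeValue>
      <saml:AttributeValue>all-staff</saml:AttributeValue>
      <saml:AttributeValue>unrelated-group</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml: str) -> dict[str, list[str]]:
    """Collect every SAML Attribute as name -> list of values (group lists are multi-valued)."""
    root = ET.fromstring(assertion_xml)
    attributes: dict[str, list[str]] = {}
    for attribute in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [
            value.text.strip()
            for value in attribute.iterfind("saml:AttributeValue", SAML_NS)
            if value.text and value.text.strip()
        ]
        attributes[attribute.get("Name", "")] = values
    return attributes


def first_value(attributes: dict, name: str):
    values = attributes.get(name) or []
    return values[0] if values else None


def resolve_organization_role(attributes: dict) -> str:
    """Use the role attribute when present; otherwise the default role.
    Assumption: an unrecognised value is treated like an absent attribute."""
    role = first_value(attributes, ATTRIBUTE_NAMES["role"])
    return role if role in ORGANIZATION_ROLES else DEFAULT_ROLE


def resolve_folder_access(attributes: dict) -> dict[str, str]:
    """Map the user's IdP groups onto folder roles through the SAML Group Links.
    Assumption: for a folder linked to several of the user's groups, the first link wins."""
    groups = set(attributes.get(ATTRIBUTE_NAMES["groups"], []))
    access: dict[str, str] = {}
    for folder, links in FOLDER_GROUP_LINKS.items():
        for group, folder_role in links.items():
            if group in groups:
                access[folder] = folder_role
                break
    return access


def map_user(assertion_xml: str) -> dict:
    """What the user receives at login: names, organization role and per-folder role."""
    attributes = extract_attributes(assertion_xml)
    return {
        "first_name": first_value(attributes, ATTRIBUTE_NAMES["first_name"]),
        "last_name": first_value(attributes, ATTRIBUTE_NAMES["last_name"]),
        "organization_role": resolve_organization_role(attributes),
        "folder_access": resolve_folder_access(attributes),
    }


if __name__ == "__main__":
    print(map_user(SAMPLE_ASSERTION))
```

The sample user lands as a Guest at the organization level (no role attribute was sent) yet gets Editor on "Plant A" through the group link, which is exactly the pattern the page suggests for Guests: no organization-wide access, folder access granted through groups. The unrelated group is simply ignored, which is also why the page recommends sending only the groups that matter for Prevu3D.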

Definitions

  • IdP, Identity Provider: the system that registers all users and allows them to connect to various other services. It is the source of truth for your organization, users and groups, e.g. Azure AD, Jumpcloud.
  • SP, Service Provider: the service application that consumes the SSO information, in this case Prevu3D Cloud.
  • SSO, Single Sign-On: a mechanism that lets users log in through a single portal and lets the user-management configuration be propagated across multiple applications.
  • SAML: a protocol widely used in the industry to provide SSO across multiple cloud-based platforms.