Single Sign-On (SSO)

SSO Setup & usage


Danger

This guide is intended for system administrators. If you lack the required technical knowledge, reach out to your IT department for assistance.

Specifications

  • The Prevu3D Cloud Platform supports SSO login through the SAML 2.0 protocol, which is widely used in the industry and supported by all major Identity Providers. Prevu3D’s implementation has been tested on:

    • Azure AD

    • Jumpcloud

  • Prevu3D supports only one (1) Identity Provider linked to one (1) organization.

  • Organizations that want the SSO integration must have the SSO subscription first; it is included with the enterprise level subscription. Contact the sales team (sales@prevu3d.com) to get this feature added to your organization.

  • Prevu3D does not support active provisioning (SCIM) at the moment, meaning old users won’t be deprovisioned automatically. However, those users won’t be able to log in to the system anymore once their access has been removed from your IdP (Identity Provider).

Configuration

Prerequisites

To set up the SSO integration with Prevu3D, you will need the following access:

  • Access as Admin to the Prevu3D Organization you wish to integrate.

  • Access to your IdP configuration with the ability to update its configuration.

Steps

  1. Log in to your Prevu3D Account with your username and password.

  2. Go to the Organization tab on the top.

  3. Click on the SSO tab on the left menu.

SSO tab not accessible?

  1. If you don’t see it at all, you are not an Admin of the organization.

  2. If the tab is grayed out, the SSO subscription is not enabled on your account. Please contact the sales team to subscribe to the SSO feature.

  4. On this tab, grab the Service Provider Endpoint and the Service Provider Entity ID and copy them into your Identity Provider configuration.

  5. From your Identity Provider, get the following information and enter it in the SSO configuration on the SSO tab:

    a. Your IdP’s SAML certificate in PEM format

    b. SAML Endpoint URL

  6. Indicate the attribute names used to map user attributes to the user:

    1. First Name

    2. Last Name

    3. Role (Optional, see below)

  7. Hit the save button at the bottom of the page. You should now be able to trigger a test login from your IdP to ensure the SSO feature has been configured correctly.

Organization Roles Mapping

You can map organization level roles from your Identity Provider. The roles will be applied when the user logs in. To map Prevu3D roles to users via your IdP, create a custom SAML attribute on the user that can be named the way you want. For example, you could name it Prevu3DRole.

This SAML attribute can have one of the following values:

  • Admin: has all permissions in the organization (settings, invitations, managing all projects)

  • Guest: has no access to any resource of the organization and must be manually invited to projects (or use the group mapping, see below)

You can also configure the default role that is applied to the user when this attribute is not provided. We recommend Guest for safety reasons.

Groups mapping

It is also possible to map groups from your IdP system to Prevu3D groups to simplify access management for the people in your organization. The following steps will guide you through the mapping of your groups.

  • Make your IdP transmit the user groups list in an attribute.

  • Configure this attribute on the SSO Tab.

  • Apply the mapping on the Prevu3D group by pressing Edit group and entering the SAML group value expected from your IdP system.

  • This mapping is applied to users when they log in to Prevu3D Cloud. If a user is already logged in, they should log out and log in again to apply the access changes.

Info

  • Prevu3D recommends that your IdP transmits only the groups that are relevant to manage access in the Prevu3D Cloud Platform.

  • Make sure the group is provisioned with some access, refer to the groups section for more details.
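The role mapping above and the group mapping in this section both come down to reading named attributes out of the IdP's assertion and applying a least-privilege fallback when an attribute is missing or unexpected. The Python script below is an added example, not Prevu3D's code: it parses a constructed, unsigned assertion, maps a Prevu3DRole attribute with Guest as the default for missing or unrecognised values, and translates a group attribute into Prevu3D groups. The attribute name Prevu3DGroups, the group mapping table and the make_assertion helper are assumptions, and the script assumes the SAML library has already verified the assertion's signature (against the IdP's PEM certificate), audience and validity window before any attribute is read.

```python
"""Added example: apply an SSO role/group attribute mapping to a SAML assertion.

Illustrative code, not Prevu3D's implementation. Attribute names, role values
and the group mapping below are assumptions based on the setup guide. The
assertion is assumed to have ALREADY been validated by the SAML library
(signature against the IdP's PEM certificate, audience, NotBefore/NotOnOrAfter);
attribute mapping must never run on an unverified assertion.
"""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute names as they would be entered on the SSO tab (assumed names).
ATTR_CONFIG = {
    "first_name": "FirstName",
    "last_name": "LastName",
    "role": "Prevu3DRole",      # optional custom attribute, named as the guide suggests
    "groups": "Prevu3DGroups",  # attribute carrying the user's group list (assumed name)
}

VALID_ROLES = {"Admin", "Guest"}
DEFAULT_ROLE = "Guest"  # least-privilege fallback the guide recommends

# SAML group value -> Prevu3D group, as entered via "Edit group" (constructed values).
GROUP_MAPPING = {
    "prevu3d-site-engineers": "Site Engineers",
    "prevu3d-viewers": "Viewers",
}


def extract_attributes(assertion_xml):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", SAML_NS) if v.text]
        attrs[attr.get("Name")] = values
    return attrs


def resolve_role(attrs):
    """Pick the organization role; a missing, multi-valued or unknown value falls back to Guest."""
    values = attrs.get(ATTR_CONFIG["role"], [])
    if not values:
        return DEFAULT_ROLE, "missing"
    if len(values) != 1 or values[0] not in VALID_ROLES:
        return DEFAULT_ROLE, "unrecognised"
    return values[0], "mapped"


def resolve_groups(attrs):
    """Translate IdP group values into Prevu3D groups; unmapped values are reported, never granted."""
    mapped, unmapped = [], []
    for value in attrs.get(ATTR_CONFIG["groups"], []):
        if value in GROUP_MAPPING:
            mapped.append(GROUP_MAPPING[value])
        else:
            unmapped.append(value)
    return mapped, unmapped


def map_user(assertion_xml):
    """Build the user record a service provider would apply at login time."""
    root = ET.fromstring(assertion_xml)
    name_id = root.findtext("saml:Subject/saml:NameID", default="", namespaces=SAML_NS)
    attrs = extract_attributes(assertion_xml)
    role, source = resolve_role(attrs)
    groups, unmapped = resolve_groups(attrs)
    return {
        "name_id": name_id,
        "first_name": (attrs.get(ATTR_CONFIG["first_name"]) or [""])[0],
        "last_name": (attrs.get(ATTR_CONFIG["last_name"]) or [""])[0],
        "role": role,
        "role_source": source,        # "mapped", "missing" or "unrecognised" (worth logging)
        "groups": groups,
        "unmapped_groups": unmapped,  # IdP groups with no Prevu3D counterpart
    }


def make_assertion(name_id, attributes):
    """Build a minimal unsigned assertion (constructed sample input for offline use)."""
    body = ""
    for name, values in attributes.items():
        vals = "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in values)
        body += f'<saml:Attribute Name="{name}">{vals}</saml:Attribute>'
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'Version="2.0" ID="_constructed">'
        f"<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>"
        f"<saml:AttributeStatement>{body}</saml:AttributeStatement>"
        "</saml:Assertion>"
    )


if __name__ == "__main__":
    full = make_assertion("jane.doe@example.com", {
        "FirstName": ["Jane"], "LastName": ["Doe"],
        "Prevu3DRole": ["Admin"],
        "Prevu3DGroups": ["prevu3d-site-engineers", "finance-all"],
    })
    print(map_user(full))
    # Same user without the role attribute: the configured default (Guest) applies.
    print(map_user(make_assertion("jane.doe@example.com",
                                  {"FirstName": ["Jane"], "LastName": ["Doe"]})))
```

The role_source and unmapped_groups fields exist so the service provider can log why a user ended up as Guest or without a group, which is the first thing to check when a test login from the IdP does not yield the expected access.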

Definitions

  • IdP, Identity Provider: the system that registers all the users and allows them to connect to various other services. This is your source of truth for your organization, users and groups, e.g. Azure AD, Jumpcloud.

  • SP, Service Provider: the application that consumes the SSO information, in this case Prevu3D Cloud.

  • SSO, Single Sign-on: a mechanism that lets users log in through a single portal and lets user management configuration be spread across multiple applications.

  • SAML, Security Assertion Markup Language: a widely used industry protocol that enables SSO across multiple cloud based platforms.