Single Sign-On (SSO)


SSO Setup & usage


Danger

This guide is intended for system administrators. If you lack the required technical knowledge, reach out to your IT department for assistance.

Overview

The Prevu3D Cloud Platform supports secure Single Sign-On (SSO) via industry-standard protocols:

  • SAML 2.0 – for authentication and user login.

  • SCIM 2.0 – for automatic user and group provisioning.

Supported Identity Providers

Any Identity Provider that fully supports the SAML 2.0 and/or SCIM 2.0 protocols should be compatible with Prevu3D — including Okta, Google Workspace, OneLogin, Ping Identity, and others. Prevu3D’s implementation follows the official SAML 2.0 and SCIM 2.0 specifications, ensuring broad compatibility across modern identity systems.

We have thoroughly tested integration with:

  • Microsoft Entra ID (formerly Azure Active Directory)

  • JumpCloud

Note

  • Each Prevu3D organization supports a connection to only one (1) Identity Provider at a time.

  • The SSO feature is included with the Enterprise subscription. Contact sales@prevu3d.com to activate it for your organization.


SAML 2.0 – Authentication Setup

Prerequisites

To configure SAML-based SSO with Prevu3D, you’ll need:

  • Admin access to your Prevu3D organization.

  • Access to your IdP with permission to configure applications.

Steps

  1. Log in to your Prevu3D account (with your email and password)

  2. Go to the Setting tab

  3. Select the SSO tab from the left-hand menu

Can’t access the SSO tab?

  1. If it’s missing, you’re not an organization admin.

  2. If it’s greyed out, your organization is not subscribed to the SSO feature.

  4. Copy the following values from the SSO tab and paste them into your IdP configuration:

    • Service Provider Endpoint

    • Service Provider Entity ID

  5. Retrieve the following from your IdP and paste into the Prevu3D SSO tab:

    • SAML Certificate (PEM format)

    • SAML Endpoint URL

  6. If SCIM is not enabled, define the following SAML attribute mappings:

    1. First Name

    2. Last Name

    3. Role (Optional - see Role Mapping below)

Warning

These attributes are optional if SCIM provisioning is enabled and configured. SCIM will manage user details automatically.

  7. Click Save at the bottom of the page.

  8. Perform a test login from your IdP to verify the configuration.

Role Mapping (Optional)

You can assign Prevu3D organization-level roles via a custom SAML attribute (e.g., Prevu3DRole):

  • Admin – Full permissions across the organization

  • Guest – No default access (must be granted project-level access)

If no role attribute is provided, a default role will apply. We recommend setting this to Guest for safety.

Warning

If SCIM is enabled, role assignment should be handled through SCIM instead.

Group Mapping (Optional)

You can also map groups from your IdP to Prevu3D groups to simplify access management for the people in your organization. The following steps guide you through the mapping.

  • Configure your IdP to transmit group memberships via a SAML attribute.

  • Enter this attribute in the Prevu3D SSO tab.

  • In the Groups section of Prevu3D, click Edit group and specify the SAML group value expected from your IdP.

  • This mapping is applied when users log in to Prevu3D Cloud. Users who are already logged in should log out and log in again to apply the access changes.

Info

  • Group mapping is applied at login. Users must log out and back in to apply updated access.

  • Make sure the group is provisioned with some access. Refer to the groups section for more details.

Warning

  • If SCIM is enabled, group creation and member assignment should be handled through SCIM instead.
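
The role and group mappings above can be checked against the attributes your IdP actually sends during the test login. The following is an added example, not Prevu3D code: it reads the AttributeStatement of a decoded assertion and reports the role and groups the login would carry. The attribute names (FirstName, LastName, Prevu3DRole, Groups) and the sample values are assumptions, and the script inspects attribute contents only; it does not validate the assertion signature.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Assumed attribute names; use the ones configured in your IdP and the SSO tab.
FIRST, LAST, ROLE, GROUPS = "FirstName", "LastName", "Prevu3DRole", "Groups"
KNOWN_ROLES = {"Admin", "Guest"}  # the roles listed on this page

# Constructed sample: AttributeStatement from a decoded test-login assertion.
SAMPLE = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="FirstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="LastName"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="Groups">
    <saml:AttributeValue>plant-engineering</saml:AttributeValue>
    <saml:AttributeValue>contractors</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

def read_attributes(xml_text):
    """Return {attribute name: [values]} for every SAML Attribute element."""
    attrs = {}
    for attr in ET.fromstring(xml_text).iter("{%s}Attribute" % SAML_NS):
        values = [(v.text or "").strip() for v in attr.findall("{%s}AttributeValue" % SAML_NS)]
        attrs.setdefault(attr.get("Name"), []).extend(v for v in values if v)
    return attrs

def review_mapping(xml_text, scim_enabled=False, default_role="Guest"):
    """Report the role and groups a login would carry, plus mapping problems."""
    attrs = read_attributes(xml_text)
    findings = []
    if not scim_enabled:  # name attributes are only needed without SCIM
        for name in (FIRST, LAST):
            if not attrs.get(name):
                findings.append("missing attribute: " + name)
    roles = attrs.get(ROLE, [])
    if not roles:
        role = default_role
        findings.append("no role attribute: default role '%s' applies" % default_role)
    elif len(roles) > 1 or roles[0] not in KNOWN_ROLES:
        role = None  # flag for review instead of guessing how it is handled
        findings.append("unexpected role value(s): %r" % roles)
    else:
        role = roles[0]
    return {"role": role, "groups": attrs.get(GROUPS, []), "findings": findings}

if __name__ == "__main__":
    print(review_mapping(SAMPLE))
```

Compare the reported groups with the SAML group values entered under Edit group; a value that differs will not match the mapping.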

SCIM 2.0 – Provisioning Setup

Prevu3D supports user and group provisioning via the System for Cross-domain Identity Management (SCIM 2.0) protocol.

Prerequisites

  • Your organization must be on the Enterprise plan.

  • Your IdP must support SCIM (e.g., Azure AD/Entra, Okta, JumpCloud).

What SCIM Enables

  • User provisioning – New users are automatically created in Prevu3D

  • User deprovisioning – Users are disabled or removed when deactivated in your IdP

  • Group assignment – Groups and roles can be centrally managed from your IdP

Setup Instructions

  1. Log in to your Prevu3D account as an organization admin.

  2. Go to the Setting tab

  3. Select the SSO tab from the left-hand menu

  4. Scroll to the SCIM Provisioning section and enable it.

  5. You will find:

    • SCIM Base URL

    • Bearer Token

Info

You can also rotate the Bearer Token if needed, for security reasons or as part of credential rotation.

  6. In your Identity Provider (e.g., Microsoft Entra ID):

    • Open the Prevu3D Enterprise Application.

    • Enable SCIM provisioning.

    • Enter the SCIM Base URL and Bearer Token obtained from the SSO tab.

  7. Configure attribute mappings for:

    • userName, givenName, familyName, email

    • Optional: groups, roles, active

  8. Save your configuration

    Your IdP will now automatically sync users and groups to Prevu3D based on its provisioning schedule.
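
When reading your IdP's provisioning logs, it helps to know what the requests look like. The following is an added example, not Prevu3D or IdP code: it builds, without sending, the create and deactivate requests a SCIM 2.0 client issues per RFC 7643 and RFC 7644, using the attribute names listed above. The base URL, token, user record and the SCIM_TOKEN environment variable are constructed placeholders; the real values come from the SSO tab.

```python
import json, os
from urllib.request import Request

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

def scim_request(base_url, token, method, path, body):
    """Build (not send) a SCIM request authenticated with the bearer token."""
    return Request(
        base_url.rstrip("/") + path,
        data=json.dumps(body).encode(),
        method=method,
        headers={"Authorization": "Bearer " + token,
                 "Content-Type": "application/scim+json"},
    )

def provision_user(base_url, token, record):
    """POST /Users: map the mapped attributes onto the core User schema."""
    body = {
        "schemas": [USER_SCHEMA],
        "userName": record["userName"],
        "name": {"givenName": record["givenName"],
                 "familyName": record["familyName"]},
        "emails": [{"value": record["email"], "primary": True}],
        "active": record.get("active", True),
    }
    return scim_request(base_url, token, "POST", "/Users", body)

def deprovision_user(base_url, token, scim_id):
    """PATCH /Users/{id}: a deactivated IdP account is disabled downstream."""
    body = {"schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}
    return scim_request(base_url, token, "PATCH", "/Users/" + scim_id, body)

def redacted(req):
    """Headers that are safe to log: the bearer token is never included."""
    return {k: ("Bearer ***" if k.lower() == "authorization" else v)
            for k, v in req.header_items()}

# Constructed values for illustration only.
BASE = "https://scim.example.invalid/v2"
TOKEN = os.environ.get("SCIM_TOKEN", "constructed-token")  # keep out of source
RECORD = {"userName": "ada@example.com", "givenName": "Ada",
          "familyName": "Lovelace", "email": "ada@example.com"}

if __name__ == "__main__":
    req = provision_user(BASE, TOKEN, RECORD)
    print(req.get_method(), req.full_url, redacted(req))
```

The Bearer Token grants the ability to create and disable accounts, so store it as a secret and rotate it if it ever appears in a log or ticket.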

Definitions

  • IdP, Identity Provider: the system that registers all users and lets them connect to various other services. This is the source of truth for your organization, users and groups. E.g.: Azure AD, JumpCloud.

  • SP, Service Provider: the service application that consumes SSO information, in this case Prevu3D Cloud.

  • SSO, Single Sign-On: a mechanism that lets users log in from a single portal and lets the user management configuration be applied across multiple applications.

  • SAML, Security Assertion Markup Language: a protocol widely used in the industry that enables SSO on multiple cloud-based platforms.

  • SCIM, System for Cross-domain Identity Management: a protocol for provisioning users and groups.