The following is a high level list of the items that may break when moving to Trimble ID SSO.  Please note that the following sections will list out the specifics of each potential gotcha and available workarounds.

• Third Party Products are NOT Supported (e.g. SSMS, Crystal Builder, Spreadsheet Server, etc.)

  • Details Link

• Customers using Cascade / AVD legacy logins (Use of Viewpoint AVD or SMB Share Mounting for Imports) will need three sets of credentials

  • Details Link

• When using Entra ID (Azure AD) federation, your UPNs and primary email addresses MUST MATCH

  • Details Link

Prior to beginning the process of moving to Trimble ID SSO, you should thoroughly understand the nature of Trimble ID.  Specifically, the way that it functions, it only supports Trimble solutions, such as SketchUp, ProjectSight, Accubid, Vista, Spectrum, Vista Web, Viewpoint Analytics, and Automated Invoicing, along with many others.

The unfortunate caveat is that Trimble ID does NOT support various third party solutions, many of which customers consider to be part of Vista itself or that integrate closely with other Trimble Viewpoint solutions.  

This holds especially true for customers who are already in our cloud and who are using our legacy internal Active Directory (i.e. Cascade / AVD) to authenticate to Vista, SSMS, SSRS, Spreadsheet Server, etc.

The following is a list, although not completely exhaustive, of the third party products that do NOT support Trimble ID and will thus require workarounds when moving to use Trimble ID:

• SSRS's Actual Web UI

  • Using SSRS reports in Vista itself will work as Vista uses methods that force SSRS to work with the logged in Trimble ID SSO User

  • Those methods cannot work inside of the actual SSRS Web UI

• Crystal Reports Builder

• SSRS Report Builder

• Insight Software's Spreadsheet Server

Methods to Address Issue

• Consider Replacement Tools

• Use SQL Authentication Accounts

Consider Replacement Tools

Various solutions listed above have equivalent tools that do not require authenticating directly to the Vista database.  As such they can leverage your normal authentication methods such as Entra ID / Azure AD or even a Trimble ID in some cases.

The following is a list of potential substitute solutions that should be considered:

• SSRS's Web UI

  • Consider Instead Viewpoint Analytics Paginated Reports or PowerBI

    • Viewpoint Analytics has a Paginated Reports function that allows for both custom SSRS and custom Crystal reports to be hosted in a multitenant, web-based environment that leverages Trimble ID for authentication.  Custom SSRS and Crystal Reports may be easily added into Viewpoints Analytics for any customer that is on a Trimble Construction One (TC1) contract.  Please reach out to your Trimble support or customer success representative for more details.

• SSRS Report Builder

  • Consider Replacing with PowerBI or Analytics Entirely

    • Rather than continuing to use SSRS reports, you should consider migrating to a more future proof reporting toolset.  For example, Microsoft themselves has expressed that PowerBI is the way of their future, rather than SSRS reports

    • Viewpoint Analytics also contains a significant number of built in dashboards and capabilities that do not require the use of SSRS.

• Insight Software Spreadsheet Server

  • Insight software has available other reporting solutions that do not require direct authentication to the Vista database

    • Please reach out to your Insight Software representative for more details

  • Other solutions that do not require direct authentication for each end-user to the Vista database, such as Viewpoint Analytics or other third-party products, such as PowerBI or Prophix can also be used

Method to Address Issue - SQL Accounts

In the near term, if you cannot move from solutions that are incompatible with Trimble ID, there is another workaround that should be implemented.  To work around the fact that these third-party solutions do not support Trimble ID SSO, we need to set up a separate method of authentication for users who wish to use these tools.  As customers should not continue to use the legacy method of Cascade, which uses our internal active directory within viewpoints cloud and should really only be reserved for AVD logins, another method identified allow for login into these third-party products.

The proper method to use for authentication to these third-party products in our cloud, after moving to use Trimble ID SSO, is to use SQL authentication accounts.  The advantage to this method is that most legacy solutions, such as SSRS, that had been previously used with the Vista ERP, support this method of authentication.

Please note that there are a few disadvantages to using SQL accounts that must be accepted when using this method:

• Resetting passwords for these accounts is more difficult, requiring either a customer support case or the use of the Vista client itself after logging in

• MFA is not possible for these accounts, necessitating that these accounts should only be used for the bare minimum level of access as required by these tools.  Please note that these tools are, for the most part, confined to reporting use cases.  As such, the SQL accounts that are created for these third-party solutions should be restricted to read only access into the Vista database.

To create the SQL account as needed for third-party products, please use the instructions link that the following cloud FAQ article:  I need a dedicated SQL account for my integration to Vista in your cloud.  How do I set that up? 

If a customers and users are making use of Viewpoint's Azure Virtual Desktop (AVD), or if they area using SMB to mount the Vista pickup folder over the IPSEC VPN, it is likely that those end-users will need to make use of three sets of credentials once they have been migrated to Trimble ID SSO.  The reason for this is that the authentication into our AVD environment (Microsoft terminal services housed within our Active Directory infrastructure) cannot be done through either a customer's own Active Directory, or through Trimble ID.

The key thing to remember, especially for existing customers in our cloud, is that you may be using our Viewpoint internal Active Directory, managed by the Cascade portal, to authenticate to these resources.  These usernames are in the format of VIEWPOINT\username.companyCode.  These "legacy Viewpoint AD" usernames are used for customers who, for the most part, have two major use cases:  a need to use Trimble Viewpoint's own AVD instance in the cloud AND/OR who use SMB to mount the Vista pickup folder over an ISPEC VPN.

The following are the three sets of credentials that will be needed and the reason for their need:

• Trimble ID SSO:  Authentication into Viewpoint products, such as Vista, Vista Web, Viewpoint Analytics, Viewpoint Team, SketchUp, and more

• Pure SQL authentication:  for third-party products that perform direct queries on the Vista database, such as SSRS's actual web UI, SSMS, Crystal Builder, Spreadsheet Server, and more

  • As mentioned above, migrating to replacement solutions for these tools may be advisable not only for future proofing but to enable a more straightforward process for authentication for your end-users.

• Cascade Legacy Viewpoint AD:

  • In order to utilize our AVD in our cloud, where we host Vista, and other required products such as Adobe Acrobat reader

  • In order to mount the Vista pickup folder, needed ONLY for automated server to server file imports

    • The account used to authenticate with SMB over the IPSEC VPN MUST BE an internal Cascade-managed Viewpoint AD account

Methods to Address Issue

• Migrate to VRL

By installing the Vista rich client on your local workstations and using the Vista Remote Link (VRL) method to connect to Vista in the cloud, there is no need to have access to our Trimble AVD instance.  As such, there would be no need for your users to manage Cascade credentials.

• Leverage AppXchange / DataXchange Rather Than Imports

As a more modern method of connecting to the Vista solution to push data into Vista, wherever possible, we recommend the use of our AppXchange and DataXchange solutions.  AppXchange (formerly Ryvit) (Cloud and Data Connectors) 

• Begin Using Customer-Managed AVD

In the event that VRL is not possible for you, usually due to a desire for a thin client consumption model or due to concerns around network latency and performance, it is highly recommended that a customer managed AVD instance be set up in the same datacenter as where Vista is hosted.  The significant benefit to this solution is twofold:

• Higher Performance, similar to Viewpoint AVD

Performance could be much more acceptable to your end-users as the network latency between the Vista rich client and the Vista server will be kept small; they're both running in the same datacenter.

• Users Leverage Existing AD Logins

The AVD instance that will be used by your end-users will be managed within the same Active Directory (Entra ID) infrastructure as your standard computing systems.  This means that your end-users will be able to authenticate into the AVD portion without needing to use Viewpoint-specific Cascade logins, but rather would use their own, already familiar, Active Directory logins.

To read more details on the use of a customer managed AVD solution to host the Vista Rich client please see Option A in the following cloud FAQ article.  Please note that even though it references consultants, the details in this option are applicable to a customer managed AVD environment as well:  Cloud Access for Third Party Consultants 

Prior to beginning the Federation process to Entra ID (Azure AD), you should understand the impact of enabling federation to Entra ID.  Specifically, the way Microsoft Entra ID handles authentication can cause issues with licensing with certain Trimble products if your users have User Principal Names (UPNs) that do not exactly match the primary email address specified for the user in Office Microsoft 365.  If you are using, or plan to use Trimble products such as SketchUp, Connect, ProjectSight, Accubid, etc., please read on for more details and considerations.

Circumstances to Manifest Issue

If the following circumstances are in place, after federation of your Trimble ID instance to Entra ID, you will likely encounter login and licensing issues with various non-Viewpoint Trimble products:

• Your organization is a user of any of the following Trimble products:   SketchUp, Accubid, Trimble Estimating, ProjectSight, Trimble Connect.  There may be others, but those have been identified at this point as being of concern.

• Your end users have UPNs that correspond a domain that is different from the primary email address for your end users; in other words, your user UPNs and primary email addresses in Office 365 do not match.

  • This is most common in a subsidiary / parent company relationship, where your organization has subsidiaries that use email addresses whose domains differ from the main email address used by the parent company.

    • For example, ABC Plumbing is a subsidiary of ABC Conglomerate.  The email domain for ABC Conglomerate is "abc-conglomerate.com".  The email domain preferred by ABC Plumbing employees is "abc-plumbing.com".  

Impact of Issue

Once you have federated Entra ID to Trimble ID, you will see the following impacts if you use the products listed above and if your end users have UPNs that do not match their primary email addresses in Office 365:

• Licenses for Trimble products will not be able to be assigned correctly as they are most likely being assigned to a different company account in Trimble licensing as compared to what Entra ID sends back in the approval to login message.

• Logins for Trimble products will fail.  This is due to the approval that is sent back from Microsoft Entra ID / Azure AD:  it contains approval for the UPN for that user, NOT for the email address used by the end user to sign in.

  • For example, user "John" at ABC Plumbing attempts to log in to SketchUp after Federation is complete.  He attempts to log in with his ABC Plumbing email of "john@abc-plumbing.com".  In the past, that would have been successful, as the user was likely logging into Trimble ID with a standalone, non-Federated Trimble ID account.  However, now that federation is complete, instead of his "abc-plumbing.com" account receiving approval to login, instead, his UPN will now be approved, which is "john@abc-conglomerate.com".  That user account does not match the email he submitted initially, so login will be denied.

Methods to Address Issue

There are several methods available to address this Entra ID conflict.  However, they may involve changes in how your end users operate:

• Option A - Block, Migrate, and Educate (PREFERRED)

  • In detail, this option attempts to balance the need to retain the UPN as the parent company for management purposes, with the need to continue using the subsidiary email domain for ongoing branding and operational purposes.  It allows for the UPN to remain mis-matched from the primary email address, but requires a few, careful, steps including the training on the changing of user behavior.

High Level Steps to Implement:

1. Obtain a list of subsidiary domains (e.g. "dba domains").

2. Add a TXT record provided by the Trimble ID team to the main DNS for each domain you own, including the dba domains and your main UPN domain.  This proves to our team your ownership of those domains.

3. Work with Trimble ID team to block the creation of new standalone accounts that use the dba domains.

   1. This functionality is similar to how Trimble can block the creation of new accounts from domains that are replete with cyber threat actors.

4. Identify with the Trimble ID team all users who have already created standalone Trimble ID accounts using your dba domains.

5. Reach out to those users to tell them that their accounts will be migrated to use your main management domain to login ("UPN domain").  

   1. NOTE:  This will NOT impact their use of the dba domain for email and branding - ONLY logging in to various solutions.

6. The Trimble ID team will then, at your scheduled time, migrate those previously created standalone users from using dba domains to using your UPN domain.

7. Once the account migration is complete, you will need to test user login with standalone Trimble ID, using your "UPN domain" for all users who have been migrated.

8. Once successful, you can proceed with Federation as detailed below, later in this FAQ.

• • PROs:

    • If successful, would require no change to operations, nor would licensing be impacted.

  • CONs:

    • Requires a change in end user behavior to log in using your UPN domain, instead of their previous dba domain

    • Requires careful following of a series of complex steps

• Option B - Update UPNs to Match Primary Email Addresses

  • PROs:  

    • This option is often more palatable, as it allows end users in subsidiaries to continue to use their subsidiary email domain for day to day operations; no change to end user processes

    • Potentially preserves Trimble product licenses that may be set up at the subsidiary level

  • CONs:

    • More work for IT Team

      • This can cause issues with internal Entra ID domain management scripts and processes that will need to be updated, so be aware of those impacts prior to making this change.

    • Complicates licensing tracking if done at parent company level

• Option C - Update Primary Email Addresses to Match UPNs

  • PROs:

    • Easiest from the standpoint of IT as most scripts and automation should be minimally impacted by this move.

  • CONs:

    • Impact to branding of subsidiary and day to day operations of end users

• Option D - Remain with Standalone Trimble IDs for all Trimble and Trimble Viewpoint Products

  • PROs:

    • No impact to current operations and current products

    • Much less complex for end users and customer IT

    • Allows for preserving UPNs as parent company while email domains remain as subsidiary, preserving branding

  • CONs:

    • Lack of true SSO due to additional Trimble credentials needed

    • Not tied to the organization's overall, preferred IdP

    • Continued mismatch of UPN to primary email could cause issues with other solutions, even third party solutions, which might wish to federate at some point in the future

Thursday, 08 May 2025 at 12:56PM:  

• Specified that DNS verification keys are now unique per customer when performed through the Trimble ID team, such as for Okta Federation, or for existing cloud customers.  The TID team will provide them to you.

Wednesday, 09 April 2025 at 12:08PM:  

• Added notes on how OKTA can only be federated by TID Team, NOT transformations team.  Cleaned up organization by moving Caveat sections into collapsible groups to make the overall page smaller.  

Friday, 21 June 2024 at 11:14AM:  

• Massive updates to incorporate latest learned best practices around issues that can arise when moving to TID SSO and how to accommodate and workaround them

Friday, 14 June 2024 at 10:06AM:  

• Added preferred tag to the warning around UPNs needing to match primary email addresses; added information around using UPNs experimental option

Friday, 31 May 2024 at 09:49AM:  

• Added critical warning about what happens when federation is set up when UPN mismatches primary email in Azure AD.

Thursday, 04 April 2024 at 12:15PM:  

• Updated and restructured organization of page to make steps clearer and point out responsibilities for each task.

Friday, 22 March 2024 at 11:17AM:  

• Added note that the migration portal is NOT for service accounts, but only for human end users.

Wednesday, 06 March 2024 at 10:18AM:  

• Added screenshot and information about consenting on behalf of the organization, which is required for Azure AD federation to Trimble ID SSO.

Tuesday, 28 November 2023 at 06:17PM:  

• Added link to Australia / New Zealand SSO Setup page

Monday, 13 November 2023 at 03:29PM:  

• Corrected rapid typing typo error.

Thursday, 02 November 2023 at 01:51PM:  

• Added required DNS TXT record key for customers using Federation who are ALREADY in the cloud, using the Google Form for Federation kickoff.

Wednesday, 01 November 2023 at 08:11AM:  

• updated to highlight in bold the need to not migrate large numbers of users one at a time.

Wednesday, 25 October 2023 at 10:30AM:  

• Added notes about permissions needed.

Thursday, 12 October 2023 at 04:16PM:  

• Additional clarification around finalizing federation.

Wednesday, 04 October 2023 at 03:13PM:  

• Added key and process for TID to Azure AD / Okta Federation.

Tuesday, 26 September 2023 at 08:37PM:  

• Noticed that the URL for SSO migrations for Vista users is case-sensitive.

Thursday, 25 May 2023 at 03:26PM:  

• Significantly revised to include instructions on how to set up Trimble ID Federation, and steps to set up the initial promotion of users from Vista into Trimble ID SSO.

Wednesday, 13 July 2022 at 04:38PM

• Updated error in URL formatting for migration URL.