Introduction and Prerequisites 

This guide provides instructions for configuring your WS-Fed or SAML based Azure AD federation to support guest users within Bentley Identity Management System (IMS) 

This guide assumes that you have an active federation with Bentley using Azure AD WS-Fed or SAML based authentication. If you do not, please visit our federation landing page and the federated identity communities page to get your federation set up. 

Azure AD provides functionality to invite guest users to your Azure AD tenant. This allows the user to maintain a “guest identity” inside your tenant, which can be granted access to your internal resources and access applications set up in your environment. This guest account is maintained by your tenant, but the guest authenticates with their primary domain credentials, not guest credentials.  

If you wish to use guest users, there are some limitations regarding the capabilities of guest users with Bentley IMS. As with all federations in our environment, when a user signs in through your federation, they are automatically assigned to your user directory inside of Bentley IMS. This means that your organization is responsible for providing the necessary licensing for these users.  

Guest users in your Azure AD tenant will be treated the same as normal users from your federation. We will set up a dynamic SAML claim which provides the guest -formatted account for that user, rather than their primary identity, and this user will be added to your directory inside of IMS for management. Guest users will appear with their guest Azure AD identity with the username_externaldomain#EXE#@yourdomain.com format.  

Making the Required Changes to your Application 

• Open your Azure AD portal (https://portal.azure.com/) and login using administrative privileges 
• Select “Azure Active Directory” from the left navigation, if not already selected. 
• Choose “Enterprise Applications” and find the application you are using for our federation 

• Under User Attributes & Claims, click “Edit” 
• Click “Add new claim” 
• Fill it out as such – 

• Schema: http://schemas.xmlsoap.org/ws/2005/05/identity/claims 
  • It is important that the “Name” is “guestidentity”, in lowercase. This is case sensitive. 

• Under “Claim Conditions”, make the following changes:  
  • “All Guests” 
  • Source: Attribute 
  • Value: user.localuserprincipalname 

We have configured all Azure AD connections to automatically look for this value. When it is found, we will use this value to identify your guest users. Simply set up the new claim, and your guest users are now supported in your environment.  

If you have any issues or questions, please submit a service request.