Introduction
This guide provides instructions for setting up Single Sign-on between Microsoft Azure AD and Bentley's Identity Management System (IMS), for your corporate users.
This guide assumes that your Azure AD tenant is properly set up on an SSL/TLS endpoint using HTTPS, and that the authentication address is reachable by your corporate users.
Create the Application in Azure AD
Note: The interface for Azure changed in early 2019, so your Azure interface may look different than the screenshots depicted below.
- Open your Azure AD portal (https://portal.azure.com/) and log in with administrative privileges
- Select “Azure Active Directory” from the left navigation, if not already selected.
- Choose “Enterprise Applications”
- Click on “New Application”
- Choose the option for a “Non-gallery application”
- Name it “Bentley IMS”
Choose Single Sign-On and SAML:
Define the URLs
- Depending on your version of Azure AD, you may click the edit button in Section #1 (looks like a pencil) and edit the Identifier and Reply URL values to https://ims.bentley.com/.
Define the Claims
- If your primary email address is your users' key identifying claim, remove the "Unique User Identifier" claim from the claims setup.
- If your users' UPN is the key identifying claim, please remove the email address claim to avoid confusion. Bentley can use the "name" claim (which typically contains the user's UPN address) to identify the user.
You will need to add the country claim, which is not included by default.
- Name the claim “country”
- Tip: The Namespace will be the same as the other claims, so copy it before editing the new country claim. Do not include the trailing slash; the namespace should end with the word “claims”
- Choose “user.country” as the source attribute
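The claims above are only as good as the directory attributes they are sourced from: a user with no Country value, or no email address when email is the key identifying claim, will arrive at Bentley with an empty or missing claim. The following check is an added example, not part of Bentley's guide; it assumes the AzureAD PowerShell module is installed and that Connect-AzureAD has already been run, and the function name and the $KeyClaim parameter are my own.

```powershell
# Added example (not from the guide): report member users whose source attributes
# for the SAML claims are empty. Assumes Connect-AzureAD has already been run.
function Test-BentleyClaimSources {
    param(
        # Assumption: 'Mail' when email is the key identifying claim,
        # 'UserPrincipalName' when the UPN is (see the claims section above).
        [ValidateSet('Mail', 'UserPrincipalName')]
        [string]$KeyClaim = 'Mail'
    )

    # Only member accounts are in scope; guest accounts rarely have Country set.
    $users = Get-AzureADUser -All $true -Filter "userType eq 'Member'"

    # Dynamic property access ($_.$KeyClaim) picks Mail or UserPrincipalName.
    $missingKey     = $users | Where-Object { [string]::IsNullOrWhiteSpace($_.$KeyClaim) }
    $missingCountry = $users | Where-Object { [string]::IsNullOrWhiteSpace($_.Country) }

    [pscustomobject]@{
        KeyClaimAttribute    = $KeyClaim
        TotalMembers         = $users.Count
        MissingKeyClaim      = $missingKey.Count
        MissingCountry       = $missingCountry.Count
        UsersMissingKeyClaim = $missingKey.UserPrincipalName
        UsersMissingCountry  = $missingCountry.UserPrincipalName
    }
}

# Usage: run after the claims are defined and before the first sign-in test.
Test-BentleyClaimSources -KeyClaim 'Mail' | Format-List
```

Populate the missing attributes in the directory (or from your HR source of truth) before sending the metadata to Bentley; otherwise the first support ticket is likely to be a user rejected for an incomplete claim set.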
Define the Users and Groups for this application
- By default, no one can use your new application, so you must enable user sign-in. The simplest way to do this is to remove the requirement for User Assignment as shown below:
Alternately, you may add users and groups explicitly. This can be used to limit access to Bentley users and IT admins if desired.
Copy the federation metadata URL and send it to Bentley
- Select Endpoints (see image above) and copy the federation metadata URL shown in section #3 (see image below).
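Before sending the federation metadata URL to Bentley, it is worth confirming that it resolves over HTTPS, that the entity ID it advertises is your tenant, and how long the SAML signing certificate it contains remains valid, since an expired signing certificate is the most common cause of a sudden SSO outage. The function below is an added example, not Bentley's or Microsoft's code; it uses only standard PowerShell (5.1 or later) with no extra modules, and the metadata URL in the usage line is a placeholder whose tenant and app IDs you must replace.

```powershell
# Added example (not from the guide): download and summarize an Azure AD
# federation metadata document. Uses built-in PowerShell XML handling only.
function Get-FederationMetadataSummary {
    param(
        [Parameter(Mandatory)]
        [string]$MetadataUrl
    )

    # Fetch over HTTPS and parse the body as XML.
    $response = Invoke-WebRequest -Uri $MetadataUrl -UseBasicParsing
    [xml]$metadata = $response.Content

    # PowerShell's XML adapter navigates by local name, so the md:/ds: prefixes
    # in the document do not need to be declared here.
    $entity = $metadata.EntityDescriptor
    $idp    = $entity.IDPSSODescriptor

    # Decode every signing certificate and report its validity window so the
    # expiry date can be tracked before it breaks sign-in.
    $certs = foreach ($kd in $idp.KeyDescriptor) {
        if ($kd.use -and $kd.use -ne 'signing') { continue }
        $raw  = [Convert]::FromBase64String($kd.KeyInfo.X509Data.X509Certificate)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($raw)
        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint
            NotBefore  = $cert.NotBefore
            NotAfter   = $cert.NotAfter
            DaysLeft   = [int]($cert.NotAfter - (Get-Date)).TotalDays
        }
    }

    [pscustomobject]@{
        EntityId       = $entity.entityID
        SsoRedirectUrl = ($idp.SingleSignOnService |
                          Where-Object { $_.Binding -like '*HTTP-Redirect' }).Location
        SigningCerts   = $certs
    }
}

# Usage (placeholder URL; substitute the value copied from the Endpoints blade):
$url = 'https://login.microsoftonline.com/<tenant-id>/federationmetadata/2007-06/federationmetadata.xml?appid=<app-id>'
$summary = Get-FederationMetadataSummary -MetadataUrl $url
$summary | Format-List
$summary.SigningCerts | Format-Table Thumbprint, NotAfter, DaysLeft
```

Record the thumbprint and NotAfter date alongside the ticket you raise with Bentley; when the certificate is later rolled over in Azure AD, Bentley will need the refreshed metadata, and comparing the thumbprint on both sides is the quickest way to diagnose a signature-validation failure.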
Configure the Branding page (optional)
- OPTIONAL: You may download this Bentley logo image and use it as the application icon:
Troubleshooting:
If you cannot add an application due to a conflict, you may be able to remove it using PowerShell:
- Log on to Azure AD using PowerShell (AzureAD module) and locate the conflicting application:
Connect-AzureAD
# Find any application that already claims the Bentley IMS identifier URI; ObjectId is included because the Remove step below needs it
Get-AzureADApplication -All $true | select DisplayName, ObjectId, IdentifierUris | where IdentifierUris -Contains "https://ims.bentley.com/"
# Alternatively, search by display name
Get-AzureADApplication -Filter "DisplayName eq 'Bentley'"
- Run this command to delete the old application (substitute the ObjectId returned above)
Remove-AzureADApplication -ObjectId "????????-????-????-????-????????????"