Overview
Organizations integrating Bentley IMS with their identity provider, a process we term "federation," establish a trust relationship with Bentley using a time-limited value that must be renewed periodically to ensure end users can sign in. Federations that use the OpenID Connect (OIDC) protocol rely on a password known as a client secret. Client secrets, unlike the signing certificates used with other protocols, do not divulge their expiration dates and must therefore be tracked separately. Bentley now offers a Client Secret Page for tracking expirations, notifying administrators, and applying new client secrets in a self-service manner.
Accessing the Client Secret Key page
Account admins and co-administrators can access the Client Secret Key page by clicking the key icon at the bottom of the left sidebar, as shown below. If this icon is not visible, please request access by submitting an existing federation request. Note, however, that the page is useful only for federations that use the OpenID Connect (OIDC) protocol.

Federation Management
The first section provides three fields, described below:
- Issuers: This dropdown menu displays the entity ID of the enterprise application managing your federation. If your organization has more than one federation with Bentley, particularly from the past, the dropdown menu is used to select the correct one to edit.
- Client Secret Key: This field must be populated with a client secret generated from your identity provider. The value is not arbitrary and should be retrieved from an administrator who manages your identity provider (e.g. Microsoft Azure AD/Entra ID, Okta, etc.). For Azure AD/Entra ID administrators, provide the value listed in the Value column specifically, as shown below; it is available only immediately after the secret is created. If the value is no longer accessible, simply create a new client secret.
- Expiration Date: This calendar picker specifies when the client secret expires. Like the client secret key, it is not an arbitrary value and should be retrieved from an administrator who manages your identity provider (e.g. Microsoft Azure AD/Entra ID, Okta, etc.). The date allows us to notify you when expiration is nearing.
Additionally, a line directly above the three settings denotes when the client secret and expiration date were last changed and by whom. Administrators designated in the next section will also be notified when a client secret and expiration date are updated.
To update the client secret:
- Enter both a client secret and an expiration date.
- Click the Update button. If the button is disabled, ensure that both a client secret and an expiration date in the future have been specified.
- Acknowledge the warning dialog to apply the changes.
- Important: Before navigating away from this page, ensure you can sign in to your federation. If an invalid client secret has been applied, you will be unable to complete authentication and will need to correct it. Navigating away from this page prior to validation risks locking you out. Should this happen, email imsteam@bentley.com for assistance.
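For Microsoft Entra ID, one way to obtain the date for the Expiration Date field is to read it from the application's `passwordCredentials` as returned by Microsoft Graph. The following is an added example, not Bentley's code: the function names, the sample records and the 90-day reading of "three months" are assumptions, and the secret is matched by its `hint` (its first three characters) so the full value never has to be handled.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of Microsoft Graph `passwordCredentials`.
# Graph never returns the secret itself, only `hint` (its first three characters).
SAMPLE = json.loads("""[
  {"keyId": "00000000-0000-0000-0000-000000000001", "displayName": "ims-2023",
   "hint": "aB1", "endDateTime": "2024-03-01T00:00:00Z"},
  {"keyId": "00000000-0000-0000-0000-000000000002", "displayName": "ims-2024",
   "hint": "Xy9", "endDateTime": "2025-02-15T09:30:00.1234567Z"}
]""")

WARN_WINDOW = timedelta(days=90)  # assumption: "three months" taken as 90 days

def parse_graph_time(value):
    """Parse a UTC timestamp, tolerating 7-digit fractional seconds."""
    m = re.fullmatch(r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.\d+)?Z", value)
    if not m:
        raise ValueError(f"unexpected timestamp: {value!r}")
    parsed = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    return parsed.replace(tzinfo=timezone.utc)

def find_secret(credentials, secret_prefix):
    """Return the single credential whose hint matches the secret being applied."""
    hint = secret_prefix[:3]
    matches = [c for c in credentials if c.get("hint") == hint]
    if len(matches) != 1:
        # Zero or several matches: do not guess which expiry to enter.
        raise LookupError(f"{len(matches)} credentials match hint {hint!r}")
    return matches[0]

def expiry_report(credentials, secret_prefix, now):
    """Give the date to enter on the page and whether renewal is already due."""
    cred = find_secret(credentials, secret_prefix)
    expires = parse_graph_time(cred["endDateTime"])
    remaining = expires - now
    if remaining <= timedelta(0):
        status = "expired"
    elif remaining <= WARN_WINDOW:
        status = "renew"
    else:
        status = "ok"
    return {"keyId": cred["keyId"], "expiration_date": expires.date().isoformat(),
            "days_left": remaining.days, "status": status}

if __name__ == "__main__":
    print(expiry_report(SAMPLE, "Xy9", datetime.now(timezone.utc)))
```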

Expiration Alert Notifications
The second section also provides three settings to regulate who should receive notification emails, as described below:
- Frequency: This dropdown menu regulates how soon notification emails of an impending expiration begin. At present, there is a single setting, which may be expanded in the future. Text below the dropdown menu describes the pattern of notifications, which begin three months out and become increasingly regular as the expiration date approaches.
- Notification Audience: By default, this dropdown notifies by email all IMS users with an Account Admin or Co-Administrator role of impending client secret expirations or the application of a new client secret. However, there is also an option to specify which administrators should be notified. When selected, a third field and list will appear by which an administrator can add or remove administrators who should be notified.
- Select Audience: If "Selected Admin & Coadmin Users" is selected in the Notification Audience dropdown menu, this dropdown menu appears by which admins can be added to the list. The list beneath this menu displays the currently selected admins and provides red X's for removing admins as needed.
