Configuring Microsoft Azure AD for SAML 2.0 federation


NOTE: This guide is deprecated and for review only. We no longer set up new SAML-based federations. Please refer to the Azure AD OIDC guide for implementing federation with Bentley.

Do not use any Bentley Systems Azure store applications for this setup. We do not have an application that will complete this process for you at this time. This setup must be completed using these instructions only.

This guide provides instructions for setting up Single Sign-On between Microsoft Azure AD and Bentley's Identity Management System (IMS) for your corporate users.

This guide assumes that your Azure AD tenant is properly set up on an SSL/TLS endpoint using HTTPS, and that the authentication address is accessible by your corporate users.

This guide provides federation metadata; however, simply importing it will not completely set up this connection. Please work through the entire document to set up your federation.

Create the Application in Azure AD

Note: The interface for Azure changed in early 2019, so your Azure interface may look different from the screenshots depicted below.



Add an Application

Choose Single Sign-On and SAML: 

Choose SAML

Import Bentley's Federation Metadata

Basic SAML Config


Reply URL: 

Define the Claims

You will need to add the country claim, which is not included by default. 

Note: It is required that a user have a valid country code in your directory in order to federate. We use this information to determine proper entitlements, billing, taxes, and more. 
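
A pre-check for the country requirement above, as an added example that is not part of Bentley's guide: it inspects the attributes of a SAML assertion captured from a test sign-in and reports a missing or empty country claim. The claim name is an assumption (the WS-Federation country claim URI), the helper names are hypothetical, and the sample assertions are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumption: WS-Federation country claim URI; confirm the name Bentley expects.
COUNTRY_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country"

def country_claim_problems(assertion_xml, claim_name=COUNTRY_CLAIM):
    """Return a list of problems with the country claim; an empty list means OK.

    Checks presence and non-emptiness only. Signature and value-format checks
    are out of scope: run this on assertions captured from your own test sign-in.
    """
    root = ET.fromstring(assertion_xml)
    attrs = root.findall(".//saml:AttributeStatement/saml:Attribute", NS)
    if not attrs:
        return ["assertion carries no attributes"]
    matches = [a for a in attrs if a.get("Name") == claim_name]
    if not matches:
        return ["country claim missing: " + claim_name]
    values = [(v.text or "").strip()
              for a in matches for v in a.findall("saml:AttributeValue", NS)]
    problems = []
    if not any(values):
        problems.append("country claim present but empty")
    if len([v for v in values if v]) > 1:
        problems.append("country claim has more than one value")
    return problems

def _assertion(attributes):
    """Build a constructed, unsigned sample assertion from (name, value) pairs."""
    body = "".join(
        '<saml:Attribute Name="%s"><saml:AttributeValue>%s</saml:AttributeValue>'
        "</saml:Attribute>" % pair for pair in attributes)
    return ('<saml:Assertion xmlns:saml="%s"><saml:AttributeStatement>%s'
            "</saml:AttributeStatement></saml:Assertion>" % (NS["saml"], body))

EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
SAMPLES = {  # constructed test data, not real sign-in output
    "ok": _assertion([(EMAIL, "user@example.com"), (COUNTRY_CLAIM, "US")]),
    "missing": _assertion([(EMAIL, "user@example.com")]),
    "empty": _assertion([(EMAIL, "user@example.com"), (COUNTRY_CLAIM, " ")]),
}

if __name__ == "__main__":
    for label, xml_text in SAMPLES.items():
        print(label, country_claim_problems(xml_text) or "OK")
```

A "missing" or "empty" result for a test user means either the claim was not added to the application or the user's country field is blank in the directory.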




Define the Users and Groups for this application

Users and Groups

Add users individually

Copy the federation metadata URL and send it to Bentley

Configure the Branding page (optional)


OPTIONAL: You may download this Bentley logo image and use it as the application icon: