Introduction

NOTE: This guide is deprecated and for review only. We no longer set up new SAML based federations. Please refer to the Azure AD OIDC guide for implementing federation with Bentley.

Do not use any Bentley Systems Azure store applications for this set up. We do not have an application that will complete this process for you at this time. This set up must be completed using these instructions only.

This guide provides instructions for setting up Single Sign-on between Microsoft Azure AD and Bentley's Identity Management System (IMS), for your corporate users.

This guide assumes that your Azure AD tenant is properly set up on a SSL /TLS endpoint using HTTPS, and that the authentication address is accessible by your corporate users.

This guide provides federation metadata, however, simply importing it will not completely set up this connection. Please finish the entire document to set up your federation.

Create the Application in Azure AD

Note: The interface for Azure changed in early 2019, so your Azure interface may look different than the screenshots depicted below. 

• Open your Azure AD portal (https://portal.azure.com/) and login with administrative privileges
• Select “Azure Active Directory” from the left navigation, if not already selected.
• Choose “Enterprise Applications”

• Click on “Overview”

• Click on “New Application”
• Choose the option for a “Non-gallery application”
• Name it “Bentley IMS”

Choose Single Sign-On and SAML: 

Import Bentley's Federation Metadata

• In the top left, hit the “Upload Metadata file” option and paste the following link in the explorer that pops up under “File name:” –

https://ims.bentley.com/saml2/FederationMetadata/2007-06/FederationMetadata.xml

• This will import the “Basic SAML Configuration” for the connection as seen below:

Identifier: https://ims.bentley.com/

Reply URL: https://ims.bentley.com/sp/ACS.saml2 

Define the Claims

You will need to add the country claim, which is not included by default. 

Note: It is required that a user have a valid country code in your directory in order to federate. We use this information to determine proper entitlements, billing, taxes, and more. 

• Under User Attributes & Claims, hit Edit
• Hit “Add new claim”
• Fill it out as such, note the lowercase country –

Schema: http://schemas.xmlsoap.org/ws/2005/05/identity/claims

• Next up, reduce the attribute statement to only be sending the designated identifier, either E-Mail or UPN:

E-Mail:

UPN:

Define the Users and Groups for this application

• By default, no one can use your new application, so you must enable user log in.  The best way to do this is to remove the requirement for User Assignment as seen below:

• Alternately, you may add users and groups explicitly.  This can be used to limit access to Bentley users and IT admins if desired. 

Copy the federation metadata URL and send it to Bentley

Configure the Branding page (optional)

OPTIONAL: You may download this Bentley logo image and use it as the application icon: