Introduction and Requirements
NOTE: This guide has been deprecated and is left on the communities page for reference. All new Azure AD OIDC applications should use this setup guide.
This guide provides instructions for setting up Single Sign-on between Microsoft Azure AD and Bentley's Identity Management System (IMS), for your corporate users.
This guide assumes that your Azure AD tenant is properly set up on an SSL/TLS endpoint using HTTPS, and that the authentication address is reachable by your corporate users.
For our new federations, we require that your users:
- are currently populated inside of Bentley IMS with their UPN from Azure AD. If this is not the case, we will need to update it prior to going live with your federation.
- have a country value inside of Azure AD which can be shared with Bentley through this federation.
Federation with Azure AD also requires that you set up our Azure AD User Provisioning Service to maintain your users' identities from initial provisioning through offboarding, including any updates to those identities in between.
Create the Application in Azure AD
Note: The interface for Azure changed in early 2019, so your Azure interface may look different than the screenshots depicted below.
- Open your Azure AD portal (https://portal.azure.com/) and log in with administrative privileges.
- Select “Azure Active Directory” from the left navigation, if not already selected.
- Choose “App Registrations”

- Click on “New Registration”

- Name it “Bentley IMS”, select “Accounts in this organizational directory only”, leave the Redirect URI empty for now, and click Register.

Setting up your ID Token
- Click “Token Configuration” on the left-hand side.

- From here, click “Add Optional Claim”.

- Select the “ID” Token Type.

- A list of claims to add will pop up. Select: ctry, family_name, given_name, and upn.
Note: A user must have a valid country code in your directory in order to federate. We use this information to determine proper entitlements, billing, taxes, and more. Additionally, we require that your users are represented inside IMS by their Azure AD UPN.
- A warning box will pop up asking whether to turn on the corresponding Microsoft Graph permission. Tick the checkbox and click Add again.

Setting up your Client Secret
- Select the “Certificates & Secrets” option on the left-hand menu

- Select “New Client Secret”

- Name it “Bentley Secret”, select an expiration length, and click Add.

- From here, copy the secret's value and paste it into a text document, labelled “Client Secret”. The value is displayed only once, immediately after creation; if you navigate away without copying it you will need to create a new secret. This is one of three pieces of information Bentley needs.

Gathering the rest of the required information
- Now that we’ve retrieved the Client Secret value, we still need the App ID and the Federation Metadata URL. To gather the App ID, click “Overview” on the left-hand side. The App ID is immediately visible here; copy it down and label it “App ID”.

- For the Federation Metadata URL, click on “Endpoints” right above that.

- From there, copy the “OpenID Connect metadata document” URL.

- You should now have three values saved: a Client Secret, an App ID, and a Metadata URL. The values for this example look like this:
Secret: fY-j~4Ymc1~iiy6o0ZvP9IRPhb9BY.Y~Lo
App ID: 3c52b594-9548-492a-9a05-536b650b7285
URL: https://login.microsoftonline.com/fa9d6895-f952-4ec7-b604-0e65ab076d63/v2.0/.well-known/openid-configuration
- Please e-mail your three values to the federation management team at Bentley. We’ll provide you with two redirect URIs. They’ll look something like this:
EXAMPLE FOR IMS: https://ims.bentley.com/sp/eyJpc3MiOiJodHRwczpcL1wvbG9naW4ubWljcm9zb2Z0b25saW5lLmNvbVwvMzcwN2M5Y2UtNDlmNC00MDU2LTljY2QtYjIwZDVmMWRmYzVjXC92Mi4wIn0/cb.openid
EXAMPLE FOR CONNECT: https://imsoidc.bentley.com/sp/eyJpc3MiOiJodHRwczpcL1wvbG9naW4ubWljcm9zb2Z0b25saW5lLmNvbVwvMzcwN2M5Y2UtNDlmNC00MDU2LTljY2QtYjIwZDVmMWRmYzVjXC92Mi4wIn0/cb.openid
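As an added pre-flight check (example code, not Bentley's or Microsoft's), the script below takes the metadata URL gathered above and a decoded ID token and confirms that the four optional claims selected in the Token Configuration step (ctry, family_name, given_name, upn) are present and non-empty, and that the token's issuer belongs to the same tenant as the metadata URL. The token and claim values are a constructed fixture; the tenant and App ID reuse the guide's example values, and the user names are assumptions.

```python
import base64
import json
import re

REQUIRED_CLAIMS = ("ctry", "family_name", "given_name", "upn")   # optional claims from the guide
METADATA_RE = re.compile(r"^https://login\.microsoftonline\.com/([0-9a-f-]{36})"
                         r"/v2\.0/\.well-known/openid-configuration$")

def tenant_from_metadata_url(url: str) -> str:
    """Return the tenant ID embedded in a v2.0 OpenID Connect metadata URL."""
    m = METADATA_RE.match(url)
    if not m:
        raise ValueError("not an Azure AD v2.0 OpenID Connect metadata URL")
    return m.group(1)

def decode_payload(id_token: str) -> dict:
    """Decode a JWT's claims segment for inspection only. No signature check:
    the relying party (IMS) verifies it against the JWKS from the metadata URL."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("ID token is not a three-part JWT")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)   # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))

def check_claims(claims: dict, metadata_url: str) -> list:
    """Return a list of problems; an empty list means the token is ready."""
    tenant = tenant_from_metadata_url(metadata_url)
    expected_iss = f"https://login.microsoftonline.com/{tenant}/v2.0"
    problems = []
    if claims.get("iss") != expected_iss:
        problems.append(f"issuer mismatch: {claims.get('iss')!r} != {expected_iss!r}")
    for name in REQUIRED_CLAIMS:
        if not claims.get(name):          # absent or empty string both fail
            problems.append(f"missing or empty claim: {name}")
    return problems

def encode_test_token(claims: dict) -> str:
    """Build an unsigned test JWT (constructed fixture only, never for production)."""
    b64 = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return b64({"alg": "none", "typ": "JWT"}) + "." + b64(claims) + "."

# Constructed sample; the tenant and App ID are the guide's own example values.
METADATA_URL = ("https://login.microsoftonline.com/fa9d6895-f952-4ec7-b604-0e65ab076d63"
                "/v2.0/.well-known/openid-configuration")
SAMPLE_CLAIMS = {"iss": "https://login.microsoftonline.com/fa9d6895-f952-4ec7-b604-0e65ab076d63/v2.0",
                 "aud": "3c52b594-9548-492a-9a05-536b650b7285", "upn": "jdoe@example.com",
                 "given_name": "Jane", "family_name": "Doe", "ctry": "US"}

if __name__ == "__main__":
    print(check_claims(decode_payload(encode_test_token(SAMPLE_CLAIMS)), METADATA_URL) or "ready to federate")
```

A missing country code is the failure this guide warns about, so an empty ctry is reported the same way as an absent one.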
Setting up User Assignment (optional)
- By default, user assignment is not required, so all users in your tenant can use the application. If you wish to change this, from your main Azure AD portal view click on “Enterprise Applications” on the left-hand side and select Bentley IMS:

- Select “Properties” from the left-hand panel and modify the “User Assignment Required” value.

- From here, you need to assign the appropriate users and groups. Select “Users and Groups” on the left-hand side and add users and groups as needed.

Granting Admin Consent (optional):
Setting up federation using OpenID Connect introduces the concept of user consent. This means that when a user signs in for the first time, they must grant consent for IMS to access the necessary details of their profile from Azure AD. If you'd like to grant consent on behalf of your users and eliminate this one-time prompt, you may do so by granting admin consent for the application.
- From the "API Permissions" tab on the left-hand menu bar, click "Grant admin consent for <your org's name>":

Inputting the Redirect URIs:
- Once you’ve received the Redirect URIs back from the federation management team at Bentley, you’ll need to input them. Head to the app registration you made for this program, and from “Overview” on the left-hand side click on “Add a Redirect URI”.

- Click “Add a Platform” and select “Web”.

- From here, paste one of the URIs into the space provided.

- After you set one, a new box will pop up where you can add the other.

- Now click Save in the top-left corner.

Configure the Branding page (optional)

- You may download this Bentley logo image and use it as the application icon:
