Certificate and Secret Rotations


All federated connections rely on a certificate or client secret to validate the information being shared via the federation. Depending on the validity period you issued the certificate or secret with, you will at some point be required to replace the signing certificate or secret being used for our connection.

For WS-Fed based connections, federation metadata URLs are checked every 15 minutes for changes. If a new certificate is found in your federation metadata URL then we will automatically import the certificate.

For SAML based connections, federation metadata URLs are checked every 60 minutes for changes. If a new certificate is found in your federation metadata URL then we will automatically import the certificate.

Note that a new certificate must be presented in the metadata for us to be able to automatically import it.

For WS-Fed and SAML based connections, if you did not provide a federation metadata URL, you are responsible for providing Bentley with an updated certificate ahead of its expiration; otherwise your connection will be interrupted until a new certificate is supplied.
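The automated import described above only fires if the new signing certificate is actually present in the published metadata before the next poll. The following script is an added example written for this page, not Bentley tooling, that lets an identity-provider operator verify this from their side: it parses a SAML metadata document, fingerprints every certificate offered for signing, and diffs that set against the fingerprints the relying party is already known to hold, so a certificate that will be imported at the next poll, or one that has silently dropped out of the metadata, shows up before the swap. The metadata document and the certificate bytes inside it are constructed placeholders (real metadata carries base64-encoded DER X.509 in `ds:X509Certificate`); the `latest_auto_import` helper simply applies the 15- and 60-minute poll intervals stated on this page and is a hypothetical name.

```python
"""Check an IdP federation metadata document for signing-certificate changes.

Added example for this page (not Bentley's tooling). Models the automated
import described above: the metadata is polled on a fixed interval, any
signing certificate not yet known is treated as new, and a certificate that
has disappeared from the metadata is flagged so the operator knows the
relying party can no longer learn it from the URL.
"""
from __future__ import annotations

import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Poll intervals as stated on this page, keyed by connection type.
POLL_INTERVAL_MINUTES = {"ws-fed": 15, "saml": 60}

# Constructed sample certificates: placeholder DER bytes, NOT real X.509
# certificates. Only their identity (fingerprint) matters for this check.
CERT_A = b"placeholder-der-cert-A-current"
CERT_B = b"placeholder-der-cert-B-rotated-in"
CERT_C = b"placeholder-der-cert-C-retired"


def _b64(der: bytes) -> str:
    return base64.b64encode(der).decode()


# Constructed sample metadata. CERT_A is explicitly a signing key, CERT_B sits
# in a KeyDescriptor with no `use` (valid for signing and encryption), and the
# last descriptor is encryption-only and must be ignored by the rotation check.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {_b64(CERT_A)}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{_b64(CERT_B)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{_b64(b"placeholder-encryption-only")}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def signing_certs(metadata_xml: str) -> list[bytes]:
    """Return the DER bytes of every certificate the metadata offers for signing.

    A KeyDescriptor without a `use` attribute applies to both signing and
    encryption, so it is included; `use="encryption"` descriptors are skipped.
    """
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iter(f"{{{NS['md']}}}KeyDescriptor"):
        if kd.get("use") not in (None, "signing"):
            continue
        for cert_el in kd.iter(f"{{{NS['ds']}}}X509Certificate"):
            body = "".join((cert_el.text or "").split())  # drop line breaks/indent
            certs.append(base64.b64decode(body))
    return certs


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of the DER encoding, the usual way to identify a cert."""
    return hashlib.sha256(der).hexdigest()


def diff_against_known(metadata_xml: str, known: set[str]) -> dict[str, list[str]]:
    """Compare signing certs in the metadata with fingerprints already imported."""
    found = {fingerprint(c) for c in signing_certs(metadata_xml)}
    return {
        "new": sorted(found - known),          # will be imported at the next poll
        "retired": sorted(known - found),      # no longer presented in metadata
        "unchanged": sorted(found & known),
    }


def latest_auto_import(protocol: str, published_at_iso: str, has_metadata_url: bool) -> str | None:
    """Worst-case time (ISO 8601) by which a cert newly published in metadata is
    picked up. None means no metadata URL is configured, so the certificate has
    to be handed over manually ahead of expiration."""
    if not has_metadata_url:
        return None
    published = datetime.fromisoformat(published_at_iso)
    return (published + timedelta(minutes=POLL_INTERVAL_MINUTES[protocol.lower()])).isoformat()


if __name__ == "__main__":
    already_imported = {fingerprint(CERT_A), fingerprint(CERT_C)}
    print(diff_against_known(SAMPLE_METADATA, already_imported))
    print(latest_auto_import("saml", "2024-01-01T12:00:00", True))
```

Run against the constructed metadata, the diff reports CERT_B as new (it will be imported at the next poll), CERT_C as retired, and CERT_A as unchanged; the encryption-only certificate never enters the comparison. Against a real IdP, replace `SAMPLE_METADATA` with the fetched metadata body and seed `known` with the fingerprints the relying party confirmed it holds.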

If you would like to avoid the automated method and any potential downtime, you may email IMSTeam@bentley.com and provide the new signing certificate to Bentley ahead of the rotation and we will import the certificate in addition to the existing certificate on our end. We will then notify you that you're free to make the swap on your end at your convenience. 

For OIDC based connections, you are responsible for tracking the expiration and replacement of the client secret for your connection. Please email IMSTeam@bentley.com with any inquiries or when providing a new client secret. For better security when sending a client secret via email, consider navigating to https://1ty.me, creating a message containing the client secret, and then sending an email to IMSTeam@bentley.com with the resulting one-time URL.