Introduction and Requirements
NOTE: Do not use any Bentley Systems application from the Azure store for this setup. Bentley does not currently provide an application that completes this process for you; the setup must be done by following these instructions.
This guide describes how to set up single sign-on (SSO) between Microsoft Azure AD and Bentley's Identity Management System (IMS) for your corporate users.
It assumes that your Azure AD tenant's sign-in endpoint is served over HTTPS (TLS) and that your corporate users can reach it.
For our new federations, we require that your users:
Federation with Azure AD also requires that you set up Bentley's Azure AD User Provisioning Service, which keeps your users' identities in IMS synchronized with your directory from initial provisioning, through any identity updates, to offboarding.
Create the Application in Azure AD
Note: The Azure portal interface changed in early 2019, so your Azure interface may look different from the screenshots depicted below.
Note: A user must have a valid country code in your directory in order to federate; Bentley uses it to determine entitlements, billing, taxes, and more. Additionally, users must be identified in IMS by their UPN (user principal name).
UPN:
Secret: fY-j~4Ymc1~iiy6o0ZvP9IRPhb9BY.Y~Lo
App ID: 3c52b594-9548-492a-9a05-536b650b7285
URL: https://login.microsoftonline.com/fa9d6895-f952-4ec7-b604-0e65ab076d63/v2.0/.well-known/openid-configuration
The Secret is the application's client secret: treat it as a credential, share it with Bentley only over a secure channel, and rotate it in Azure AD if it is ever exposed. The App ID is the application (client) ID. The URL is your tenant's OpenID Connect discovery (metadata) document; the GUID in its path is your tenant ID, and the issuer it advertises must match the tenant you federate.
Example callback (redirect) URI for IMS: https://ims.bentley.com/sp/eyJpc3MiOiJodHRwczpcL1wvbG9naW4ubWljcm9zb2Z0b25saW5lLmNvbVwvMzcwN2M5Y2UtNDlmNC00MDU2LTljY2QtYjIwZDVmMWRmYzVjXC92Mi4wIn0/cb.openid
Example callback (redirect) URI for CONNECT: https://imsoidc.bentley.com/sp/eyJpc3MiOiJodHRwczpcL1wvbG9naW4ubWljcm9zb2Z0b25saW5lLmNvbVwvMzcwN2M5Y2UtNDlmNC00MDU2LTljY2QtYjIwZDVmMWRmYzVjXC92Mi4wIn0/cb.openid
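The path segment between /sp/ and /cb.openid in the example URIs above is not explained on the page. Decoding it shows that it is the base64url encoding (padding stripped) of the JSON object {"iss":"<tenant issuer>"} with the slashes JSON-escaped as \/, where the issuer is https://login.microsoftonline.com/<tenant ID>/v2.0. The script below is an added example written for this page, not Bentley's code: it derives the tenant issuer, the discovery URL and the IMS/CONNECT callback URI from a tenant ID, decodes an existing callback URI back to its issuer, and checks a discovery document's issuer against the expected tenant. The encoding rule is inferred from the page's own example and is assumed to hold for other tenants; the sample discovery document is constructed for the test. Note that the tenant ID in the discovery URL listed above (fa9d6895-...) is not the tenant embedded in the two example callback URIs (3707c9ce-...), so the page's values come from two different tenants and must not be mixed when you register your own application.

```python
import base64
import json
from urllib.parse import urlparse

LOGIN_HOST = "https://login.microsoftonline.com"


def tenant_issuer(tenant_id: str) -> str:
    """Azure AD v2.0 issuer for a tenant (the `iss` claim in its ID tokens)."""
    return f"{LOGIN_HOST}/{tenant_id}/v2.0"


def metadata_url(tenant_id: str) -> str:
    """OpenID Connect discovery document for the tenant (same shape as the page's URL)."""
    return f"{tenant_issuer(tenant_id)}/.well-known/openid-configuration"


def _b64url_nopad(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def redirect_uri(sp_base: str, tenant_id: str) -> str:
    """Build <sp_base>/sp/<token>/cb.openid, where <token> is base64url of
    {"iss":"<issuer>"} with every '/' escaped as '\\/'.
    Encoding rule inferred by decoding the page's example URI (assumption)."""
    payload = '{"iss":"' + tenant_issuer(tenant_id).replace("/", "\\/") + '"}'
    return f"{sp_base}/sp/{_b64url_nopad(payload.encode('ascii'))}/cb.openid"


def issuer_from_redirect_uri(uri: str) -> str:
    """Reverse the encoding: recover the issuer embedded in a callback URI."""
    segments = urlparse(uri).path.strip("/").split("/")
    if len(segments) != 3 or segments[0] != "sp" or segments[2] != "cb.openid":
        raise ValueError("not an IMS-style callback URI")
    token = segments[1] + "=" * (-len(segments[1]) % 4)  # restore padding
    return json.loads(base64.urlsafe_b64decode(token))["iss"]  # json handles \/


def check_metadata_issuer(metadata: dict, tenant_id: str) -> bool:
    """Tenant-confusion guard: the discovery document must advertise exactly the
    issuer of the tenant being federated, not 'common' or another tenant."""
    return metadata.get("issuer") == tenant_issuer(tenant_id)


# Constructed sample discovery document (only the fields used here) for the
# tenant whose discovery URL appears on the page.
SAMPLE_TENANT = "fa9d6895-f952-4ec7-b604-0e65ab076d63"
SAMPLE_METADATA = {
    "issuer": f"{LOGIN_HOST}/{SAMPLE_TENANT}/v2.0",
    "authorization_endpoint": f"{LOGIN_HOST}/{SAMPLE_TENANT}/oauth2/v2.0/authorize",
    "token_endpoint": f"{LOGIN_HOST}/{SAMPLE_TENANT}/oauth2/v2.0/token",
    "jwks_uri": f"{LOGIN_HOST}/{SAMPLE_TENANT}/discovery/v2.0/keys",
}

if __name__ == "__main__":
    tenant = "3707c9ce-49f4-4056-9ccd-b20d5f1dfc5c"  # tenant used in the page's examples
    print("metadata :", metadata_url(tenant))
    print("IMS      :", redirect_uri("https://ims.bentley.com", tenant))
    print("CONNECT  :", redirect_uri("https://imsoidc.bentley.com", tenant))
    print("issuer ok:", check_metadata_issuer(SAMPLE_METADATA, SAMPLE_TENANT))
```

Because the callback URI pins the issuer, registering it for the wrong tenant ID produces a redirect URI that Azure AD will reject or that IMS will not accept for your users; derive it from the same tenant ID that appears in your discovery URL, and verify that the discovery document's issuer matches before sending the values to Bentley.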
Granting Admin Consent (optional):
Setting up federation with OpenID Connect introduces user consent: the first time a user signs in, Azure AD prompts them to consent to IMS reading the necessary details from their Azure AD profile. If you would rather grant this consent on behalf of your users and remove the one-time prompt, an Azure AD administrator can grant admin consent for the application.