
    Microsoft Azure AD configuration for OIDC

    Introduction

    This guide provides instructions for setting up single sign-on (SSO) between Microsoft Azure AD and Bentley's Identity Management System (IMS) for your corporate users.

    This guide assumes that your Azure AD tenant is properly set up on an SSL/TLS endpoint using HTTPS, and that the authentication address is reachable by your corporate users.

    Create the Application in Azure AD

    Note: The Azure interface changed in early 2019, so your Azure portal may look different from the screenshots depicted below.

    • Open your Azure AD portal (https://portal.azure.com/) and log in with administrative privileges.
    • Select “Azure Active Directory” from the left navigation, if not already selected.
    • Choose “App Registrations”.

    • Click “New Registration”.

    • Name it “Bentley IMS”, select “Accounts in this organizational directory only”, leave the Redirect URI empty for now, and click Register.

    Setting up your ID Token 

    • Click “Token Configuration” on the left-hand side.

    • From here, click “Add Optional Claim”.

    • Select the “ID” token type.

    • A list of claims to add will appear. Select ctry, email, family_name, given_name, and upn, then click Add.

    • A warning box will pop up asking whether to turn on Microsoft Graph; tick the checkbox and click Add again.

    Setting up your Client Secret

    • Select the “Certificates & Secrets” option on the left-hand menu

    • Select “New Client Secret”

    • Name it “Bentley Secret” and select an expiration length, hit add –

    • From here, copy the value from the secret, and paste that in a word pad, make sure to label it the Client Secret. This is one of three pieces of information Bentley needs –

    Gathering the rest of the required information

    • Now that we have retrieved the Client Secret value, we still need the App ID and the Federation Metadata URL. To gather the App ID, click “Overview” on the left-hand side. The App ID is immediately visible here; copy it down and label it “App ID”.

    • For the Federation Metadata URL, click “Endpoints” right above that.

    • From there, copy the “OpenID Connect metadata document” URL.

    • You should now have three values saved: a Client Secret, an App ID, and a Metadata URL. The values for this example would look like this:

    Secret: fY-j~4Ymc1~iiy6o0ZvP9IRPhb9BY.Y~Lo
    App ID: 3c52b594-9548-492a-9a05-536b650b7285
    URL: https://login.microsoftonline.com/fa9d6895-f952-4ec7-b604-0e65ab076d63/v2.0/.well-known/openid-configuration

    • Please e-mail your three values to the federation management team at Bentley. We will provide you with two redirect URIs. They will look something like this:

    EXAMPLE FOR IMS: https://ims.bentley.com/sp/eyJpc3MiOiJodHRwczpcL1wvbG9naW4ubWljcm9zb2Z0b25saW5lLmNvbVwvMzcwN2M5Y2UtNDlmNC00MDU2LTljY2QtYjIwZDVmMWRmYzVjXC92Mi4wIn0/cb.openid

    EXAMPLE FOR CONNECT: https://imsoidc.bentley.com/sp/eyJpc3MiOiJodHRwczpcL1wvbG9naW4ubWljcm9zb2Z0b25saW5lLmNvbVwvMzcwN2M5Y2UtNDlmNC00MDU2LTljY2QtYjIwZDVmMWRmYzVjXC92Mi4wIn0/cb.openid
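    As an added example (this is not Bentley's or Microsoft's code), the script below applies the offline checks a federation administrator would want on the three values gathered above, on the redirect URIs Bentley returns, and on the ID-token claims configured under “Token Configuration”. It derives the tenant issuer from the metadata URL, decodes the middle path segment of a redirect URI (decoding the page's two example URIs shows it is base64url-encoded JSON carrying the issuer; that path layout is an assumption drawn from those two examples), and validates a decoded ID-token payload's iss, aud, exp and the five optional claims. Note that the example redirect URIs and the example metadata URL on this page come from different tenants, so the redirect check reports a mismatch for that pair. The sample token claims are constructed; signature verification against the tenant's jwks_uri is out of scope here.

```python
"""Offline sanity checks for the Azure AD -> Bentley IMS OIDC federation values.

Added example, not Bentley's or Microsoft's code. Assumption: the middle path
segment of the redirect URIs shown on this page is base64url-encoded JSON
carrying the tenant issuer (that is what decoding the page's examples yields).
"""
import base64
import json
from urllib.parse import urlparse

# Optional ID-token claims added under "Token Configuration" on this page.
REQUIRED_ID_TOKEN_CLAIMS = {"ctry", "email", "family_name", "given_name", "upn"}

# Values taken from this page's examples (they belong to different tenants).
APP_ID = "3c52b594-9548-492a-9a05-536b650b7285"
METADATA_URL = ("https://login.microsoftonline.com/"
                "fa9d6895-f952-4ec7-b604-0e65ab076d63/v2.0/.well-known/openid-configuration")
IMS_REDIRECT = ("https://ims.bentley.com/sp/"
                "eyJpc3MiOiJodHRwczpcL1wvbG9naW4ubWljcm9zb2Z0b25saW5lLmNvbVwv"
                "MzcwN2M5Y2UtNDlmNC00MDU2LTljY2QtYjIwZDVmMWRmYzVjXC92Mi4wIn0"
                "/cb.openid")


def expected_issuer(metadata_url: str) -> str:
    """A v2.0 tenant's issuer is its discovery URL minus the well-known suffix."""
    suffix = "/.well-known/openid-configuration"
    if not metadata_url.endswith(suffix):
        raise ValueError("not an OpenID Connect discovery URL")
    return metadata_url[: -len(suffix)]


def decode_redirect_issuer(redirect_uri: str) -> str:
    """Recover the issuer that a Bentley redirect URI was generated for (assumed layout)."""
    parts = [p for p in urlparse(redirect_uri).path.split("/") if p]
    if len(parts) != 3 or parts[0] != "sp" or parts[2] != "cb.openid":
        raise ValueError("unexpected redirect URI path shape")
    segment = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(segment))["iss"]


def check_redirect_uri(redirect_uri: str, metadata_url: str) -> list:
    """Findings for a redirect URI against the tenant the metadata URL points at."""
    findings = []
    if urlparse(redirect_uri).scheme != "https":
        findings.append("redirect URI is not HTTPS")
    try:
        embedded = decode_redirect_issuer(redirect_uri)
    except (ValueError, KeyError) as exc:  # binascii/JSON errors are ValueErrors
        return findings + [f"cannot decode redirect URI: {exc}"]
    if embedded != expected_issuer(metadata_url):
        findings.append(f"redirect URI was generated for {embedded}, not this tenant")
    return findings


def check_id_token_claims(claims: dict, metadata_url: str, app_id: str, now: int) -> list:
    """Findings for a decoded ID-token payload (signature checking happens elsewhere)."""
    findings = []
    if claims.get("iss") != expected_issuer(metadata_url):
        findings.append(f"iss {claims.get('iss')!r} is not the configured tenant")
    if claims.get("aud") != app_id:
        findings.append(f"aud {claims.get('aud')!r} is not the registered App ID")
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        findings.append("token is expired or carries no exp")
    missing = REQUIRED_ID_TOKEN_CLAIMS - set(claims)
    if missing:
        findings.append("missing optional claims: " + ", ".join(sorted(missing)))
    return findings


if __name__ == "__main__":
    print("issuer in IMS redirect URI:", decode_redirect_issuer(IMS_REDIRECT))
    print("issuer from metadata URL :", expected_issuer(METADATA_URL))
    for finding in check_redirect_uri(IMS_REDIRECT, METADATA_URL):
        print("finding:", finding)
```

    Run it as-is to see the issuer embedded in the page's example redirect URI; pass your own metadata URL and the URIs Bentley sends back to confirm they were generated for your tenant before pasting them into the app registration.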

    Setting up User Assignment (optional)

    • By default, user assignment is not required, so all users in the directory can use the application. If you wish to change this, from your main Azure AD portal view click “Enterprise Applications” on the left-hand side and select Bentley IMS.

    • Select “Properties” from the left-hand panel and modify the “User Assignment Required” value.

    • From here, you need to assign the appropriate users and groups. Select “Users and Groups” on the left-hand side and add users and groups as needed.

    Inputting the Redirect URIs

    • Once you have received the redirect URIs back from the federation management team at Bentley, you need to input them. From “Overview” on the left-hand side, click “Add a Redirect URI”.

    • Click “Add a Platform” and select “Web”.

    • From here, paste one of the URIs into the space provided.

    • After you set one, a new box will appear where you can add another.

    • After you add the second URI, click “Save” in the top left.

    Configure the Branding page (optional)

    • You may download the Bentley logo image and use it as the application icon.

    © 2021 Bentley Systems, Incorporated