Prerequisite: In order to use this contactless method of renewing your signing certificate, you must have provided Bentley with federation metadata during your federation setup. There is no way for us to provide a confirmation of this to you here. If you're unsure, submit a service request for assistance.
Prerequisite: Your federated connection type must be WS-Fed or SAML based. You can confirm this by generating a request to your IdP from an incognito browser window: go to https://ims.bentley.com/ and provide your username@federateddomain.com. Then check the URL you land on:
WS-Fed : https://login.microsoftonline.com/YOURTENANT-GUID-xxxx-xxxx-xxxxxxxxx/wsfed?wctx=....
SAML : https://login.microsoftonline.com/YOURTENANT-GUID-xxxx-xxxx-xxxxxxxxx/saml2?SAMLRequest=....
OIDC/OAuth : https://login.microsoftonline.com/YOURTENANT-GUID-xxxx-xxxx-xxxxxxxxx/oauth2/v2.0/authorize?...
If your connection type is OIDC, you must submit a service request for assistance to renew your client secret.
Now that you've confirmed that your connection type is either WS-Fed or SAML, you can proceed to the enterprise application that was created on your end to handle the federation to Bentley Systems. From the enterprise application, head to the "Single-Sign On" tab and navigate to section three - "SAML Signing Certificate".
Note: If your Single-Sign On page provides you with a response mentioning that your application does not support SSO, please submit a service request for assistance.
In section three of the SAML Signing Certificate area, you can now hit the "Edit" button and a panel will open up on the right side of your web browser.
Hit the "New Certificate" option. You'll be given the option to choose the expiration period for this certificate. This is up to your team. After the new certificate has been saved, it will automatically populate as an inactive certificate in your metadata. If you'd like to confirm, you can copy the "App Federation Metadata URL" and check the X509 certificates present in your metadata. If the new certificate is not present, double-check that the certificate is now listed as "Inactive" under the "Active" certificate in the editing panel.
Now that your new certificate is present in your metadata, please wait. We check the WS-Fed and SAML metadata provided to us every 15 minutes and 1 hour respectively. After you've waited at least the noted amount of time, you can promote the inactive certificate to active and test your connection.
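The metadata check from the steps above can be scripted before you promote the certificate. This is an added example, not Bentley's or Microsoft's code: it assumes you have saved the XML served at your "App Federation Metadata URL" and that the thumbprint you compare against is the SHA-1 of the DER certificate; the function names and the sample metadata are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"


def signing_thumbprints(metadata_xml):
    """Return unique SHA-1 thumbprints of signing certificates, in document order."""
    root = ET.fromstring(metadata_xml)
    seen = []
    for kd in root.iter(f"{{{MD}}}KeyDescriptor"):
        # A KeyDescriptor without a 'use' attribute also applies to signing.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iter(f"{{{DS}}}X509Certificate"):
            der = base64.b64decode("".join((cert.text or "").split()))
            thumb = hashlib.sha1(der).hexdigest().upper()  # identifier only
            # The same certificate is repeated per role descriptor; list it once.
            if thumb not in seen:
                seen.append(thumb)
    return seen


def new_cert_published(metadata_xml, new_thumbprint):
    """True if the new (still inactive) certificate is already in the metadata."""
    wanted = new_thumbprint.replace(" ", "").replace(":", "").upper()
    return wanted in signing_thumbprints(metadata_xml)


def constructed_metadata(cert_blobs):
    """Build sample metadata from placeholder bytes (constructed, not real certs)."""
    kds = "".join(
        '<KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>'
        + base64.b64encode(blob).decode()
        + "</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>"
        for blob in cert_blobs
    )
    return (
        f'<EntityDescriptor xmlns="{MD}" xmlns:ds="{DS}" entityID="https://sts.example/">'
        '<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        + kds + "</IDPSSODescriptor></EntityDescriptor>"
    )


if __name__ == "__main__":
    old, new = b"constructed-active-cert", b"constructed-inactive-cert"
    xml_doc = constructed_metadata([old, new])
    print(signing_thumbprints(xml_doc))
    print(new_cert_published(xml_doc, hashlib.sha1(new).hexdigest()))
```

If the check returns False, the relying party cannot have picked up the new certificate yet, so promoting it to active at that point would break sign-in until the metadata is next read.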