Bentley Communities - Licensing, Cloud and Web Services Wiki
    Azure AD WS-Fed and SAML contactless signing certificate renewal

    Prerequisite: To use this contactless method of renewing your signing certificate, you must have provided Bentley with your federation metadata during your federation setup (Bentley re-reads that metadata on a schedule, which is how the new certificate is picked up without a service request). There is no way to confirm this from this page. If you're unsure, submit a service request for assistance.

    Prerequisite: Your federated connection type must be WS-Fed or SAML. You can confirm this by starting a sign-in to your IdP from an incognito/private browser window: go to https://ims.bentley.com/, enter your username@federateddomain.com, and check the URL you are redirected to:

    WS-Fed : https://login.microsoftonline.com/YOURTENANT-GUID-xxxx-xxxx-xxxxxxxxx/wsfed?wctx=....

    SAML : https://login.microsoftonline.com/YOURTENANT-GUID-xxxx-xxxx-xxxxxxxxx/saml2?SAMLRequest=....

    OIDC/OAuth : https://login.microsoftonline.com/YOURTENANT-GUID-xxxx-xxxx-xxxxxxxxx/oauth2/v2.0/authorize?...

    If your connection type is OIDC, this procedure does not apply: OIDC federations authenticate with a client secret rather than a signing certificate, so you must submit a service request for assistance renewing that secret.

    Now that you've confirmed that your connection type is either WS-Fed or SAML, proceed to the Azure Portal and navigate to Azure AD.

    From there, open the enterprise application that was created on your end to handle the federation to Bentley Systems.

    In the enterprise application, open the "Single sign-on" blade, go to section three, "SAML Signing Certificate", and click "Edit".

    Note: If the Single sign-on page responds that your application does not support single sign-on, submit a service request for assistance.


    With the SAML Signing Certificate panel open, click "New Certificate".

    You'll be asked to choose an expiration date for the certificate. This is up to your team: a shorter validity period means repeating this rotation sooner, a longer one means a longer window during which a compromised signing key would remain trusted.

    After the new certificate has been saved, it is automatically added to your metadata as an inactive certificate. To confirm, copy the "App Federation Metadata URL" from the same panel and check the X509 certificates present in the metadata; the new certificate should be listed alongside the current one. If it is not present, check that the new certificate is shown as "Inactive" in the editing panel.

    Once your new certificate is present in your metadata, please wait. Bentley re-reads the WS-Fed and SAML metadata provided to it every 15 minutes and every hour respectively. Do not activate the new certificate before that interval has passed: until Bentley has picked up the new public key, tokens signed with it will fail signature validation and federated sign-in will break. After you've waited at least the noted amount of time, promote the inactive certificate to active and test your connection.

    If the connection test was successful, you may delete the old, now inactive certificate. If you have an issue authenticating, revert the change by promoting the old (now inactive) certificate back to active, then submit a service request for assistance rotating your signing certificate.
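    As an added example (not Bentley's or Microsoft's code), the following Python script performs the metadata check described above before you activate the new certificate: it parses an Azure AD federation metadata document, lists every signing certificate by SHA-1 thumbprint (the form the Azure portal displays) and SHA-256, and reports whether a given new certificate is advertised yet. The embedded metadata document and certificate bytes are constructed placeholders (zeroed tenant GUID, non-DER bytes) so the script runs offline; in practice you pass it the XML fetched from your App Federation Metadata URL.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"


def _decode_cert(text: str) -> bytes:
    """Metadata line-wraps the base64 blob; strip every whitespace run first."""
    return base64.b64decode(re.sub(r"\s+", "", text), validate=True)


def signing_certificates(metadata_xml: str) -> list:
    """Return (sha1_thumbprint, sha256_thumbprint, der_bytes) for each signing key.

    Works for both SAML EntityDescriptor and WS-Fed FederationMetadata documents:
    both advertise public keys as md:KeyDescriptor/ds:KeyInfo/ds:X509Data/
    ds:X509Certificate. A KeyDescriptor without a use attribute is valid for
    signing as well, so it is kept; use="encryption" keys are skipped.
    """
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iter(f"{{{MD_NS}}}KeyDescriptor"):
        if kd.get("use") not in (None, "signing"):
            continue
        for x509 in kd.iter(f"{{{DS_NS}}}X509Certificate"):
            der = _decode_cert(x509.text or "")
            certs.append((
                hashlib.sha1(der).hexdigest().upper(),    # thumbprint form the Azure portal shows
                hashlib.sha256(der).hexdigest().upper(),
                der,
            ))
    return certs


def rollover_ready(metadata_xml: str, new_thumbprint: str) -> bool:
    """True once the new certificate (portal SHA-1 thumbprint, any case,
    with or without colons) is advertised in the metadata."""
    wanted = re.sub(r"[^0-9A-F]", "", new_thumbprint.upper())
    return any(sha1 == wanted for sha1, _, _ in signing_certificates(metadata_xml))


# Constructed placeholder "certificates" (not real DER) so the example runs offline.
# Real metadata carries base64 DER here; the thumbprint logic is identical.
OLD_CERT_DER = b"placeholder bytes: currently active signing certificate"
NEW_CERT_DER = b"placeholder bytes: newly created, still inactive signing certificate"
ENC_CERT_DER = b"placeholder bytes: an encryption-only key that must be ignored"


def _wrapped_b64(der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    return "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))


def _key_descriptor(use: str, der: bytes) -> str:
    return (f'<KeyDescriptor use="{use}"><KeyInfo xmlns="{DS_NS}"><X509Data><X509Certificate>\n'
            f"{_wrapped_b64(der)}\n</X509Certificate></X509Data></KeyInfo></KeyDescriptor>")


# Constructed SAML metadata in the shape Azure AD serves; the tenant GUID is a placeholder.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD_NS}"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    {_key_descriptor('signing', OLD_CERT_DER)}
    {_key_descriptor('signing', NEW_CERT_DER)}
    {_key_descriptor('encryption', ENC_CERT_DER)}
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


if __name__ == "__main__":
    for sha1, sha256, der in signing_certificates(SAMPLE_METADATA):
        print(f"SHA-1 {sha1}  SHA-256 {sha256}  ({len(der)} bytes)")
    new_tp = hashlib.sha1(NEW_CERT_DER).hexdigest()
    print("new certificate advertised in metadata:", rollover_ready(SAMPLE_METADATA, new_tp))
```

    To use it against the live document, save the XML returned by your App Federation Metadata URL to a file and pass its contents to signing_certificates(), comparing against the thumbprint the portal shows for the new certificate. Note that the metadata does not say which certificate is currently active, only which public keys a relying party should trust; the active one is shown in the portal. Seeing both thumbprints listed is the confirmation the steps above ask for before you wait out Bentley's polling interval.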

    © 2023 Bentley Systems, Incorporated  |  Contact Us  |  Privacy |  Terms of Use  |  Cookies