Prerequisite: In order to use this contactless method of renewing your signing certificate, you must have provided Bentley with federation metadata during your federation setup. There is no way for us to provide a confirmation of this to you here. If you're unsure, submit a service request for assistance.
Prerequisite: Your federated connection type must be WS-Fed or SAML based. You can confirm this by opening an incognito (private) browser window, going to https://ims.bentley.com/, and entering your username@federateddomain.com; the request is then redirected to your IDP. Check the URL you land on:
WS-Fed : https://login.microsoftonline.com/YOURTENANT-GUID-xxxx-xxxx-xxxxxxxxx/wsfed?wctx=....
SAML : https://login.microsoftonline.com/YOURTENANT-GUID-xxxx-xxxx-xxxxxxxxx/saml2?SAMLRequest=....
OIDC/OAuth : https://login.microsoftonline.com/YOURTENANT-GUID-xxxx-xxxx-xxxxxxxxx/oauth2/v2.0/authorize?...
If your connection type is OIDC, you must submit a service request for assistance to renew your client secret.
Now that you've confirmed that your connection type is either WS-Fed or SAML, you can proceed to the Azure Portal and navigate into Azure AD.
From there, open the enterprise application that was created on your end to handle the federation to Bentley Systems.
From the enterprise application, open the "Single-Sign On" tab, navigate to section three, "SAML Signing Certificate", and hit the "Edit" button.
Note: If your Single-Sign On page provides you with a response mentioning that your application does not support SSO, please submit a service request for assistance.
With the Signing Certificate menu open, hit "New Certificate".
You'll be given the option to choose a length of expiration for this certificate. This is up to your team.
After the new certificate has been saved, it will automatically populate as an inactive certificate in your metadata. If you'd like to confirm, you can copy the "App Federation Metadata URL" and check the X509 certificates present in your metadata. If the new certificate is not present, double check that the certificate is now listed as "Inactive" in the editing panel.
Now that your new certificate is present in your metadata, please wait. We check the WS-Fed and SAML metadata provided to us every 15 minutes and 1 hour respectively. After you've waited at least the noted amount of time, you can promote the inactive certificate to active and test your connection.
If the connection test was successful, you may delete the old, inactive certificate. If you have an issue authenticating, please revert the certificate change by promoting the currently inactive certificate to the active certificate and submit a service request for assistance rotating your signing certificate.
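To make the metadata check in the steps above less error-prone than eyeballing base64, the following added example (not part of this article or of Bentley's tooling) parses a federation metadata document, lists the SHA-1 thumbprint of every signing certificate it advertises in the form the Azure portal displays, and confirms whether a given thumbprint (the new, still-inactive certificate) is present. The sample metadata and certificate bytes are constructed stand-ins; point it at the body of your own "App Federation Metadata URL" to check a real tenant.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"

def signing_cert_thumbprints(metadata_xml: str) -> list:
    """SHA-1 thumbprints (uppercase hex, as the Azure portal shows them) of every distinct
    signing certificate in the metadata, in document order. Azure AD lists the same
    certificates under both the WS-Fed RoleDescriptor and the SAML IDPSSODescriptor,
    so duplicates are collapsed."""
    root = ET.fromstring(metadata_xml)
    seen = []
    for kd in root.iter(MD + "KeyDescriptor"):
        if kd.get("use", "signing") != "signing":  # no 'use' attribute means signing too
            continue
        for cert in kd.iter(DS + "X509Certificate"):
            der = base64.b64decode("".join((cert.text or "").split()))  # tolerate line wrapping
            thumbprint = hashlib.sha1(der).hexdigest().upper()
            if thumbprint not in seen:
                seen.append(thumbprint)
    return seen

def certificate_present(metadata_xml: str, thumbprint: str) -> bool:
    """True if a signing certificate with this thumbprint (colons and case ignored) is advertised."""
    return thumbprint.replace(":", "").upper() in signing_cert_thumbprints(metadata_xml)

def _fake_cert(label: str) -> str:
    # Constructed placeholder bytes standing in for a DER-encoded certificate.
    return base64.b64encode(("constructed DER stand-in: " + label).encode()).decode()

# Constructed sample shaped like Azure AD federation metadata, carrying the current
# active certificate plus the newly created inactive one; not real Bentley or Azure data.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sts.windows.net/TENANT-GUID/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{_fake_cert('active')}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{_fake_cert('new-inactive')}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>"""

if __name__ == "__main__":
    # Replace SAMPLE_METADATA with the text fetched from your App Federation Metadata URL.
    for tp in signing_cert_thumbprints(SAMPLE_METADATA):
        print(tp)
```

If the thumbprint shown for the new certificate in the editing panel is not in this list, Bentley's poller cannot have picked it up yet, regardless of how long you wait.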