Introduction and Requirements
NOTE: This guide has been deprecated and is left on the communities page for reference. All new Azure AD OIDC applications should use this setup guide.
This guide provides instructions for setting up Single Sign-on between Microsoft Azure AD and Bentley's Identity Management System (IMS) for your corporate users.
This guide assumes that your Azure AD tenant is properly set up on an SSL/TLS endpoint using HTTPS, and that the authentication address is reachable by your corporate users.
For our new federations, we require that your users:
Federation with Azure AD also requires that you set up our Azure AD User Provisioning Service to maintain your users' identities from initial provisioning through offboarding, including any updates to those identities in between.
Create the Application in Azure AD
Note: The Azure interface changed in early 2019, so your Azure portal may differ from the screenshots depicted below.
Note: A user must have a valid country code in your directory in order to federate. We use this information to determine proper entitlements, billing, taxes, and more. Additionally, we require that your users be represented inside IMS by their UPN (User Principal Name).
Secret: fY-j~4Ymc1~iiy6o0ZvP9IRPhb9BY.Y~Lo
App ID: 3c52b594-9548-492a-9a05-536b650b7285
URL: https://login.microsoftonline.com/fa9d6895-f952-4ec7-b604-0e65ab076d63/v2.0/.well-known/openid-configuration
EXAMPLE FOR IMS: https://ims.bentley.com/sp/eyJpc3MiOiJodHRwczpcL1wvbG9naW4ubWljcm9zb2Z0b25saW5lLmNvbVwvMzcwN2M5Y2UtNDlmNC00MDU2LTljY2QtYjIwZDVmMWRmYzVjXC92Mi4wIn0/cb.openid
EXAMPLE FOR CONNECT: https://imsoidc.bentley.com/sp/eyJpc3MiOiJodHRwczpcL1wvbG9naW4ubWljcm9zb2Z0b25saW5lLmNvbVwvMzcwN2M5Y2UtNDlmNC00MDU2LTljY2QtYjIwZDVmMWRmYzVjXC92Mi4wIn0/cb.openid
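The callback URLs above embed the Azure AD issuer in their path segment. As an added example (not code from the guide or from Bentley), the following Python derives the v2.0 issuer and discovery URL for a tenant ID, builds the IMS and CONNECT callback URLs, and decodes an existing callback URL back to the tenant it is bound to, so you can confirm that the redirect URI you register in Azure AD matches your own tenant. The path encoding (unpadded base64url of the JSON object {"iss": ...} with forward slashes escaped as "\/") is inferred here by decoding the example URLs above; it is not a format Bentley documents. The host names ims.bentley.com and imsoidc.bentley.com are taken from the examples.

```python
import base64
import json
from urllib.parse import urlparse

# Hosts taken from the example callback URLs in the guide.
IMS_HOST = "ims.bentley.com"
CONNECT_HOST = "imsoidc.bentley.com"
AAD_PREFIX = "https://login.microsoftonline.com/"
AAD_SUFFIX = "/v2.0"


def issuer_for_tenant(tenant_id: str) -> str:
    """Azure AD v2.0 issuer for a tenant; this is the 'iss' claim in its ID tokens."""
    return f"{AAD_PREFIX}{tenant_id}{AAD_SUFFIX}"


def discovery_url_for_tenant(tenant_id: str) -> str:
    """OIDC discovery document URL for the tenant, in the form the guide lists."""
    return issuer_for_tenant(tenant_id) + "/.well-known/openid-configuration"


def encode_issuer_segment(issuer: str) -> str:
    # ASSUMPTION (inferred from the guide's example URLs, not documented by
    # Bentley): the segment is unpadded base64url of {"iss": <issuer>} with
    # every "/" escaped as "\/", exactly as a JSON encoder with escaped
    # slashes would emit it.
    payload = json.dumps({"iss": issuer}, separators=(",", ":")).replace("/", "\\/")
    encoded = base64.urlsafe_b64encode(payload.encode("utf-8")).decode("ascii")
    return encoded.rstrip("=")


def callback_url(host: str, tenant_id: str) -> str:
    """Build the /sp/<segment>/cb.openid callback URL for a host and tenant."""
    segment = encode_issuer_segment(issuer_for_tenant(tenant_id))
    return f"https://{host}/sp/{segment}/cb.openid"


def decode_callback_url(url: str) -> str:
    """Recover the issuer embedded in a callback URL of the shape used above."""
    parts = urlparse(url).path.split("/")
    # Expected path pieces: ['', 'sp', '<segment>', 'cb.openid']
    if len(parts) != 4 or parts[1] != "sp" or parts[3] != "cb.openid":
        raise ValueError("unexpected callback URL shape")
    segment = parts[2]
    padded = segment + "=" * (-len(segment) % 4)  # restore base64 padding
    data = json.loads(base64.urlsafe_b64decode(padded).decode("utf-8"))
    return data["iss"]


def tenant_id_from_callback_url(url: str) -> str:
    """Extract the Azure AD tenant ID the callback URL is bound to."""
    iss = decode_callback_url(url)
    if not (iss.startswith(AAD_PREFIX) and iss.endswith(AAD_SUFFIX)):
        raise ValueError(f"not an Azure AD v2.0 issuer: {iss}")
    return iss[len(AAD_PREFIX):-len(AAD_SUFFIX)]


if __name__ == "__main__":
    # Tenant ID taken from the guide's example callback URLs.
    tenant = "3707c9ce-49f4-4056-9ccd-b20d5f1dfc5c"
    ims = callback_url(IMS_HOST, tenant)
    print("discovery:", discovery_url_for_tenant(tenant))
    print("IMS callback:", ims)
    print("CONNECT callback:", callback_url(CONNECT_HOST, tenant))
    print("bound tenant:", tenant_id_from_callback_url(ims))
```

Run it after registering the application: if the tenant ID recovered from the callback URL IMS gives you differs from the tenant whose discovery URL you configured, the redirect URI is bound to the wrong directory and sign-in will fail at the callback.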
Granting Admin Consent (optional):
Setting up federation using OpenID Connect introduces the concept of user consent. This means that when a user signs in for the first time, the user must grant consent for IMS to access the necessary details of that user's profile from Azure AD. If you'd like to grant consent on behalf of your users and eliminate this one-time consent prompt, you can do so by granting admin consent for the application.