Prerequisite: In order to use this contactless method of renewing your signing certificate, you must have provided Bentley with federation metadata during your federation set up. There is no way for us to provide a confirmation of this to you here. If you're unsure, submit a service request for assistance.
Prerequisite: Your federated connection type must be WS-Fed or SAML based. You can confirm this by generating a request incognito to your IDP by going to https://ims.bentley.com/ and providing your firstname.lastname@example.org. Check the URL:
WS-Fed : https://login.microsoftonline.com/YOURTENANT-GUID-xxxx-xxxx-xxxxxxxxx/wsfed?wctx=....
SAML : https://login.microsoftonline.com/YOURTENANT-GUID-xxxx-xxxx-xxxxxxxxx/saml2?SAMLRequest=....
OIDC/OAuth : https://login.microsoftonline.com/YOURTENANT-GUID-xxxx-xxxx-xxxxxxxxx/oauth2/v2.0/authorize?...
If your connection type is OIDC, you must submit a service request for assistance to renew your client secret.
Now that you've confirmed that your connection type is either WS-Fed or SAML, you can proceed over to the Azure Portal and navigate into Azure AD.
From there, open the enterprise application that was created on your end to handle the federation to Bentley Systems on your end.
From the enterprise application, head to the "Single-Sign On" tab and navigate to section three - "SAML Signing Certificate" and click the "Edit" button.
Note: If your Single-Sign On page provides you with a response mentioning that your application does not support SSO, please submit a service request for assistance.
With the Signing Certificate menu open, click New Certificate:
You'll be given the option to choose a length of expiration for this certificate. This is up to your team.
After the new certificate has been saved, it will automatically populate as an inactive certificate in your metadata. If you'd like to confirm, you can copy the "App Federation Metadata URL" and check the X509 certificates present in your metadata. If the new certificate is not present, double check that the certificate is now listed as "Inactive" in the editing panel.
Now that you new certificate is present in your metadata, please wait. We check the WS-Fed and SAML metadata provided to us every 15 minutes and 1 hour respectively. After you've waited at least the noted amount of time, you can promote the inactive certificate to active and test your connection.
Note: Changing this will not invalidate any users currently issued session. Users who are signed in will stayed signed in, even in the event that something goes wrong. Only users who attempt to sign in after you've changed the signing certificate will observe the effects. The new certificate will be added in addition to your old certificate on our side and the old one will not be deleted.
If the connection test was successful, you may delete the old, inactive certificate. In the event that you have an issue authenticating after promoting the new certificate, please revert the certificate change by promoting the currently inactive certificate back to the active certificate and submit a service request for assistance rotating your signing certificate.