Setting Up Federated Identity for Your Enterprise

Federated identity allows your organization to leverage its existing IT infrastructure to manage user credentials for your Bentley products and services. When one of your users signs into a Bentley product or service, Bentley’s Identity Management System (IMS) trusts your identity provider to validate the user’s credentials.


Not sure if federated identity is right for your organization? See the Benefits of Federation.

How it Works

[Figure: Federation - How it works]

  1. User navigates to a Bentley product or service from their personal device.

  2. User signs into the Bentley product or service (Bentley supports service-provider-initiated sign-in).

  3. Bentley IMS identifies the email domain (via home realm discovery) and delegates the sign-in request to the organization’s identity provider (IdP).

  4. User signs into their IdP and is authenticated. The IdP sends an assertion back to Bentley IMS, which includes user metadata. 

  5. The user’s session is authenticated by Bentley IMS and a signed token is sent to the application.

  6. User is signed into their Bentley product or service.
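The delegation in steps 3 to 5, as an added Python example that is not Bentley's code: home realm discovery on the email domain, an SP-initiated OIDC request to the organization's IdP, and the checks a service provider makes on the returned assertion before issuing its own token. It also applies the requirements listed later on this page (only OIDC or SAML 2.0 connections, primary email as the unique identifier). The domain registry, endpoints, client id and redirect URI are constructed placeholders.

```python
import secrets
from urllib.parse import urlencode

# Constructed registry of federated email domains (placeholder values, not real
# Bentley or customer settings); each domain maps to exactly one IdP connection.
FEDERATED_DOMAINS = {
    "example.com": {"protocol": "oidc", "client_id": "ims-client-placeholder",
                    "authorization_endpoint": "https://login.example.com/authorize"},
    "legacy.example": {"protocol": "ws-fed"},  # no longer accepted for new connections
}
SP_REDIRECT_URI = "https://ims.example.invalid/signin-oidc"  # assumed SP callback

def home_realm(email: str) -> str:
    """Home realm discovery (step 3): the domain part of the sign-in email."""
    local, at, domain = email.strip().lower().rpartition("@")
    if not (at and local and domain):
        raise ValueError("not an email address")
    return domain

def lookup_idp(email: str):
    """IdP connection for the user's domain, or None if the domain is not federated."""
    cfg = FEDERATED_DOMAINS.get(home_realm(email))
    if cfg is not None and cfg["protocol"] not in ("oidc", "saml2"):
        raise ValueError(f"{cfg['protocol']} is not supported for new connections")
    return cfg

def build_oidc_request(email: str) -> dict:
    """SP-initiated OIDC authorization request that delegates sign-in to the IdP."""
    cfg = lookup_idp(email)
    if cfg is None or cfg["protocol"] != "oidc":
        raise ValueError("domain is not federated over OIDC")
    params = {
        "client_id": cfg["client_id"], "response_type": "code",
        "scope": "openid email profile", "redirect_uri": SP_REDIRECT_URI,
        "state": secrets.token_urlsafe(32),  # ties the callback to this request
        "nonce": secrets.token_urlsafe(32),  # must be echoed in the ID token
        "login_hint": email.strip().lower(),
    }
    return {"url": f"{cfg['authorization_endpoint']}?{urlencode(params)}", **params}

def accept_assertion(claims: dict, expected_nonce: str, delegated_domain: str) -> str:
    """Checks the SP should make on the IdP assertion (step 4) before issuing its
    own token (step 5): the nonce matches, and the asserted email belongs to the
    domain the request was delegated for, so one IdP cannot assert another domain's users."""
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    email = claims.get("email", "")
    if home_realm(email) != delegated_domain:
        raise ValueError("asserted email is outside the delegated domain")
    return email.strip().lower()  # primary email is the user's unique identifier
```

Signature verification of the ID token or SAML response against the IdP's published metadata is assumed to happen before `accept_assertion` is called; the example covers only the binding checks around it.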

Setting up Federated Identity with Bentley

  1. Verify your federated identity readiness (see the requirements below).

  2. Configure your IdP.

    a. Set up OIDC here. (Recommended)

    b. Set up SAML 2.0.

  3. Submit the Bentley Federation Request Form. Upon receiving the form, a Bentley Federation Consultant will set up the connection from Bentley's IMS (SP) to your IdP.

  4. Perform acceptance testing of federated identity setup.

  5. Enable federated identity for all Bentley application users at your organization.

  6. Deploy Bentley CONNECTION Client to all desktop users.

  7. Ensure your users sign into the CONNECTION Client.

Benefits of Federation

Federated identity provides a simpler, more secure sign-in experience for your users and less account maintenance for administrators. Benefits of implementing federated identity for your organization include:

  • Improve end-user experience by eliminating the need to remember a separate set of sign-in credentials.

  • Enhance security and lower risk. When a user leaves your organization and is removed from your IdP, they will no longer be able to sign in to your Bentley products and services.

  • Reduce administrative overhead for the creation, updating, and deprovisioning of users.

  • Gain full control over the password policy, including use of multi-factor authentication, for Bentley products as user authentication is managed by your IdP.

  • Automate IMS profile creation with Bentley’s IMS support of just-in-time provisioning of new users.

Want to see if you are eligible to take advantage of these benefits? Fill out the Federation Request Form today.


When considering if federated identity with Bentley is right for your organization, please consider the following requirements and conditions:

  • Your IdP must support OIDC (recommended) or SAML 2.0. Bentley no longer supports new connections based on the WS-Fed protocol.

  • You must supply a publicly available Federation Metadata URL.

  • The user's primary email address is used as the user's unique identifier. Some Bentley applications and services use this email for communication with the user.

  • Your email domain must be federated to a single Bentley account. If your email domain is used by more than one Bentley account, consolidation of these accounts must occur before federated identity can be enabled.

  • Federation is with Bentley's Identity Management System (IMS), which serves as the service provider. All Bentley products and services will be impacted by this federation project. Bentley uses SP-initiated sign-in.

  • Bentley has certified federated identity with Azure AD (recommended) and Microsoft ADFS. 
