Setting Up Federated Identity for Your Enterprise

Federated identity allows your organization to leverage its existing IT infrastructure to manage user credentials for your Bentley products and services. When one of your users signs into a Bentley product or service, Bentley’s Identity Management System (IMS) trusts your identity provider to validate the user’s credentials.


Not sure if federated identity is right for your organization? See the Benefits of Federation.

How it Works


  1. A user navigates to a Bentley product or service from their personal device.

  2. The user signs into a Bentley product or service (Bentley supports service provider-initiated sign-in only).

  3. Bentley IMS identifies the email domain via home realm discovery and delegates the sign-in request to the organization’s identity provider (IdP).

  4. The user signs into their IdP and is authenticated. The IdP sends a security token back to Bentley's IMS, which includes user metadata.

  5. The user’s session is validated by Bentley IMS and a signed token is returned to the application.

  6. The user is signed into their Bentley product or service.
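
The sign-in flow above, as an added example in Python that is not Bentley's code: a service provider resolves the IdP from the email domain and accepts a token only in answer to a request it started, which is what SP-initiated-only means in practice. The realm table, the claim names (including `country`, assumed to be a two-letter code for the country code this page requires) and all function names are hypothetical, and signature verification is assumed to happen before `complete_sign_in`.

```python
import secrets

# Constructed realm table: email domain -> expected IdP issuer (hypothetical values).
REALMS = {"example.com": "https://idp.example.com", "example.org": "https://login.example.org"}
_pending = {}  # state -> request context created by the SP


class FederationError(Exception):
    pass


def _domain(email):
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise FederationError("malformed email")
    return domain.lower()


def begin_sign_in(email):
    """Steps 2-3: home realm discovery, then an SP-issued request bound to state/nonce."""
    domain = _domain(email)
    issuer = REALMS.get(domain)
    if issuer is None:
        raise FederationError("domain is not federated")
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    _pending[state] = {"domain": domain, "issuer": issuer, "nonce": nonce}
    return {"issuer": issuer, "state": state, "nonce": nonce}


def complete_sign_in(state, claims):
    """Steps 4-5: accept a token only as the answer to a request this SP started.

    Assumes the token signature was already verified against the IdP's published keys.
    """
    ctx = _pending.pop(state, None)  # single use: unsolicited or replayed responses fail here
    if ctx is None:
        raise FederationError("no matching SP-initiated request")
    if claims.get("iss") != ctx["issuer"] or claims.get("nonce") != ctx["nonce"]:
        raise FederationError("issuer or nonce mismatch")
    if _domain(claims.get("email", "")) != ctx["domain"]:
        raise FederationError("IdP asserted a user outside its own domain")
    country = claims.get("country", "")  # hypothetical claim name, assumed two-letter code
    if not (len(country) == 2 and country.isalpha() and country.isupper()):
        raise FederationError("missing or invalid country code")
    return {"user": claims["email"].lower(), "country": country, "idp": ctx["issuer"]}
```

The domain check matters in any multi-tenant federation: without it, one customer's IdP could assert an identity in another customer's email domain.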

Setting up Federated Identity with Bentley

  1. Verify your federated identity readiness. (See prerequisites below)

  2. Configure your IdP.

    a. Set up OIDC. (Recommended)

    b. Set up SAML 2.0.

  3. Submit the Bentley Federation Request Form. Upon receiving the form, a Bentley Federation Consultant will set up the connection from Bentley’s IMS (SP) to your IdP.

  4. Perform acceptance testing of federated identity setup.

  5. Enable federated identity for all Bentley application users at your organization.

  6. Deploy Bentley CONNECTION Client to all desktop users.

  7. Ensure your users sign into the CONNECTION Client.

Benefits of Federation

Federated identity provides a simpler, more secure sign-in experience for your users and less account maintenance for administrators. Benefits of implementing federated identity for your organization include:

  • Improving end-user experience by eliminating the need to remember a separate set of sign-in credentials.

  • Enhancing security and lowering risk. When a user leaves your organization and is removed from your IdP, they will no longer be able to sign in to your Bentley products and services.

  • Reducing administrative overhead for the management of users in Bentley IMS.

  • Gaining full control over the password policy, including use of multi-factor authentication, for Bentley products, as user authentication is managed by your IdP.

  • Automating IMS profile creation with Bentley’s IMS support of just-in-time provisioning of new users.



Prerequisites

  • All users in your directory must have a valid country code which can be passed to Bentley. This is used to ensure that the data is properly secured in accordance with local laws, provide proper entitlements, and to ensure that billing and taxes are correct for each user.

  • Your IdP must support OIDC (recommended) or SAML 2.0. Bentley no longer supports new connections based on the WS-Fed protocol.

  • You must supply a publicly available Federation Metadata URL.

  • Federation is with Bentley’s Identity Management System (IMS), which serves as a service provider. All Bentley products and services will be impacted by this federation project. Bentley utilizes and only supports SP-initiated federations.


Want to see if you are eligible to take advantage of these benefits? Fill out the Federation Request Form today.

