
Federation


Setting Up A Federated Identity for Your Enterprise

Federated identity allows your organization to leverage its existing IT infrastructure to manage user credentials for your Bentley products and services. When one of your users signs into a Bentley product or service, Bentley’s Identity Management System (IMS) trusts your identity provider to validate the user’s credentials.

Benefits of Federation

Federated identity provides a simpler, more secure sign-in experience for your users and less account maintenance for administrators. The benefits of implementing federated identity for your organization include:

  • Improving end-user experience by eliminating the need to remember a separate set of sign-in credentials
  • Enhancing security and lowering risk. When a user leaves your organization and is removed from your identity provider (IdP), they can no longer sign in to your Bentley products and services
  • Reducing administrative overhead for the management of users in Bentley IMS
  • Gaining full control over the password policy, including use of multi-factor authentication, for Bentley products as user authentication is managed by your IdP
  • Automating IMS profile creation through Bentley IMS support for just-in-time (JIT) provisioning of new users

Want to see if you are eligible to take advantage of these benefits?


How It Works

(Figure: How it works)

  1. Navigate to a Bentley product or service from a personal device.
  2. Sign in (Bentley supports service provider-initiated sign-in only).
  3. Bentley IMS identifies the email domain via home realm discovery and delegates the sign-in request to the organization’s IdP.
  4. The user signs in to their IdP and is authenticated. The IdP sends a security token, which includes the user's metadata, back to Bentley's IMS.
  5. The user’s session is validated by Bentley IMS and a signed token is returned to the application.
  6. The user is signed in to their Bentley product or service.

Setting up Federated Identity with Bentley

  1. Verify your federated identity readiness. (See Prerequisites below.)
  2. Configure your Identity Provider (IdP) with OIDC.
  3. Submit the Bentley Federation Request Form. Upon receiving the form, a Bentley Federation Consultant will set up the connection from Bentley’s IMS (SP) to your IdP.
  4. Perform acceptance testing of federated identity setup.
  5. Enable federated identity for all Bentley application users at your organization.
  6. Deploy the Bentley CONNECTION Client to all desktop users.
  7. Ensure your users sign in to the CONNECTION Client.

Prerequisites

  • All users in your directory must have a valid country code that can be passed to Bentley. This is used to ensure that the data is properly secured in accordance with local laws, provide proper entitlements, and ensure that billing and taxes are correct for each user.
  • Your Identity Provider must support Open ID Connect (OIDC). Bentley no longer supports new connections based on the SAML or WS-Fed protocol.
  • Federation is with Bentley’s Identity Management System (IMS), which acts as the service provider (SP). All Bentley products and services are affected by this federation project. Bentley supports SP-initiated federation only.
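The sign-in flow described under How It Works (steps 3 to 5) and the country-code prerequisite above, as an added Python example that is not Bentley's or IMS's code: it simulates home realm discovery from the e-mail domain, the SP-initiated authorization request with fresh state and nonce, validation of the IdP's ID token (signature, issuer, audience, nonce, expiry) and just-in-time profile creation that rejects a user whose country code is missing or invalid. Every endpoint, client id, signing key, claim name and the country list are constructed assumptions, and HMAC signing stands in for the asymmetric signature and JWKS lookup a real IdP connection uses.

```python
"""Simulated SP-initiated OIDC federation (added example, not Bentley code)."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import urlencode

# Home realm discovery table (constructed): e-mail domain -> federated IdP settings.
HRD_TABLE = {
    "example.com": {
        "issuer": "https://idp.example.com",
        "authorize_endpoint": "https://idp.example.com/authorize",
        "client_id": "sp-client-id-example",
        # Shared HMAC key stands in for the IdP signing key (HS256 keeps the demo
        # offline; a real SP verifies RS256/ES256 against the IdP's JWKS).
        "signing_key": b"constructed-demo-key",
    }
}
SP_REDIRECT_URI = "https://sp.example.invalid/signin-oidc"      # constructed
VALID_COUNTRY_CODES = {"US", "GB", "DE", "IN", "AU"}            # constructed subset


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def discover_realm(email: str):
    """Step 3: map the e-mail domain to an IdP; None means the domain is not federated."""
    if email.count("@") != 1:
        return None
    domain = email.rsplit("@", 1)[1].strip().lower()
    return HRD_TABLE.get(domain)


def build_authorization_request(email: str, state=None, nonce=None):
    """Step 3: SP-initiated redirect to the IdP; state and nonce bind the response."""
    realm = discover_realm(email)
    if realm is None:
        raise ValueError("domain is not federated; use local IMS sign-in")
    state = state or secrets.token_urlsafe(16)
    nonce = nonce or secrets.token_urlsafe(16)
    params = {"response_type": "code", "client_id": realm["client_id"],
              "redirect_uri": SP_REDIRECT_URI, "scope": "openid email profile",
              "state": state, "nonce": nonce, "login_hint": email}
    return realm["authorize_endpoint"] + "?" + urlencode(params), state, nonce


def issue_id_token(claims: dict, key: bytes) -> str:
    """Step 4 (IdP side, simulated): sign the claims as an HS256 JWT."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def validate_id_token(token: str, realm: dict, expected_nonce: str, now=None) -> dict:
    """Step 5 (SP side): accept the token only if it is signed by this IdP, meant
    for this SP, tied to this sign-in attempt and not expired."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, body, sig = parts
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")        # never honour alg=none or a swapped alg
    expected = hmac.new(realm["signing_key"], f"{header}.{body}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != realm["issuer"]:
        raise ValueError("issuer mismatch")
    if claims.get("aud") != realm["client_id"]:
        raise ValueError("audience mismatch")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: replayed or cross-session token")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def provision_profile(claims: dict) -> dict:
    """JIT provisioning with the country-code prerequisite enforced."""
    country = str(claims.get("country", "")).upper()
    if country not in VALID_COUNTRY_CODES:
        raise ValueError(f"missing or invalid country code: {country!r}")
    return {"email": claims["email"], "name": claims.get("name", ""), "country": country}


def federated_sign_in(email: str, idp_claims: dict, now=None, nonce=None) -> dict:
    """Steps 3 to 6 end to end against a simulated IdP response."""
    _url, _state, nonce = build_authorization_request(email, nonce=nonce)
    realm = discover_realm(email)
    token = issue_id_token({**idp_claims, "iss": realm["issuer"],
                            "aud": realm["client_id"], "nonce": nonce},
                           realm["signing_key"])
    return provision_profile(validate_id_token(token, realm, nonce, now=now))


if __name__ == "__main__":
    sample = {"email": "alice@example.com", "name": "Alice", "country": "US",
              "exp": int(time.time()) + 300}                    # constructed claims
    print(federated_sign_in("alice@example.com", sample))
```

The checks in validate_id_token are the ones that make SP-initiated federation safe in practice: the nonce ties the returned token to the request the SP itself started, the audience check stops a token minted for another client from being accepted, and the issuer check keeps one federated domain's IdP from asserting identities for another. The country check mirrors the prerequisite that every directory user carries a valid country code before JIT provisioning can create an IMS profile.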

Fill out the Federation Request Form today.
