Configuring host authentication settings

As a system administrator, you can choose the authentication and related default security settings for your entire Automation Suite installation. These settings are inherited by all organizations as default.

Note:

This article walks you through the steps for configuring global authentication and security settings. If you want to configure organization-level settings, i.e., settings that apply to one organization, see documentation on .

See an overview of organization-level and host-level configuration.

Global authentication settings (host level)

The platform allows you to configure an external identity provider to control how your users sign in. Settings here apply to all organizations.

The following table provides an overview of the different host-level external providers available:

External Provider Integration	Authentication	Directory Search	Administrators Provisioning
Active Directory and Windows Authentication	Administrators can use SSO with Windows Authentication using the Kerberos protocol	Administrators can search for users from the Active Directory	For a user to be able to login, either the user or a group that the user is a member of should already be added to Automation Suite. Active Directory users and groups are available in Automation Suite through directory search.
Azure Active Directory	Administrators can use SSO with Azure AD using the OpenID Connect protocol	Not supported	Users must be manually provisioned into the Automation Suite. with an email address matching their Azure AD account.
Google	Users can use SSO with Google using the OpenID Connect protocol	Not supported	Users must be manually provisioned into the Automation Suite organization with an email address matching their Google account.
SAML 2.0	Users can use SSO with any Identity Provider that supports SAML	Not supported	Users must be manually provisioned into the Automation Suite organization with a username/email/external provider key (as configured in their external identity provider configuration) matching their SAML account.

Note: Differences between integrating Azure AD at host-level and organization-level: The host-level only enables SSO functionality. The organization-level enables SSO, directory search, and automatic user provisioning.

Allowing or restricting basic authentication

Basic authentication refers to signing in with the username and password of a local account.

If basic authentication is restricted, your users can only log in with their directory account, as defined in the external identity provider. Otherwise, users can log in with both their local accounts, if any, and their directory accounts.

Configuration levels and inheritance

This option can be configured:

at the host level, as described below.

When set at the host level, the setting applies to all organizations and all their accounts, except if the basic authentication setting at the organization or account level was not explicitly set differently.
for system administrator accounts, as described below.

Even when all organizations are restricted from using basic authentication, you can allow system administrators only to bypass this restriction.
at the organization level, as described in Configuring authentication and security.

If set at the organization level, the organization-level setting overrides the host-level setting for only that organization. The setting for an organization applies to all accounts that belong to that organization, except accounts for which basic authentication is set differently at the account level.
at the account level, as described in Adding accounts.

If set at the account level, the account-level setting overrides the host-level and organization-level basic authentication setting for only that account.

Setting basic authentication at the host level

Note: This setting is only available if an external provider integration is enabled at the host level.

When set at the host level, the setting applies to all organizations and all their accounts. Set it according to the preference or recommendation across your company.

For exceptions, basic authentication can also be set at the organization or account level where you want this setting to apply differently.

To allow or restrict basic authentication for all organizations and all accounts, follow the instructions that apply to your user interface settings.

Configuring basic authentication for host administrators

Log in to the host portal as a system administrator.
Make sure that Host is selected at the top of the left pane.
Click Security.
Click the Basic sign-in toggle to change if basic authentication is allowed or not.
- If on (right toggle position, blue toggle), basic authentication is allowed. While allowed, the Allow basic authentication for the host administrators checkbox is available.
- If off (left toggle position, gray toggle), basic authentication is restricted.
Under Basic sign-in, select or clear the Allow basic authentication for the host administrators checkbox.
- If selected, basic authentication is allowed for system administrators. Even when basic authentication is not allowed through the configuration of an external provider, as an exception, it is allowed for system administrator accounts only.
- If cleared, basic authentication is not allowed for system administrators either.
At the bottom-right, click Save to apply your changes.

Recovering from lock out

When basic sign-in (basic authentication) is disabled, it is possible to get locked out if you lose access to your directory account.

To recover from this situation, go to https://<FQDN>/host/orchestrator_/account/hostlogin and log in using your basic authentication credentials.

Configuring Security Options

Note: The settings you specify here are inherited by all organizations in your installation as default, but organization administrators can overwrite these settings as needed at the level of the individual organization.

To configure security options for your Automation Suite installation:

Log in to the host portal,
Make sure that Host is selected at the top of the left pane, and then click Security.
Under Basic sign-in, click Edit password policy.
Update the settings as needed. See the following sections for details about each option.

Password complexity

Note: Changes that you make to the Password complexity settings do not affect existing passwords.

Field	Description
Special characters	Select to force users to include at least one special character in their password. By default, this checkbox is not selected.
Lowercase characters	Select to force users to include at least one lowercase character in their password. By default, this checkbox is selected.
Uppercase characters	Select to force users to include at least one uppercase character in their password. By default, this checkbox is not selected.
Digits	Select to force users to include at least one digit in their password. By default, this checkbox is selected.
Minimum password length	Specify the minimum number of characters a password should contain. By default, it is 8. The length cannot be smaller than 1 or greater than 256 characters.
Days before password expiration	Specify the number of days for which the password is available. After this period, the password expires and needs to be changed. The minimum accepted value is 0 (the password never expires), and the maximum is 1000 days.
Number of times a password can be reused	The minimum accepted value is 0 (never allow reusing a password), while the maximum is 10.
Change password on the first login	If set to Required, users that log in for the first time must change their password before being allowed to access Automation Suite. If set to Not required, users can log in and continue to use the admin-defined password until it expires.

Account lockout

Field	Description
Enabled or Disabled toggle	If enabled, locks the account for a specific amount of seconds after a specific amount of failed login attempts. This also applies to the password change feature.
Account lockout duration	The number of seconds a user needs to wait before being allowed to log in again after exceeding the Consecutive login attempts before lockout. The default value is 5 minutes. The minimum accepted value is 0 (no lockout duration), and the maximum is 2592000 (1 month).
Consecutive login attempts before lockout	The number of failed login attempts allowed before the account is locked. The default value is 10 attempts. You can set a value between 2 and 10.

Session policy

Setting the idle timeout

The value set for idle timeout represents the amount of time a user can be inactive before their session is disconnected and they are singed out.

To set the idle timeout:

Go to Admin, at host level, and then select Security.
The Security Settings page for the organization opens.
Along the top, select the Session Policy tab.
If not already enabled, click the toggle next to Enable Idle Timeout to enable this setting.
Under Timeout settings, set the number of minutes, hours, or days.
Click Save in the bottom right corner of the page.

A confirmation message appears in the top right after the change is applied.

Restrict or allow concurrent sessions

This feature governs user sessions within web browsers. It determines whether a user can have more than one active session at the same time.

If the Limit Concurrent Sessions option is enabled, it restricts users to a single active session at any given time. If a user is already logged in and attempts to log in from another browser or device, the previous session is terminated.
If the Limit Concurrent Sessions option is disabled, users can log in from different browsers or devices simultaneously. Each login is treated as a separate session, and users can switch between them without being automatically disconnected from the previous sessions.

To change concurrent sessions settings:

Go to Admin, select your organization, and then select Security.

The Security Settings page for the organization opens.
Along the top, select the Session Policy tab.
Click the toggle next to Limit Concurrent Sessions to enable or disable this setting.
Click Save in the bottom right corner of the page.