Configuring identity providers
Choosing the identity provider for your organization affects the way users sign in, and how user and group accounts are created and managed for Automation Suite.
Models
While we offer several authentication settings for you to control access to your instance of Automation Suite, they are all based on two main models: the default model and the Azure Active Directory (Azure AD) model, which lets you leverage more advanced identity management capabilities.
Allow any user to sign in using basic authentication (Default model)
With this model, organization administrators create user accounts for employees in Automation Suite so that they can log in.
The accounts that are created may represent a local account in Automation Suite, or a user in the external directory provider configured at the host level (as documented in Host authentication and security settings.)
Enable enterprise SSO with Microsoft Azure Active Directory (Azure Active Directory model)
The integration with Azure Active Directory (Azure AD) can offer scalable user and access management for your organization, allowing for compliance across all the internal applications used by your employees. If your organization is using Azure AD or Office 365, you can connect your Automation Suite organization directly to your Azure AD tenant to obtain the following benefits:
Automatic user onboarding with seamless migration
All users and groups from Azure AD are readily available for any Automation Suite service to assign permissions, without the need to invite and manage Azure AD users in the Automation Suite organization directory.
You can provide Single Sign-On for users whose corporate username differs from their email address, which is not possible with the invitation model.
All existing users with UiPath user accounts have their permissions automatically migrated to their connected Azure AD account.
Simplified sign-in experience
Users do not have to accept an invitation or create a UiPath user account to access the Automation Suite organization as in the default model. They sign in with their Azure AD account by selecting the Enterprise SSO option or using their organization-specific URL.
If the user is already signed in to Azure AD or Office 365, they are automatically signed in.
UiPath Assistant and Studio versions 20.10.3 and higher can be preconfigured to use a custom Automation Suite URL, which leads to the same seamless connection experience.
Scalable governance and access management with existing Azure AD groups
Azure AD security groups or Office 365 groups, also known as directory groups, allow you to leverage your existing organizational structure to manage permissions at scale. You no longer need to configure permissions in Automation Suite services for each user.
You can combine multiple directory groups into one Automation Suite group if you need to manage them together.
Auditing Automation Suite access is simple. After you've configured permissions in all Automation Suite services using Azure AD groups, you utilize your existing validation processes associated with Azure AD group membership.
Note:
While on the Azure AD model, you can continue to use all the features of the default model. But to maximize the benefits, we recommend relying exclusively on centralized account management from Azure AD.
If you would like to use Azure Active Directory as the identity provider for your organization, follow the instructions in Setting up the Azure AD integration.
SAML model
This model allows you to connect Automation Suite to your chosen identity provider (IdP) so that:
- your users can benefit from single sign-on (SSO) and
- you can manage existing accounts from your directory in Automation Suite, without having to re-create identities.
Automation Suite can connect to any external identity provider that uses the SAML 2.0 standard.
Benefits
Automatic onboarding of users to Automation Suite
All users from your external identity provider are authorized to sign in to Automation Suite with basic rights when the SAML integration is active. What this means is:
Users can sign in to your Automation Suite organization via SSO using their existing company account, as defined in the IdP.
Without any further setup, they become members of the Everyone user group, which grants them the User organization role by default. To be able to work in Automation Suite, users require roles and licenses, as appropriate for their role.
If you need to restrict access to only some of your users, you can define the set of users who are allowed to access Automation Suite in your identity provider.
User management
You can add users by directly assigning them to Automation Suite groups, to do this all you have to do is enter their email address when adding users to the group.
Typically, administrators manage local accounts from Admin > Accounts & Groups > Users tab. But SAML users are directory accounts in Automation Suite, so they are not visible on this page.
After a user has been added to a group or they have signed in at least once (which automatically adds them to the Everyone group), they are available in search in all services across Automation Suite for direct role or license assignment.
Attribute mapping
If you use UiPath Automation Hub, you can define custom attribute mapping to propagate attributes from your identity provider into Automation Suite. For example, when an account is first added to Automation Hub, the first name, last name, email address, job title, and department of the user are already populated.
Setup
Administrators can configure and enable the SAML integration for your entire organization.
For instructions, see Configuring the SAML integration.
Transitioning from the Azure AD integration to the SAML integration
After switching to the SAML integration, the Azure AD integration is disabled. Azure AD group assignments no longer apply, so Automation Suite group membership and the permissions inherited from Azure AD are no longer respected.
Allowing or restricting basic authentication
Basic authentication, or basic sign-in, refers to signing in with the username and password of a local account.
If basic authentication is restricted, your users can only log in with their directory account, as defined in the external identity provider. Otherwise, users can log in with both their local accounts, if any, and their directory accounts.
Also see Configuration levels and inheritance for more information about this setting.
Setting basic authentication at the organization level
This setting is only available if an external provider integration is enabled at the host or organization level.
When set at the organization level, the setting applies to all accounts in the organization.
For exceptions, basic authentication can also be set at the account level where you want this setting to apply differently.
To allow or restrict basic authentication for your organization:
- Log in to the organization-level Management portal at
https://<server>/identity/managementas an organization administrator. - Go to Admin and make sure that the organization is selected at the top of the left pane.
- Click Security.
The Security Settings page for the organization opens on the Authentication Settings tab. - Click the Basic sign-in toggle to restrict or allow sign in using basic authentication:
- If on (right toggle position, blue toggle), basic authentication is allowed.
- If on (left toggle position, gray toggle), basic authentication is restricted.
- At the bottom-right, click Save to apply your changes.
Old admin experience
If you are still using the old admin experience, follow these instructions instead:
- Log in to the organization-level Management portal at
https://<server>/identity/managementas an organization administrator. - Go to Admin and select Security Settings.
- Under External Providers, click the Disable basic authentication for the organizations toggle to restrict or allow sign in using basic authentication:
- If off (left toggle position, gray toggle), basic authentication is allowed.
- If on (right toggle position, blue toggle), basic authentication is restricted.
- At the bottom-right of the External Providers section, click Save to apply your changes.
Configuring security options
To configure security options for your organization, go to Admin > organization > Security and, under Basic sign-in, click Edit password policy, where you can edit the options as needed.
If you are still using the old admin experience, go to Admin and select Security Settings on the left. The options are displayed in the Security section.
Password complexity
Editing the Password complexity settings does not affect existing passwords.
| Field | Description |
|---|---|
| Special characters | Select to force users to include at least one special character in their password. By default, this checkbox is not selected. |
| Lowercase characters | Select to force users to include at least one lowercase character in their password. By default, this checkbox is selected. |
| Uppercase characters | Select to force users to include at least one uppercase character in their password. By default, this checkbox is not selected. |
| Digits | Select to force users to include at least one digit in their password. By default, this checkbox is selected. |
| Minimum password length | Specify the minimum number of characters a password should contain. By default, it is 8. The length cannot be smaller than 1 or greater than 256 characters. |
| Days before password expiration | Specify the number of days for which the password is available. After this period, the password expires and needs to be changed. The minimum accepted value is 0 (the password never expires), and the maximum is 1000 days. |
| Number of times a password can be reused | The minimum accepted value is 0 (never allow reusing a password), while the maximum is 10. |
| Change password on the first login | If set to Required, users that log in for the first time must change their password before being allowed to access Automation Suite. If set to Not required, users can log in and continue to use the admin-defined password until it expires. |
Account lockout
| Field | Description |
|---|---|
| Enabled or Disabled toggle | If enabled, locks the account for a specific amount of seconds after a specific amount of failed login attempts. This also applies to the password change feature. |
| Account lockout duration | The number of seconds a user needs to wait before being allowed to log in again after exceeding the Consecutive login attempts before lockout. The default value is 5 minutes. The minimum accepted value is 0 (no lockout duration), and the maximum is 2592000 (1 month). |
| Consecutive login attempts before lockout | The number of failed login attempts allowed before the account is locked. The default value is 10 attempts. You can set a value between 2 and 10. |
Updated 26 days ago