- Démarrage
- Meilleures pratiques
- Modélisation de l'organisation dans Orchestrator
- Gestion de grands déploiements
- Meilleures pratiques d'automatisation
- Optimisation de l'infrastructure Unattended à l'aide de modèles de machine
- Organisation des ressources avec des balises
- Réplica Orchestrator en lecture seule
- Exportation des grilles dans l'arrière-plan
- Locataire
- À propos du contexte du locataire
- Recherche de ressources dans un locataire
- Gestion des Robots
- Connexion des Robots à Orchestrator
- Enregistrement des identifiants du Robot dans CyberArk
- Stockage des mots de passe de l’Unattended Robot dans Azure Key Vault (lecture seule)
- Stockage des informations d’identification de l’Unattended Robot dans HashiCorp Vault (lecture seule)
- Stockage des informations d'identification du robot Unattended dans AWS Secrets Manager (lecture seule)
- Suppression des sessions Unattended déconnectées et qui ne répondent pas
- Authentification du Robot
- Authentification du Robot avec les informations d'identification du client
- Authentification par carte à puce
- Configurer les capacités d’automatisation
- Audit
- Paramètres - Niveau du locataire
- Service de catalogue de ressources
- Contexte des dossiers
- Automatisations
- Processus (Processes)
- Tâches (Jobs)
- Déclencheurs (Triggers)
- Journaux (Logs)
- Surveillance
- Files d'attente (Queues)
- Actifs
- Compartiments de stockage
- Tests d'Orchestrator
- Autres configurations
- Intégrations
- Administration de l'hôte
- À propos du niveau de l’hôte
- Gestion des administrateurs système
- Gestion des locataires
- Configuration des notifications par e-mail du système
- Journaux d'audit pour le portail hôte
- Mode de Maintenance
- Administration de l'organisation
- Résolution des problèmes
Guide de l'utilisateur d'Orchestrator
À propos d'Identity Server
UiPath® Identity Server is the authentication service of standalone Orchestrator. It provides secure authentication and token issuance for Orchestrator and its management portals. Identity Server implements OAuth 2.0 and OpenID Connect standards and integrates with enterprise identity systems such as Active Directory. Check out the following diagram for understanding how Identity Server operates in standalone Orchestrator.
Figure 1. Identity Server diagram
Role within Orchestrator
Identity Server is responsible for:
- Authenticating users and applications accessing Orchestrator
- Issuing access and identity tokens
- Supporting OAuth 2.0 and OpenID Connect flows
- Integrating with external identity providers (for example, Active Directory, SAML providers)
- Enabling single sign-on (SSO)
- Securing communication between Orchestrator and the Identity Management Portal
Orchestrator and its management portals rely on Identity Server for authentication.
Authentication flow in Orchestrator
- Authentification de l’utilisateur
When a user accesses Orchestrator or the Identity Management Portal:
- The request is redirected to Identity Server.
- Identity Server validates the user against:
- Local accounts, or
- External identity providers (for example, Active Directory, SAML).
- Upon successful authentication, Identity Server issues a security token.
- Token-based access
After authentication:
- An OAuth access token is issued.
- The token accompanies subsequent requests to Orchestrator.
- Orchestrator validates the token.
- Authorization is determined based on roles and permissions. Identity Server handles authentication. Orchestrator enforces authorization.
Active Directory and Kerberos integration
In domain-joined environments, standalone Orchestrator supports Kerberos-based authentication:
- The client resolves the Orchestrator host name using DNS.
- The client obtains a Kerberos Ticket Granting Ticket (TGT) from Active Directory.
- The client requests a service ticket for the configured Service Principal Name (SPN).
- The IIS web server validates the Kerberos ticket.
- Identity Server processes the authenticated identity and issues a platform token.
This enables seamless single sign-on in enterprise Windows environments.
High availability considerations
In multi-node deployments:
- Identity Server runs on multiple nodes behind a load balancer.
- Clients access Orchestrator and Identity Server through a shared load balancer host name.
- Redis is used to cache OAuth client data and session state across nodes, ensuring consistent authentication across the cluster.
- The Service Principal Name (SPN) must match the load balancer host name when Kerberos is used.
- When changing from a single-node to a multi-node setup, the Identity Server public URL must be updated in the database and in the UiPath.Orchestrator.dll.config file.
Authentification de l’application externe
Orchestrator supports secure access for:
- Applications externes
- API integrations
- Robot-to-Orchestrator communication
Applications authenticate using supported OAuth flows (such as ROPC) and receive tokens from Identity Server.
Security model
Standalone Orchestrator uses a centralized authentication model:
- Identity Server performs authentication.
- Orchestrator enforces authorization.
- Token-based access secures APIs and the Orchestrator UI.
- Integration with external identity providers (Active Directory, SAML) supports enterprise security requirements.