UiPath Installation and Upgrade

The UiPath Installation and Upgrade Guide

Identity Server AppSettings.json

The appsettings.json file (C:\Program Files (x86)\UiPath\Orchestrator\Identity) contains the out-of-the-box configuration settings for Identity Server. A second file in the same folder with the same structure, appsettings.Production.json, holds your instance-specific Identity Server settings.

Important!

To configure Identity Server, modify appsettings.Production.json, not appsettings.json. Values in appsettings.Production.json take precedence over any pre-existing setting in appsettings.json, and they continue to do so after each installation process.

Note:

It is recommended that only administrators change the values of these parameters.

Stop the IIS server before modifying appsettings.Production.json, regardless of which setting you change.

Parameters that are not documented on this page should not be changed.

All parameters are case sensitive.

Settings Priority

Settings can be configured in multiple places. Here are the priorities used by Identity Server when determining the value of a setting, listed from high (1) to low (3):

  1. Value within the appsettings.Production.json file
  2. Value within the appsettings.json file
  3. Default value set in the code. Used only if a specific setting can't be found within appsettings.Production.json or appsettings.json.
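To make the three-layer lookup concrete, here is an added example (not UiPath code) that resolves a setting the way the list above describes and reports which layer supplied the value. The two JSON documents are constructed stand-ins for the real files, CODE_DEFAULTS contains only the defaults documented on this page, and the per-key layering (a Production section overrides only the keys it names, not the whole section) is how ASP.NET Core's layered JSON configuration providers behave.

```python
"""Resolve Identity Server settings through the three layers the page lists:
appsettings.Production.json > appsettings.json > defaults in code.

Added example, not UiPath code. The two JSON documents are constructed
stand-ins for the files on disk; CODE_DEFAULTS holds only the defaults the
page itself documents. Layering is per key, as in ASP.NET Core's JSON
configuration providers: a section in the Production file overrides only
the keys it names."""
import json
from typing import Any

CODE_DEFAULTS: dict[str, dict[str, Any]] = {
    "AppSettings": {
        "Saml2ValidCertificateOnly": True,
        "EnablePII": False,
        "CookieValidationInterval": 60,
        "CookieExpireMinutes": 60,
    },
    "LoadBalancerSettings": {
        "UseRedis": False,
        "RedisConnectionString": "",
        "SlidingExpirationTimeInSeconds": 600,
    },
}

# Constructed: what the installer might leave in appsettings.json ...
APPSETTINGS_JSON = """{
  "AppSettings": { "EnablePII": false, "CookieExpireMinutes": 60 },
  "Logging": { "LogLevel": { "Default": "Trace", "Microsoft": "Warning" } }
}"""
# ... and an administrator's overrides in appsettings.Production.json.
APPSETTINGS_PRODUCTION_JSON = """{
  "AppSettings": { "CookieExpireMinutes": 30 },
  "Logging": { "LogLevel": { "Default": "Information" } }
}"""


def load_layers(production_text: str = APPSETTINGS_PRODUCTION_JSON,
                base_text: str = APPSETTINGS_JSON) -> tuple[dict, dict]:
    """Parse the two files; returns (production, base)."""
    return json.loads(production_text), json.loads(base_text)


def deep_merge(lower: dict, higher: dict) -> dict:
    """Return lower overlaid by higher, descending into nested sections."""
    merged = dict(lower)
    for key, value in higher.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = deep_merge(merged[key], value)
        else:
            merged[key] = value
    return merged


def effective_settings(production: dict, base: dict,
                       defaults: dict = CODE_DEFAULTS) -> dict:
    """Apply the layers from lowest to highest priority."""
    return deep_merge(deep_merge(defaults, base), production)


def resolve(path: str, production: dict, base: dict,
            defaults: dict = CODE_DEFAULTS) -> tuple[Any, str]:
    """Look up an ASP.NET Core style 'Section:Key' path and report which
    layer supplied the value (priority order as on the page)."""
    for source, doc in (("appsettings.Production.json", production),
                        ("appsettings.json", base),
                        ("code default", defaults)):
        node: Any = doc
        for part in path.split(":"):
            if not isinstance(node, dict) or part not in node:
                break
            node = node[part]
        else:
            return node, source
    raise KeyError(f"{path} is not set in any layer")


def undocumented_overrides(production: dict, base: dict,
                           defaults: dict = CODE_DEFAULTS) -> list[str]:
    """Keys set in Production that appear neither in appsettings.json nor in
    the documented defaults; the page says such parameters must not be set."""
    known = deep_merge(defaults, base)
    found: list[str] = []
    for section, values in production.items():
        if not isinstance(values, dict):
            continue
        for key in values:
            if key not in known.get(section, {}):
                found.append(f"{section}:{key}")
    return found
```

`resolve` takes the `Section:Key` path form; running `undocumented_overrides` against a real appsettings.Production.json is a quick way to catch keys this page says not to set.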

Settings

The appsettings.json file is a single JSON object whose top-level members are the sections described below, separated by commas.

Connection Strings

The ConnectionStrings section stores the Identity Server database connection string. The value is populated by the installer.
This setting has values within appsettings.Production.json and appsettings.json. Because the string embeds the SQL login and password in clear text, restrict read access to the file to administrators and the account that runs the Identity Server application pool.

"ConnectionStrings": {
  "DefaultConnection": "Server=.\\sqlexpress;Database=IdentityServer;User ID=<username>;Password=<password>;"
}

Encryption

The EncryptionSettings section is used to store tenant encryption keys. The values are automatically migrated from Orchestrator's web.config during installation.
This setting has values within appsettings.Production.json and appsettings.json. The EncryptionKey value protects tenant data: treat the file as a secret, and never copy a key from a documentation example into a live installation.

"EncryptionSettings": {
  "MultiTenantEncryptionKeyProvider": 1,
  "EncryptionKey": "3wkO1hkaXLwR9LZoRZIueIxG3GIEB/YMDZUWhD9AR8g="
}

Identity Server can be configured to use a local key (see above) or an Azure Key Vault (see below), just like Orchestrator.

"EncryptionSettings": {
  "MultiTenantEncryptionKeyProvider": 0,
  "EncryptionKeyPerTenant": true,
  "AzureKeyVaultAddress": "keyVaultAddress",
  "AzureKeyVaultCertificateThumbprint": "keyvaultCertificateThumbprint",
  "AzureKeyVaultClientId" : "azureClientId"
},
  • MultiTenantEncryptionKeyProvider - Indicates which key management store holds the encryption keys that Orchestrator generates per tenant. The accepted values are AzureKeyVault and ConfigFileKey; the code default is ConfigFileKey. In the examples above the provider appears as its numeric code (1 in the local-key example, 0 in the Azure Key Vault example). During Identity Server installation, the value is copied from the web.config EncryptionKeyPerTenant.KeyProvider setting.

The following Identity Server keys match the Orchestrator keys within UiPath.Orchestrator.dll.config's SecureAppSettings section:

  Identity Server Key                   Orchestrator Key
  EncryptionKeyPerTenant                EncryptionKeyPerTenant.Enabled
  AzureKeyVaultAddress                  Azure.KeyVault.VaultAddress
  AzureKeyVaultCertificateThumbprint    Azure.KeyVault.CertificateThumbprint
  AzureKeyVaultClientId                 Azure.KeyVault.ClientId

Important!

If you change the Encryption Key or the Azure Key Vault settings inside Orchestrator’s UiPath.Orchestrator.dll.config, you must also update Identity Server's appsettings.Production.json with the same values.

Logging

The Logging section configures the log level for each component used by Identity Server. It follows the generic ASP.NET Core logging configuration; see the Microsoft logging documentation for the available levels.
This section has values within appsettings.json.

"Logging": {
  "LogLevel": {
    "Default": "Trace",
    "Microsoft": "Warning",
    "Microsoft.Hosting.Lifetime": "Information"
  }
}

Identity Server provides defaults for a few major components, such as Microsoft and Microsoft.Hosting.Lifetime. Note that "Default": "Trace" is the most verbose level; consider Information or Warning on production nodes where log volume or the amount of request detail written to the event log is a concern.

NLog

The NLog section is used to define how information is logged in Identity Server via NLog targets, just like in Orchestrator.
This section has values within appsettings.json.

"NLog": {
  "IncludeScopes": true,
  "throwConfigExceptions": false,
  "targets": {
    "EventLog": {
      "type": "EventLog",
      "source": "IdentityService",
      "layout": "${longdate} ${logger} ${message}${onexception:${newline}${exception:maxInnerExceptionLevel=10:format=shortType,message,stacktrace:separator=*:innerExceptionSeparator=&#xD;&#xA;&#x9;}}"
    }
  },
  "rules": [
    {
      "logger": "*",
      "minLevel": "Info",
      "writeTo": "EventLog"
    }
  ]
},

By default, NLog writes Identity Server logs to the Windows Application event log under the source IdentityService, through the EventLog target shown above. See the NLog documentation for how to configure NLog from a JSON section.

App Settings

The AppSettings section is Identity Server's main configuration section. This section has values within appsettings.Production.json and appsettings.json.

  • IdentityServerAddress - The audience that Identity Server checks when validating the token used to call the Identity Server API. During installation, this field is automatically populated in appsettings.Production.json with Identity Server's address. Do not modify this value; changing it breaks Orchestrator data propagation.
    This setting has values within appsettings.Production.json and appsettings.json.
  • Saml2ValidCertificateOnly - If set to true, invalid certificates are rejected when configuring SAML2. Leave it set to true in production.
    By default, the setting has the value true within the code.
  • EnablePII - When set to true, exception messages contain sensitive information (for example, the URL of the external identity provider or the address of Identity Server). Enable it only temporarily, for troubleshooting, since exception text is written to the logs.
    By default, the setting has the value false within appsettings.json and the code.
  • CookieValidationInterval - The interval (in seconds) after which the cookie is re-checked to confirm that the user and the tenant are still active and that the user has not logged in from another browser. The value within appsettings.Production.json is automatically migrated from Orchestrator, which has the same setting.
    By default, the value is 60 seconds within appsettings.Production.json and the code.
  • CookieExpireMinutes - The interval (in minutes) after which the Identity Server cookie expires. The value within appsettings.Production.json is automatically migrated from Orchestrator, which has the same setting.
    By default, the value is 60 minutes within appsettings.Production.json and the code.
  • OrchestratorUrl - The URL of Orchestrator. Identity Server redirects you here when you click the Orchestrator icon in the Identity Management Portal's Hub menu.
    The value is set during installation within appsettings.Production.json.

Localization

The LocalizationSettings section has the following default values within the code:

"LocalizationSettings": {
  "EnabledLanguages": "en,ja,de,es,es-MX,fr,ko,pt,pt-BR,ru,tr,zh-CN"
}
  • EnabledLanguages - Lists the languages available in Identity Server. It is used to limit the number of available languages.

Load Balancer

The LoadBalancerSettings section has the following default values within appsettings.Production.json and the code:

"LoadBalancerSettings": {
  "UseRedis": false,
  "RedisConnectionString": "",
  "SlidingExpirationTimeInSeconds":  600
}

The values within appsettings.Production.json are automatically migrated from Orchestrator's web.config in the case of a multi-node upgrade. If Redis is not configured in Orchestrator, appsettings.Production.json contains the default values shown above.

  • UseRedis - Use Redis to distribute messages and the cache across all machines connected through your load balancer. This is mandatory for multi-node deployments.
  • RedisConnectionString - Only used when UseRedis is set to true. A connection string for your Redis server, containing the server address, the port, and the password used with Redis. Append ssl=true to encrypt the connection between the Orchestrator nodes and the Redis service. Note that the password is stored in clear text in this file. Examples:
    • with SSL enabled - "RedisConnectionString": "DOCWREDIS02:6379,password=12345678,ssl=true"
    • without SSL enabled - "RedisConnectionString": "DOCWREDIS02:6379,password=12345678"
  • SlidingExpirationTimeInSeconds - Controls the sliding expiration time of an item inside the cache. This applies to both the Redis cache and the in-memory cache (the default when Redis is not used).
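Before restarting IIS after editing this section, it is worth checking that the three keys are consistent with each other. The following is an added example, not UiPath code: it parses the connection string the way StackExchange.Redis-style strings are written (comma-separated entries, where host[:port] is an endpoint and key=value is an option) and reports the problems described above (UseRedis without a connection string, no ssl=true, no password). The two sample sections are constructed from the page's example strings; the default port 6379 is Redis's standard port, not something the page states.

```python
"""Validate a LoadBalancerSettings section before restarting IIS.

Added example, not UiPath code. It checks the rules the page states
(UseRedis needs a connection string, ssl=true enables encryption) by parsing
the connection string the way StackExchange.Redis-style strings are written:
comma-separated entries, where 'host[:port]' is an endpoint and 'key=value'
is an option. The two sample sections below are constructed."""
from dataclasses import dataclass, field

DEFAULT_REDIS_PORT = 6379  # Redis's standard port; assumed, not from the page


@dataclass
class RedisConfig:
    endpoints: list[tuple[str, int]] = field(default_factory=list)
    options: dict[str, str] = field(default_factory=dict)


def parse_redis_connection_string(text: str) -> RedisConfig:
    cfg = RedisConfig()
    for part in (p.strip() for p in text.split(",")):
        if not part:
            continue
        if "=" in part:                      # option, e.g. password=..., ssl=true
            key, value = part.split("=", 1)
            cfg.options[key.strip().lower()] = value.strip()
        else:                                # endpoint, e.g. DOCWREDIS02:6379
            host, _, port = part.partition(":")
            cfg.endpoints.append((host, int(port) if port else DEFAULT_REDIS_PORT))
    return cfg


def check_load_balancer(settings: dict) -> list[str]:
    """Return a list of findings; an empty list means the section is sane."""
    findings: list[str] = []
    use_redis = settings.get("UseRedis", False)
    conn = settings.get("RedisConnectionString", "")
    expiry = settings.get("SlidingExpirationTimeInSeconds", 600)

    if not isinstance(expiry, int) or expiry <= 0:
        findings.append("SlidingExpirationTimeInSeconds must be a positive integer")

    if not use_redis:
        if conn:
            findings.append("RedisConnectionString is ignored while UseRedis is false")
        return findings

    if not conn:
        findings.append("UseRedis is true but RedisConnectionString is empty")
        return findings

    cfg = parse_redis_connection_string(conn)
    if not cfg.endpoints:
        findings.append("RedisConnectionString names no host:port endpoint")
    if cfg.options.get("ssl", "").lower() != "true":
        findings.append("ssl=true is not set; traffic to Redis is unencrypted")
    if not cfg.options.get("password"):
        findings.append("no password in RedisConnectionString")
    return findings


# Constructed sections built from the page's two example strings.
WITH_SSL = {"UseRedis": True,
            "RedisConnectionString": "DOCWREDIS02:6379,password=12345678,ssl=true",
            "SlidingExpirationTimeInSeconds": 600}
WITHOUT_SSL = {"UseRedis": True,
               "RedisConnectionString": "DOCWREDIS02:6379,password=12345678",
               "SlidingExpirationTimeInSeconds": 600}
```

Load the real section with `json.load` and pass it to `check_load_balancer`; anything other than an empty list is worth fixing before the node goes back behind the load balancer.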

Signing Credential

The SigningCredentialSettings section describes the location of the certificate used to sign the tokens generated by the Identity Server. The values of the settings in this section are populated by the installer based on your input. The settings can be configured to allow the reading of the certificate from a certificate store or from Azure Key Vault.

Note:

For security reasons, the signing certificate must have a 2048-bit public key. Make sure the certificate is valid, not expired, and has a key usage that permits signing.

Example of Certificate Store Location Settings

Here's a classic configuration for finding a certificate inside the certificate store:

"SigningCredentialSettings": {
  "StoreLocation": {
    "Name": "30f3c11e676fc8eb1f9dd4e330f3ce668d796796",
    "Location": "LocalMachine",
    "NameType": "Thumbprint"
  }
}

In this example, Name holds the certificate's thumbprint.
We do not recommend using other values for Location and NameType.

Example of Azure Key Vault Location Settings

"SigningCredentialSettings": {
  "AzureKeyVaultLocation": {
    "KeyName": "key_name_534553553"
  }
}

In this example, KeyName is the name of the key to look up inside Azure Key Vault.

Authorization

  • RestrictBasicAuthentication - Restricts basic authentication through the UI for all users except those with the bypass flag. The value within appsettings.Production.json is automatically migrated from Orchestrator's web.config.
    By default, the value is set to false within the code.

Important!

Orchestrator still has its own Auth.RestrictBasicAuthentication key, which controls whether a user can make an authenticated API request to an Orchestrator instance using basic authentication credentials. See the Orchestrator documentation for how to allow basic authentication for local users.

Set both the Identity Server RestrictBasicAuthentication key and the Orchestrator Auth.RestrictBasicAuthentication key to restrict basic authentication completely, for UI login and API requests alike.

  • EnableBasicAuthenticationForHostTenant - If set to true, the login performed via UI for host tenant users ignores the basic authentication restriction.
    By default, the value is set to false within the code.

Important!

Orchestrator still has its own Auth.EnableBasicAuthenticationForHostTenant key, which controls whether a host admin can make an authenticated API request to the host tenant of an Orchestrator instance using basic authentication credentials.

Set both the Identity Server EnableBasicAuthenticationForHostTenant key and the Orchestrator Auth.EnableBasicAuthenticationForHostTenant key to allow host tenant users to log in with basic authentication credentials through both the UI and the API.
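The Important! notes in the Encryption section and in this Authorization section both require the same value on the Identity Server side (appsettings.Production.json) and the Orchestrator side (UiPath.Orchestrator.dll.config). The following is an added example, not UiPath code, of a check that reads both files and reports missing or mismatched pairs, using the key mapping from this page. Both sample files are constructed: the "Authorization" section name in the JSON sample is an assumption (the page names only the keys), the placement of keys in appSettings versus secureAppSettings in the XML sample does not matter because the checker scans every <add key= value=> element, and the mapping of the numeric provider codes 0 and 1 to AzureKeyVault and ConfigFileKey is inferred from the two EncryptionSettings examples above.

```python
"""Cross-check Identity Server's appsettings.Production.json against
Orchestrator's UiPath.Orchestrator.dll.config for the settings this page says
must be kept identical. Added example, not UiPath code; both sample files are
constructed."""
import json
import xml.etree.ElementTree as ET

# Pairs taken from the page: (Identity Server key, Orchestrator key).
PAIRED_KEYS = [
    ("MultiTenantEncryptionKeyProvider", "EncryptionKeyPerTenant.KeyProvider"),
    ("EncryptionKeyPerTenant", "EncryptionKeyPerTenant.Enabled"),
    ("AzureKeyVaultAddress", "Azure.KeyVault.VaultAddress"),
    ("AzureKeyVaultCertificateThumbprint", "Azure.KeyVault.CertificateThumbprint"),
    ("AzureKeyVaultClientId", "Azure.KeyVault.ClientId"),
    ("RestrictBasicAuthentication", "Auth.RestrictBasicAuthentication"),
    ("EnableBasicAuthenticationForHostTenant", "Auth.EnableBasicAuthenticationForHostTenant"),
]

# Assumption: the numeric provider codes in the page's examples correspond to
# the named values it lists (1 appears with the local key, 0 with Key Vault).
PROVIDER_NAMES = {"0": "azurekeyvault", "1": "configfilekey"}
PROVIDER_KEYS = {"MultiTenantEncryptionKeyProvider", "EncryptionKeyPerTenant.KeyProvider"}

# Constructed Identity Server file. The "Authorization" section name is an
# assumption; the vault address and client id are placeholders.
IDENTITY_PRODUCTION_JSON = """{
  "EncryptionSettings": {
    "MultiTenantEncryptionKeyProvider": 0,
    "EncryptionKeyPerTenant": true,
    "AzureKeyVaultAddress": "https://example-vault.vault.azure.net/",
    "AzureKeyVaultCertificateThumbprint": "30F3C11E676FC8EB1F9DD4E330F3CE668D796796",
    "AzureKeyVaultClientId": "11111111-2222-3333-4444-555555555555"
  },
  "Authorization": {
    "RestrictBasicAuthentication": true,
    "EnableBasicAuthenticationForHostTenant": false
  }
}"""

# Constructed Orchestrator file: Azure.KeyVault.ClientId is missing and
# Auth.RestrictBasicAuthentication disagrees with Identity Server.
ORCHESTRATOR_DLL_CONFIG = """<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="Auth.RestrictBasicAuthentication" value="false" />
    <add key="Auth.EnableBasicAuthenticationForHostTenant" value="false" />
  </appSettings>
  <secureAppSettings>
    <add key="EncryptionKeyPerTenant.Enabled" value="True" />
    <add key="EncryptionKeyPerTenant.KeyProvider" value="AzureKeyVault" />
    <add key="Azure.KeyVault.VaultAddress" value="https://example-vault.vault.azure.net/" />
    <add key="Azure.KeyVault.CertificateThumbprint" value="30f3c11e676fc8eb1f9dd4e330f3ce668d796796" />
  </secureAppSettings>
</configuration>"""


def orchestrator_settings(xml_text: str) -> dict[str, str]:
    """Every <add key= value=> entry in the .NET config, whatever section holds it."""
    root = ET.fromstring(xml_text)
    return {e.get("key"): e.get("value", "") for e in root.iter("add") if e.get("key")}


def identity_settings(json_text: str) -> dict:
    """Flatten the top-level sections; the documented key names are unique."""
    flat: dict = {}
    for section in json.loads(json_text).values():
        if isinstance(section, dict):
            flat.update(section)
    return flat


def normalize(key: str, value) -> str:
    """Compare case-insensitively; JSON true and XML "True" must agree, as must
    a numeric provider code and its name."""
    text = str(value).strip().lower()
    if key in PROVIDER_KEYS:
        return PROVIDER_NAMES.get(text, text)
    return text


def find_drift(identity_json: str, orchestrator_xml: str) -> list[tuple[str, str, str]]:
    """Return ("missing" | "mismatch", identity_key, orchestrator_key) tuples."""
    ident = identity_settings(identity_json)
    orch = orchestrator_settings(orchestrator_xml)
    problems = []
    for id_key, orch_key in PAIRED_KEYS:
        if id_key not in ident or orch_key not in orch:
            problems.append(("missing", id_key, orch_key))
        elif normalize(id_key, ident[id_key]) != normalize(orch_key, orch[orch_key]):
            problems.append(("mismatch", id_key, orch_key))
    return problems
```

Point `find_drift` at the real files (read as text) after changing either side; an empty result means the two components agree on every paired key.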
