Veröffentlichen auf Identity Server

In der folgenden Tabelle sind alle Parameter beschrieben, die mit dem Skript Publish-IdentityServer.ps1 verwendet werden können.

Parameter	Description
-action	Mandatory. Indicates the type of scenario you want to start. The following options are available: Deploy - specifies it is a clean installation. Update - specifies you are updating your Identity Server instance.
-azureAccountApplicationId	Mandatory. The Azure service principal ID. Please note that the used service principal needs to be assigned the Contributor role to the app service at the subscription scope.
-azureAccountPassword	Mandatory. The Azure token password for the service principal ID.
-azureSubscriptionId	Mandatory. The Azure subscription ID for the App Service that hosts Orchestrator.
-azureAccountTenantId	Mandatory. The Azure tenant ID.
-orchestratorUrl	Mandatory. The URL of the Orchestrator instance.
-identityServerUrl	Mandatory. The URL of Identity Server. The URL must contain the Identity Server address + the suffix /identity in lowercase. Example: https://[identity_server]/identity
-orchDetails	This parameter is a hash table that contains the following values: resourceGroupName - Mandatory. The name of the Azure Resource Group that contains the Orchestrator App Service. appServiceName - Mandatory. The Orchestrator Azure App Service name. targetSlot - Mandatory. The Target App Service Slot set by Azure.
-identityServerDetails	This parameter is a hash table that contains the following values: resourceGroupName - Mandatory. The name of the Azure Resource Group that contains the Identity Server App Service. appServiceName - Mandatory. The Identity Server Azure App Service name. targetSlot - Mandatory. The Target App Service Slot set by Azure.
-package	Mandatory. Indicate the full path or relative path of the UiPath.IdentityServer.Web.zip archive.
-cliPackage	Mandatory. Indicate the full path or relative path of the UiPath.IdentityServer.Migrator.Cli.zip archive.
-productionSlotName	Optional. It can be used only if the Identity Server App Service deployment slot is different from the default Production App Service Slot set by Azure.
-stopApplicationBeforePublish	Optional. If present, it stops the application before deployment and it starts it after the deployment is completed.
-unattended	Optional. If present, the deployment continues without any user confirmation.
-tmpDirectory	Optional. Enables the specification of a directory where needed files are downloaded and unzipped.
-noAzureAuthentication	Optional. Allows you to publish to the Azure App Service by relying on your own user identity, without having to create a service principal. If this parameter is used, the UseServicePrincipal parameter set (which includes items such as the Azure application ID, password, subscription ID, and tenant ID) are no longer necessary.

Das Skript Publish-IdentityServer.ps1 wird für die anfängliche Bereitstellung oder Aktualisierung von Identity Server verwendet. Das Skript geht davon aus, dass die Web-App bereits die Datenbankverbindungszeichenfolge DefaultConnection konfiguriert hat.

.\Publish-IdentityServer.ps1 `
    -action Deploy `
    -orchestratorUrl "<orchestrator_address>" `
    -identityServerUrl "https://<identity_server_URL>/identity" ` // must be in lowercase
    -orchDetails @{ resourceGroupName = "<resourcegroup_name>"; appServiceName = "<appservice_name>";  targetSlot = "Production" } `
    -identityServerDetails @{ resourceGroupName = "<resourcegroup_name>"; appServiceName = "<appservice_name>"; targetSlot = "Production" } `
    -azureSubscriptionId "<subscription_id>" `
    -azureAccountTenantId "<azure_tenant_id>" `
    -azureAccountApplicationId "<azure_application_id>" `
    -azureAccountPassword "<azure_account_password>" `
    -package "UiPath.IdentityServer.Web.zip" `
    -cliPackage "UiPath.IdentityServer.Migrator.Cli.zip" `
    -stopApplicationBeforePublish `
    -unattended

🚧

Wichtig!

Stellen Sie nach dem Ausführen des obigen Skripts sicher, dass Sie die unten aufgeführten zusätzlichen Schritte ausführen, um eine erfolgreiche Erstbereitstellung zu ermöglichen.

Führen Sie nach der Veröffentlichung von Identity Server die folgenden Schritte aus:

1. Wechseln Sie zum Azure-Portal.
2. Wählen Sie Ihren Identity Server-App-Service aus.
3. Wechseln Sie unter dem Menü TLS/SSL-Einstellungen zur Registerkarte Private Schlüsselzertifikate.
4. Laden Sie die .pfx-Zertifikatdatei eines privaten Schlüssels mit einem gültigen Kennwort hoch.

📘

Hinweis:

Dieses Zertifikat wird zum Signieren der Zugriffstoken und der ID-Token verwendet.

5. Fügen Sie unter dem Konfigurationsmenü die folgenden Anwendungseinstellungen genau wie in der Spalte Anwendungseinstellungen geschrieben hinzu:

Application Setting	Value	Description
AppSettings__IdentityServerAddress	https://[identity_server]/identity	The public URL of the Identity Server. The URL must contain the address of Identity Server + the suffix /identity in lowercase.
AppSettings__SigningCredentialSettings__StoreLocation__Location	CurrentUser	This has to point to CurrentUser.
AppSettings__SigningCredentialSettings__StoreLocation__Name	XXXXXXXXXXXXXXXXXXXXXXXXXXXX	The thumbprint of your certificate that you've uploaded earlier.
AppSettings__SigningCredentialSettings__StoreLocation__NameType	Thumbprint	Enter Thumbprint as the type of the previous field.
AppSettings__LoadBalancerSettings__RedisConnectionString	XXXXXXXXXXXX:XXXX,password=XXXXXX	The connection string needed to set up your Redis server, which contains the URL of the server, the password, and the port. You can also enable SSL encrypted connections between the Orchestrator nodes and the Redis service.
AppSettings__LoadBalancerSettings__SlidingExpirationTimeInSeconds	Number of seconds	The sliding expiration time of an item inside the cache. This expiration time applies to both Redis Cache and InMemory Cache.
AppSettings__RedisSettings__UseRedisStoreCache	true/false	Set its value to true to enable Redis caching of OAuth client data. This helps prevent performance issues when using Interactive Sign In to connect a large number of robots in a short amount of time. This cache uses the same Redis connection string specified in the AppSettings__LoadBalancerSettings. Note: This is not recommended if you are using the External Applications feature since this setting caches clients, and updates to External Applications will not be reflected.
AppSettings__RedisSettings__UseRedisStoreClientCache	true/false	Set its value to true to enable Redis caching for first-party clients (UiPath applications) or third-party clients (external applications). If you have a large-scale deployment, it is recommended to enable this flag.
App__Saml2ValidCertificateOnly	true/false	For Orchestrator deployments via an Azure web app, this parameter must be set to false. This is because SAML2 requires certificates to be added to its trust store, but Azure web apps do not allow this action. Setting the value to false means that the certificate check is bypassed.
WEBSITE_LOAD_CERTIFICATES	XXXXXXXXXXXXXXXXXXXXXXXXXXXX	The user profile.
WEBSITE_LOAD_USER_PROFILE	1	The thumbprint value of your certificate that you've uploaded earlier.

6. Speichern Sie die Änderungen.

Weitere Informationen finden Sie in der Microsoft Azure-Dokumentation.

Migrieren zu Identity Server

In der folgenden Tabelle sind alle Parameter beschrieben, die mit MigrateTo-IdentityServer.ps1 verwendet werden können.

Parameter	Description
-cliPackage	Mandatory. Indicate the full path or relative path of the UiPath.IdentityServer.Migrator.Cli.zip archive.
-azureDetails	This parameter is a hash table that contains the following values: azureAccountApplicationId - Mandatory. The Azure service principal ID. Please note that the used service principal needs to be assigned the Contributor role to the app service at the subscription scope. azureSubscriptionId - Mandatory. The Azure subscription ID for the App Service that hosts Orchestrator. azureAccountTenantId - Mandatory. The Azure tenant ID. azureAccountPassword - Mandatory. The Azure token password for the service principal ID.
-orchDetails	This parameter is a hash table that contains the following values: resourceGroupName - Mandatory. The name of the Azure Resource Group that contains the Orchestrator App Service. appServiceName - Mandatory. The Orchestrator Azure App Service name. targetSlot - Mandatory. The Target App Service Slot set by Azure.
-identityServerDetails	This parameter is a hash table that contains the following values: resourceGroupName - Mandatory. The name of the Azure Resource Group that contains the Identity Server App Service. appServiceName - Mandatory. The Identity Server Azure App Service name. targetSlot - Mandatory. The Target App Service Slot set by Azure.
-identityServerUrl	Mandatory. The public address of the Identity Server. The URL must contain the address of Identity Server + the suffix /identity in lowercase. Example: https://[identity_server]/identity
-orchestratorUrl	Mandatory. The public address of the Orchestrator.
-tmpDirectory	Optional. Enables the specification of a directory where needed files are downloaded and unzipped.
-hostAdminPassword	Mandatory only for fresh deployments, when -action is set to Deploy. Specify a custom password for the host administrator. Please note that passwords have to be least 8 characters long, and must have at least one lowercase character and at least one digit.
-isHostPassOneTime	Optional. Enables you to enforce a password reset on the first login for the host administrator. If this parameter is omitted, the host admin password is not a one-time password.
-defaultTenantAdminPassword	Mandatory only for fresh deployments, when -action is set to Deploy. Specify a custom password for the default tenant administrator. Please note that passwords have to be least 8 characters long, and must have at least one lowercase character and at least one digit.
-isDefaultTenantPassOneTime	Optional. Enables you to enforce a password reset on the first login for the default tenant administrator. If this parameter is omitted, the tenant admin password is not a one-time password.
-noAzureAuthentication	Optional. Allows you to publish to the Azure App Service by relying on your own user identity, without having to create a service principal. If this parameter is used, the UseServicePrincipal parameter set (which includes items such as the Azure application ID, password, subscription ID, and tenant ID) are no longer necessary.

Das Skript MigrateTo-IdentityServer.ps1 wird verwendet, um Benutzerdaten vom Orchestrator zum Identity Server zu migrieren und die Konfigurationen für beide festzulegen. Es überträgt die Identifikationsautorität des Orchestrators auf den Identity Server und erstellt die Clientkonfiguration für den Orchestrator im Identity Server.
Das Skript geht davon aus, dass Orchestrator und Identity Server bereits veröffentlicht wurden.

.\MigrateTo-IdentityServer.ps1 `
    -cliPackage "UiPath.IdentityServer.Migrator.Cli.zip" `
    -azureDetails @{azureSubscriptionId = "<subscription_id>"; azureAccountTenantId = "<azure_tenant_id>"; azureAccountApplicationId = "<azure_application_id>"; azureAccountPassword = "<azure_account_password>" } `
    -orchDetails @{ resourceGroupName = "<resourcegroup_name>"; appServiceName = "<appservice_name>";  targetSlot = "Production" } `
    -identityServerDetails @{ resourceGroupName = "<resourcegroup_name>"; appServiceName = "<appservice_name>"; targetSlot = "Production" } `
    -identityServerUrl "https://<identity_server_URL>/identity" ` // must be in lowercase
    -orchestratorUrl "https://<OrchestratorURL>" `
    -hostAdminPassword "12345qwert" `
    -defaultTenantAdminPassword "12345qwert"