UiPath Installation and Upgrade Guide

Identity Server scripts

Publishing to Identity Server


The following table describes all the parameters you can use with the Publish-IdentityServer.ps1 script.

| Parameter | Description |
|---|---|
| -action | Mandatory. Indicates the type of scenario you want to start. The following options are available: Deploy - specifies it is a clean installation; Update - specifies you are updating your Identity Server instance. |
| -azureAccountApplicationId | Mandatory. The Azure service principal ID. The service principal must be assigned the Contributor role for the app service at the subscription scope. |
| -azureAccountPassword | Mandatory. The Azure token password for the service principal ID. |
| -azureSubscriptionId | Mandatory. The Azure subscription ID for the App Service that hosts Orchestrator. |
| -azureAccountTenantId | Mandatory. The Azure tenant ID. |
| -orchestratorUrl | Mandatory. The URL of the Orchestrator instance. |
| -identityServerUrl | Mandatory. The URL of Identity Server. Warning: The URL must contain the Identity Server address + the suffix /identity in lowercase. Example: https://[identity_server]/identity |
| -orchDetails | This parameter is a hash table that contains the following values: resourceGroupName - Mandatory. The name of the Azure Resource Group that contains the Orchestrator App Service; appServiceName - Mandatory. The Orchestrator Azure App Service name; targetSlot - Mandatory. The Target App Service Slot set by Azure. |
| -identityServerDetails | This parameter is a hash table that contains the following values: resourceGroupName - Mandatory. The name of the Azure Resource Group that contains the Identity Server App Service; appServiceName - Mandatory. The Identity Server Azure App Service name; targetSlot - Mandatory. The Target App Service Slot set by Azure. |
| -package | Mandatory. Indicate the full path or relative path of the UiPath.IdentityServer.Web.zip archive. |
| -cliPackage | Mandatory. Indicate the full path or relative path of the UiPath.IdentityServer.Migrator.Cli.zip archive. |
| -productionSlotName | Optional. It can be used only if the Identity Server App Service deployment slot is different from the default Production App Service Slot set by Azure. |
| -stopApplicationBeforePublish | Optional. If present, it stops the application before deployment and starts it after the deployment is completed. |
| -unattended | Optional. If present, the deployment continues without any user confirmation. |
| -tmpDirectory | Optional. Enables the specification of a directory where needed files are downloaded and unzipped. |
| -noAzureAuthentication | Optional. Allows you to publish to the Azure App Service by relying on your own user identity, without having to create a service principal. If this parameter is used, the UseServicePrincipal parameter set (which includes items such as the Azure application ID, password, subscription ID, and tenant ID) is no longer necessary. |

The Publish-IdentityServer.ps1 script is used for the initial deployment or for updating Identity Server. The script assumes that the web app already has the database connection string DefaultConnection configured.

# The value of -identityServerUrl must be in lowercase.
.\Publish-IdentityServer.ps1 `
    -action Deploy `
    -orchestratorUrl "<orchestrator_address>" `
    -identityServerUrl "https://<identity_server_URL>/identity" `
    -orchDetails @{ resourceGroupName = "<resourcegroup_name>"; appServiceName = "<appservice_name>"; targetSlot = "Production" } `
    -identityServerDetails @{ resourceGroupName = "<resourcegroup_name>"; appServiceName = "<appservice_name>"; targetSlot = "Production" } `
    -azureSubscriptionId "<subscription_id>" `
    -azureAccountTenantId "<azure_tenant_id>" `
    -azureAccountApplicationId "<azure_application_id>" `
    -azureAccountPassword "<azure_account_password>" `
    -package "UiPath.IdentityServer.Web.zip" `
    -cliPackage "UiPath.IdentityServer.Migrator.Cli.zip" `
    -stopApplicationBeforePublish `
    -unattended

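Important: After running the script above, you must perform the following additional steps for the initial deployment to succeed.

Perform the following steps after publishing Identity Server:

  1. Go to the Azure Portal.
  2. Select the Identity Server App Service.
  3. From the TLS/SSL settings menu, go to the Private Key Certificates tab.
  4. Upload the .pfx file of a private key certificate that has a valid password.

Note: This certificate is used to sign the access tokens and ID tokens.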

  5. From the Configuration menu, add the following application settings, exactly as listed in the Application Setting column.

| Application Setting | Value | Description |
|---|---|---|
| AppSettings__IdentityServerAddress | https://[identity_server]/identity | The public URL of the Identity Server. Warning: The URL must contain the address of Identity Server + the suffix /identity in lowercase. |
| AppSettings__SigningCredentialSettings__StoreLocation__Location | CurrentUser | This has to point to CurrentUser. |
| AppSettings__SigningCredentialSettings__StoreLocation__Name | XXXXXXXXXXXXXXXXXXXXXXXXXXXX | The thumbprint of the certificate that you uploaded earlier. |
| AppSettings__SigningCredentialSettings__StoreLocation__NameType | Thumbprint | Enter Thumbprint as the type of the previous field. |
| AppSettings__LoadBalancerSettings__RedisConnectionString | XXXXXXXXXXXX:XXXX,password=XXXXXX | The connection string needed to set up your Redis server, which contains the URL of the server, the password, and the port. You can also enable SSL encrypted connections between the Orchestrator nodes and the Redis service. |
| AppSettings__LoadBalancerSettings__SlidingExpirationTimeInSeconds | Number of seconds | The sliding expiration time of an item inside the cache. This expiration time applies to both Redis Cache and InMemory Cache. |
| AppSettings__RedisSettings__UseRedisStoreCache | true/false | Set its value to true to enable Redis caching of OAuth client data. This helps prevent performance issues when using Interactive Sign In to connect a large number of robots in a short amount of time. This cache uses the same Redis connection string specified in the AppSettings__LoadBalancerSettings. Note: This is not recommended if you are using the External Applications feature since this setting caches clients, and updates to External Applications will not be reflected. |
| AppSettings__RedisSettings__UseRedisStoreClientCache | true/false | Set its value to true to enable Redis caching for first-party clients (UiPath applications) or third-party clients (external applications). If you have a large-scale deployment, it is recommended to enable this flag. |
| App__Saml2ValidCertificateOnly | true/false | For Orchestrator deployments via an Azure web app, this parameter must be set to false. This is because SAML2 requires certificates to be added to its trust store, but Azure web apps do not allow this action. Setting the value to false means that the certificate check is bypassed. |
| WEBSITE_LOAD_CERTIFICATES | XXXXXXXXXXXXXXXXXXXXXXXXXXXX | The thumbprint value of the certificate that you uploaded earlier. |
| WEBSITE_LOAD_USER_PROFILE | 1 | The user profile. |

  6. Save your changes.

For more details, see the Microsoft Azure documentation.
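The signing-certificate settings above only work when they agree with each other, so the following added example (not UiPath code) checks a set of application settings for consistency before the app is restarted. The function name Test-IdentityServerAppSettings, the host name and the thumbprints are assumptions made up for illustration.

```powershell
# Added example, not UiPath code. Checks a hashtable of App Service settings
# against the table above and returns a list of problems (none = consistent).
function Test-IdentityServerAppSettings {
    param([Parameter(Mandatory)][hashtable]$Settings)

    $problems = [System.Collections.Generic.List[string]]::new()
    $store    = 'AppSettings__SigningCredentialSettings__StoreLocation__'
    $thumb    = [string]$Settings["${store}Name"]

    # -cnotmatch is case-sensitive, so /Identity or /IDENTITY is rejected.
    if ([string]$Settings['AppSettings__IdentityServerAddress'] -cnotmatch '/identity$') {
        $problems.Add('AppSettings__IdentityServerAddress must end in lowercase /identity')
    }
    if ($Settings["${store}Location"] -ne 'CurrentUser') {
        $problems.Add("${store}Location must be CurrentUser")
    }
    if ($Settings["${store}NameType"] -ne 'Thumbprint') {
        $problems.Add("${store}NameType must be Thumbprint")
    }
    # A certificate thumbprint is a SHA-1 hash: exactly 40 hex characters.
    # Values pasted from a certificate dialog can carry spaces or hidden characters.
    if ($thumb -notmatch '^[0-9a-f]{40}$') {
        $problems.Add("${store}Name is not a 40-character hex thumbprint")
    }
    # WEBSITE_LOAD_CERTIFICATES takes a comma-separated thumbprint list, or *.
    $loaded = @(([string]$Settings['WEBSITE_LOAD_CERTIFICATES']) -split ',' | ForEach-Object { $_.Trim() })
    if ($loaded -notcontains '*' -and $loaded -notcontains $thumb) {
        $problems.Add('WEBSITE_LOAD_CERTIFICATES does not load the signing certificate')
    }
    if ([string]$Settings['WEBSITE_LOAD_USER_PROFILE'] -ne '1') {
        $problems.Add('WEBSITE_LOAD_USER_PROFILE must be 1')
    }
    $problems
}

# Constructed sample: dummy thumbprints, an uppercase I in the URL suffix, and
# a WEBSITE_LOAD_CERTIFICATES value that names a different certificate.
$sample = @{
    AppSettings__IdentityServerAddress                              = 'https://identity.example.com/Identity'
    AppSettings__SigningCredentialSettings__StoreLocation__Location = 'CurrentUser'
    AppSettings__SigningCredentialSettings__StoreLocation__Name     = '0123456789ABCDEF0123456789ABCDEF01234567'
    AppSettings__SigningCredentialSettings__StoreLocation__NameType = 'Thumbprint'
    WEBSITE_LOAD_CERTIFICATES                                       = 'FEDCBA9876543210FEDCBA9876543210FEDCBA98'
    WEBSITE_LOAD_USER_PROFILE                                       = '1'
}
Test-IdentityServerAppSettings -Settings $sample
```

To check a live deployment, build the hashtable from the application settings of the Identity Server App Service instead of the sample.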

Migrating to Identity Server


The following table describes all the parameters you can use with MigrateTo-IdentityServer.ps1.

| Parameter | Description |
|---|---|
| -cliPackage | Mandatory. Indicate the full path or relative path of the UiPath.IdentityServer.Migrator.Cli.zip archive. |
| -azureDetails | This parameter is a hash table that contains the following values: azureAccountApplicationId - Mandatory. The Azure service principal ID. The service principal must be assigned the Contributor role for the app service at the subscription scope; azureSubscriptionId - Mandatory. The Azure subscription ID for the App Service that hosts Orchestrator; azureAccountTenantId - Mandatory. The Azure tenant ID; azureAccountPassword - Mandatory. The Azure token password for the service principal ID. |
| -orchDetails | This parameter is a hash table that contains the following values: resourceGroupName - Mandatory. The name of the Azure Resource Group that contains the Orchestrator App Service; appServiceName - Mandatory. The Orchestrator Azure App Service name; targetSlot - Mandatory. The Target App Service Slot set by Azure. |
| -identityServerDetails | This parameter is a hash table that contains the following values: resourceGroupName - Mandatory. The name of the Azure Resource Group that contains the Identity Server App Service; appServiceName - Mandatory. The Identity Server Azure App Service name; targetSlot - Mandatory. The Target App Service Slot set by Azure. |
| -identityServerUrl | Mandatory. The public address of the Identity Server. Warning: The URL must contain the address of Identity Server + the suffix /identity in lowercase. Example: https://[identity_server]/identity |
| -orchestratorUrl | Mandatory. The public address of the Orchestrator. |
| -tmpDirectory | Optional. Enables the specification of a directory where needed files are downloaded and unzipped. |
| -hostAdminPassword | Mandatory only for fresh deployments, when -action is set to Deploy. Specify a custom password for the host administrator. Passwords have to be at least 8 characters long, and must have at least one lowercase character and at least one digit. |
| -isHostPassOneTime | Optional. Enables you to enforce a password reset on the first login for the host administrator. If this parameter is omitted, the host admin password is not a one-time password. |
| -defaultTenantAdminPassword | Mandatory only for fresh deployments, when -action is set to Deploy. Specify a custom password for the default tenant administrator. Passwords have to be at least 8 characters long, and must have at least one lowercase character and at least one digit. |
| -isDefaultTenantPassOneTime | Optional. Enables you to enforce a password reset on the first login for the default tenant administrator. If this parameter is omitted, the tenant admin password is not a one-time password. |
| -noAzureAuthentication | Optional. Allows you to publish to the Azure App Service by relying on your own user identity, without having to create a service principal. If this parameter is used, the UseServicePrincipal parameter set (which includes items such as the Azure application ID, password, subscription ID, and tenant ID) is no longer necessary. |

The MigrateTo-IdentityServer.ps1 script is used to migrate user data from Orchestrator to Identity Server and to configure both of them. The script sets Identity Server as the identity authority for Orchestrator and creates the Orchestrator client configuration in Identity Server.
The script assumes that Orchestrator and Identity Server have already been published.

# The value of -identityServerUrl must be in lowercase.
# Replace the sample passwords with your own values.
.\MigrateTo-IdentityServer.ps1 `
    -cliPackage "UiPath.IdentityServer.Migrator.Cli.zip" `
    -azureDetails @{ azureSubscriptionId = "<subscription_id>"; azureAccountTenantId = "<azure_tenant_id>"; azureAccountApplicationId = "<azure_application_id>"; azureAccountPassword = "<azure_account_password>" } `
    -orchDetails @{ resourceGroupName = "<resourcegroup_name>"; appServiceName = "<appservice_name>"; targetSlot = "Production" } `
    -identityServerDetails @{ resourceGroupName = "<resourcegroup_name>"; appServiceName = "<appservice_name>"; targetSlot = "Production" } `
    -identityServerUrl "https://<identity_server_URL>/identity" `
    -orchestratorUrl "https://<OrchestratorURL>" `
    -hostAdminPassword "12345qwert" `
    -defaultTenantAdminPassword "12345qwert"
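The parameter tables for both scripts carry rules that are easy to miss when a call is assembled by hand (the lowercase /identity suffix, the three mandatory values in each details hash table, the administrator password rule). The following added example, which is not UiPath code, checks a parameter set for a fresh deployment against those rules before the script is run; the function name Test-MigrationParameters and all sample values are assumptions made up for illustration.

```powershell
# Added example, not UiPath code. Validates values intended for
# MigrateTo-IdentityServer.ps1 against the rules in the parameter table
# and returns a list of problems (none = ready to run).
function Test-MigrationParameters {
    param([Parameter(Mandatory)][hashtable]$Values)

    $problems = [System.Collections.Generic.List[string]]::new()

    # Case-sensitive match: the suffix must be exactly /identity.
    if ([string]$Values['identityServerUrl'] -cnotmatch '/identity$') {
        $problems.Add('identityServerUrl must end in lowercase /identity')
    }

    # Each details hash table needs all three mandatory values.
    foreach ($name in 'orchDetails', 'identityServerDetails') {
        $table = $Values[$name]
        foreach ($key in 'resourceGroupName', 'appServiceName', 'targetSlot') {
            if ($table -isnot [hashtable] -or [string]::IsNullOrWhiteSpace($table[$key])) {
                $problems.Add("$name.$key is missing")
            }
        }
    }

    # Password rule from the table: 8+ characters, one lowercase letter, one digit.
    # Assumption: a fresh deployment, where both passwords are mandatory.
    foreach ($name in 'hostAdminPassword', 'defaultTenantAdminPassword') {
        $pw = [string]$Values[$name]
        if ($pw.Length -lt 8 -or $pw -cnotmatch '[a-z]' -or $pw -notmatch '\d') {
            $problems.Add("$name does not meet the password rule")
        }
    }
    $problems
}

# Constructed sample with three deliberate mistakes: uppercase I in the URL
# suffix, no targetSlot for Orchestrator, and a host password that is too short.
$sample = @{
    cliPackage                 = 'UiPath.IdentityServer.Migrator.Cli.zip'
    identityServerUrl          = 'https://identity.example.com/Identity'
    orchestratorUrl            = 'https://orchestrator.example.com'
    orchDetails                = @{ resourceGroupName = 'rg-uipath'; appServiceName = 'app-orch' }
    identityServerDetails      = @{ resourceGroupName = 'rg-uipath'; appServiceName = 'app-identity'; targetSlot = 'Production' }
    hostAdminPassword          = 'SHORT1'
    defaultTenantAdminPassword = 'long-enough-passw0rd'
}
Test-MigrationParameters -Values $sample
```

Once the function reports no problems, the same hashtable can be splatted to the script after the Azure authentication parameters are added (`.\MigrateTo-IdentityServer.ps1 @sample`), which keeps the validated values and the values actually passed identical.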

Updated 5 months ago

