- Log in to Okta. The following setup uses the Classic UI view; you can switch views from the drop-down in the top-right corner of the window.
- On the Applications tab, click Create New App. The Create a New Application Integration window opens.
- Choose SAML 2.0 as the sign-on method and click Create.
- In the General Settings window of the new integration, enter the application name.
- In the SAML Settings window, fill in the General section as in this example:
  - Single sign on URL: the Orchestrator instance URL + /identity/Saml2/Acs. For example,
  - Enable the Use this for Recipient URL and Destination URL check box.
  - Audience URI:
  - Name ID Format: EmailAddress
  - Application Username: Email
  Note: Whenever you fill in the URL of the Orchestrator instance, make sure it does not contain a trailing slash. Always fill it in as
- Click Show Advanced Settings and fill in the Attribute Statements section: set the Name field to http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress and select user.email from the Value drop-down. The claim name must match exactly, because Orchestrator uses this claim to match the signed-in user to the email address stored on its Users page.
- Download the Okta certificate.
- In the Feedback section, select the option that suits you and click Finish.
- On the Sign On tab, in the Settings section, click Setup Instructions. A new page opens with the values required to complete the SAML 2.0 configuration in Orchestrator: Identity Provider Single Sign-On URL, Identity Provider Issuer, and X.509 Certificate.
  Note: If this identity provider information is lost, you can retrieve it at any time from Sign On > Settings > View Setup Instructions.
For a user to be able to sign in with Okta, they must be assigned the newly created application:
- Log in to Okta.
- On the Applications page, select the newly created application.
- On the Assignments tab, select Assign > Assign to People, then select the users who should be granted access.
- The newly added users are displayed on the People tab.
- Define the same user in Orchestrator and make sure a valid email address is set on the Users page. It must match the email address that Okta sends in the emailaddress claim, otherwise the user cannot be matched.
- Import the signing certificate:
  - For Windows deployments, import the signing certificate provided by the identity provider into the Windows certificate store using the Microsoft Management Console.
  - For Azure deployments, upload the certificate provided by the identity provider in the Azure portal (TLS/SSL settings > Public Certificates (.cer) > Upload Public Key Certificate). See here how to adjust your web app configuration if you cannot use Okta authentication and encounter the following error message:
    An error occurred while loading the external identity provider. Please check the external identity provider configuration.
- Log in to the Management portal as a system administrator.
- Go to Security.
  Note: If you are still using the old Admin experience, go to Users instead of Security.
- Click Configure under SAML SSO:
The SAML SSO configuration page opens.
- Set it up as follows:
  - Optionally select the Force automatic login using this provider check box if, once the integration is enabled, you want users to sign in only through the SAML integration. Enable this only after you have verified that sign-in through Okta works, since it removes the local sign-in path for users.
  - Set the Service Provider Entity ID parameter to
  - Set the Identity Provider Entity ID parameter to the Identity Provider Issuer value obtained from the Okta Setup Instructions page.
  - Set the Single Sign-On Service URL parameter to the Identity Provider Single Sign-On URL value obtained from the Okta Setup Instructions page.
  - Select the Allow unsolicited authentication response check box. This accepts IdP-initiated responses, which is what allows users to start from the Okta dashboard rather than from Orchestrator.
  - Set the Return URL parameter to https://orchestratorURL/identity/externalidentity/saml2redirectcallback. Make sure that /identity/externalidentity/saml2redirectcallback is appended to the URL. This path is specific to Okta: it allows users to reach an Orchestrator environment directly from Okta.
  - Set the SAML binding type parameter to
  - In the Signing Certificate section, from the Store name list, select My.
  - From the Store location list, select LocalMachine for Windows deployments or CurrentUser for Azure Web App deployments.
  - In the Thumbprint field, enter the thumbprint value shown for the imported certificate in the Windows certificate store.
  Note: Replace all occurrences of https://orchestratorURL with the URL of your Orchestrator instance. Make sure that the URL of the Orchestrator instance does not contain a trailing slash. Always fill it in as
- Click Save to save the changes to the external identity provider settings.
The page closes and you return to the Security Settings page.
- Click the toggle to the left of SAML SSO to enable the integration.
- Restart the IIS server so that the new identity provider settings are loaded.
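The certificate import and thumbprint steps above, scripted for a Windows (IIS) deployment. This is an added example and is not UiPath or Okta code. It assumes the certificate downloaded from Okta is saved at C:\Temp\okta.cert and uses https://orchestrator.example.com as a placeholder instance URL; both are hypothetical. Run it in an elevated PowerShell session on the Orchestrator server; it also applies the no-trailing-slash rule from the notes above and prints the endpoint URLs to paste into the Okta and Orchestrator forms.

```powershell
# Added example, not UiPath or Okta code. Imports the Okta signing certificate
# into the store Orchestrator reads (Store name "My", Store location
# "LocalMachine") and prints the thumbprint and URLs to paste into the
# Orchestrator SAML SSO page. The default path and URL are hypothetical.
param(
    [string]$CertPath = 'C:\Temp\okta.cert',                       # assumed download location
    [string]$OrchestratorUrl = 'https://orchestrator.example.com', # placeholder instance URL
    [ValidateSet('LocalMachine', 'CurrentUser')]
    [string]$StoreLocation = 'LocalMachine'                        # LocalMachine for IIS hosts
)

# The instance URL must not end in a slash; strip it and warn so the same
# value is used in both the Okta and Orchestrator forms.
$base = $OrchestratorUrl.TrimEnd('/')
if ($base -ne $OrchestratorUrl) {
    Write-Warning "Trailing slash removed; use '$base' in every URL field."
}
$urls = [ordered]@{
    'Okta Single sign on URL' = "$base/identity/Saml2/Acs"
    'Orchestrator Return URL' = "$base/identity/externalidentity/saml2redirectcallback"
}

# Parse the downloaded file before touching the store so a wrong or expired
# file is rejected up front. The constructor accepts the PEM file Okta serves.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Signing certificate expired on $($cert.NotAfter); download a current one from Okta."
}
if ($cert.HasPrivateKey) {
    throw 'The IdP signing certificate must be public only; this file carries a private key.'
}

# Import into the personal store unless the same thumbprint is already there.
$storePath = "Cert:\$StoreLocation\My"
$present = Get-ChildItem $storePath | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if ($present) {
    Write-Host "Certificate $($cert.Thumbprint) already in $storePath"
} else {
    Import-Certificate -FilePath $CertPath -CertStoreLocation $storePath | Out-Null
    Write-Host "Imported $($cert.Thumbprint) into $storePath"
}

# Values for the Orchestrator form. Record NotAfter: when Okta rotates its
# signing certificate, the new one must be imported and the Thumbprint field
# updated, otherwise signature validation fails and sign-in stops working.
[pscustomobject]@{
    Subject       = $cert.Subject
    Thumbprint    = $cert.Thumbprint
    NotAfter      = $cert.NotAfter
    StoreName     = 'My'
    StoreLocation = $StoreLocation
} | Format-List
foreach ($u in $urls.GetEnumerator()) { '{0}: {1}' -f $u.Key, $u.Value }
```

For Azure Web App deployments the certificate is uploaded through the portal as described above and the Store location is CurrentUser, so only the URL check and the printed thumbprint and expiry date apply there. Keep the printed NotAfter date in the runbook for the integration so the certificate is replaced before it expires.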