Choosing the identity provider for your organization (Admin > Users and Groups > Authentication Settings) affects the way users sign in, and how user and group accounts are created and managed in Orchestrator .
The integration with Azure Active Directory (Azure AD) can offer scalable user and access management for your organization, allowing for compliance across all the internal applications used by your employees. If your organization is using Azure AD or Office 365, you can connect your Orchestrator organization directly to your Azure AD tenant to obtain the following benefits:
Automatic user onboarding with seamless migration
All users and groups from Azure AD are readily available for any Orchestrator service to assign permissions, without the need to invite and manage Azure AD users in the Orchestrator organization directory.
You can provide Single Sign-On for users whose corporate username differs from their email address, which is not possible with the invitation model.
All existing users with UiPath user accounts have their permissions automatically migrated to their connected Azure AD account.
Simplified sign-in experience
Users do not have to accept an invitation or create a UiPath user account to access the Orchestrator organization as in the default model. They sign in with their Azure AD account by selecting the Enterprise SSO option or using their organization-specific URL.
If the user is already signed in to Azure AD or Office 365, they are automatically signed in.
UiPath Assistant and Studio versions 20.10.3 and higher can be preconfigured to use a custom Orchestrator URL, which leads to the same seamless connection experience.
Scalable governance and access management with existing Azure AD groups
Azure AD security groups or Office 365 groups, also known as directory groups, allow you to leverage your existing organizational structure to manage permissions at scale. You no longer need to configure permissions in Orchestrator services for each user.
You can combine multiple directory groups into one Orchestrator group if you need to manage them together.
Auditing Orchestrator access is simple. After you've configured permissions in all Orchestrator services using Azure AD groups, you utilize your existing validation processes associated with Azure AD group membership.
While on the Azure AD model, you can continue to use all the features of the default model. But to maximize the benefits, we recommend relying exclusively on centralized account management from Azure AD.
If you would like to use Azure Active Directory as the identity provider for your organization, follow the instructions in Setting up the Azure AD integration.
This model allows you to connect Orchestrator to your chosen identity provider (IdP) so that:
- your users can benefit from single sign-on (SSO) and
- you can manage existing accounts from your directory in Orchestrator, without having to re-create identities.
Orchestrator can connect to any external identity provider that uses the SAML 2.0 standard.
Automatic onboarding of users to Orchestrator
All users from your external identity provider are authorized to sign in to Orchestrator with basic rights when the SAML integration is active. What this means is:
Users can sign in to your Orchestrator organization via SSO using their existing company account, as defined in the IdP.
Without any further setup, they become members of the Everyone user group, which grants them the User organization role by default. To be able to work in Orchestrator, users require roles and licenses, as appropriate for their role.
If you need to restrict access to only some of your users, you can define the set of users who are allowed to access Orchestrator in your identity provider.
You can add users by directly assigning them to Orchestrator groups, to do this all you have to do is enter their email address when adding users to the group.
Typically, administrators manage local accounts from Admin > Accounts & Groups > Users tab. But SAML users are directory accounts in Orchestrator, so they are not visible on this page.
After a user has been added to a group or they have signed in at least once (which automatically adds them to the Everyone group), they are available in search in all services across Orchestrator for direct role or license assignment.
If you use UiPath Automation Hub, you can define custom attribute mapping to propagate attributes from your identity provider into Orchestrator. For example, when an account is first added to Automation Hub, the first name, last name, email address, job title, and department of the user are already populated.
Administrators can configure and enable the SAML integration for your entire organization from Admin > Security Settings > Authentication Settings.
For instructions, see Configuring the SAML integration.
After switching to the SAML integration, the Azure AD integration is disabled. Azure AD group assignments no longer apply, so Orchestrator group membership and the permissions inherited from Azure AD are no longer respected.
Basic authentication refers to signing in with the username and password of a local account.
If basic authentication is restricted, your users can only log in with their directory account, as defined in the external identity provider. Otherwise, users can log in with both their local accounts, if any, and their directory accounts.
Also see Configuration levels and inheritance for more information about this setting.
This setting is only available if an external provider integration is enabled at the host or organization level.
When set at the organization level, the setting applies to all accounts in the organization.
For exceptions, basic authentication can also be set at the account level where you want this setting to apply differently.
To allow or restrict basic authentication for your organization:
- Log in to the organization-level Management portal at
https://<server>/identity/managementas an administrator.
- Go to Security Settings.
- Under External Providers, click the Disable basic authentication for the organizations toggle to restrict or allow sign in using basic authentication:
- If off (left toggle position, gray toggle), basic authentication is allowed.
- If on (right toggle position, blue toggle), basic authentication is restricted. While restricted, the Allow basic authentication for the host administrators toggle is available.
- At the bottom-right of the External Providers section, click Save to apply your changes.
To configure security options for your organization, go to Admin > Accounts and Groups > Authentication Settings and edit the options as needed.
Editing the Password complexity settings does not affect existing passwords.
Select to force users to include at least one special character in their password.
Select to force users to include at least one lowercase character in their password.
Select to force users to include at least one uppercase character in their password.
Select to force users to include at least one digit in their password.
Minimum password length
Specify the minimum number of characters a password should contain.
Days before password expiration
Specify the number of days for which the password is available. After this period, the password expires and needs to be changed.
Number of times a password can be reused
The minimum accepted value is 0 (never allow reusing a password), while the maximum is 10.
Change password on the first login
If set to Required, users that log in for the first time must change their password before being allowed to access Orchestrator.
Enabled or Disabled toggle
If enabled, locks the account for a specific amount of seconds after a specific amount of failed login attempts. This also applies to the password change feature.
Account lockout duration
The number of seconds a user needs to wait before being allowed to log in again after exceeding the Consecutive login attempts before lockout.
Consecutive login attempts before lockout
The number of failed login attempts allowed before the account is locked.
Updated 25 days ago