Re-configuring Authentication After Upgrade

If you are upgrading Orchestrator to this version and you've previously enabled any external identity provider authentication, there are a series of manual configurations to be performed at the external identity provider level.

Previously created users are propagated to the UiPath Identity Server database.

UiPath Identity Server acts as a federation gateway for a series of external identity providers (Google, Windows, Azure AD, and SAML2). You can configure their settings from the Management portal, under Users > Authentication Settings, in the External Providers section.

Manual Configuration After an Orchestrator Upgrade

Upon upgrading to this version of Orchestrator, any external identity provider authentication enabled in Orchestrator is automatically migrated to Identity Server, along with all the existing users. However, some manual changes are required after the upgrade.

Upgrading From Versions Prior to 2020.4

If you upgraded Orchestrator from version 2020.4 (or from a later version) to the current version, skip this section.

If you upgraded from a version prior to 2020.4:

In the external provider's settings, modify the Return URL by adding /identity at the end of your Orchestrator URL so that you have https://OrchestratorURL/identity.
Save the changes to the external provider.
Restart the IIS site for the changes to apply.

Continue with the instructions on this page for additional configuration that is required actions for the external identity providers you use with Orchestrator.

Google OpenID Connect Authentication

If you've previously configured Google to recognize a new Orchestrator instance, then you need to perform these steps:

Access Google APIs and search for your previously created project.
In the Credentials page, select your previously created OAuth 2.0 client:
In the Client ID for Web application page, edit the Authorized redirect URIs value by adding the suffix /identity after your Orchestrator URL. For example, https://OrchestratorURL/identity/google-signin.
Save your changes.

Windows Authentication

If you've previously enabled Windows authentication, no further actions are required.

Azure AD Authentication

If you've previously configured Azure AD to recognize a new Orchestrator instance, then you need to perform these steps:

Access App Registrations in the Microsoft Azure portal and select your existing Orchestrator app registration.
In the selected app's page, select Redirect URIs.
In the selected app's Authentication page, modify the Redirect URL by adding /identity/azure-sign-in-oidc at the end of your Orchestrator URL:
Save the changes.
Restart the IIS server.

SAML2 Authentication

ADFS

If you've previously configured ADFS to recognize a new Orchestrator instance, then you need to perform these steps after upgrading Orchestrator:

Open ADFS Management and modify your existing relying party trust for Orchestrator as follows:
- In the Configure URL section, select the Enable support for the SAML 2.0 Web SSO Protocol and, in the Relying party SAML 2.0 SSO service URL field, fill in the Orchestrator URL plus the suffix identity/Saml2/Acs. For example, https://OrchestratorURL/identity/Saml2/Acs.
- In the Configure Identifiers section, in the Relying party trust identifier field, fill in the Orchestrator URL plus the suffix identity. For example, https://OrchestratorURL/identity.
Save the changes.
After ADFS is configured, open PowerShell as an administrator and run the following commands:
```
Set-ADFSRelyingPartyTrust -TargetName "https://OrchestratorURL/identity" -SamlResponseSignature MessageAndAssertion
Restart-Service ADFSSRVSet-ADFSRelyingPartyTrust -TargetName "https://OrchestratorURL/identity" -SamlResponseSignature MessageAndAssertion
Restart-Service ADFSSRV
```
Restart the IIS server.

Google

If you've previously configured Google to recognize a new Orchestrator instance, then you need to perform these steps:

Open the Google administration console and modify your existing service's details as follows:
- In the Service Provider window, in the ACS URL field, fill in the Orchestrator URL plus the suffix identity/Saml2/Acs. For example, https://OrchestratorURL/identity/Saml2/Acs.
- In the same window, in the Entity ID field, fill in the Orchestrator URL plus the suffix identity. For example, https://OrchestratorURL/identity.
Save the changes.
Restart the IIS server.

Okta

If you've previously configured Okta to recognize a new Orchestrator instance, then you need to perform these steps:

Log in to Okta and locate your existing application.
Modify the details in the SAML Settings window, in the General section, as follows:
- In the Single sign on URL field, fill in the Orchestrator URL plus the suffix /identity/Saml2/Acs. For example, https://OrchestratorURL/identity/Saml2/Acs.
- If not already, enable the Use this for Recipient URL and Destination URL. This overwrites the Recipient URL and Destination URL fields with the value entered for Single Sign On URL, which in this example is https://OrchestratorURL/identity/Saml2/Acs.
- In the Audience URI field, fill in the Orchestrator URL plus the suffix /identity. For example, https://OrchestratorURL/identity.
Save the changes.
Restart the IIS server.

On this page

Manual Configuration After an Orchestrator Upgrade
Upgrading From Versions Prior to 2020.4
Google OpenID Connect Authentication
Windows Authentication
Azure AD Authentication
SAML2 Authentication

Was this page helpful?

PREVIOUSHost Authentication Settings

NEXTHost Audit Logs

Support and Services

Get The Help You Need

UiPath Academy

Learning RPA - Automation Courses

UiPath Forum

UiPath Community Forum

Trust and Security

Cookies Policy