UiPath provides multiple robot authentication methods, ranging from expiring token authentication to authentication with tokens that never expire. Through robot authentication, Orchestrator verifies the identity of the UiPath Robot that needs to access Orchestrator resources. Validating that identity determines a trust relationship for further interactions.
Always review the available authentication methods before connecting your robots to Orchestrator. Where possible, choose the recommended method that provides the highest level of security.
There are two methods for attended robot authentication: interactive user sign-in and a hybrid option allowing for both user sign-in and machine key connections.
This option only allows for robot connections with tokens that expire. Users can authenticate their robots only by signing-in with their credentials in the Assistant.
Note: User sign in is required to run attended robots, make Orchestrator HTTP requests, or view processes in the Assistant. When using interactive sing-in, there is no need to create machine objects in Orchestrator.
This authentication method requires recompiling the workflows that use Orchestrator activities or make direct HTTP calls to the Orchestrator API utilizing v2020.10 activity packages or higher.
There is a chance job execution will fail if at least one of below dependencies are used in an automation project:
- UiPath.System.Activities < 20.10.0
- UiPath.Persistence.Activities < 1.1.7
- UiPath.DataService.Activities < 20.10.0
- UiPath.Testing.Activities < 1.2.0
Use the Project Dependencies Mass Update Tool in Studio to update process dependencies to versions greater than or equal to those provided above. Test before deploying in production.
This option allows for both connections with tokens that don't expire (machine key) and connections with tokens that expire (interactive sign-in or client credentials). Users have the option to sign-in with their credentials to authenticate their robots, which in turn allows them to connect Studio and the Assistant to Orchestrator, however it is not mandatory.
Interactive Sign-in SSO (Recommended)
Sign in option in the Assistant
Requires workflow recompiling
Requires machine object
Supported in classic folders
There are two methods for unattended robot authentication: client credentials and a hybrid option allowing for both client credentials and machine key connections.
In unattended automation, the host machine is connected and licensed in unattended mode so the designated way to execute processes is Orchestrator. If you want to use the machine in attended mode (opening the Assistant) when Interactive Sign-In is enforced, you need to sign in, otherwise you cannot see the processes in the Assistant, and the robot appears as "Connected, Unlicensed".
This option only allows for connections with tokens that expire. It uses the OAuth 2.0 framework as the basis for the authentication protocol, meaning unattended robots can connect to Orchestrator with a client ID - client secret pair generated via machine template objects. The client ID - client secret pair generates a token that authorizes the connection between the robot and Orchestrator and provides the robot with access to Orchestrator resources.
The admin has the option to revoke access at any time by deleting the secret employed on that machine.
See more on client credentials.
This option allows for both connections with tokens that don't expire (machine key) and connections with tokens that expire (client credentials).
To choose the robot authentication method, follow the next steps:
- Go to Tenant > Settings. The Settings page is displayed.
- Go to the Robot security tab. The Robot security page is displayed.
- On the Robot authentication section, choose the authentication mechanism.
- Click Save. Your settings are updated.
Updated 6 months ago