These instructions only apply if you have a standalone installation of Orchestrator. If you are using Orchestrator in Automation Suite, follow the Automation Suite instructions instead.
Host-level versus organization-level integration
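If you enable the Azure AD integration at the host level, as described on this page, you cannot enable it at the organization/tenant level.
The integration at the host level only enables SSO. If enabled at the organization/tenant level, the integration allows for SSO and also for directory search and automatic user provisioning.
To set up the Azure AD integration, you need:
- administrator permissions in both Orchestrator and Azure AD (if you do not have administrator permissions in Azure, work with an Azure administrator to complete the setup process);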
- the UiPath organization administrator should have an Azure AD account that has the same email address as their UiPath account; the Azure AD account does not require admin permissions in Azure;
- your users need to use UiPath Studio and Assistant version 2020.10.3 or later;
- UiPath Studio and Assistant should be set up to use the recommended deployment.
- if you previously used local user accounts, make sure that all your Azure AD users have the email address in the Mail field; having the email address in the User Principal Name (UPN) field alone is not enough. The Azure AD integration links directory user accounts with the local user accounts if the email addresses match. This allows users to retain permissions when they transition from signing in with their local user account to the Azure AD directory user account.
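The Mail-field prerequisite above can be checked before users switch to directory sign-in. The following is an added example, not UiPath or Microsoft code: `classify_linking` and the sample records are hypothetical, the field names `userPrincipalName` and `mail` follow the Microsoft Graph user resource, and case-insensitive comparison of addresses is an assumption.

```python
# Added example: pre-migration check for the Mail-field prerequisite.
# All sample data below is constructed for illustration.

def classify_linking(directory_users, local_emails):
    """Sort directory users by whether they would link to a local account.

    Assumption: addresses are compared case-insensitively after trimming;
    the page only states that the email addresses must match.
    """
    local = {e.strip().lower() for e in local_emails if e and e.strip()}
    report = {"will_link": [], "mail_empty": [], "no_local_match": []}
    for user in directory_users:
        upn = user.get("userPrincipalName", "")
        mail = (user.get("mail") or "").strip().lower()
        if not mail:
            # An address in the UPN alone is not enough, even when it
            # equals a local account's address.
            report["mail_empty"].append(upn)
        elif mail in local:
            report["will_link"].append(upn)
        else:
            # Mail is set but differs from every local account address,
            # so existing permissions would not carry over.
            report["no_local_match"].append(upn)
    return report


# Constructed export of Azure AD users
SAMPLE_DIRECTORY = [
    {"userPrincipalName": "alice@contoso.example", "mail": "Alice@contoso.example"},
    {"userPrincipalName": "bob@contoso.example", "mail": None},
    {"userPrincipalName": "carol@contoso.example", "mail": "carol.smith@contoso.example"},
    {"userPrincipalName": "dave@contoso.example", "mail": "dave@contoso.example"},
]
# Constructed list of local Orchestrator account addresses
SAMPLE_LOCAL = ["alice@contoso.example", "bob@contoso.example", "carol@contoso.example"]

if __name__ == "__main__":
    for bucket, upns in classify_linking(SAMPLE_DIRECTORY, SAMPLE_LOCAL).items():
        print(f"{bucket}: {', '.join(upns) or '-'}")
```

Accounts reported under `mail_empty` or `no_local_match` need their Mail field corrected in Azure AD before the transition if they are to keep their existing permissions.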
The steps below are a broad description of a sample configuration. For more detailed instructions, see the Microsoft documentation for configuring Azure AD as an authentication provider.
- Log in to the Azure portal as an administrator.
- Go to App Registrations, and click New Registration.
- In the Register an application page, fill in the Name field with a name for your Orchestrator instance.
- In the Supported account types section, select Accounts in this organizational directory only.
- Set the Redirect URI by selecting Web from the drop-down list and filling in the URL of your Orchestrator instance, plus the suffix
/identity/azure-signin-oidc. For example,
- At the bottom, select the ID tokens checkbox.
- Click Register to create the app registration for Orchestrator.
- Save the Application (Client) ID to use it later.
- Log in to the Management portal as a system administrator.
- Click Security.
If you are still using the old Admin experience, go to Users instead of Security.
- Click Configure under Azure AD SSO.
- If you want to only allow logging in to Orchestrator using Azure AD, select the Force automatic login using this provider checkbox.
- Fill in the Display Name field with the label you want to use for the AzureAD button on the Login page.
- In the Client ID field, paste the value of the Application (Client) ID obtained from the Azure portal.
- (Optional) In the Client Secret field, paste the value obtained from the Azure portal.
- Set the Authority parameter to one of the following values:
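https://login.microsoftonline.com/<tenant>, where <tenant> is the tenant ID of the Azure AD tenant or a domain associated with this Azure AD tenant. Used only to sign in users of a specific organization.
https://login.microsoftonline.com/common. Used to sign in users with work and school accounts or personal Microsoft accounts.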
- (Optional) In the Logout URL, paste the value obtained from the Azure portal.
The page closes and you return to the Security Settings page.
- Click the toggle to the left of SAML SSO to enable the integration.
- Restart the IIS site. This is required after making any changes to External Providers.
Now that Orchestrator is integrated with Azure AD Sign-In, user accounts that have a valid Azure AD email address can use the Azure AD SSO option on the Login page to sign in to Orchestrator.
Each administrator must do this for their organization/tenant if they want to allow login with Azure AD SSO.
- Log in to Orchestrator as an administrator.
- Add local user accounts for your users, each with a valid Azure AD email address.