orchestrator

2020.10

false

Getting started
- Introduction
- Logging in to Orchestrator
- Resetting Your Password
- Robots
  - Robot Statuses
  - Robot Settings
- Activities Feeds
Best practices
- Organization Modeling in Orchestrator
- Managing Large Deployments
- Automation Best Practices
Tenant
- About the Tenant Context
- Robots
- Folders
- About Users
- Roles
  - Default Roles
  - Managing Roles
- Machines
  - Managing Machines
- Packages
- Audit
- Credential Stores
- Webhooks
  - Types of Events
  - Managing Webhooks
- About Licensing
  - Activating Your License
  - Managing Your Licenses
- Alerts
  - Alert Emails
  - Setting Up Alert Emails
- Settings
Actions
- About Actions
- Managing Actions
Folders Context
- About the Folders Context
- Home
  - Overview
Automations
- About Automations
Processes
- About Processes
- Managing Processes
- About Recording
Jobs
- About Jobs
- Managing Jobs
- Job States
Triggers
- About Triggers
- Managing Triggers
- Using Cron Expressions
Logs
- About Logs
- Managing Logs in Orchestrator
- Logging Levels
- Orchestrator Logs
- Protecting Sensitive Information in Studio
Monitoring
- About Monitoring
- Machines
- Processes
- Queues
- Queues SLA
Queues
- About Queues and Transactions
- Managing Queues in Orchestrator
- Managing Queues in Studio
- Managing Transactions
  - Editing Transactions
  - Field Descriptions for the Transactions .csv File
- Review Requests
Assets
- About Assets
- Managing Assets in Orchestrator
- Managing Assets in Studio
Storage Buckets
- About Storage Buckets
  - CORS/CSP Configuration
- Managing Storage Buckets
- Moving Bucket Data Between Storage Providers
Test Suite - Orchestrator
- Test Cases
  - Field Descriptions for the Test Cases Page
- Test Sets
  - Field Descriptions for the Test Sets Page
- Test Executions
  - Field Descriptions for the Test Executions Page
- Test Schedules
  - Field Descriptions for the Test Schedules Page
- Test Data Queues
Action Catalogs
- About Action Catalogs
- Managing Action Catalogs
Profile
- About the Profile Page
- Managing Profile Settings
System Administrator
- About System Administrators
- Managing Tenants
- Field Descriptions for the Host Settings Page
- Maintenance Mode
Identity Server
- About Identity Server
- Identity Management Portal
- External Identity Providers
  - Field Descriptions for External Providers Page
- Installation Access Token
Authentication
- Configuring the Active Directory Integration
- Configuring SSO: SAML 2.0
- Configuring SSO: Google
- Configuring SSO: Azure Active Directory
- SmartCard Authentication
- Setting Up Auto Login for Users Under an Active Directory Group
- Configuring the SMTP Server
- Changing the Windows Authentication Protocol
Other Configurations
- Increasing the Size Limit of Package Files
- Opting Out of Telemetry
- Setting up Encryption Key Per Tenant
- GZIP Compression
Integrations
- About Input and Output Arguments
  - Example of Using Input and Output Arguments
Classic Robots
- Robots
- Environments
  - Managing Environments
- Jobs
- Triggers
- Monitoring
  - Robots
- Resources
Troubleshooting
- IE 11.0.9600.17031 Issues
- Frequently Encountered Orchestrator Errors
- Cron Expressions
- Upgrade Issues

OUT OF SUPPORT

Orchestrator User Guide

DELIVERY:

Automation Cloud Automation Cloud Public Sector Automation Suite Standalone

Last updated Dec 12, 2023

External Identity Providers

Identity Server acts as a federation gateway for a series of external identity providers (Google, Windows, Azure AD, SAML2), and it allows you to configure their settings on its External Identity Providers page. Orchestrator's web.config and UiPath.Orchestrator.dll.config files don't need to be changed to perform external identity provider configurations. Note that users are created within Identity Server's database.

If you are updating Orchestrator to v2020 and you've previously enabled any external identity provider authentication, there are a series of manual configurations to be performed at the external identity provider level. Previously created users are propagated to the Identity Server database.

Important: Restart the IIS server after performing any configuration changes within Identity Server.

Managing External Identity Providers Settings

Note: The URLs are case-sensitive. For simplicity, we recommend the use of lower cases whenever possible.

Google OpenID Connect

This section empowers you to set the parameters that allow Orchestrator/Identity Server to use Google OpenID Connect authentication.

Here's an example of such a setup:

Before performing any settings in this page, make sure that you've configured Google to recognize your Orchestrator instance.

Follow the steps here to instruct Identity Server to use Google OpenID Connect authentication.

Windows

This section empowers you to set the parameters that allow Orchestrator/Identity Server to use Windows authentication.

Here's an example of such a setup:

Follow the instructions on this page to enable Windows authentication.

Azure AD

This section empowers you to set the parameters that allow Orchestrator/Identity Server to use Azure AD authentication.

Here's an example of such a setup:

Before performing any settings in this page, make sure that you've configured Azure AD to recognize your Orchestrator instance.

Follow the steps here to instruct Identity Server to use Azure AD authentication.

SAML

This section empowers you to set the parameters that allow Orchestrator/Identity Server to use single sign-on authentication using SAML 2.0.

You can find examples of such setups for the following external identity providers:

ADFS Authentication Using SAML 2.0

Before performing any settings in this page, make sure that you've configured ADFS to recognize your Orchestrator instance.

Follow the steps here to instruct Identity Server to use ADFS authentication.

Google Authentication Using SAML 2.0

Before performing any settings on this page, make sure that you've configured Google to recognize your Orchestrator instance.

Follow the steps here to instruct Identity Server to use Google SAML 2.0 authentication.

OKTA Authentication Using SAML 2.0

Before performing any settings on this page, make sure that you've configured OKTA to recognize your Orchestrator instance.

Follow the steps here to instruct Identity Server to use OKTA authentication.

Manual Configurations on Orchestrator Update

Upon updating to v2020.4+, any external identity provider authentication enabled in Orchestrator is automatically migrated from web.config into Identity Server, along with all the existing users. However, some manual changes are required on your part; otherwise, the authentication will not work.

Here are the general actions you need to perform:

Go to the actual external provider's location.
Modify the Return URL by adding /identity after your Orchestrator URL.
Save the changes.

Read on for guidance on the actions needed for specific external identity providers.

Important: Replace all occurrences of https://cloud.uipath.com with the URL of your Orchestrator instance.

Google OpenID Connect Authentication

If you've previously configured Google to recognize a new Orchestrator instance, then you need to perform these steps:

Access Google APIs and search for your previously created project.
In the Credentials page, select your previously created OAuth 2.0 Client.
In the Client ID for Web application page, edit the Authorized redirect URIs value by adding the suffix /identity after your Orchestrator URL. For example, https://cloud.uipath.com/identity/google-signin.
Click Save to save the changes.

Windows Authentication

If you've previously enabled Windows authentication, then no further manual actions are required on your part.

Azure AD Authentication

If you've previously configured Azure AD to recognize a new Orchestrator instance, then you need to perform these steps:

Access Microsoft Azure App Registrations page and select your previously registered app.
In the selected app's page, select Redirect URIs.
In the selected app's Authentication page, modify the Redirect URL by adding /identity/azure-sign-in-oidc to your Orchestrator URL.
Save the changes.
Restart the IIS server.

SAML2 Authentication

ADFS

If you've previously configured ADFS to recognize a new Orchestrator instance, then you need to perform these steps:

Open ADFS Management and modify your existing relying party trust for Orchestrator as follows:
- In the Configure URL section, select the Enable support for the SAML 2.0 Web SSO Protocol and fill in the URL of the Orchestrator instance plus the suffix identity/Saml2/Acs in the Relying party SAML 2.0 SSO service URL field. For example, https://cloud.uipath.com/identity/Saml2/Acs.
- In the Configure Identifiers section, fill in the URL of the Orchestrator instance plus the suffix identity in the Relying party trust identifier field. For example, https://cloud.uipath.com/identity.
Save the changes.
Once ADFS is configured, open PowerShell as an administrator and run the following commands:
- Set-ADFSRelyingPartyTrust -TargetName "https://cloud.uipath.com/identity" -SamlResponseSignature MessageAndAssertion (Replace https://cloud.uipath.com with the URL of your Orchestrator instance)
- Restart-Service ADFSSRV.
Restart the IIS server.

Google

If you've previously configured Google to recognize a new Orchestrator instance, then you need to perform these steps:

Open Google Admin console and modify your existing service's details as follows:
- In the Service Provider window, fill in the URL of the Orchestrator instance plus the suffix identity/Saml2/Acs in the ACS URL field. For example, https://cloud.uipath.com/identity/Saml2/Acs.
- In the same window, fill in the URL of the Orchestrator instance plus the suffix identity in the Entity ID field. For example, https://cloud.uipath.com/identity.
Save the changes.
Restart the IIS server.

OKTA

If you've previously configured OKTA to recognize a new Orchestrator instance, then you need to perform these steps:

Login to OKTA, locate your existing application and modify the details on the SAML Settings window, in the General section, as follows:
- In the Single sign on URL field, fill in the URL of the Orchestrator instance plus the suffix /identity/Saml2/Acs. For example, https://cloud.uipath.com/identity/Saml2/Acs.
- Enable the Use this for Recipient URL and Destination URL check box, if it wasn't previously enabled. This will overwrite the Recipient URL and Destination URL fields with the value entered for Single Sign On URL, which in this example is https://cloud.uipath.com/identity/Saml2/Acs.
- In the Audience URI field, fill in the URL of the Orchestrator instance plus the suffix /identity. For example, https://cloud.uipath.com/identity.
Save the changes.
Restart the IIS server.

On this page

Managing External Identity Providers Settings
Google OpenID Connect
Windows
Azure AD
SAML
Manual Configurations on Orchestrator Update
Google OpenID Connect Authentication
Windows Authentication
Azure AD Authentication
SAML2 Authentication

Was this page helpful?

PREVIOUSIdentity Management Portal

NEXTField Descriptions for External Providers Page

Support and Services

Get The Help You Need

UiPath Academy

Learning RPA - Automation Courses

UiPath Forum

UiPath Community Forum

Trust and Security

Cookies Policy