- Getting Started
- Requirements
- Best Practices
- Installation
- Updating
- Identity Server
- Troubleshooting startup errors
Orchestrator Installation Guide
Identity Server Scripts
Publish-IdentityServer.ps1
.
Parameter |
Description |
---|---|
|
Mandatory. Indicates the type of scenario you want to start. The following options are available:
|
|
Mandatory. The Azure service principal ID. Please note that the used service principal needs to be assigned the Contributor role to the app service at the subscription scope. |
|
Mandatory. The Azure token password for the service principal ID. |
|
Mandatory. The Azure subscription ID for the App Service that hosts Orchestrator. |
|
Mandatory. The Azure tenant ID. |
|
Mandatory. The URL of the Orchestrator instance. |
|
Mandatory. The URL of Identity Server. Important: The URL must contain the Identity Server address + the suffix
/identity in lowercase. Example: https://[identity_server]/identity |
|
This parameter is a hash table that contains the following values:
|
|
This parameter is a hash table that contains the following values:
|
|
Mandatory. Indicate the full path or relative path of the
UiPath.IdentityServer.Web.zip archive.
|
|
Mandatory. Indicate the full path or relative path of the
UiPath.IdentityServer.Migrator.Cli.zip archive.
|
|
Optional. It can be used only if the Identity Server App Service deployment slot is different from the default Production App Service Slot set by Azure. |
|
Optional. If present, it stops the application before deployment and it starts it after the deployment is completed. |
|
Optional. If present, the deployment continues without any user confirmation. |
|
Optional. Enables the specification of a directory where needed files are downloaded and unzipped. |
-azureUSGovernmentLogin | Optional. This parameter is only used for US Government deployments. |
Publish-IdentityServer.ps1
script is used for the initial deployment or update of Identity Server. The script assumes that the web app already has the
DefaultConnection
database connection string configured.
.\Publish-IdentityServer.ps1 `
-action Deploy `
-orchestratorUrl "<orchestrator_address>" `
-identityServerUrl "https://<identity_server_URL>/identity" ` // must be in lowercase
-orchDetails @{ resourceGroupName = "<resourcegroup_name>"; appServiceName = "<appservice_name>"; targetSlot = "Production" } `
-identityServerDetails @{ resourceGroupName = "<resourcegroup_name>"; appServiceName = "<appservice_name>"; targetSlot = "Production" } `
-azureSubscriptionId "<subscription_id>" `
-azureAccountTenantId "<azure_tenant_id>" `
-azureAccountApplicationId "<azure_application_id>" `
-azureAccountPassword "<azure_account_password>" `
-package "UiPath.IdentityServer.Web.zip" `
-cliPackage "UiPath.IdentityServer.Migrator.Cli.zip" `
-stopApplicationBeforePublish `
-unattended
.\Publish-IdentityServer.ps1 `
-action Deploy `
-orchestratorUrl "<orchestrator_address>" `
-identityServerUrl "https://<identity_server_URL>/identity" ` // must be in lowercase
-orchDetails @{ resourceGroupName = "<resourcegroup_name>"; appServiceName = "<appservice_name>"; targetSlot = "Production" } `
-identityServerDetails @{ resourceGroupName = "<resourcegroup_name>"; appServiceName = "<appservice_name>"; targetSlot = "Production" } `
-azureSubscriptionId "<subscription_id>" `
-azureAccountTenantId "<azure_tenant_id>" `
-azureAccountApplicationId "<azure_application_id>" `
-azureAccountPassword "<azure_account_password>" `
-package "UiPath.IdentityServer.Web.zip" `
-cliPackage "UiPath.IdentityServer.Migrator.Cli.zip" `
-stopApplicationBeforePublish `
-unattended
After publishing Identity Server, perform the following steps:
- Go to Azure Portal.
- Select your Identity Server App Service.
- In the Certificates menu, go to Bring your own certificates.
-
Upload a private key certificate
.pfx
file with a valid password.Note: This certificate is used to sign the access tokens and the ID tokens. -
Under Configuration menu, add the following application settings exactly as written in the Application Settings column:
Application Setting
Value
Description
AppSettings__IdentityServerAddress
https://[identity_server]/identity
The public URL of the Identity Server.
Important: The URL must contain the address of Identity Server + the suffix/identity
in lowercase.AppSettings__SigningCredentialSettings__StoreLocation__Location
CurrentUser
This has to point to CurrentUser.
AppSettings__SigningCredentialSettings__StoreLocation__Name
XXXXXXXXXXXXXXXXXXXXXXXXXXXX
The thumbprint of your certificate that you've uploaded earlier.
AppSettings__SigningCredentialSettings__StoreLocation__NameType
Thumbprint
EnterThumbprint
as the type of the previous field.AppSettings__LoadBalancerSettings__UseRedis
true
/false
Entertrue
to use Redis as a database to distribute messages and cache to and from all the machines connected through your load balancer. Mandatory for multi-node.AppSettings__LoadBalancerSettings__RedisConnectionString
XXXXXXXXXXXX:XXXX,password=XXXXXX
The connection string needed to set up your Redis server, which contains the URL of the server, the password, and the port. You can also enable SSL encrypted connections between the Orchestrator nodes and the Redis service.
Note: Can only be used ifAppSettings__LoadBalancerSettings__UseRedis
is set to true.AppSettings__LoadBalancerSettings__SlidingExpirationTimeInSeconds
Number of seconds
The sliding expiration time of an item inside the cache. This expiration time applies to both Redis Cache and InMemory Cache.
AppSettings__UseRedisStoreCache
true
/false
Set its value totrue
to enable Redis caching of OAuth client data. This helps prevent performance issues when using Interactive Sign In to connect a large number of robots in a short amount of time. This cache uses the same Redis connection string specified in theAppSettings__LoadBalancerSettings
.Note: This is not recommended if you are using the External Applications feature since this setting caches clients, and updates to External Applications will not be reflected.App__Saml2ValidCertificateOnly
true/false
For Orchestrator deployments via an Azure web app, this parameter must be set tofalse
. This is because SAML2 requires certificates to be added to its trust store, but Azure web apps do not allow this action. Setting the value tofalse
means that the certificate check is bypassed.WEBSITE_LOAD_CERTIFICATES
XXXXXXXXXXXXXXXXXXXXXXXXXXXX
The thumbprint value of your certificate that you've uploaded earlier.
WEBSITE_LOAD_USER_PROFILE
1
The user profile.
- Save the changes.
Find more details in the Microsoft Azure documentation.
- Replace the values of the
AppSettings__SigningCredentialSettings__StoreLocation__Name
andWEBSITE_LOAD_CERTIFICATES
parameters with the thumbprint of the new certificate. - Restart the Identity app service.
- Restart the Orchestrator app service.
MigrateTo-IdentityServer.ps1
.
Parameter |
Description |
---|---|
|
This parameter is a hash table that contains the following values:
|
|
This parameter is a hash table that contains the following values:
|
|
This parameter is a hash table that contains the following values:
|
|
Mandatory. The public address of the Identity Server. Important: The URL must contain the address of Identity Server + the suffix
/identity in lowercase. Example:
|
|
Mandatory. The public address of the Orchestrator. |
|
Optional. Enables the specification of a directory where needed files are downloaded and unzipped. |
|
Mandatory only for fresh deployments, when
-action is set to Deploy . Specify a custom password for the host administrator. Please note that passwords have to be least 8 characters long, and
must have at least one lowercase character and at least one digit.
|
|
Optional. Enables you to enforce a password reset on the first login for the host administrator. If this parameter is omitted, the host admin password is not a one-time password. |
|
Mandatory only for fresh deployments, when
-action is set to Deploy . Specify a custom password for the default tenant administrator. Please note that passwords have to be least 8 characters
long, and must have at least one lowercase character and at least one digit.
|
|
Optional. Enables you to enforce a password reset on the first login for the default tenant administrator. If this parameter is omitted, the tenant admin password is not a one-time password. |
MigrateTo-IdentityServer.ps1
script is used to migrate user data from Orchestrator to Identity Server and set the configurations for both. It sets the
identity authority of Orchestrator to Identity Server, and it creates client configuration for Orchestrator in Identity Server.
The script assumes that Orchestrator and Identity Server are already published.
.\MigrateTo-IdentityServer.ps1 `
-cliPackage "UiPath.IdentityServer.Migrator.Cli.zip" `
-azureDetails @{azureSubscriptionId = "<subscription_id>"; azureAccountTenantId = "<azure_tenant_id>"; azureAccountApplicationId = "<azure_application_id>"; azureAccountPassword = "<azure_account_password>" } `
-orchDetails @{ resourceGroupName = "<resourcegroup_name>"; appServiceName = "<appservice_name>"; targetSlot = "Production" } `
-identityServerDetails @{ resourceGroupName = "<resourcegroup_name>"; appServiceName = "<appservice_name>"; targetSlot = "Production" } `
-identityServerUrl "https://<identity_server_URL>/identity" ` // must be in lowercase
-orchestratorUrl "https://<OrchestratorURL>" `
-hostAdminPassword "12345qwert" `
-defaultTenantAdminPassword "12345qwert"
.\MigrateTo-IdentityServer.ps1 `
-cliPackage "UiPath.IdentityServer.Migrator.Cli.zip" `
-azureDetails @{azureSubscriptionId = "<subscription_id>"; azureAccountTenantId = "<azure_tenant_id>"; azureAccountApplicationId = "<azure_application_id>"; azureAccountPassword = "<azure_account_password>" } `
-orchDetails @{ resourceGroupName = "<resourcegroup_name>"; appServiceName = "<appservice_name>"; targetSlot = "Production" } `
-identityServerDetails @{ resourceGroupName = "<resourcegroup_name>"; appServiceName = "<appservice_name>"; targetSlot = "Production" } `
-identityServerUrl "https://<identity_server_URL>/identity" ` // must be in lowercase
-orchestratorUrl "https://<OrchestratorURL>" `
-hostAdminPassword "12345qwert" `
-defaultTenantAdminPassword "12345qwert"