- Getting started
- Best practices
- Tenant
- About the Tenant Context
- Searching for Resources in a Tenant
- Managing Robots
- Connecting Robots to Orchestrator
- Storing Robot Credentials in CyberArk
- Storing Unattended Robot Passwords in Azure Key Vault (read-only)
- Storing Unattended Robot Credentials in HashiCorp Vault (read-only)
- Deleting Disconnected and Unresponsive Unattended Sessions
- Robot Authentication
- Robot Authentication With Client Credentials
- SmartCard Authentication
- Audit
- Resource Catalog Service
- Folders Context
- Automations
- Processes
- Jobs
- Triggers
- Logs
- Monitoring
- Queues
- Assets
- Storage Buckets
- Test Suite - Orchestrator
- Other Configurations
- Integrations
- Classic Robots
- Host administration
- Organization administration
- Troubleshooting
Orchestrator User Guide
Allowing or restricting basic authentication
Basic authentication refers to signing in with the username and password of a local account.
If basic authentication is restricted, your users can only log in with their directory account, as defined in the external identity provider. Otherwise, users can log in with both their local accounts, if any, and their directory accounts.
This option can be configured:
-
At the host level: When set at the host level, the setting applies to all organizations and all their accounts, except if the basic authentication setting at the organization or account level was not explicitly set differently.
-
For system administrator accounts: Even when all organizations are restricted from using basic authentication, you can allow system administrators only to bypass this restriction.
-
At the organization level: If set at the organization level, the organization-level setting overrides the host-level setting for only that organization. The setting for an organization applies to all accounts that belong to that organization, except accounts for which basic authentication is set differently at the account level.
-
At the account level: If set at the account level, the account-level setting overrides the host-level and organization-level basic authentication setting for only that account.
When set at the host level, the setting applies to all organizations and all their accounts. Set it according to the preference or recommendation across your company.
For exceptions, basic authentication can also be set at the organization or account level where you want this setting to apply differently.
To allow or restrict basic authentication for all organizations and all accounts, follow the instructions that apply to your user interface settings.
- Log in to the host portal as a system administrator.
- Select Security. The Security Settings window opens.
- Select the Basic sign-in toggle to change if basic authentication is allowed or not.
- Turn on (right toggle position, blue toggle) to allow basic authentication for all users, host administrators included. The Allow basic authentication for the host administrators checkbox is not editable.
- Turn off (left toggle position, gray toggle) to restrict basic authentication for all users. While basic authentication is restricted, the Allow basic authentication for the host administrators checkbox is editable, allowing you to configure basic authentication settings only for host administrators.
- When basic authentication is disabled, select the Allow basic authentication for the host administrators checkbox to allow basic authentication only for system administrators. Even when basic authentication is not allowed through the configuration of an external provider, as an exception, it is allowed for system administrator accounts only.
- When basic authentication is disabled, clear the Allow basic authentication for the host administrators checkbox to also restrict basic authentication for system administrators.
- Select Save to apply your changes or Cancel to revert to the original settings.
When basic sign-in (basic authentication) is disabled, it is possible to get locked out if you lose access to your directory account.
https://<FQDN>/host/orchestrator_/account/hostlogin
and log in using your basic authentication credentials.
Field |
Description |
---|---|
Special characters |
Select to force users to include at least one special character in their password. By default, this checkbox is not selected. |
Lowercase characters |
Select to force users to include at least one lowercase character in their password. By default, this checkbox is selected. |
Uppercase characters |
Select to force users to include at least one uppercase character in their password. By default, this checkbox is not selected. |
Digits |
Select to force users to include at least one digit in their password. By default, this checkbox is selected. |
Minimum password length |
Specify the minimum number of characters a password should contain. By default, it is 8. The length cannot be smaller than 1 or greater than 256 characters. |
Days before password expiration |
Specify the number of days for which the password is available. After this period, the password expires and needs to be changed. The minimum accepted value is 0 (the password never expires), and the maximum is 1000 days. |
Number of times a password can be reused |
The minimum accepted value is 0 (never allow reusing a password), while the maximum is 10. |
Change password on the first login |
If set to Required, users that log in for the first time must change their password before being allowed to access Automation Suite. If set to Not required, users can log in and continue to use the admin-defined password until it expires. |
Field |
Description |
---|---|
Enabled or Disabled toggle |
If enabled, locks the account for a specific amount of seconds after a specific amount of failed login attempts. This also applies to the password change feature. |
Account lockout duration |
The number of seconds a user needs to wait before being allowed to log in again after exceeding the Consecutive login attempts before lockout. The default value is 5 minutes. The minimum accepted value is 0 (no lockout duration), and the maximum is 2592000 (1 month). |
Consecutive login attempts before lockout |
The number of failed login attempts allowed before the account is locked. The default value is 10 attempts. You can set a value between 2 and 10. |