Configuring SSO: SAML 2.0
Orchestrator supports single sign-on (SSO) authentication based on SAML 2.0. To enable it, both Orchestrator/Identity Server (acting as the Service Provider) and an Identity Provider must be configured so that they can communicate with each other. If SAML is enabled and correctly configured, a button is displayed at the bottom of the Login page. If the external identity provider enforces multi-factor authentication, the user must also satisfy its requirements in order to log in successfully.
To enable SAML authentication, the high-level process is as follows:
- Define a user in Orchestrator and have a valid email address set on the Users page. This applies when the email address is the SAML attribute used to identify the user; a custom mapping strategy can be configured instead.
- Import the signing certificate provided by the Identity Provider into the Windows certificate store using Microsoft Management Console, and set Orchestrator/Identity Server to use it accordingly.
- Add the configuration specific to the identity provider you want to use in the Saml2 settings (Users > Authentication Settings > External Providers), making sure the Enabled checkbox is selected. Follow the instructions for the identity provider you use:
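The certificate step above is described for Microsoft Management Console. The following is an added example, not a UiPath script, that does the same import from PowerShell and adds the checks an administrator would want before pointing Identity Server at the certificate: that the file really is the IdP's public signing certificate (no private key), that it has not expired, and that the thumbprint now present in the store matches the file that was inspected. The file path and the `Cert:\LocalMachine\My` store are assumptions; use the store your Orchestrator/Identity Server configuration references.

```powershell
# Added example (not UiPath's own script): import the IdP signing certificate
# into the Windows certificate store from PowerShell instead of MMC, then
# verify what was imported before configuring Orchestrator/Identity Server to use it.
# $CertPath and $StorePath are assumed placeholders; adjust to your environment.

$CertPath  = 'C:\temp\idp-signing.cer'   # public signing cert exported from the IdP (assumed path)
$StorePath = 'Cert:\LocalMachine\My'     # assumed store; must match what Identity Server is configured to read

# The IdP signing certificate is public key material only. A .pfx (which
# carries a private key) is the wrong artifact for this step.
if ($CertPath -match '\.pfx$') {
    throw 'Expected the IdP public signing certificate (.cer/.crt), not a .pfx'
}

# Inspect the file before importing so a mis-exported certificate is caught early.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
if ($cert.HasPrivateKey) {
    throw 'Certificate file unexpectedly contains a private key'
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "IdP signing certificate expired on $($cert.NotAfter)"
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "IdP signing certificate expires on $($cert.NotAfter); plan the rotation now"
}

# Import into the machine-wide store so the service account running
# Orchestrator/Identity Server can read it regardless of who ran this script.
Import-Certificate -FilePath $CertPath -CertStoreLocation $StorePath | Out-Null

# Verify by thumbprint that the store now holds exactly the certificate that
# was inspected, and emit the details needed for the Identity Server settings.
$found = Get-ChildItem -Path $StorePath | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $found) {
    throw 'Import did not produce a matching certificate in the store'
}

[pscustomobject]@{
    Subject    = $found.Subject
    Issuer     = $found.Issuer
    Thumbprint = $found.Thumbprint
    NotAfter   = $found.NotAfter
    Store      = $StorePath
}
```

Run it from an elevated PowerShell session, since writing to `Cert:\LocalMachine` requires administrator rights. The thumbprint it prints is the value to carry into the Identity Server configuration; the expiry warning is worth keeping because an expired IdP signing certificate silently breaks SAML logins until the new certificate is imported.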