# Identity Server Scripts

## Publish to Identity Server

The following table describes all the parameters that you can use with the `Publish-IdentityServer.ps1` script.

| Parameter | Description |
|---|---|
| `-action` | Mandatory. Indicates the type of scenario you want to start. The following options are available:<br/>`Deploy` - specifies a clean installation.<br/>`Update` - specifies that you are updating your Identity Server instance. |
| `-azureAccountApplicationId` | Mandatory. The Azure service principal ID. Note that the service principal used needs to be assigned the Contributor role to the app service at the subscription scope. |
| `-azureAccountPassword` | Mandatory. The Azure token password for the service principal ID. |
| `-azureSubscriptionId` | Mandatory. The Azure subscription ID for the App Service that hosts Orchestrator. |
| `-azureAccountTenantId` | Mandatory. The Azure tenant ID. |
| `-orchestratorUrl` | Mandatory. The URL of the Orchestrator instance. |
| `-identityServerUrl` | Mandatory. The URL of the Identity Server. Important: The URL must contain the Identity Server address + the suffix `/identity` in lowercase. Example: `https://[identity_server]/identity` |
| `-resourceCatalogUrl` | Mandatory. The URL of the Resource Catalog. |
| `-orchDetails` | This parameter is a hash table that contains the following values:<br/>`resourceGroupName` - Mandatory. The name of the Azure Resource Group that contains the Orchestrator App Service.<br/>`appServiceName` - Mandatory. The Orchestrator Azure App Service name.<br/>`targetSlot` - Mandatory. The Target App Service Slot set by Azure. |
| `-identityServerDetails` | This parameter is a hash table that contains the following values:<br/>`resourceGroupName` - Mandatory. The name of the Azure Resource Group that contains the Identity Server App Service.<br/>`appServiceName` - Mandatory. The Identity Server Azure App Service name.<br/>`targetSlot` - Mandatory. The Target App Service Slot set by Azure. |
| `-package` | Mandatory. The full or relative path of the `UiPath.IdentityServer.Web.zip` archive. |
| `-cliPackage` | Mandatory. The full or relative path of the `UiPath.IdentityServer.Migrator.Cli.zip` archive. |
| `-productionSlotName` | Optional. Use it only if the Identity Server App Service deployment slot is different from the default Production App Service Slot set by Azure. |
| `-stopApplicationBeforePublish` | Optional. If present, the application is stopped before deployment and started again after the deployment is completed. |
| `-unattended` | Optional. If present, the deployment continues without any user confirmation. |
| `-tmpDirectory` | Optional. Specifies a directory where the needed files are downloaded and unzipped. |
| `-noAzureAuthentication` | Optional. Allows you to publish to the Azure App Service by relying on your own user identity, without having to create a service principal. If this parameter is used, the `UseServicePrincipal` parameter set (which includes the Azure application ID, password, subscription ID, and tenant ID) is no longer necessary. |

The `Publish-IdentityServer.ps1` script is used for the initial deployment or update of Identity Server. The script assumes that the web app already has the `DefaultConnection` database connection string configured.

```powershell
.\Publish-IdentityServer.ps1 `
    -action Deploy `
    -orchestratorUrl "<orchestrator_address>" `
    -identityServerUrl "https://<identity_server_url>/identity" <# must be in lowercase #> `
    -resourceCatalogUrl "<resource_catalog_address>" `
    -orchDetails @{ resourceGroupName = "<resourcegroup_name>"; appServiceName = "<appservice_name>"; targetSlot = "Production" } `
    -identityServerDetails @{ resourceGroupName = "<resourcegroup_name>"; appServiceName = "<appservice_name>"; targetSlot = "Production" } `
    -azureSubscriptionId "<subscription_id>" `
    -azureAccountTenantId "<azure_tenant_id>" `
    -azureAccountApplicationId "<azure_application_id>" `
    -azureAccountPassword "<azure_account_password>" `
    -package "UiPath.IdentityServer.Web.zip" `
    -cliPackage "UiPath.IdentityServer.Migrator.Cli.zip" `
    -stopApplicationBeforePublish `
    -unattended
```
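The parameter table above states several rules that the publish script only discovers at run time (the lowercase `/identity` suffix, the three mandatory keys in each hash table, the two `.zip` archives). The following pre-flight check is an added example, not part of the UiPath scripts; the function names and the sample values are this example's own. It validates the values before `Publish-IdentityServer.ps1` is run, so a failed deployment of the identity provider is caught before anything is stopped or redeployed.

```powershell
# Added pre-flight check (not part of the UiPath scripts). Validates the values you are about to
# pass to Publish-IdentityServer.ps1 against the rules in the parameter table:
#  - -identityServerUrl must be HTTPS and end with the lowercase suffix /identity
#  - -orchDetails / -identityServerDetails need resourceGroupName, appServiceName and targetSlot
#  - -package / -cliPackage must point at existing .zip archives
# Function and parameter names are this example's own.

function Test-IdentityServerUrl {
    param([Parameter(Mandatory)][string]$Url)
    $uri = $null
    if (-not [System.Uri]::TryCreate($Url, [System.UriKind]::Absolute, [ref]$uri)) {
        return "'$Url' is not an absolute URL"
    }
    if ($uri.Scheme -ne 'https') { return "'$Url' must use https" }
    # -cne is case-sensitive, so '/Identity' or '/IDENTITY' are rejected as the table requires
    if ($uri.AbsolutePath.TrimEnd('/') -cne '/identity') {
        return "'$Url' must end with the lowercase suffix /identity"
    }
}

function Test-AppServiceDetails {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][hashtable]$Details)
    # Emits one problem line per missing mandatory key; emits nothing when all are present
    foreach ($key in 'resourceGroupName', 'appServiceName', 'targetSlot') {
        if ([string]::IsNullOrWhiteSpace($Details[$key])) { "$Name is missing the mandatory key '$key'" }
    }
}

function Test-PackagePath {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return "$Name '$Path' does not exist" }
    if ([System.IO.Path]::GetExtension($Path) -ne '.zip') { return "$Name '$Path' is not a .zip archive" }
}

function Test-PublishParameters {
    param(
        [Parameter(Mandatory)][string]$IdentityServerUrl,
        [Parameter(Mandatory)][hashtable]$OrchDetails,
        [Parameter(Mandatory)][hashtable]$IdentityServerDetails,
        [Parameter(Mandatory)][string]$Package,
        [Parameter(Mandatory)][string]$CliPackage
    )
    # The array subexpression flattens every problem line the checks emit; empties are dropped
    return @(
        @(
            Test-IdentityServerUrl -Url $IdentityServerUrl
            Test-AppServiceDetails -Name '-orchDetails' -Details $OrchDetails
            Test-AppServiceDetails -Name '-identityServerDetails' -Details $IdentityServerDetails
            Test-PackagePath -Name '-package' -Path $Package
            Test-PackagePath -Name '-cliPackage' -Path $CliPackage
        ) | Where-Object { $_ }
    )
}

# Constructed sample values (replace with your own). As written they fail on purpose: the URL
# suffix is not lowercase and -identityServerDetails has no targetSlot.
$problems = @(Test-PublishParameters `
    -IdentityServerUrl 'https://identity.example.com/Identity' `
    -OrchDetails @{ resourceGroupName = 'rg-uipath'; appServiceName = 'orch-app'; targetSlot = 'Production' } `
    -IdentityServerDetails @{ resourceGroupName = 'rg-uipath'; appServiceName = 'identity-app' } `
    -Package 'UiPath.IdentityServer.Web.zip' `
    -CliPackage 'UiPath.IdentityServer.Migrator.Cli.zip')

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw "Fix the $($problems.Count) problem(s) above before running Publish-IdentityServer.ps1"
}
```

Run the check from the directory that holds the two archives, with the same values you intend to pass to the publish script; once it completes without throwing, the values are ready for the command above.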

:::important
After running the above script, make sure you perform the extra steps listed below for a successful initial deployment.
:::

After publishing Identity Server, perform the following steps:

1. Go to Azure Portal.
2. Select your Identity Server App Service.
3. In the **Certificates** menu, go to **Bring your own certificates**.
4. Upload a private key certificate `.pfx` file with a valid password.
   :::note
   This certificate is used to sign the access tokens and the ID tokens.
   :::
5. Under the **Configuration** menu, add the following application settings **exactly** as written in the **Application Setting** column:

| Application Setting | Value | Description |
|---|---|---|
| `AppSettings__IdentityServerAddress` | `https://[identity_server]/identity` | The public URL of the Identity Server. Important: The URL must contain the address of Identity Server + the suffix `/identity` in lowercase. |
| `AppSettings__SigningCredentialSettings__StoreLocation__Location` | `CurrentUser` | This has to point to `CurrentUser`. |
| `AppSettings__SigningCredentialSettings__StoreLocation__Name` | `XXXXXXXXXXXXXXXXXXXXXXXXXXXX` | The thumbprint of the certificate you uploaded earlier. |
| `AppSettings__SigningCredentialSettings__StoreLocation__NameType` | `Thumbprint` | Enter `Thumbprint` as the type of the previous field. |
| `AppSettings__LoadBalancerSettings__RedisConnectionString` | `XXXXXXXXXXXX:XXXX,password=XXXXXX` | The connection string needed to set up your Redis server, which contains the URL of the server, the password, and the port. You can also enable SSL encrypted connections between the Orchestrator nodes and the Redis service. |
| `AppSettings__LoadBalancerSettings__SlidingExpirationTimeInSeconds` | Number of seconds | The sliding expiration time of an item inside the cache. This expiration time applies to both Redis Cache and InMemory Cache. |
| `AppSettings__RedisSettings__UseRedisStoreCache` | `true` / `false` | Set its value to `true` to enable Redis caching of OAuth client data. This helps prevent performance issues when using Interactive Sign In to connect a large number of robots in a short amount of time. This cache uses the same Redis connection string specified in `AppSettings__LoadBalancerSettings`. Note: This is not recommended if you are using the External Applications feature, since this setting caches clients and updates to External Applications will not be reflected. |
| `AppSettings__RedisSettings__UseRedisStoreClientCache` | `true` / `false` | Set its value to `true` to enable Redis caching for first-party clients (UiPath applications) or third-party clients (external applications). If you have a large-scale deployment, it is recommended to enable this flag. |
| `App__Saml2ValidCertificateOnly` | `true` / `false` | For Orchestrator deployments via an Azure web app, this parameter must be set to `false`. This is because SAML2 requires certificates to be added to its trust store, but Azure web apps do not allow this action. Setting the value to `false` means that the certificate check is bypassed. |
| `WEBSITE_LOAD_CERTIFICATES` | `XXXXXXXXXXXXXXXXXXXXXXXXXXXX` | The thumbprint value of the certificate you uploaded earlier. |
| `WEBSITE_LOAD_USER_PROFILE` | `1` | The user profile. |
| `-azureUSGovernmentLogin` | Optional. This parameter is only used for US Government deployments. | |

6. Save the changes.

Find more details in the [Microsoft Azure documentation](https://docs.microsoft.com/en-us/azure/app-service/configure-ssl-certificate-in-code).

### Replacing the private key certificate

When you replace a private key certificate with a new one, make sure to follow these steps:

1. Replace the values of the `AppSettings__SigningCredentialSettings__StoreLocation__Name` and `WEBSITE_LOAD_CERTIFICATES` parameters with the thumbprint of the new certificate.
2. Restart the Identity app service.
3. Restart the Orchestrator app service.
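The settings table in step 5 and the certificate replacement steps above touch the same two thumbprint values, and getting them out of sync leaves Identity Server unable to sign tokens after a restart. The following script is an added example, not UiPath's code: it builds the application settings from the table, applies them with the Azure CLI, and performs the replacement procedure (new thumbprint in both settings, then restart Identity Server, then Orchestrator) while refusing to switch to a thumbprint the App Service has not had uploaded yet. It assumes the Azure CLI (`az`) is installed and logged in with rights on both app services; the function names, the `ssl=True` Redis option and the sample values are this example's own, and the `.pfx` itself is still uploaded through the portal as in step 4.

```powershell
# Added example, not UiPath's code. Assumes an Azure CLI (az) session that is already logged in.
# Function names and sample values are this example's own.

function New-IdentityServerAppSettings {
    param(
        [Parameter(Mandatory)][string]$IdentityServerUrl,
        [Parameter(Mandatory)][string]$CertThumbprint,
        [Parameter(Mandatory)][string]$RedisConnectionString,
        [Parameter(Mandatory)][int]$SlidingExpirationSeconds,
        [switch]$UseRedisStoreCache,        # table: not recommended together with External Applications
        [switch]$UseRedisStoreClientCache   # table: recommended for large-scale deployments
    )
    # -cnotmatch is case-sensitive: the /identity suffix has to be lowercase
    if ($IdentityServerUrl -cnotmatch '^https://[^/]+/identity/?$') {
        throw "IdentityServerUrl must look like https://<identity_server>/identity (lowercase suffix)"
    }
    # Thumbprints copied from the portal can carry spaces or invisible characters; keep hex only
    $thumb = ($CertThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($thumb.Length -ne 40) { throw "Expected a 40-character SHA-1 thumbprint, got '$CertThumbprint'" }
    return [ordered]@{
        'AppSettings__IdentityServerAddress'                                = $IdentityServerUrl
        'AppSettings__SigningCredentialSettings__StoreLocation__Location'   = 'CurrentUser'
        'AppSettings__SigningCredentialSettings__StoreLocation__Name'       = $thumb
        'AppSettings__SigningCredentialSettings__StoreLocation__NameType'   = 'Thumbprint'
        'AppSettings__LoadBalancerSettings__RedisConnectionString'          = $RedisConnectionString
        'AppSettings__LoadBalancerSettings__SlidingExpirationTimeInSeconds' = "$SlidingExpirationSeconds"
        'AppSettings__RedisSettings__UseRedisStoreCache'                    = "$UseRedisStoreCache".ToLower()
        'AppSettings__RedisSettings__UseRedisStoreClientCache'              = "$UseRedisStoreClientCache".ToLower()
        'App__Saml2ValidCertificateOnly'                                    = 'false'   # required on Azure web apps
        'WEBSITE_LOAD_CERTIFICATES'                                         = $thumb    # same thumbprint as above
        'WEBSITE_LOAD_USER_PROFILE'                                         = '1'
    }
}

function Set-AppServiceSettings {
    # $Details mirrors the -identityServerDetails / -orchDetails hash tables of the publish script
    param([Parameter(Mandatory)][hashtable]$Details, [Parameter(Mandatory)][System.Collections.IDictionary]$Settings)
    $slotArgs = if ($Details.targetSlot -and $Details.targetSlot -ne 'Production') { @('--slot', $Details.targetSlot) } else { @() }
    # One KEY=VALUE argument per setting, so values containing spaces or commas survive intact
    $pairs = @($Settings.Keys | ForEach-Object { "$_=$($Settings[$_])" })
    az webapp config appsettings set --resource-group $Details.resourceGroupName --name $Details.appServiceName `
        $slotArgs --settings $pairs --output none
    if ($LASTEXITCODE -ne 0) { throw "Failed to update settings on $($Details.appServiceName)" }
}

function Update-IdentityServerSigningCertificate {
    param(
        [Parameter(Mandatory)][hashtable]$IdentityServerDetails,
        [Parameter(Mandatory)][hashtable]$OrchDetails,
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][securestring]$PfxPassword
    )
    # Read the thumbprint from the new .pfx locally; the private key never leaves the file
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PfxPath, $PfxPassword)
    $thumb = $cert.Thumbprint
    # Only switch once the App Service can actually load that certificate (uploaded in step 4)
    $uploaded = @(az webapp config ssl list --resource-group $IdentityServerDetails.resourceGroupName `
        --query '[].thumbprint' --output tsv)
    if ($uploaded -notcontains $thumb) {
        throw "No uploaded certificate with thumbprint $thumb; upload $PfxPath under Certificates first"
    }
    # Step 1: both thumbprint settings change together
    Set-AppServiceSettings -Details $IdentityServerDetails -Settings @{
        'AppSettings__SigningCredentialSettings__StoreLocation__Name' = $thumb
        'WEBSITE_LOAD_CERTIFICATES'                                   = $thumb
    }
    # Steps 2 and 3: restart Identity Server, then Orchestrator
    foreach ($d in $IdentityServerDetails, $OrchDetails) {
        $slotArgs = if ($d.targetSlot -and $d.targetSlot -ne 'Production') { @('--slot', $d.targetSlot) } else { @() }
        az webapp restart --resource-group $d.resourceGroupName --name $d.appServiceName $slotArgs --output none
        if ($LASTEXITCODE -ne 0) { throw "Failed to restart $($d.appServiceName)" }
    }
    return $thumb
}

# Constructed sample values; replace them with your own.
$identity = @{ resourceGroupName = 'rg-uipath'; appServiceName = 'identity-app'; targetSlot = 'Production' }
$orch     = @{ resourceGroupName = 'rg-uipath'; appServiceName = 'orch-app';     targetSlot = 'Production' }
$settings = New-IdentityServerAppSettings `
    -IdentityServerUrl 'https://identity.example.com/identity' `
    -CertThumbprint '0123456789ABCDEF0123456789ABCDEF01234567' `
    -RedisConnectionString '<redis_host>:6380,password=<redis_password>,ssl=True' `
    -SlidingExpirationSeconds 3600 -UseRedisStoreClientCache
Set-AppServiceSettings -Details $identity -Settings $settings

# Later, when the signing certificate is replaced:
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Update-IdentityServerSigningCertificate -IdentityServerDetails $identity -OrchDetails $orch `
    -PfxPath '.\new-signing-cert.pfx' -PfxPassword $pfxPassword
```

The builder returns the settings as a dictionary rather than applying them directly, so you can inspect the exact key/value pairs (and keep the Redis password out of your shell history by reading it from a variable or vault) before anything reaches the App Service.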

## Migrate to Identity Server

The following table describes all the parameters that can be used with the `MigrateTo-IdentityServer.ps1` script.

| Parameter | Description |
|---|---|
| `-cliPackage` | Mandatory. The full or relative path of the `UiPath.IdentityServer.Migrator.Cli.zip` archive. |
| `-azureDetails` | This parameter is a hash table that contains the following values:<br/>`azureAccountApplicationId` - Mandatory. The Azure service principal ID. Note that the service principal used needs to be assigned the Contributor role to the app service at the subscription scope.<br/>`azureSubscriptionId` - Mandatory. The Azure subscription ID for the App Service that hosts Orchestrator.<br/>`azureAccountTenantId` - Mandatory. The Azure tenant ID.<br/>`azureAccountPassword` - Mandatory. The Azure token password for the service principal ID. |
| `-orchDetails` | This parameter is a hash table that contains the following values:<br/>`resourceGroupName` - Mandatory. The name of the Azure Resource Group that contains the Orchestrator App Service.<br/>`appServiceName` - Mandatory. The Orchestrator Azure App Service name.<br/>`targetSlot` - Mandatory. The Target App Service Slot set by Azure. |
| `-identityServerDetails` | This parameter is a hash table that contains the following values:<br/>`resourceGroupName` - Mandatory. The name of the Azure Resource Group that contains the Identity Server App Service.<br/>`appServiceName` - Mandatory. The Identity Server Azure App Service name.<br/>`targetSlot` - Mandatory. The Target App Service Slot set by Azure. |
| `-identityServerUrl` | Mandatory. The public address of the Identity Server. Important: The URL must contain the address of Identity Server + the suffix `/identity` in lowercase. Example: `https://[identity_server]/identity` |
| `-orchestratorUrl` | Mandatory. The public address of the Orchestrator. |
| `-tmpDirectory` | Optional. Specifies a directory where the needed files are downloaded and unzipped. |
| `-hostAdminPassword` | Mandatory only for fresh deployments, when `-action` is set to `Deploy`. Specifies a custom password for the host administrator. Note that passwords have to be at least 8 characters long and must contain at least one lowercase character and at least one digit. |
| `-isHostPassOneTime` | Optional. Enforces a password reset on the first login of the host administrator. If this parameter is omitted, the host admin password is not a one-time password. |
| `-defaultTenantAdminPassword` | Mandatory only for fresh deployments, when `-action` is set to `Deploy`. Specifies a custom password for the default tenant administrator. Note that passwords have to be at least 8 characters long and must contain at least one lowercase character and at least one digit. |
| `-isDefaultTenantPassOneTime` | Optional. Enforces a password reset on the first login of the default tenant administrator. If this parameter is omitted, the tenant admin password is not a one-time password. |
| `-noAzureAuthentication` | Optional. Allows you to publish to the Azure App Service by relying on your own user identity, without having to create a service principal. If this parameter is used, the `UseServicePrincipal` parameter set (which includes the Azure application ID, password, subscription ID, and tenant ID) is no longer necessary. |

The `MigrateTo-IdentityServer.ps1` script is used to migrate user data from Orchestrator to Identity Server and set the configurations for both. It sets the identity authority of Orchestrator to Identity Server, and it creates client configuration for Orchestrator in Identity Server.

The script assumes that Orchestrator and Identity Server are already published.

```powershell
.\MigrateTo-IdentityServer.ps1 `
    -cliPackage "UiPath.IdentityServer.Migrator.Cli.zip" `
    -azureDetails @{ azureSubscriptionId = "<subscription_id>"; azureAccountTenantId = "<azure_tenant_id>"; azureAccountApplicationId = "<azure_application_id>"; azureAccountPassword = "<azure_account_password>" } `
    -orchDetails @{ resourceGroupName = "<resourcegroup_name>"; appServiceName = "<appservice_name>"; targetSlot = "Production" } `
    -identityServerDetails @{ resourceGroupName = "<resourcegroup_name>"; appServiceName = "<appservice_name>"; targetSlot = "Production" } `
    -identityServerUrl "https://<identity_server_url>/identity" <# must be in lowercase #> `
    -orchestratorUrl "https://<OrchestratorURL>" `
    -hostAdminPassword "12345qwert" `
    -defaultTenantAdminPassword "12345qwert"
```
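The `-hostAdminPassword` and `-defaultTenantAdminPassword` values in the command above are placeholders that happen to satisfy the stated policy (at least 8 characters, one lowercase letter, one digit); they are the credentials of the two most privileged accounts the migration creates, so they should be generated rather than typed. The following snippet is an added example, not part of the UiPath scripts: it checks a candidate against the policy from the parameter table and generates a random password that meets it, using the .NET cryptographic random number generator. Function names are this example's own.

```powershell
# Added example, not part of the UiPath scripts. Implements the password policy stated in the
# parameter table (>= 8 characters, at least one lowercase letter, at least one digit) and
# generates compliant random passwords for -hostAdminPassword / -defaultTenantAdminPassword.

function Test-AdminPasswordPolicy {
    param([Parameter(Mandatory)][string]$Password)
    # -cmatch is case-sensitive, so [a-z] really means a lowercase letter
    return ($Password.Length -ge 8) -and ($Password -cmatch '[a-z]') -and ($Password -cmatch '[0-9]')
}

function New-AdminPassword {
    param([ValidateRange(8, 128)][int]$Length = 20)
    $alphabet = ([char[]]'abcdefghijklmnopqrstuvwxyz') + ([char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZ') + ([char[]]'0123456789')
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 1
    # Bytes at or above this limit are redrawn so that the modulo below does not bias any character
    $limit = 256 - (256 % $alphabet.Length)
    do {
        $chars = for ($i = 0; $i -lt $Length; $i++) {
            do { $rng.GetBytes($buf) } while ($buf[0] -ge $limit)
            $alphabet[$buf[0] % $alphabet.Length]
        }
        $candidate = -join $chars
    } until (Test-AdminPasswordPolicy -Password $candidate)   # redraw in the rare case a class is missing
    return $candidate
}

# The placeholder from the command above passes the policy but is a known value; a generated one does not
Test-AdminPasswordPolicy -Password '12345qwert'   # True
Test-AdminPasswordPolicy -Password 'short1'       # False: fewer than 8 characters
Test-AdminPasswordPolicy -Password 'ALLCAPS2024'  # False: no lowercase letter

$hostAdminPassword          = New-AdminPassword
$defaultTenantAdminPassword = New-AdminPassword
# Pass the variables to the migration script instead of literals, e.g.
#   -hostAdminPassword $hostAdminPassword -defaultTenantAdminPassword $defaultTenantAdminPassword
# and store both in your secrets manager before the session ends.
```

Combining the generated values with `-isHostPassOneTime` and `-isDefaultTenantPassOneTime` forces a reset at first login, so the value that passed through the deployment session is never the long-lived administrator password.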
