- Organization Modeling in Orchestrator
- Managing Large Deployments
- Automation Best Practices
- Optimizing Unattended Infrastructure Using Machine Templates
- Organizing Resources With Tags
- Orchestrator Read-only Replica
- Exporting grids in the background
- About the Tenant Context
- Searching for Resources in a Tenant
- Managing Robots
- Connecting Robots to Orchestrator
- Storing Robot Credentials in CyberArk
- Storing Unattended Robot Passwords in Azure Key Vault (read-only)
- Storing Unattended Robot Credentials in HashiCorp Vault (read-only)
- Storing Unattended Robot Credentials in AWS Secrets Manager (read Only)
- Deleting Disconnected and Unresponsive Unattended Sessions
- Robot Authentication
- Robot Authentication With Client Credentials
- Bulk Uploading Queue Items Using a CSV File
- Managing Queues in Orchestrator
- Managing Queues in Studio
- Review Requests
- Test Automation
- Testing Data Retention Policy
- Host Administration Portals
- Configuring System Email Notifications
- Managing System Administrators
- Configuring Host Security
- Host Audit Logs
- Customizing the Login Page
- Maintenance Mode
- Managing tags
- Audit Logs
- Overriding System Email Settings
Configure a machine to support ADFS and make sure you have access to the ADFS Management software. Address to your system administrator in this regard.
- Open ADFS Management and define a new relying party trust for Orchestrator as follows:
- Click Relying Party Trusts.
- In the Actions panel, click Add Relying Party Trust. The Add Relying Party Trust Wizard is displayed.
- In the Welcome section, select Claims Aware.
- In the Select Data section, choose the Enter data about relying party manually option.
- In the Specify Display Name section, in the Display name field, insert the URL of the Orchestrator instance.
- The Configure Certificate section does not need any specific settings so you may leave it as it is.
- In the Configure URL section, select the Enable support for the SAML 2.0 Web SSO Protocol and fill in the URL of the Orchestrator instance plus the suffix
identity/Saml2/Acsin the Relying party SAML 2.0 SSO service URL field. For example,
- In the Configure Identifiers section, fill in the URL of the Orchestrator instance in the Relying party trust identifier field.
- In the Choose Access Control Policy section make sure to select the Permit everyone access control policy.
- The next two sections (Ready to Add Trust and Finish) do not need any specific settings so you may leave them as they are.
- The newly added party trust is displayed on the Relying Party Trusts window.
- Make sure that the default value for your URL is Yes (Actions > Properties > Endpoints).
- Select the relying party trust and click Edit Claim Issuance Policy from the Actions panel. The Edit Claim Issuance Policy wizard is displayed.
- Click Add rule and create a new rule using the Send LDAP Attributes as Claims template with the following settings:
- Once ADFS is configured, open PowerShell as an administrator and run the following commands:
Set-ADFSRelyingPartyTrust -TargetName "DISPLAYNAME" -SamlResponseSignature MessageAndAssertion(Replace
DISPLAYNAMEwith the value set on point 1.e.)
- Define a user in Orchestrator and have a valid email address set on the Users page.
- Import the signing certificate provided by the Identity Provider to the Windows certificate store using Microsoft Management Console.
- Log in to the host Management portal as a system administrator.
- Click Security.Note: If you are still using the old Admin experience, go to Users instead of Security.
- Click Configure under SAML SSO.
The SAML SSO configuration page opens.
- Set it up as follows:
- Optionally select the Force automatic login using this provider checkbox if, after the integration is enabled, you want your users to only sign in through the SAML integration.
- In the Display Name field, type the name that you want to show for the SAML login option on the Login page.
- Set the Service Provider Entity ID parameter to
- Set the Identity Provider Entity ID parameter to the value obtained by configuring ADFS authentication.
- Set the Single Sign-On Service URL parameter to the value obtained by configuring ADFS authentication.
- Select the Allow unsolicited authentication response checkbox.
- Set the Return URL parameter to
- Set the External user mapping strategy parameter to
By user email.
- Set the SAML binding type parameter to
- In the Signing Certificate section, from the Store name list, select My.
- From the Store location list, select
In the Thumbprint field, add the thumbprint value provided in the Windows certificate store. Details.Note:Replace all occurrences of
https://orchestratorURLwith the URL of your Orchestrator instance.Make sure that the URL of the Orchestrator instance does not contain a trailing slash. Always fill it in as
- Click Save to save the changes to the external identity provider settings.
The page closes and you return to the Security Settings page.
- Click the toggle to the left of SAML SSO to enable the integration.
- Restart the IIS server.