Orchestrator User Guide (2023.10)
Last updated Feb 15, 2024

Custom Mapping

By default, ADFS, Google, and Okta all identify you by the email address carried as a SAML attribute. This section describes custom SAML mapping that identifies users by username or by an external provider key instead.

Important: Please be aware that configuring custom mapping attributes impacts the entire system, meaning they apply to all existing identity providers. As a result, no other provider (Azure, Windows) can work while a custom mapping is in place.

Configure the following parameters in Identity Server's SAML2 settings on the External Providers page (read here how to access Identity Server):

  • External user mapping strategy - Defines the mapping strategy. The following options are available:

    • By user email - Your email address is set as the attribute. This is the default value.
    • By username - Your username is set as the attribute.
    • By external provider key - An external provider key is set as the attribute.
  • External user identifier claim name - Defines the claim to be used as an identifier for the mapping. This is only required if you set your username as the attribute.

Custom Mapping Using OKTA

See below a configuration example for each mapping strategy using OKTA.

Note: Restart the IIS server after performing and saving any configuration changes within Identity Server.

By User Email

This is the default mapping strategy. User identification is made using an email claim.

To use the user email, configure SAML in the host Management portal (Users > Authentication Settings > External Providers > SAML 2.0) as follows:

  • Select the Enabled checkbox.
  • Set the External user mapping strategy parameter to By user email.

By User Name

This enables the administrator to define a specific claim for user identification.

  1. In this example, we define a custom claim in Okta and use user.employeeNumber as identifier:

  2. Define the corresponding attributes:

  3. Make sure the user account in Orchestrator has the same username as defined in Okta.

To use the user name, configure SAML in the host Management portal (Users > Authentication Settings > External Providers > SAML 2.0) as follows:

  • Select the Enabled checkbox.
  • Set the External user mapping strategy parameter to By username.
  • Set the External user identifier claim name parameter to the previously created claim, in our example, auid-claim.

By External Provider Key

This option is recommended if the users are already defined in Orchestrator and Okta.

An administrator with access to the Identity Server users database is required to run the following SQL command:

-- Replace <userid> with the Id of the existing Orchestrator user account.
INSERT INTO [identity].[AspNetUserLogins] (UserId, LoginProvider, ProviderKey)
VALUES (<userid>, 'http://www.okta.com/exkh4xo7uoXgjukfS0h7', 'documentation@uipath.com');

  • Set the LoginProvider parameter to the entityId used in Okta.
  • Set the ProviderKey parameter to the user's email address.

To use the external provider key, configure SAML in the host Management portal (Users > Authentication Settings > External Providers > SAML 2.0) as follows:

  • Select the Enabled checkbox.
  • Set the External user mapping strategy parameter to By external provider key.
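The following T-SQL script is an added example, not part of the UiPath documentation, of how an administrator can create the external provider key mapping from the previous section more safely: it resolves the UserId from the user's email instead of typing it by hand, refuses to continue when no matching Orchestrator user exists, and skips the INSERT if the (LoginProvider, ProviderKey) pair is already present so the script can be re-run. It assumes the users table is [identity].[AspNetUsers] with Id and Email columns stored as text (adjust the type of @UserId if your Id column is numeric); the entityId and email values are placeholders to replace with your own.

```sql
-- Added example (not UiPath's code): map an existing Orchestrator user to an Okta
-- identity by external provider key without creating a duplicate login row.
-- Assumption: users live in [identity].[AspNetUsers] (columns Id, Email).
SET XACT_ABORT ON;
BEGIN TRANSACTION;

DECLARE @LoginProvider NVARCHAR(450) = N'http://www.okta.com/exkh4xo7uoXgjukfS0h7'; -- Okta entityId (placeholder)
DECLARE @ProviderKey   NVARCHAR(450) = N'documentation@uipath.com';                 -- user's email as sent by Okta (placeholder)
DECLARE @UserId        NVARCHAR(450);                                               -- change the type if Id is numeric

-- Resolve the UserId from the existing Orchestrator account rather than guessing it.
SELECT @UserId = Id
FROM [identity].[AspNetUsers]
WHERE Email = @ProviderKey;

IF @UserId IS NULL
BEGIN
    ROLLBACK TRANSACTION;
    THROW 50000, N'No Orchestrator user found for this email; create the user first.', 1;
END;

-- (LoginProvider, ProviderKey) identifies a login row, so a second INSERT for the
-- same pair would fail; only insert when the mapping does not exist yet.
IF NOT EXISTS (SELECT 1
               FROM [identity].[AspNetUserLogins]
               WHERE LoginProvider = @LoginProvider AND ProviderKey = @ProviderKey)
BEGIN
    INSERT INTO [identity].[AspNetUserLogins] (UserId, LoginProvider, ProviderKey)
    VALUES (@UserId, @LoginProvider, @ProviderKey);
END;

COMMIT TRANSACTION;

-- Verify the result: every row for this provider should point at the user you intended.
SELECT l.LoginProvider, l.ProviderKey, u.UserName, u.Email
FROM [identity].[AspNetUserLogins] AS l
JOIN [identity].[AspNetUsers]      AS u ON u.Id = l.UserId
WHERE l.LoginProvider = @LoginProvider;
```

Run the script against the Identity Server database with the same administrative access the documentation requires, then restart IIS as noted above. The final SELECT is the check worth keeping: a ProviderKey attached to the wrong UserId would let that Okta identity sign in as a different Orchestrator user, so confirm the pairing before enabling the By external provider key strategy.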

© 2005-2024 UiPath. All rights reserved.