orchestrator
2023.4
false
UiPath logo, featuring letters U and I in white

Orchestrator User Guide

Automation CloudAutomation Cloud Public SectorAutomation SuiteStandalone
Last updated Dec 5, 2024

Reconfiguring authentication after upgrade

If you are upgrading Orchestrator to this version and you've previously enabled any external identity provider authentication, there are a series of manual configurations to be performed at the external identity provider level.

Previously created users are propagated to the UiPath Identity Server database.

UiPath® Identity Server acts as a federation gateway for a series of external identity providers (Google, Windows, Azure AD, and SAML2). You can configure their settings from the Management portal, under Users > Authentication Settings, in the External Providers section.

Manual configuration after an upgrade

Upon upgrading to this version of Orchestrator, any external identity provider authentication enabled in Orchestrator is automatically migrated to Identity Server, along with all the existing users. However, some manual changes are required after the upgrade.

Upgrading from versions prior to 2020.4

If you upgraded Orchestrator from version 2020.4 (or from a later version) to the current version, skip this section.

If you upgraded from a version prior to 2020.4:

  1. In the external provider's settings, modify the Return URL with the identity base URL, https://{yourDomain}/identity.
  2. Save the changes to the external provider.
  3. Restart the IIS site for the changes to apply.

Continue with the instructions on this page for additional configuration that is required actions for the external identity providers you use with Orchestrator.

Google OpenID Connect authentication

If you've previously configured Google to recognize a new Orchestrator instance, then you need to perform these steps:

  1. Access Google APIs and search for your previously created project.
  2. In the Credentials page, select your previously created OAuth 2.0 client:


  3. In the Client ID for Web application page, edit the Authorized redirect URIs value with the identity base URL. For example, https://{yourDomain}/identity/google-signin.
  4. Save your changes.


Windows authentication

If you've previously enabled Windows authentication, no further actions are required.

Azure AD authentication

If you've previously configured Azure AD to recognize a new Orchestrator instance, then you need to perform these steps:

  1. Access App Registrations in the Microsoft Azure portal and select your existing Orchestrator app registration.
  2. In the selected app's page, select Redirect URIs.
  3. In the selected app's Authentication page, modify the Redirect URL by adding /azure-sign-in-oidc at the end of your Identity base URL, https://{yourDomain}/identity:


  4. Save the changes.
  5. Restart the IIS server.

SAML2 authentication

ADFS

If you've previously configured ADFS to recognize a new Orchestrator instance, then you need to perform these steps after upgrading Orchestrator:

  1. Open ADFS Management and modify your existing relying party trust for Orchestrator as follows:
    • In the Configure URL section, select the Enable support for the SAML 2.0 Web SSO Protocol and, in the Relying party SAML 2.0 SSO service URL field, fill in the Identity base URL, , plus the suffix /Saml2/Acs. For example, https://{yourDomain}/identity/Saml2/Acs.
    • In the Configure Identifiers section, in the Relying party trust identifier field, fill in the Identity base URL
      , https://{yourDomain}/identity.
  2. Save the changes.
  3. After ADFS is configured, open PowerShell as an administrator and run the following commands:
    Set-ADFSRelyingPartyTrust -TargetName "https://IdentityBaseURL" -SamlResponseSignature MessageAndAssertion
    Restart-Service ADFSSRVSet-ADFSRelyingPartyTrust -TargetName "https://IdentityBaseURL" -SamlResponseSignature MessageAndAssertion
    Restart-Service ADFSSRV
  4. Restart the IIS server.

Google

If you've previously configured Google to recognize a new Orchestrator instance, then you need to perform these steps:

  1. Open the Google administration console and modify your existing service's details as follows:
    • In the Service Provider window, in the ACS URL field, fill in the Identity URL, https://{yourDomain}/identity, plus the suffix /Saml2/Acs. For example, https://{yourDomain}/identity/Saml2/Acs.
    • In the same window, in the Entity ID field, fill in the Identity base
      URL, https://{yourDomain}/identity.
  2. Save the changes.
  3. Restart the IIS server.

Okta

If you've previously configured Okta to recognize a new Orchestrator instance, then you need to perform these steps:

  1. Log in to Okta and locate your existing application.
  2. Modify the details in the SAML Settings window, in the General section, as follows:
    • In the Single sign on URL field, fill in the Identity URL, https://{yourDomain}/identity, plus the suffix /Saml2/Acs. For example, https://{yourDomain}/identity/Saml2/Acs.
    • If not already, enable the Use this for Recipient URL and Destination URL. This overwrites the Recipient URL and Destination URL fields with the value entered for Single Sign On URL, which in this example is https://{yourDomain}/identity/Saml2/Acs.
    • In the Audience URI field, fill in the Identity URL https://{yourDomain}/identity
  3. Save the changes.
  4. Restart the IIS server.

Was this page helpful?

Get The Help You Need
Learning RPA - Automation Courses
UiPath Community Forum
Uipath Logo White
Trust and Security
© 2005-2024 UiPath. All rights reserved.