Configuring identity providers
Choosing the identity provider for your organization (Admin > Users and Groups > Authentication Settings) affects the way users sign in, and how user and group accounts are created and managed in Orchestrator .
Azure Active Directory model
The integration with Azure Active Directory (Azure AD) can offer scalable user and access management for your organization, allowing for compliance across all the internal applications used by your employees. If your organization is using Azure AD or Office 365, you can connect your Orchestrator organization directly to your Azure AD tenant to obtain the following benefits:
Automatic user onboarding with seamless migration
- All users and groups from Azure AD are readily available for any Orchestrator service to assign permissions, without the need to invite and manage Azure AD users in the Orchestrator organization directory.
- You can provide Single Sign-On for users whose corporate username differs from their email address, which is not possible with the invitation model.
- All existing users with UiPath user accounts have their permissions automatically migrated to their connected Azure AD account.
Simplified sign-in experience
- Users do not have to accept an invitation or create a UiPath user account to access the Orchestrator organization as in the default model. They sign in with their Azure AD account by selecting the Enterprise SSO option or using their organization-specific URL.
If the user is already signed in to Azure AD or Office 365, they are automatically signed in.
- UiPath Assistant and Studio versions 20.10.3 and higher can be preconfigured to use a custom Orchestrator URL, which leads to the same seamless connection experience.
Scalable governance and access management with existing Azure AD groups
- Azure AD security groups or Office 365 groups, also known as directory groups, allow you to leverage your existing organizational structure to manage permissions at scale. You no longer need to configure permissions in Orchestrator services for each user.
- You can combine multiple directory groups into one Orchestrator group if you need to manage them together.
- Auditing Orchestrator access is simple. After you've configured permissions in all Orchestrator services using Azure AD groups, you utilize your existing validation processes associated with Azure AD group membership.
While on the Azure AD model, you can continue to use all the features of the default model. But to maximize the benefits, we recommend relying exclusively on centralized account management from Azure AD.
If you would like to use Azure Active Directory as the identity provider for your organization, follow the instructions in Setting up the Azure AD integration.
This model allows you to connect Orchestrator to your chosen identity provider (IdP) so that:
- your users can benefit from single sign-on (SSO) and
- you can manage existing accounts from your directory in Orchestrator, without having to re-create identities.
Orchestrator can connect to any external identity provider that uses the SAML 2.0 standard.
Automatic onboarding of users to Orchestrator
All users from your external identity provider are authorized to sign in to Orchestrator with basic rights when the SAML integration is active. What this means is:
- Users can sign in to your Orchestrator organization via SSO using their existing company account, as defined in the IdP.
- Without any further setup, they are able to access Orchestrator by default. To be able to work in Orchestrator, users require roles and licenses, as appropriate for their role.
If you need to restrict access to only some of your users, you can define the set of users who are allowed to access Orchestrator in your identity provider.
You can add users by directly assigning them to Orchestrator groups, to do this all you have to do is enter their email address when adding users to the group.
Typically, administrators manage local accounts from Admin > organization > Accounts & Groups > Users tab. But SAML users are directory accounts in Orchestrator, so they are not visible on this page.
After a user has been added to a group or they have signed in at least once (which automatically adds them to the Everyone group), they are available in search in all services across Orchestrator for direct role or license assignment.
If you use UiPath Automation Hub, you can define custom attribute mapping to propagate attributes from your identity provider into Orchestrator. For example, when an account is first added to Automation Hub, the first name, last name, email address, job title, and department of the user are already populated.
Administrators can configure and enable the SAML integration for your entire organization from Admin > Security Settings > Authentication Settings.
For instructions, see Configuring the SAML integration.
Transitioning from the Azure AD integration to the SAML integration
After switching to the SAML integration, the Azure AD integration is disabled. Azure AD group assignments no longer apply, so Orchestrator group membership and the permissions inherited from Azure AD are no longer respected.
Allowing or restricting basic authentication
Basic authentication refers to signing in with the username and password of a local account.
If basic authentication is restricted, your users can only log in with their directory account, as defined in the external identity provider. Otherwise, users can log in with both their local accounts, if any, and their directory accounts.
Also see Configuration levels and inheritance for more information about this setting.
Setting basic authentication at the organization level
This setting is only available if an external provider integration is enabled at the host or organization level.
When set at the organization level, the setting applies to all accounts in the organization.
For exceptions, basic authentication can also be set at the account level where you want this setting to apply differently.
To allow or restrict basic authentication for your organization:
- Log in to the organization-level Management portal at
https://<server>/identity/managementas an administrator.
- Go to Security Settings.
- Under External Providers, click the Disable basic authentication for the organizations toggle to restrict or allow sign in using basic authentication:
- If off (left toggle position, gray toggle), basic authentication is allowed.
- If on (right toggle position, blue toggle), basic authentication is restricted. While restricted, the Allow basic authentication for the host administrators toggle is available.
- At the bottom-right of the External Providers section, click Save to apply your changes.
Configuring security options
To configure security options for your organization, go to Admin > Accounts and Groups > Authentication Settings and edit the options as needed.
Editing the Password complexity settings does not affect existing passwords.
|Special characters||Select to force users to include at least one special character in their password.|
By default, this checkbox is not selected.
|Lowercase characters||Select to force users to include at least one lowercase character in their password.|
By default, this checkbox is selected.
|Uppercase characters||Select to force users to include at least one uppercase character in their password.|
By default, this checkbox is not selected.
|Digits||Select to force users to include at least one digit in their password.|
By default, this checkbox is selected.
|Minimum password length||Specify the minimum number of characters a password should contain.|
By default, it is 8. The length cannot be smaller than 1 or greater than 256 characters.
|Days before password expiration||Specify the number of days for which the password is available. After this period, the password expires and needs to be changed.|
The minimum accepted value is 0 (the password never expires), and the maximum is 1000 days.
|Number of times a password can be reused||The minimum accepted value is 0 (never allow reusing a password), while the maximum is 10.|
|Change password on the first login||If set to Required, users that log in for the first time must change their password before being allowed to access Orchestrator.|
If set to Not required, users can log in and continue to use the admin-defined password until it expires.
|Enabled or Disabled toggle||If enabled, locks the account for a specific amount of seconds after a specific amount of failed login attempts. This also applies to the password change feature.|
|Account lockout duration||The number of seconds a user needs to wait before being allowed to log in again after exceeding the Consecutive login attempts before lockout.|
The default value is 5 minutes. The minimum accepted value is 0 (no lockout duration), and the maximum is 2592000 (1 month).
|Consecutive login attempts before lockout||The number of failed login attempts allowed before the account is locked.|
The default value is 10 attempts. You can set a value between 2 and 10.
Updated about a month ago