Host Authentication Settings
The installation key is a token used to allow SSO connections to Orchestrator for integrated applications.
Orchestrator allows you to configure an external identity provider to control how your users sign in. The following table provides an overview of the different host-level external providers available.
Follow the instructions applicable for the external provider you want to use, as indicated below:
New installation versus upgrade
The instructions in the table below are for a new installation, or for configuring one of the external providers for the first time.
If you upgraded Orchestrator and were already using one or more of the external providers listed below, the configuration is migrated, but you might need to perform some re-configuration tasks. If so, follow the instructions in Re-configuring authentication after upgrade instead.
External Provider Integration | Authentication | Directory Search | User Provisioning
---|---|---|---
Windows Authentication | Users can use SSO with Windows Authentication using the Kerberos protocol | Administrators can search for users from the Active Directory | Users must be assigned a role in the Orchestrator tenant. Active Directory users and groups can be assigned a role via directory search.
Azure AD | Users can use SSO with Azure AD using the OpenID Connect protocol | Not supported | Users must be manually provisioned into the Orchestrator tenant with an email address matching their Azure AD account.
Google | Users can use SSO with Google using the OpenID Connect protocol | Not supported | Users must be manually provisioned into the Orchestrator tenant with an email address matching their Google account.
SAML | Users can use SSO with any Identity Provider that supports SAML | Not supported | Users must be manually provisioned into the Orchestrator tenant with a username matching their SAML account.
Basic authentication refers to signing in with the username and password of a local account.
If basic authentication is restricted, your users can only log in with their directory account, as defined in the external identity provider. Otherwise, users can log in with both their local accounts, if any, and their directory accounts.
Configuration levels and inheritance
This option can be configured:
- at the host level, as described below.
When set at the host level, the setting applies to all organizations and all their accounts, unless the basic authentication setting was explicitly set differently at the organization or account level.
- for system administrator accounts, as described below.
Even when all organizations are restricted from using basic authentication, you can allow system administrators only to bypass this restriction.
- at the organization level.
If set at the organization level, the organization-level setting overrides the host-level setting for only that organization. The setting for an organization applies to all accounts that belong to that organization, except accounts for which basic authentication is set differently at the account level.
- at the account level.
If set at the account level, the account-level setting overrides the host-level and organization-level basic authentication setting for only that account.
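The precedence rules above, modelled as an added example that is not Orchestrator code: a small Python resolver for the host, organization and account levels plus the system administrator bypass, with a helper that previews which accounts would be left with no sign-in path before a restriction is applied. The class and function names are hypothetical, and a setting of None stands for "not explicitly set".

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple

# Hypothetical model of the settings hierarchy described above (not Orchestrator's API).
# True = basic authentication allowed, False = restricted, None = not explicitly set.


@dataclass
class BasicAuthPolicy:
    host_allowed: bool                     # host level: applies to every organization
    sysadmin_bypass: bool = False          # lets system administrators bypass a host restriction
    org: Dict[str, Optional[bool]] = field(default_factory=dict)                 # org -> override
    account: Dict[Tuple[str, str], Optional[bool]] = field(default_factory=dict)  # (org, user) -> override


def resolve_basic_auth(policy: BasicAuthPolicy, org: Optional[str], user: str) -> Tuple[bool, str]:
    """Return (allowed, deciding_level) for one account.

    org=None denotes a host-level account (a system administrator).
    The most specific explicitly set level wins: account > organization > host.
    """
    if org is None:
        if policy.host_allowed:
            return True, "host"
        if policy.sysadmin_bypass:
            return True, "sysadmin-bypass"
        return False, "host"
    account_setting = policy.account.get((org, user))
    if account_setting is not None:
        return account_setting, "account"
    org_setting = policy.org.get(org)
    if org_setting is not None:
        return org_setting, "organization"
    return policy.host_allowed, "host"


def lockout_risks(policy: BasicAuthPolicy,
                  accounts: Iterable[Tuple[Optional[str], str, bool]]) -> List[Tuple[Optional[str], str]]:
    """accounts: (org, user, has_directory_account) triples.

    An account whose basic authentication is restricted and that has no directory
    account in the external provider has no remaining way to sign in.
    """
    return [(org, user) for org, user, has_dir in accounts
            if not has_dir and not resolve_basic_auth(policy, org, user)[0]]
```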
Setting Basic Authentication at the Host Level
When set at the host level, the setting applies to all organizations and all their accounts. Set it according to the preference or recommendation across your company.
For exceptions, basic authentication can also be set at the organization or account level where you want this setting to apply differently.
To allow or restrict basic authentication for all organizations and all accounts:
Recovering from lockout
When basic authentication is disabled, it is possible to get locked out if you lose access to your directory account.
In that case, go to https://<FQDN>/host/orchestrator_/account/hostlogin and log in using your basic authentication credentials.