Introduction

This page describes how to set up Single Sign-on through Microsoft Integrated Windows Authentication.

🚧

Note:

Single Sign-on authentication for UiPath Process Mining through Microsoft Integrated Windows Authentication requires both the user logging in and the IIS server to be on the same domain. If your setup involves users logging in from different domains, consider one of the other authentication methods such as SAML or Azure Active Directory.

If Microsoft Integrated Windows Authentication is enabled and correctly configured, a button is displayed at the bottom of the Login page. See the illustration below.

Step 1: Configure the server running UiPath Process Mining.

📘

Note:

Before you move on to the next steps, the IIS server running the UiPath Process Mining server must be configured correctly. For a detailed description on how to set up Integrated Windows Authentication in Internet Information Services (IIS) Manager, visit the official Microsoft Documentation.

Step 2: Configure UiPath Process Mining for Single Sign-On

Configure Server settings

1. Go to the Settings tab of the Superadmin page of your UiPath Process Mining installation. See illustration below.

2. Add the required Integrated Windows Authentication settings in the ExternalAuthenticationProviders setting of the Server Settings. Below is a description of the JSON keys of the integratedWindowsAuthentication object.

See illustration below for an example of the Server Settings with the ExternalAuthenticationProviders setting with the integratedWindowsAuthentication object.

, "ExternalAuthenticationProviders": {
                    "integratedWindowsAuthentication": {
                        "url":             "ldap://server1:389",
                        "base":            "DC=Company,DC=com",
                        "bindDN":          "username",
                        "bindCredentials": "password"
                        }
    }

3. Click on SAVE to save the Server settings.

4. Press F5 to refresh the Superadmin page. This loads the new settings and enables user groups to be created based on these settings.

Auto-login

🚧

Note:

Make sure Single Sign-on works correctly before enabling autologin. Enabling autologin when SSO is not set up correctly can make it impossible for users affected by the autologin setting to log in.

With the AutoLogin Server Setting, the user will be automatically logged in using the current active SSO method.
By default, AutoLogin is set to none. If you want to enable auto-login for end-users and/or Superadmin users, you can specify this in the AutoLogin in the Superadmin Settings tab. See The Settings Tab.

📘

Note:

When logging in via localhost, auto-login will always be disabled for Superadmin users.

Additional steps

In order to use Integrated Windows Authentication authentication, you must create one or more AD group to allow members to login. For Superadmin users, or app developers you can create AD groups on the Superadmin users tab. See Adding Superadmin AD Groups.

For end-user authentication, AD groups can be created on the End user administration page. See Adding End-user AD Groups.

Troubleshooting

Verifying that the process-mining server can connect to the LDAP server

• Install the graphical LDP client as per the official Microsoft Documentation.
• Verify that a successful connection is possible from LDP with the same settings as configured in the integratedWindowsAuthentication object in the Server Settings.

Inspecting log files

Inspect the [PLATFORMDIR]/logs/iisnode folder for files containing LDAP connection error lines. The example below displays a log file with an error message. The data field contains the relevant error code. Refer to the LDAP wiki for an explanation of the error. In the example below the error is 52e, ERROR_LOGON_FAILURE.

[2000-01-01T00:00:00.000Z] LDAP connection error:
[2000-01-01T00:00:00.000Z] json: {"lde_message":"80090308: LdapErr: DSID-0C090447, comment: AcceptSecurityContext error, data 52e, v3839\u0000","lde_dn":null}