orchestrator

2023.4

false

Getting started
- Introduction
- User options
- Logging in to Orchestrator
- Resetting your password
- Robots
  - Robot Statuses
  - Robot Settings
- Auto Updating Client Components
- Orchestrator Configuration Checklist
Best practices
- Organization Modeling in Orchestrator
- Managing Large Deployments
- Automation Best Practices
- Optimizing Unattended Infrastructure Using Machine Templates
- Unattended automation
  - Useful concepts in unattended automation
  - How is unattended automation performed
- Organizing Resources With Tags
- Orchestrator Read-only Replica
- Exporting grids in the background
Tenant
- About the Tenant Context
- Searching for Resources in a Tenant
- Robots
  - Managing Robots
  - Connecting Robots to Orchestrator
  - Storing Robot Credentials in CyberArk
  - Storing Unattended Robot Passwords in Azure Key Vault (read only)
  - Storing Unattended Robot Credentials in HashiCorp Vault (read only)
  - Storing Unattended Robot Credentials in AWS Secrets Manager (read only)
  - Deleting Disconnected and Unresponsive Unattended Sessions
  - Robot Authentication
  - Robot Authentication With Client Credentials
  - SmartCard Authentication
- Folders
  - Managing Folders
  - Classic Folders Vs Modern Folders
  - Migrating From Classic to Modern Folders
  - Administration of Modern Folders
  - Personal Workspaces
  - Managing Personal Workspaces
- Monitoring
  - Unattended sessions
  - User sessions
  - License
- Managing Access and Automation Capabilities
  - Assigning Roles
  - Managing Roles
  - Default roles
  - Configuring access for accounts
  - Enabling personal automations
  - Enabling unattended automations
  - Configuring robot accounts to run unattended automations
- Machines
  - Managing Machines
  - Assigning Machine Objects to Folders
  - Configuring Account-machine Mappings
  - EDR Protection Status
- Packages
  - Managing Packages
  - About Libraries
  - Managing Libraries
- Audit
- Credential Stores
  - Managing credential stores
  - Integrating credential stores
- Webhooks
  - Types of Events
  - Managing Webhooks
- Licensing
  - Managing Your Licenses
- Alerts
  - Configuring Alerts
  - Alert Emails
  - Setting up Alert Emails
- Settings - Tenant Level
Resource Catalog Service
- About Resource Catalog Service
Folders Context
- About the Folders Context
- Home
Automations
- About Automations
Processes
- About Processes
- Managing Processes
- Managing Package Requirements
- Recording
Jobs
- About Jobs
- Managing Jobs
- Job States
- Working with long-running workflows
- Running Personal Remote Automations
- Troubleshooting Jobs
Triggers
- About triggers
  - Time triggers
  - Queue triggers
- Managing triggers
  - Creating a Time Trigger
  - Creating a Queue Trigger
- Managing Non-Working Days
- Using Cron Expressions
  - Triggering jobs on the last day of the month
Logs
- About Logs
- Managing Logs in Orchestrator
- Logging Levels
- Orchestrator Logs
Monitoring
- About Monitoring
- Machines
- Processes
- Queues
- Queues SLA
- Exporting usage data
Queues
- About Queues and Transactions
  - Queue Item Statuses
  - Business Exception Vs Application Exception
  - Studio Activities Used With Queues
  - Queue Item Retention Policy
- Bulk uploading Queue Items using a CSV file
- Managing Queues in Orchestrator
- Managing Queues in Studio
- Managing Transactions
  - Editing Transactions
  - Field Descriptions for the Transactions .csv File
- Review Requests
Assets
- About Assets
- Managing Assets in Orchestrator
- Managing Assets in Studio
- Storing Assets in Azure Key Vault (read only)
- Storing Assets in HashiCorp Vault (read only)
- Storing Assets in AWS Secrets Manager (read only)
Storage Buckets
- About Storage Buckets
  - CORS/CSP Configuration
- Managing Storage Buckets
- Moving Bucket Data Between Storage Providers
Orchestrator testing
- Test Automation
- Test Cases
  - Field Descriptions for the Test Cases Page
- Test Sets
  - Field Descriptions for the Test Sets Page
- Test Executions
  - Field Descriptions for the Test Executions Page
- Test Schedules
  - Field Descriptions for the Test Schedules Page
- Test Data Queues
  - Managing Test Data Queues in Orchestrator
  - Managing Test Data Queues in Studio
  - Field Descriptions for the Test Data Queues Page
  - Test Data Queue Activities
- Testing Data Retention Policy
Other Configurations
- Increasing the Size Limit of Package Files
- Setting up Encryption Key Per Tenant
- GZIP Compression
Integrations
- About Input and Output Arguments
  - Example of Using Input and Output Arguments
Classic Robots
- Robots
  - Managing Robots
  - Robot Statuses
  - Setup Samples
- Environments
  - Managing Environments
- Jobs
- Triggers
- Monitoring
  - Robots
- Resources
Host administration
- About the host level
- Managing system administrators
- Managing tenants
- Configuring host authentication settings
  - Reconfiguring authentication after upgrade
  - Allowing or restricting basic authentication
  - Configuring SSO: SAML 2.0
    - ADFS Authentication
    - Google Authentication
    - Okta Authentication
    - PingOne Authentication
    - Custom Mapping
    - Self-signed Certificates
    - Private Key Certificates
  - Configuring SSO: Google
  - Configuring SSO: Microsoft Entra ID
  - Configuring the Active Directory Integration
    - Switching between Active Directory adapters
- Managing your host license
  - Allocating Licenses to Tenants
- Configuring system email notifications
- Configuring other host settings
  - Customizing the Login page
  - Session Policy
  - Orchestrator Host Settings
- Audit logs for the host portal
- Maintenance Mode
Organization administration
- About organizations
- Managing organization administrators
- Managing organization settings
- Configuring organization authentication
  - Allowing or restricting basic authentication
  - Setting up the Azure AD integration
  - Configuring the SAML integration
- Configuring organization security
  - Session policy
  - Restricting access to a set of users
- About licensing
  - Activating your license
- Accounts and groups
  - Managing access
  - Managing accounts and groups
- Authorizing external applications
  - Managing external OAuth applications
  - Configuring fine-grained access for confidential apps
- Managing tags
- Overriding system email settings
  - Email setup
    - System emails are not sent - SslHandshakeException
- Audit logs
Troubleshooting
- About Troubleshooting
- Alerts troubleshooting
- General troubleshooting
- Frequently Encountered Orchestrator Errors

Orchestrator user guide

DELIVERY:

Last updated Aug 26, 2025

PingOne Authentication

Configure PingOne to Recognize a New Orchestrator Machine

Note: The following steps are valid for PingOne SAML setup. Please note that the procedure is a broad description of a sample configuration. For a fully detailed how-to, visit the official PingOne Documentation.

Log in to the PingOne Administrator Console.
On the Applications tab, select + Add Application. A new window opens.
Select WEB APP, and select the Configure button in the SAML box.
On the Create App Profile page, enter an application name in the dedicated field, and select the Next button.
On the Configure SAML page, specify the ACS URL by filling in the URL of the Orchestrator instance plus the suffix identity/Saml2/Acs. For instance: https://orchestratorURL/identity/Saml2/Acs. Keep in mind that the ACS is case sensitive.
Scroll down the Configure SAML page, and set the Entity ID to https://orchestratorURL.
On the same page, select HTTP Redirect as your SLO binding.
In the Assertion Validity Duration field, enter the desired validity period in seconds, and press Next.
On the Map Attributes page, map the following attribute: Email Address = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Select Save and open the app from the Applications tab.
In the newly opened window, copy the Single SignOn URL.

Set Orchestrator/Identity Server to Use PingOne Authentication

Define a user in Orchestrator and have a valid email address set on the Users page.
Import the signing certificate provided by the Identity Provider to the Windows certificate store using Microsoft Management Console.
Log in to the Management portal as a system administrator.
Select Security.
Select Configure under SAML SSO:

The SAML SSO configuration page opens.
Set it up as follows:
- Optionally select the Force automatic login using this provider checkbox if, after the integration is enabled, you want your users to only sign in through the SAML integration.
- Set the Service Provider Entity ID parameter to https://orchestratorURL.
- Set the Identity Provider Entity ID parameter to the value obtained by configuring PingOne authentication.
- Set the Single Sign-On Service URL parameter to the value obtained by configuring PingOne authentication.
- Select the Allow unsolicited authentication response checkbox.
- Set the Return URL parameter to https://orchestratorURL/identity/externalidentity/saml2redirectcallback.
- Set the External user mapping strategy parameter to By user email.
- Set the SAML binding type parameter to HTTP redirect.
- In the Signing Certificate section, from the Store name list, select My.
- From the Store location list, select LocalMachine.
- In the Thumbprint field, add the thumbprint value provided in the Windows certificate store. Details.
  
  Note:
  Replace all occurrences of https://orchestratorURL with the URL of your Orchestrator instance.
  
  Make sure that the URL of the Orchestrator instance does not contain a trailing slash. Always fill it in as https://orchestratorURL, not https://orchestratorURL/.
Select Save to save the changes to the external identity provider settings.

The page closes and you return to the Security Settings page.
Select the toggle to the left of SAML SSO to enable the integration.
Restart the IIS server.

On this page

Configure PingOne to Recognize a New Orchestrator Machine
Set Orchestrator/Identity Server to Use PingOne Authentication

Was this page helpful?

PREVIOUSOkta Authentication

NEXTCustom Mapping