UiPath Documentation
orchestrator
2025.10
true
UiPath logo, featuring letters U and I in white

Orchestrator user guide

Last updated Mar 25, 2026

About Identity Server

UiPath® Identity Server is the authentication service of standalone Orchestrator. It provides secure authentication and token issuance for Orchestrator and its management portals. Identity Server implements OAuth 2.0 and OpenID Connect standards and integrates with enterprise identity systems such as Active Directory. Check out the following diagram for understanding how Identity Server operates in standalone Orchestrator.

Figure 1. Identity Server diagram

About Identity Server diagram

Role within Orchestrator

Identity Server is responsible for:

  • Authenticating users and applications accessing Orchestrator
  • Issuing access and identity tokens
  • Supporting OAuth 2.0 and OpenID Connect flows
  • Integrating with external identity providers (for example, Active Directory, SAML providers)
  • Enabling single sign-on (SSO)
  • Securing communication between Orchestrator and the Identity Management Portal

Orchestrator and its management portals rely on Identity Server for authentication.

Authentication flow in Orchestrator

  1. User authentication

When a user accesses Orchestrator or the Identity Management Portal:

  • The request is redirected to Identity Server.
  • Identity Server validates the user against:
    • Local accounts, or
    • External identity providers (for example, Active Directory, SAML).
  • Upon successful authentication, Identity Server issues a security token.
  1. Token-based access

After authentication:

  • An OAuth access token is issued.
  • The token accompanies subsequent requests to Orchestrator.
  • Orchestrator validates the token.
  • Authorization is determined based on roles and permissions. Identity Server handles authentication. Orchestrator enforces authorization.

Active Directory and Kerberos integration

In domain-joined environments, standalone Orchestrator supports Kerberos-based authentication:

  • The client resolves the Orchestrator host name using DNS.
  • The client obtains a Kerberos Ticket Granting Ticket (TGT) from Active Directory.
  • The client requests a service ticket for the configured Service Principal Name (SPN).
  • The IIS web server validates the Kerberos ticket.
  • Identity Server processes the authenticated identity and issues a platform token.

This enables seamless single sign-on in enterprise Windows environments.

High availability considerations

In multi-node deployments:

  • Identity Server runs on multiple nodes behind a load balancer.
  • Clients access Orchestrator and Identity Server through a shared load balancer host name.
  • Redis is used to cache OAuth client data and session state across nodes, ensuring consistent authentication across the cluster.
  • The Service Principal Name (SPN) must match the load balancer host name when Kerberos is used.
  • When changing from a single-node to a multi-node setup, the Identity Server public URL must be updated in the database and in the UiPath.Orchestrator.dll.config file.

External application authentication

Orchestrator supports secure access for:

  • External applications
  • API integrations
  • Robot-to-Orchestrator communication

Applications authenticate using supported OAuth flows (such as ROPC) and receive tokens from Identity Server.

Security model

Standalone Orchestrator uses a centralized authentication model:

  • Identity Server performs authentication.
  • Orchestrator enforces authorization.
  • Token-based access secures APIs and the Orchestrator UI.
  • Integration with external identity providers (Active Directory, SAML) supports enterprise security requirements.

Was this page helpful?

Connect

Need help? Support

Want to learn? UiPath Academy

Have questions? UiPath Forum

Stay updated