orchestrator
2024.10
true
UiPath logo, featuring letters U and I in white

Orchestrator user guide

Last updated Sep 10, 2025

PingOne Authentication

Configure PingOne to Recognize a New Orchestrator Machine

Note: The following steps are valid for PingOne SAML setup. Please note that the procedure is a broad description of a sample configuration. For a fully detailed how-to, visit the official PingOne Documentation.
  1. Log in to the PingOne Administrator Console.
  2. On the Applications tab, select + Add Application. A new window opens.


  3. Select WEB APP, and select the Configure button in the SAML box.


  4. On the Create App Profile page, enter an application name in the dedicated field, and select the Next button.


  5. On the Configure SAML page, specify the ACS URL by filling in the URL of the Orchestrator instance plus the suffix identity/Saml2/Acs. For instance: https://orchestratorURL/identity/Saml2/Acs. Keep in mind that the ACS is case sensitive.
  6. Scroll down the Configure SAML page, and set the Entity ID to https://orchestratorURL.
  7. On the same page, select HTTP Redirect as your SLO binding.
  8. In the Assertion Validity Duration field, enter the desired validity period in seconds, and press Next.


  9. On the Map Attributes page, map the following attribute: Email Address = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress


  10. Select Save and open the app from the Applications tab.


  11. In the newly opened window, copy the Single SignOn URL.


Set Orchestrator/Identity Server to Use PingOne Authentication

  1. Define a user in Orchestrator and have a valid email address set on the Users page.
  2. Import the signing certificate provided by the Identity Provider to the Windows certificate store using Microsoft Management Console.
  3. Log in to the Management portal as a system administrator.
  4. Select Security.
  5. Select Configure under SAML SSO:

    The SAML SSO configuration page opens.

  6. Set it up as follows:
    • Optionally select the Force automatic login using this provider checkbox if, after the integration is enabled, you want your users to only sign in through the SAML integration.
    • Set the Service Provider Entity ID parameter to https://orchestratorURL.
    • Set the Identity Provider Entity ID parameter to the value obtained by configuring PingOne authentication.
    • Set the Single Sign-On Service URL parameter to the value obtained by configuring PingOne authentication.
    • Select the Allow unsolicited authentication response checkbox.
    • Set the Return URL parameter to https://orchestratorURL/identity/externalidentity/saml2redirectcallback.
    • Set the External user mapping strategy parameter to By user email.
    • Set the SAML binding type parameter to HTTP redirect.
    • In the Signing Certificate section, from the Store name list, select My.
    • From the Store location list, select LocalMachine.

    • In the Thumbprint field, add the thumbprint value provided in the Windows certificate store. Details.

      Note:
      Replace all occurrences of https://orchestratorURL with the URL of your Orchestrator instance.
      Make sure that the URL of the Orchestrator instance does not contain a trailing slash. Always fill it in as https://orchestratorURL, not https://orchestratorURL/.
  7. Select Save to save the changes to the external identity provider settings.

    The page closes and you return to the Security Settings page.

  8. Select the toggle to the left of SAML SSO to enable the integration.
  9. Restart the IIS server.

Was this page helpful?

Support and Services
Get The Help You Need
UiPath Academy
Learning RPA - Automation Courses
UiPath Forum
UiPath Community Forum
Uipath Logo
Trust and Security
Terms of Use
Privacy Policy
Cookies Policy
© 2005-2025 UiPath. All rights reserved.