UiPath Documentation: Orchestrator 2022.4
OUT OF SUPPORT

Orchestrator user guide

Last updated Dec 16, 2025

ADFS Authentication

Configure a machine to support ADFS and make sure you have access to the ADFS Management software. Contact your system administrator if you need help with this.

Configure ADFS to Recognize a New Orchestrator Instance

Note: The following steps are valid for the ADFS Management tool. Please note that the following procedure is a broad description of a sample configuration. For a fully detailed how-to, visit the official ADFS Documentation.
  1. Open ADFS Management and define a new relying party trust for Orchestrator as follows:
    1. Select Relying Party Trusts.
    2. In the Actions panel, select Add Relying Party Trust. The Add Relying Party Trust Wizard is displayed.
    3. In the Welcome section, select Claims Aware.
    4. In the Select Data section, choose the Enter data about relying party manually option.
    5. In the Specify Display Name section, in the Display name field, insert the URL of the Orchestrator instance.
    6. The Configure Certificate section does not need any specific settings so you may leave it as it is.
    7. In the Configure URL section, select the Enable support for the SAML 2.0 Web SSO Protocol checkbox and fill in the URL of the Orchestrator instance plus the suffix identity/Saml2/Acs in the Relying party SAML 2.0 SSO service URL field. For example, https://orchestratorURL/identity/Saml2/Acs.
    8. In the Configure Identifiers section, fill in the URL of the Orchestrator instance in the Relying party trust identifier field.
    9. In the Choose Access Control Policy section make sure to select the Permit everyone access control policy.
    10. The next two sections (Ready to Add Trust and Finish) do not need any specific settings so you may leave them as they are.
    11. The newly added party trust is displayed on the Relying Party Trusts window.
    12. Make sure that the default value for your URL is Yes (Actions > Properties > Endpoints).

  2. Select the relying party trust and select Edit Claim Issuance Policy from the Actions panel. The Edit Claim Issuance Policy wizard is displayed.
  3. Select Add rule and create a new rule using the Send LDAP Attributes as Claims template with the following settings:


  4. Once ADFS is configured, open PowerShell as an administrator and run the following commands:
    • Set-ADFSRelyingPartyTrust -TargetName "DISPLAYNAME" -SamlResponseSignature MessageAndAssertion (replace DISPLAYNAME with the display name set in sub-step 5 of step 1)
    • Restart-Service ADFSSRV
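The same ADFS-side configuration as a script, added here as an example (not UiPath's own code) for the ADFS PowerShell module on the ADFS server. The Orchestrator URL is a placeholder, and the claim rule is an assumption: the page's screenshot of the rule settings is missing, so the rule sends the AD mail attribute as the e-mail address claim, which is what the "By user email" mapping on the Orchestrator side needs.

```powershell
# Added example (not UiPath's code): scripts the ADFS relying party trust described above
# with the ADFS PowerShell module on the ADFS server. Replace the placeholder URL.
Import-Module ADFS

$orchestratorUrl = "https://orchestratorURL"                # placeholder, no trailing slash
$displayName     = $orchestratorUrl                         # step 1.5: display name is the URL
$acsUrl          = "$orchestratorUrl/identity/Saml2/Acs"    # step 1.7: SAML 2.0 SSO service URL

# Assertion Consumer Service endpoint, marked default (step 1.12: Endpoints > Default = Yes)
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
                            -Uri $acsUrl -IsDefault $true

# Assumed claim rule (the page's screenshot of the rule settings is missing): send the
# AD 'mail' attribute as the e-mail address claim, since Orchestrator maps users by email.
$emailRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send E-Mail Address as claim"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);
'@

$trust = @{
    Name                    = $displayName
    Identifier              = $orchestratorUrl    # step 1.8: relying party trust identifier
    SamlEndpoint            = $acs
    AccessControlPolicyName = "Permit everyone"   # step 1.9
    IssuanceTransformRules  = $emailRule          # step 3
}
Add-AdfsRelyingPartyTrust @trust

# Step 4: sign both the SAML response message and the assertion, then restart ADFS
Set-AdfsRelyingPartyTrust -TargetName $displayName -SamlResponseSignature MessageAndAssertion
Restart-Service adfssrv

# Read the trust back and confirm identifier, signature mode, policy and default ACS endpoint
Get-AdfsRelyingPartyTrust -Name $displayName |
    Select-Object Name, Identifier, SamlResponseSignature, AccessControlPolicyName,
        @{ n = 'Endpoints'; e = { $_.SamlEndpoints | ForEach-Object { "$($_.Binding) $($_.Location) default=$($_.IsDefault)" } } }
```

The final Get-AdfsRelyingPartyTrust call is the check to run before moving to the Orchestrator side: SamlResponseSignature must read MessageAndAssertion and the POST endpoint must be the default one.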

Set Orchestrator/Identity Server to Use ADFS Authentication

  1. Define a user in Orchestrator and have a valid email address set on the Users page.
  2. Import the signing certificate provided by the Identity Provider to the Windows certificate store using Microsoft Management Console.
  3. Log in to the Management portal as a system administrator.
  4. Go to Users and select the Security Settings tab.
  5. In the External Providers section, click Configure under SAML 2.0. The Configure SAML 2.0 panel opens at the right of the window.

  6. Set it up as follows:
    • Select the Enabled checkbox.
    • Set the Service Provider Entity ID parameter to https://orchestratorURL/identity/Saml2/Acs.
    • Set the Identity Provider Entity ID parameter to the value obtained by configuring ADFS authentication.
    • Set the Single Sign-On Service URL parameter to the value obtained by configuring ADFS authentication.
    • Select the Allow unsolicited authentication response checkbox.
    • Set the Return URL parameter to https://orchestratorURL/identity/externalidentity/saml2redirectcallback.
    • Set the External user mapping strategy parameter to By user email.
    • Set the SAML binding type parameter to HTTP redirect.
    • In the Signing Certificate section, set the Store name parameter to My from the drop-down list.
    • Set the Store location parameter to LocalMachine.
    • Set the Thumbprint parameter to the thumbprint value of the certificate in the Windows certificate store. Details here.

      Note:
      Replace all occurrences of https://orchestratorURL with the URL of your Orchestrator instance.
      Make sure that the URL of the Orchestrator instance does not contain a trailing slash. Always fill it in as https://orchestratorURL/identity, not https://orchestratorURL/identity/.
  7. Click Save to save the changes to the external identity provider settings.
  8. Restart the IIS server.
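Step 6 needs three values from ADFS (Identity Provider Entity ID, Single Sign-On Service URL and the signing certificate thumbprint). The script below, added as an example that is not UiPath's own code, reads them from the ADFS federation metadata and checks that the certificate imported in step 2 is really in the LocalMachine\My store that the Store name and Store location settings point at. The ADFS host name is a placeholder.

```powershell
# Added example (not UiPath's code): reads the values step 6 asks for from the ADFS
# federation metadata and checks that the certificate imported in step 2 is present in
# Cert:\LocalMachine\My. Run on the Orchestrator/Identity Server machine. Placeholder host.
$adfsHost    = "adfs.example.com"
$metadataUrl = "https://$adfsHost/FederationMetadata/2007-06/FederationMetadata.xml"

[xml]$md = (Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).Content
$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")
$ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#")

# Identity Provider Entity ID is the entityID attribute of the root EntityDescriptor
$entityId = $md.DocumentElement.GetAttribute("entityID")

# SSO endpoint for the HTTP-Redirect binding, matching "SAML binding type: HTTP redirect"
$redirect = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
$sso = $md.SelectSingleNode("//md:IDPSSODescriptor/md:SingleSignOnService[@Binding='$redirect']", $ns)

# First signing certificate ADFS publishes (a second one appears during certificate rollover)
$certB64 = $md.SelectSingleNode("//md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']//ds:X509Certificate", $ns).InnerText
$idpCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($certB64))

# The Thumbprint in step 6 must match a certificate in store My / location LocalMachine
$inStore = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $idpCert.Thumbprint }

[pscustomobject]@{
    IdentityProviderEntityId = $entityId
    SingleSignOnServiceUrl   = $sso.Location
    SigningThumbprint        = $idpCert.Thumbprint
    PresentInLocalMachineMy  = [bool]$inStore
    CertificateExpires       = $idpCert.NotAfter
}
```

If PresentInLocalMachineMy is False, the thumbprint entered in step 6 will not match anything Identity Server can load and SAML responses will fail signature validation; CertificateExpires is worth tracking because ADFS rotates its signing certificate and the Orchestrator setting has to be updated when it does.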
