UiPath Documentation
orchestrator
2024.10
false
UiPath logo, featuring letters U and I in white

Orchestrator installation guide

Last updated Mar 24, 2026

Identity Server Scripts

Publish to Identity Server

The following table describes all the parameters that you can use with the Publish-IdentityServer.ps1 script.

Parameter

Description

-action

Mandatory. Indicates the type of scenario you want to start. The following options are available:

  • Deploy - specifies it is a clean installation.
  • Update - specifies you are updating your Identity Server instance.

-azureAccountApplicationId

Mandatory. The Azure service principal ID. Please note that the used service principal needs to be assigned the Contributor role to the app service at the subscription scope.

-azureAccountPassword

Mandatory. The Azure token password for the service principal ID.

-azureSubscriptionId

Mandatory. The Azure subscription ID for the App Service that hosts Orchestrator.

-azureAccountTenantId

Mandatory. The Azure tenant ID.

-orchestratorUrl

Mandatory. The URL of the Orchestrator instance.

-identityServerUrl

Mandatory. The URL of the Identity Server.

Important: The URL must contain the Identity Server address + the suffix /identity in lowercase. Example: https://[identity_server]/identity

-resourceCatalogUrl

 Mandatory. The URL of the Resource

Catalog.

-orchDetails

This parameter is a hash table that contains the following values:

  • resourceGroupName - Mandatory. The name of the Azure Resource Group that contains the Orchestrator App Service.
  • appServiceName - Mandatory. The Orchestrator Azure App Service name.
  • targetSlot - Mandatory. The Target App Service Slot set by Azure.

-identityServerDetails

This parameter is a hash table that contains the following values:

  • resourceGroupName - Mandatory. The name of the Azure Resource Group that contains the Identity Server App Service.
  • appServiceName - Mandatory. The Identity Server Azure App Service name.
  • targetSlot - Mandatory. The Target App Service Slot set by Azure.

-package

 Mandatory. Indicate the full path or relative path of the UiPath.IdentityServer.Web.zip archive.

-cliPackage

 Mandatory. Indicate the full path or relative path of the UiPath.IdentityServer.Migrator.Cli.zip archive.

-productionSlotName

Optional. It can be used only if the Identity Server App Service deployment slot is different from the default Production App Service Slot set by Azure.

-stopApplicationBeforePublish

Optional. If present, it stops the application before deployment and it starts it after the deployment is completed.

-unattended

Optional. If present, the deployment continues without any user confirmation.

-tmpDirectory

Optional. Enables the specification of a directory where needed files are downloaded and unzipped.

-noAzureAuthentication

 Optional. Allows you to publish to the Azure App Service by relying on your own user identity, without having to create a service principal. If this parameter is used, the UseServicePrincipal parameter set (which includes items such as the Azure application ID, password, subscription ID, and tenant ID) are no longer necessary.

The Publish-IdentityServer.ps1 script is used for the initial deployment or update of Identity Server. The script assumes that the web app already has the DefaultConnection database connection string configured.

.\Publish-IdentityServer.ps1 `
    -action Deploy `
    -orchestratorUrl "<orchestrator_address>" `
    -identityServerUrl "https://<identity_server_url>/identity" ` // must be in lowercase
    -resourceCatalogUrl "<resource_catalog_address>" `
    -orchDetails @{ resourceGroupName = "<resourcegroup_name>"; appServiceName = "<appservice_name>";  targetSlot = "Production" } `
    -identityServerDetails @{ resourceGroupName = "<resourcegroup_name>"; appServiceName = "<appservice_name>"; targetSlot = "Production" } `
    -azureSubscriptionId "<subscription_id>" `
    -azureAccountTenantId "<azure_tenant_id>" `
    -azureAccountApplicationId "<azure_application_id>" `
    -azureAccountPassword "<azure_account_password>" `
    -package "UiPath.IdentityServer.Web.zip" `
    -cliPackage "UiPath.IdentityServer.Migrator.Cli.zip" `
    -stopApplicationBeforePublish `
    -unattended
.\Publish-IdentityServer.ps1 `
    -action Deploy `
    -orchestratorUrl "<orchestrator_address>" `
    -identityServerUrl "https://<identity_server_url>/identity" ` // must be in lowercase
    -resourceCatalogUrl "<resource_catalog_address>" `
    -orchDetails @{ resourceGroupName = "<resourcegroup_name>"; appServiceName = "<appservice_name>";  targetSlot = "Production" } `
    -identityServerDetails @{ resourceGroupName = "<resourcegroup_name>"; appServiceName = "<appservice_name>"; targetSlot = "Production" } `
    -azureSubscriptionId "<subscription_id>" `
    -azureAccountTenantId "<azure_tenant_id>" `
    -azureAccountApplicationId "<azure_application_id>" `
    -azureAccountPassword "<azure_account_password>" `
    -package "UiPath.IdentityServer.Web.zip" `
    -cliPackage "UiPath.IdentityServer.Migrator.Cli.zip" `
    -stopApplicationBeforePublish `
    -unattended
Important:

After running the above script, make sure you perform the extra steps listed below for a successful initial deployment.

After publishing Identity Server, perform the following steps:

  1. Go to Azure Portal.
  2. Select your Identity Server App Service.
  3. In the Certificates menu, go to Bring your own certificates.
  4. Upload a private key certificate .pfx file with a valid password.
Note:

This certificate is used to sign the access tokens and the ID tokens.

  1. Under Configuration menu, add the following application settings exactly as written in the Application Settings column:

    Application Setting

    Value

    Description 

    
   AppSettings__IdentityServerAddress
  

   AppSettings__IdentityServerAddress

    https://[identity_server]/identity

    The public URL of the Identity Server.

    Important: The URL must contain the address of Identity Server + the suffix 
    
  /identity
 

  /identity
    in lowercase. 

    
   AppSettings__SigningCredentialSettings__StoreLocation__Location
  

   AppSettings__SigningCredentialSettings__StoreLocation__Location

    CurrentUser

    This has to point to CurrentUser . 

    
   AppSettings__SigningCredentialSettings__StoreLocation__Name
  

   AppSettings__SigningCredentialSettings__StoreLocation__Name

    XXXXXXXXXXXXXXXXXXXXXXXXXXXX

    The thumbprint of your certificate that you've uploaded earlier. 

    
   AppSettings__SigningCredentialSettings__StoreLocation__NameType
  

   AppSettings__SigningCredentialSettings__StoreLocation__NameType
  


    
   Thumbprint
  

   Thumbprint

    		Enter 
    
  Thumbprint
 

  Thumbprint
    as the type of the previous field. 

    
   AppSettings__LoadBalancerSettings__RedisConnectionString
  

   AppSettings__LoadBalancerSettings__RedisConnectionString
  


    
   XXXXXXXXXXXX:XXXX,password=XXXXXX
  

   XXXXXXXXXXXX:XXXX,password=XXXXXX

    The connection string needed to set up your Redis server, which contains the URL of the server, the password, and the port. You can also enable SSL encrypted connections between the Orchestrator nodes and the Redis service. 

    
   AppSettings__LoadBalancerSettings__SlidingExpirationTimeInSeconds
  

   AppSettings__LoadBalancerSettings__SlidingExpirationTimeInSeconds

    Number of seconds

    The sliding expiration time of an item inside the cache. This expiration time applies to both Redis Cache and InMemory Cache. 

    
   AppSettings__RedisSettings__UseRedisStoreCache
  

   AppSettings__RedisSettings__UseRedisStoreCache
  


    
  true
 

  true
    / 
    
  false
 

  false
    		Set its value to 
    
  true
 

  true
    to enable Redis caching of OAuth client data. This helps prevent performance issues when using Interactive Sign In to connect a large number of robots in a short amount of time. This cache uses the same Redis connection string specified in the 
    
  AppSettings__LoadBalancerSettings
 

  AppSettings__LoadBalancerSettings
    Note: This is not recommended if you are using the External Applications feature since this setting caches clients, and updates to External Applications will not be reflected. 

    
   AppSettings__RedisSettings__UseRedisStoreClientCache
  

   AppSettings__RedisSettings__UseRedisStoreClientCache
  


    
  true
 

  true
    / 
    
  false
 

  false

    Set its value to true to enable Redis caching for first-party clients (UiPath applications) or third-party clients (external applications). If you have a large-scale deployment, it is recommended to enable this flag. 

    
   App__Saml2ValidCertificateOnly
  

   App__Saml2ValidCertificateOnly
  


    
  true
 

  true
    / 
    
  false
 

  false
    		For Orchestrator deployments via an Azure web app, this parameter must be set to 
    
  false
 

  false
    . This is because SAML2 requires certificates to be added to its trust store, but Azure web apps do not allow this action. Setting the value to 
    
  false
 

  false
    means that the certificate check is bypassed. 

    
   WEBSITE_LOAD_CERTIFICATES
  

   WEBSITE_LOAD_CERTIFICATES

    XXXXXXXXXXXXXXXXXXXXXXXXXXXX

    The thumbprint value of your certificate that you've uploaded earlier. 

    
   WEBSITE_LOAD_USER_PROFILE
  

   WEBSITE_LOAD_USER_PROFILE

    1

    		The user profile. 
    
  -azureUSGovernmentLogin
 

  -azureUSGovernmentLogin
    		Optional. This parameter is only used for US Government deployments.  

  2. Save the changes.

Find more details in the Microsoft Azure documentation.

Replacing the private key certificate

When you replace a private key certificate with a new one, make sure to follow these steps:

  1. Replace the values of the AppSettings__SigningCredentialSettings__StoreLocation__Name and WEBSITE_LOAD_CERTIFICATES parameters with the thumbprint of the new certificate.
  2. Restart the Identity app service.
  3. Restart the Orchestrator app service.

Migrate to Identity Server

The following table describes all the parameters that can be used with the MigrateTo-IdentityServer.ps1.

Parameter

Description

-cliPackage

 Mandatory . Indicate the full path or relative path of the UiPath.IdentityServer.Migrator.Cli.zip archive.

-azureDetails

This parameter is a hash table that contains the following values:

  • azureAccountApplicationId - Mandatory. The Azure service principal ID. Please note that the used service principal needs to be assigned the Contributor role to the app service at the subscription scope.
  • azureSubscriptionId - Mandatory. The Azure subscription ID for the App Service that hosts Orchestrator.
  • azureAccountTenantId - Mandatory. The Azure tenant ID.
  • azureAccountPassword - Mandatory. The Azure token password for the service principal ID.

-orchDetails

This parameter is a hash table that contains the following values:

  • resourceGroupName - Mandatory. The name of the Azure Resource Group that contains the Orchestrator App Service.
  • appServiceName - Mandatory. The Orchestrator Azure App Service name.
  • targetSlot - Mandatory. The Target App Service Slot set by Azure.

-identityServerDetails

This parameter is a hash table that contains the following values:

  • resourceGroupName - Mandatory. The name of the Azure Resource Group that contains the Identity Server App Service.
  • appServiceName - Mandatory. The Identity Server Azure App Service name.
  • targetSlot - Mandatory. The Target App Service Slot set by Azure.

-identityServerUrl

Mandatory. The public address of the Identity Server.

Important: The URL must contain the address of Identity Server + the suffix /identity in lowercase. Example: https://[identity_server]/identity

-orchestratorUrl

Mandatory. The public address of the Orchestrator.

-tmpDirectory

Optional. Enables the specification of a directory where needed files are downloaded and unzipped.

-hostAdminPassword

 Mandatory only for fresh deployments, when-action is set to Deploy . Specify a custom password for the host administrator. Please note that passwords have to be least 8 characters long, and must have at least one lowercase character and at least one digit.

-isHostPassOneTime

Optional. Enables you to enforce a password reset on the first login for the host administrator. If this parameter is omitted, the host admin password is not a one-time password.

-defaultTenantAdminPassword

 Mandatory only for fresh deployments, when-action is set to Deploy . Specify a custom password for the default tenant administrator. Please note that passwords have to be least 8 characters long, and must have at least one lowercase character and at least one digit.

-isDefaultTenantPassOneTime

Optional. Enables you to enforce a password reset on the first login for the default tenant administrator. If this parameter is omitted, the tenant admin password is not a one-time password.

-noAzureAuthentication

 Optional. Allows you to publish to the Azure App Service by relying on your own user identity, without having to create a service principal. If this parameter is used, the UseServicePrincipal parameter set (which includes items such as the Azure application ID, password, subscription ID, and tenant ID) are no longer necessary.

The MigrateTo-IdentityServer.ps1 script is used to migrate user data from Orchestrator to Identity Server and set the configurations for both. It sets the identity authority of Orchestrator to Identity Server, and it creates client configuration for Orchestrator in Identity Server.

The script assumes that Orchestrator and Identity Server are already published.

.\MigrateTo-IdentityServer.ps1 `
    -cliPackage "UiPath.IdentityServer.Migrator.Cli.zip" `
    -azureDetails @{azureSubscriptionId = "<subscription_id>"; azureAccountTenantId = "<azure_tenant_id>"; azureAccountApplicationId = "<azure_application_id>"; azureAccountPassword = "<azure_account_password>" } `
    -orchDetails @{ resourceGroupName = "<resourcegroup_name>"; appServiceName = "<appservice_name>";  targetSlot = "Production" } `
    -identityServerDetails @{ resourceGroupName = "<resourcegroup_name>"; appServiceName = "<appservice_name>"; targetSlot = "Production" } `
    -identityServerUrl "https://<identity_server_url>/identity" ` // must be in lowercase
    -orchestratorUrl "https://<OrchestratorURL>" `
    -hostAdminPassword "12345qwert" `
    -defaultTenantAdminPassword "12345qwert"
.\MigrateTo-IdentityServer.ps1 `
    -cliPackage "UiPath.IdentityServer.Migrator.Cli.zip" `
    -azureDetails @{azureSubscriptionId = "<subscription_id>"; azureAccountTenantId = "<azure_tenant_id>"; azureAccountApplicationId = "<azure_application_id>"; azureAccountPassword = "<azure_account_password>" } `
    -orchDetails @{ resourceGroupName = "<resourcegroup_name>"; appServiceName = "<appservice_name>";  targetSlot = "Production" } `
    -identityServerDetails @{ resourceGroupName = "<resourcegroup_name>"; appServiceName = "<appservice_name>"; targetSlot = "Production" } `
    -identityServerUrl "https://<identity_server_url>/identity" ` // must be in lowercase
    -orchestratorUrl "https://<OrchestratorURL>" `
    -hostAdminPassword "12345qwert" `
    -defaultTenantAdminPassword "12345qwert"
  • Publish to Identity Server
  • Replacing the private key certificate
  • Migrate to Identity Server

Was this page helpful?

Connect

Need help? Support

Want to learn? UiPath Academy

Have questions? UiPath Forum

Stay updated