- Getting started
- Best practices
- Tenant
- About the Tenant Context
- Searching for Resources in a Tenant
- Managing Robots
- Connecting Robots to Orchestrator
- Storing Robot Credentials in CyberArk
- Storing Unattended Robot Passwords in Azure Key Vault (read only)
- Storing Unattended Robot Credentials in HashiCorp Vault (read only)
- Storing Unattended Robot Credentials in AWS Secrets Manager (read only)
- Deleting Disconnected and Unresponsive Unattended Sessions
- Robot Authentication
- Robot Authentication With Client Credentials
- SmartCard Authentication
- Configuring automation capabilities
- Audit
- Settings - Tenant Level
- Resource Catalog Service
- Folders Context
- Automations
- Processes
- Jobs
- Triggers
- Logs
- Monitoring
- Queues
- Assets
- Storage Buckets
- Test Suite - Orchestrator
- Other Configurations
- Integrations
- Host administration
- Organization administration
- Troubleshooting
Custom Mapping
ADFS, Google, and Okta all use your email address as a SAML attribute. This section handles custom SAML mapping based on either your username or an external provider key.
The following parameters need to be configured in this regard in Identity Server's SAML2 settings within the External Providers page (read here how to access Identity Server):
-
External user mapping strategy - Defines the mapping strategy. The following options are available:
By user email
- Your email address is set as the attribute. This is the default value.By username
- Your username is set as the attribute.By external provider key
- An external provider key is set as the attribute.
- External user identifier claim name - Defines the claim to be used as an identifier for the mapping. This is only required if you set your username as the attribute.
See below a configuration example for each mapping strategy using OKTA.
This is the default mapping strategy. User identification is made using an email claim.
To use the user email, configure SAML in the host Management portal (Users > Authentications Settings > External Providers > SAML 2.0) as follows:
- Select the Enabled checkbox.
- Set the External user mapping strategy parameter to
By user email
.
This enables the administrator to define a specific claim for user identification.
To use the user name, configure SAML in the host Management portal (Users > Authentications Settings > External Providers > SAML 2.0) as follows:
- Select the Enabled checkbox.
- Set the External user mapping strategy parameter to
By username
. - Set the External user identifier claim name parameter to the previously created claim, in our example,
auid-claim
.
This option is recommended if the users are already defined in Orchestrator and Okta.
An administrator with access to the Identity Server users database is required to run the following SQL command:
INSERT INTO [identity].[AspNetUserLogins] (UserId,LoginProvider,ProviderKey)
VALUES (<userid>,'http://www.okta.com/exkh4xo7uoXgjukfS0h7','[email protected]')
INSERT INTO [identity].[AspNetUserLogins] (UserId,LoginProvider,ProviderKey)
VALUES (<userid>,'http://www.okta.com/exkh4xo7uoXgjukfS0h7','[email protected]')
- Set the
LoginProvider
parameter to the entityId used in Okta - Set the
ProviderKey
parameter to the user's email address
To use the external provider key, configure SAML in the host Management portal (Users > Authentication Settings > External Providers > SAML 2.0) as follows:
- Select the Enabled checkbox.
- Set the External user mapping strategy parameter to
By external provider key
.