Orchestrator user guide
ADFS Authentication
Configure a machine to support ADFS and make sure you have access to the ADFS Management console. Contact your system administrator if you do not.
Configure ADFS to Recognize a New Orchestrator Instance
The following steps are valid for the ADFS Management tool. Please note that the following procedure is a broad description of a sample configuration. For a fully detailed how-to, visit the official ADFS Documentation.
1. Open ADFS Management and define a new relying party trust for Orchestrator as follows:
   a. Select Relying Party Trusts.
   b. In the Actions panel, select Add Relying Party Trust. The Add Relying Party Trust Wizard is displayed.
   c. In the Welcome section, select Claims aware.
   d. In the Select Data Source section, choose the Enter data about the relying party manually option.
   e. In the Specify Display Name section, in the Display name field, enter the URL of the Orchestrator instance.
   f. The Configure Certificate section (the optional token encryption certificate) needs no specific settings, so you may leave it as it is.
   g. In the Configure URL section, select Enable support for the SAML 2.0 WebSSO protocol and, in the Relying party SAML 2.0 SSO service URL field, enter the URL of the Orchestrator instance plus the suffix /identity/Saml2/Acs, for example https://orchestratorURL/identity/Saml2/Acs. This is the Assertion Consumer Service endpoint to which ADFS sends its SAML responses.
   h. In the Configure Identifiers section, enter the URL of the Orchestrator instance in the Relying party trust identifier field. ADFS matches the Issuer of incoming authentication requests against this identifier, so it must be identical to the Service Provider Entity ID you later configure in Orchestrator.
   i. In the Choose Access Control Policy section, select the Permit everyone access control policy.
   j. The next two sections (Ready to Add Trust and Finish) need no specific settings, so you may leave them as they are.
   The newly added relying party trust is displayed in the Relying Party Trusts window.
2. Make sure that the Default value for your SAML endpoint is Yes (Actions > Properties > Endpoints).
3. Select the relying party trust and select Edit Claim Issuance Policy from the Actions panel. The Edit Claim Issuance Policy dialog is displayed.
4. Select Add Rule and create a new rule using the Send LDAP Attributes as Claims template with the following settings:

5. Once ADFS is configured, open PowerShell as an administrator and run the following commands, replacing DISPLAYNAME with the display name set in step 1.e:

   Set-AdfsRelyingPartyTrust -TargetName "DISPLAYNAME" -SamlResponseSignature MessageAndAssertion
   Restart-Service adfssrv

   MessageAndAssertion makes ADFS sign both the SAML response message and the assertion inside it; the default for a new relying party trust is to sign the assertion only.
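The ADFS-side steps above, scripted as an added example with the ADFS PowerShell module (this script is not from the UiPath page or from UiPath; run it as an administrator on the ADFS server). Assumptions: the Orchestrator URL is a placeholder, and, because the page's attribute table for the Send LDAP Attributes as Claims rule is not reproduced above, the rule here sends the Active Directory mail attribute as the E-Mail Address claim, which is what Orchestrator's By user email mapping strategy consumes.

```powershell
# Added example, not UiPath's code. Run in an elevated PowerShell on the ADFS server.
# Assumption: placeholder Orchestrator URL; no trailing slash, as the page requires.
$orchestratorUrl = 'https://orchestrator.example.com'
$displayName     = $orchestratorUrl                       # step 1.e uses the URL as the display name
$acsUrl          = "$orchestratorUrl/identity/Saml2/Acs"  # step 1.g: SAML 2.0 SSO service URL

# Step 4: Send LDAP Attributes as Claims. Assumption: AD "mail" -> E-Mail Address claim.
$issuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Orchestrator e-mail address"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);
'@

# Step 1.g: the Assertion Consumer Service endpoint, marked as the default endpoint (step 2).
$acsEndpoint = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl -IsDefault $true

$trust = @{
    Name                    = $displayName
    Identifier              = $orchestratorUrl        # step 1.h: must equal Orchestrator's SP Entity ID
    SamlEndpoint            = $acsEndpoint
    AccessControlPolicyName = 'Permit everyone'       # step 1.i
    IssuanceTransformRules  = $issuanceRules          # step 4
    SamlResponseSignature   = 'MessageAndAssertion'   # step 5: sign both the Response and the Assertion
}
Add-AdfsRelyingPartyTrust @trust

# Step 5: restart the ADFS service so the new trust and signature setting take effect.
Restart-Service adfssrv

# Verify what ADFS actually stored before touching Orchestrator.
Get-AdfsRelyingPartyTrust -Name $displayName |
    Select-Object Name, Identifier, SamlResponseSignature, AccessControlPolicyName,
        @{ Name = 'AcsEndpoints'; Expression = { ($_.SamlEndpoints | ForEach-Object { $_.Location }) -join ', ' } }
```

The verification step at the end is worth keeping: the Identifier it prints is the exact string Orchestrator's Service Provider Entity ID has to reproduce, and SamlResponseSignature should read MessageAndAssertion rather than the AssertionOnly default.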
Set Orchestrator/Identity Server to Use ADFS Authentication
1. Define a user in Orchestrator with a valid email address set on the Users page. With the By user email mapping strategy used below, Orchestrator matches the email address claim sent by ADFS against this value.
2. Import the signing certificate provided by the identity provider (the ADFS token-signing certificate) into the Windows certificate store of the Orchestrator machine using Microsoft Management Console, under Local Computer > Personal. Orchestrator uses this certificate to validate the signature on the SAML responses it receives, so it must be the token-signing certificate, not the ADFS service communication certificate.
3. Log in to the host Management portal as a system administrator.
4. Select Security.
5. Select Configure under SAML SSO. The SAML SSO configuration page opens.
6. Set it up as follows:
   - Optionally select the Force automatic login using this provider checkbox if, after the integration is enabled, you want your users to sign in only through the SAML integration.
   - In the Display Name field, type the name that you want to show for the SAML login option on the Login page.
   - Set the Service Provider Entity ID parameter to https://orchestratorURL/identity/Saml2/Acs. This value is sent as the Issuer of Orchestrator's authentication requests and must match the Relying party trust identifier configured in ADFS.
   - Set the Identity Provider Entity ID parameter to the value obtained by configuring ADFS authentication (the entityID in the ADFS federation metadata, by default http://ADFS-host/adfs/services/trust).
   - Set the Single Sign-On Service URL parameter to the value obtained by configuring ADFS authentication (the SingleSignOnService location in the ADFS federation metadata, by default https://ADFS-host/adfs/ls/).
   - Select the Allow unsolicited authentication response checkbox. This permits IdP-initiated sign-on, where the SAML response is not a reply to a request issued by Orchestrator.
   - Set the Return URL parameter to https://orchestratorURL/identity/externalidentity/saml2redirectcallback.
   - Set the External user mapping strategy parameter to By user email.
   - Set the SAML binding type parameter to HTTP redirect.
   - In the Signing Certificate section, from the Store name list, select My.
   - From the Store location list, select LocalMachine.
   - In the Thumbprint field, add the thumbprint of the certificate imported in step 2, as shown in the Windows certificate store (without spaces).
   Note:
   Replace all occurrences of https://orchestratorURL with the URL of your Orchestrator instance. Make sure that the URL of the Orchestrator instance does not contain a trailing slash. Always fill it in as https://orchestratorURL/identity, not https://orchestratorURL/identity/.
7. Select Save to save the changes to the external identity provider settings.
   The page closes and you return to the Security Settings page.
8. Select the toggle to the left of SAML SSO to enable the integration.
9. Restart the IIS server.
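The Orchestrator-side values above, collected and checked by an added PowerShell example (not from the UiPath page or from UiPath; run in an elevated PowerShell on the Orchestrator server). It assumes placeholder host names, that the ADFS federation metadata endpoint is reachable from the Orchestrator machine, and that the ADFS token-signing certificate has already been imported as in step 2. Rather than typing the Identity Provider Entity ID, Single Sign-On Service URL and thumbprint by hand, it reads them from the ADFS metadata and verifies that the signing certificate ADFS advertises is the one present in LocalMachine\My.

```powershell
# Added example, not UiPath's code. Assumptions: placeholder host names below.
$orchestratorUrl = 'https://orchestrator.example.com'
$adfsHost        = 'adfs.example.com'

function Assert-NoTrailingSlash([string]$Url) {
    # The page requires URLs without a trailing slash; fail early instead of at login time.
    if ($Url.EndsWith('/')) { throw "URL must not end with '/': $Url" }
}
Assert-NoTrailingSlash $orchestratorUrl

# Read the ADFS federation metadata (standard ADFS endpoint).
$metadataUrl = "https://$adfsHost/FederationMetadata/2007-06/FederationMetadata.xml"
[xml]$md = (Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).Content

# Identity Provider Entity ID and the HTTP-Redirect Single Sign-On Service URL.
$idpEntityId = $md.EntityDescriptor.entityID
$ssoUrl = ($md.EntityDescriptor.IDPSSODescriptor.SingleSignOnService |
    Where-Object { $_.Binding -eq 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect' }).Location

# Signing certificates advertised by ADFS. During a certificate rollover the metadata lists
# two; every one of them must be importable, and the primary is the one to put in Thumbprint.
$advertised = foreach ($kd in $md.EntityDescriptor.IDPSSODescriptor.KeyDescriptor) {
    if ($kd.use -ne 'signing') { continue }
    $raw = [Convert]::FromBase64String($kd.KeyInfo.X509Data.X509Certificate)
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$raw)
}

# Check the store Orchestrator will search: Store name My, Store location LocalMachine.
$storeCerts = Get-ChildItem Cert:\LocalMachine\My
$matched = foreach ($cert in $advertised) {
    $inStore = $storeCerts | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    if (-not $inStore) { throw "ADFS signing certificate $($cert.Thumbprint) is not in LocalMachine\My; import it first (step 2)." }
    if ($inStore.NotAfter -lt (Get-Date)) { throw "ADFS signing certificate $($cert.Thumbprint) expired on $($inStore.NotAfter)." }
    $inStore
}

# The values to enter on the SAML SSO configuration page.
[pscustomobject]@{
    'Service Provider Entity ID'  = "$orchestratorUrl/identity/Saml2/Acs"   # must equal the ADFS relying party identifier
    'Identity Provider Entity ID' = $idpEntityId
    'Single Sign-On Service URL'  = $ssoUrl
    'Return URL'                  = "$orchestratorUrl/identity/externalidentity/saml2redirectcallback"
    'Signing cert thumbprints'    = ($matched | ForEach-Object { $_.Thumbprint }) -join ', '
    'Signing cert expiry'         = ($matched | ForEach-Object { $_.NotAfter }) -join ', '
}

# Step 9, after the settings are saved and the SAML SSO toggle is enabled.
iisreset
```

If more than one thumbprint is printed, ADFS is in the middle of a token-signing certificate rollover; on the ADFS server, Get-AdfsCertificate -CertificateType Token-Signing shows which one is primary, and that is the thumbprint Orchestrator needs. The expiry check matters because Orchestrator will silently reject every assertion once the configured certificate expires, which presents as a generic login failure rather than a certificate error.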