- Release notes
- Getting started
- Installation
- Configuration
- Integrations
- Authentication
- Working with Apps and Discovery Accelerators
- AppOne menus and dashboards
- AppOne setup
- TemplateOne 1.0.0 menus and dashboards
- TemplateOne 1.0.0 setup
- TemplateOne menus and fashboards
- TemplateOne 2021.4.0 setup
- Purchase to Pay Discovery Accelerator menus and dashboards
- Purchase to Pay Discovery Accelerator Setup
- Order to Cash Discovery Accelerator menus and dashboards
- Order to Cash Discovery Accelerator Setup
- Basic Connector for AppOne
- SAP Connectors
- Introduction to SAP Connector
- SAP input
- Checking the data in the SAP Connector
- Adding process specific tags to the SAP Connector for AppOne
- Adding process specific Due dates to the SAP Connector for AppOne
- Adding automation estimates to the SAP Connector for AppOne
- Adding attributes to the SAP Connector for AppOne
- Adding activities to the SAP Connector for AppOne
- Adding entities to the SAP Connector for AppOne
- SAP Order to Cash Connector for AppOne
- SAP Purchase to Pay Connector for AppOne
- SAP Connector for Purchase to Pay Discovery Accelerator
- SAP Connector for Order-to-Cash Discovery Accelerator
- Superadmin
- Dashboards and charts
- Tables and table items
- Application integrity
- How to ....
- Working with SQL connectors
- Introduction to SQL connectors
- Setting up a SQL connector
- CData Sync extractions
- Running a SQL connector
- Editing transformations
- Releasing a SQL Connector
- Scheduling data extraction
- Structure of transformations
- Using SQL connectors for released apps
- Generating a cache with scripts
- Setting up a local test environment
- Separate development and production environments
- Useful resources
Set up single sign-on through SAML for Microsoft Active Directory
This page describes how to set up single sign-on based on SAML for Microsoft Active Directory.
To enable single sign-on based on SAML, both UiPath Process Mining and ADFS must be properly configured so that they can communicate with each other. See also Configuring ADFS.
Refer to the official Microsoft documentation, and make sure to configure the authentication using the response elements as described below.
Subject
nameID
: A persistent identifier for the user (urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
).
Attribute Statements ("claims")
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
: The user's full name.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
: The user's email address.-
http://schemas.xmlsoap.org/claims/Group
: Either a single group identifier, or an array of group identifiers.
RelayState
parameter. This means that the user navigates to the Process Mining login page, from which the user will be redirected to
the Identity Provider to login.
If SAML is enabled and correctly configured, a button is displayed at the bottom of the Login page. See the illustration below.
If multi-factor authentication is used, the user needs to comply with the corresponding rules as well in order to successfully log in.
ExternalAuthenticationProviders
setting with the saml
object for a basic ADFS configuration.
Below is an example of the Server Settings with the ExternalAuthenticationProviders
setting with the saml
object for an ADFS configuration with two-way certificate checking.
3. Click on SAVE to save the new settings.
4. Press F5 to refresh the Superadmin page. This loads the new settings and enables SAML groups to be created based on these settings.
Auto-login
AutoLogin
Server Setting, the user will be automatically logged in using the current active SSO method.
AutoLogin
is set to none
. If you want to enable auto-login for end-users and/or Superadmin users, you can specify this in the AutoLogin
in the Superadmin Settings tab. See The Settings Tab.
Note especially the contents of the `saml:AttributeStatement` element.
Click here to see how the expected response should look like for the `saml:AttributeStatement`, which can help in configuring the Identity Provider.
[INSTALLDIR]/logs
folder.
Below is an example logline from a denied access.
[2021-08-03T16:45:25.291Z] STDERR: Log: failed Superadmin login for 'Jim Jones' ([email protected]) from '10.11.22.33'.
Member-of: ["Admins"]. Valid groups: ["CN=Admins,OU=Company,OU=Applications,OU=Groups,DC=abc,DC=DEF,DC=CompanyName,DC=Com"].
The Valid groups list contains the set of groups received from the Identity Provider for the user ‘Jim Jones’. ‘Jim Jones’ is a member of one group, “Admins”. In Process Mining only the group with the long Distinguished Name is configured. ‘Jim Jones’ is denied access because “Admins” is not listed in the Valid groups.
Solution
You should either configure the Identity Provider to send the full distinguished name, or configure the “Admins” group in Process Mining to only reference the common name.
To use authentication using SAML, you must create one or more AD groups to allow members to log in. For Superadmin users, or app developers you can create AD groups on the Superadmin users tab. See Adding Superadmin AD Groups.
For end user authentication, AD groups can be created on the End user administration page. See Adding end user AD Groups.