Configure external authentication in Blue Prism

This section takes you through the following configuration steps:

  • Configure your Blue Prism deployment to support external authentication
  • Configure users either by adding new external users, or converting existing Blue Prism native or Active Directory users to external authentication users

Enable external authentication

  1. Log into Blue Prism with an account with system administrator access.
  2. Navigate to System > Security - Sign-on Settings and click Enable external authentication.
  3. Enter your Authentication Gateway URL, consisting of the hostname and port configured for the site in the installer. This should take the form https://{hostname}:{port}, for example https://authgateway.com:44300.
  4. Click Apply.

Add external authentication users to Blue Prism

To enable a user to authenticate via an external identity provider, follow the steps below:

  1. Navigate to System > Security - Users and select New from the menu icon.
  2. Select the option to create a single external authentication user and click Next.

  3. Enter a username and external user ID for the new user, and click Next.

    The external user ID must match the ID configured in the external identity provider and is case-sensitive.

  4. Assign the roles and permissions to the new user, and click Finish when the confirmation displays that the user has been successfully created.

Sign into Blue Prism using external authentication

Once the Blue Prism user has been associated with their identity in the external identity provider, they should be able to authenticate with this provider to sign into Blue Prism:

  1. On the Blue Prism login page, click Sign in using your configured service provider.
  2. A browser window will open and direct you to the login page for your configured service provider.
  3. Enter your credentials and complete the sign-in process with the provider.
  4. Once you have authenticated with the identity provider, the browser window will close and you will be returned to Blue Prism as a logged-in user.

Convert existing Blue Prism users to external authentication users

Existing Blue Prism users currently authenticating with native and/or Active Directory account credentials in a multi-authentication database can be converted to authenticate via an external identity provider if external authentication has been enabled in Blue Prism. Please note that if you have only just enabled external authentication, you may need to browse away from the System tab and back before you will see the option to convert users as described below.

The user conversion is irreversible and converted users will only be able to authenticate via the new external identity provider IDs once the conversion has completed.

Before starting the conversion, please ensure:

  • You have installed and configured Authentication Gateway.
  • You have backed up your database.
  • Any users you intend to convert have logged out of Blue Prism. This prevents you from also converting the current logged-in user.

  1. Navigate to System > Security - Users and select Convert from the menu icon (ensure you select the Users node and not an individual user).

  2. Select the required users for conversion from the available list of existing native and Active Directory users and click Next.

    You can sort the list by username and authentication type, and filter users by username or parts thereof, or click Select All to select all users in the list.

  3. Add the external user ID for each user you selected.

    The external user ID must be unique for each user and is case-sensitive, so it must exactly match the value the users will enter in the external identity provider’s login page.

  4. Click Convert.

If required, update the roles and permissions of the newly converted users by clicking Edit in a user's context menu.

Once the users have been successfully converted, you will be returned to the Security - Users screen and can view the authentication type of each user in the list.

Resolve partial user conversion

Sometimes not all of the users selected for conversion can be converted. This is usually because the same external identity has been entered against more than one username. If this occurs, the wizard will list the names of the users who could not be converted, allowing you to take note and attempt the conversion again.

Users who have not been converted will still be able to log into Blue Prism with the originally configured mechanism and credentials.
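
A pre-check for the duplicate external user IDs described above, as an added example that is not part of the Blue Prism product or its documentation: it reads a planning sheet of usernames and intended external user IDs and reports problems before the irreversible conversion is run. The CSV layout, column names and sample rows are assumptions constructed for illustration, not a Blue Prism export format.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: a planning sheet the administrator maintains themselves.
# The column names are assumptions, not a Blue Prism export format.
SAMPLE_PLAN = """\
username,external_id
alice,alice@example.com
bob,Bob@example.com
carol,alice@example.com
dave,bob@example.com
erin, erin@example.com
frank,
"""


def check_plan(csv_text):
    """Return (errors, warnings) for a username -> external user ID plan."""
    errors, warnings = [], []
    by_exact = defaultdict(list)   # exact ID -> usernames (IDs are case-sensitive)
    by_folded = defaultdict(list)  # case-folded ID -> (username, ID) pairs
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["username"]
        ext = row["external_id"] or ""
        if not ext.strip():
            errors.append(f"{user}: external user ID is empty")
            continue
        if ext != ext.strip():
            # Not an exact match for the identity provider's value.
            warnings.append(f"{user}: external user ID has surrounding whitespace")
        by_exact[ext].append(user)
        by_folded[ext.strip().casefold()].append((user, ext.strip()))
    for ext, users in by_exact.items():
        if len(users) > 1:  # the usual cause of a partial conversion
            errors.append(f"duplicate external user ID {ext!r}: {', '.join(users)}")
    for entries in by_folded.values():
        if len({ext for _, ext in entries}) > 1:
            # Distinct under case-sensitive matching, but one is likely mistyped.
            pairs = ", ".join(f"{u}={e!r}" for u, e in entries)
            warnings.append(f"IDs differ only by case: {pairs}")
    return errors, warnings


if __name__ == "__main__":
    errs, warns = check_plan(SAMPLE_PLAN)
    for line in errs:
        print("ERROR  ", line)
    for line in warns:
        print("WARNING", line)
```

Errors are entries that cannot be converted as planned; warnings are entries worth comparing against the identity provider before clicking Convert.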

For more information on managing users in Blue Prism, see Manage users.