Blue Prism supports single sign-on using Microsoft Active Directory Domain Services which allows users who have been authenticated by the operating system, and who are members of appropriate domains and forests, to log into Blue Prism without resubmitting their credentials.
Blue Prism provides two types of environment for managing Active Directory authentication to the platform:
- Multi-authentication environment – supports Active Directory accounts where roles are mapped to individual users in Blue Prism. In multi-authentication environments, Active Directory users can be contained in multiple domains and multiple forests. This environment type also supports Blue Prism native authentication and external identity provider authentication (see Authentication in Blue Prism for more details).
- Single-authentication environment – referred to as Active Directory Single Sign-On authentication prior to Blue Prism 6.8, it supports Active Directory accounts only where roles are mapped to Active Directory security groups. In single-authentication environments, Active Directory users can be contained within multiple domains but only a single forest.
The environment type is selected when the database is created and it can only be changed when converting a single-authentication Active Directory environment to a multi-authentication Active Directory environment.
A given Blue Prism device can only connect to one environment at any one time but it can be configured to connect to many environments, which can each be configured with one of the available sign-in methods.
Blue Prism administrators who are members of an Active Directory domain must enable Active Directory authentication on the System > Security - Sign-on Settings screen in the Blue Prism client.
They must then create Active Directory user accounts by retrieving users from the Active Directory and assigning them to Blue Prism user roles, in order for the Active Directory sign-in option to display on the Blue Prism login screen.
To use Active Directory authentication in a multi-authentication environment, all devices must be connected via a Blue Prism application server with a secure connection type. See supported connection modes below.
Single-authentication Active Directory
When configuring Active Directory authentication in a single-authentication environment, it is necessary to specify the Active Directory domain where the security groups that will be associated with Blue Prism security roles will reside. Additionally, the security group whose members will be granted System Administrator access must be selected.
Once the system administrators have been configured with access, the mapping between the other Blue Prism security roles and Active Directory security groups can take place.
Only the following client/server connection modes are supported for Active Directory authentication:
- WCF: SOAP with Message Encryption and Windows Authentication
- WCF: SOAP with Transport Encryption and Windows Authentication
- .NET Remoting: Secure
Blue Prism administrators can convert a single-authentication Active Directory database to a multi-authentication Active Directory environment. This is a one-way, irreversible operation which converts all single-authentication accounts in a Blue Prism environment to multi-authentication accounts, automatically mapping roles to individual users based on their Active Directory security group membership (after which group membership is no longer relevant).
This feature is available in the single sign-on settings for administrators using the single-authentication environment.
Before starting the conversion please ensure:
- you are using one of the supported connections for Active Directory authentication.
- you have backed up your database.
- you have stopped all processes.
- all users and runtime resources are logged out of the environment.
After closing down any runtime resources, the administrator will need to wait two minutes before they are able to perform the conversion; otherwise they will be reminded that all users must be logged out before they can proceed with the conversion.
Please be aware that depending on the number of users you are converting and any potential latency, the database conversion might take a few minutes.
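The following PowerShell script is an added example, not a Blue Prism tool, that walks the pre-conversion checklist above on the machine from which the conversion will be run. It assumes the Blue Prism client and runtime resource run as a process named Automate.exe and that the database backup was written to the path in $BackupPath; both are assumptions, and the script can only see processes on the local host, so resources on other machines must be checked separately.

```powershell
# Added example (not Blue Prism's own tooling): pre-conversion checks on the host
# where the conversion will be started.
# Assumptions: the Blue Prism client/runtime process is named Automate.exe, and
# the database backup was written to $BackupPath.
param(
    [string]$BackupPath = 'D:\Backups\BluePrism-pre-conversion.bak'  # assumed path
)

$ErrorActionPreference = 'Stop'

# 1. A database backup must exist; warn if it looks stale.
if (-not (Test-Path $BackupPath)) {
    throw "No database backup found at $BackupPath - back up the database before converting."
}
$backupAge = (Get-Date) - (Get-Item $BackupPath).LastWriteTime
if ($backupAge.TotalHours -gt 24) {
    Write-Warning "Backup at $BackupPath is $([int]$backupAge.TotalHours) hours old; take a fresh one."
}

# 2. No Blue Prism processes (interactive clients or runtime resources) may still
#    be running on this host. Get-Process takes the name without the .exe suffix.
$bp = Get-Process -Name 'Automate' -ErrorAction SilentlyContinue
if ($bp) {
    $bp | Select-Object Id, ProcessName, StartTime | Format-Table -AutoSize
    throw "Stop all Blue Prism clients and runtime resources on this host before converting."
}

# 3. The conversion is refused until two minutes after the last runtime resource
#    closed, so wait that long before opening the Sign-on Settings screen.
Write-Host "No Blue Prism processes running; waiting 2 minutes for resource sessions to expire..."
Start-Sleep -Seconds 120
Write-Host "Ready: proceed with the conversion in System > Security - Sign-on Settings."
```

Run it once on each machine that hosts a client or runtime resource; the two-minute wait only needs to elapse once, after the last resource anywhere in the environment has closed.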
When converting a single-authentication Active Directory environment to a multi-authentication Active Directory environment, administrators are prompted to create a recovery administrator user that uses Blue Prism native authentication. A native user with a secure password is required during the conversion because Active Directory users in a multi-authentication environment cannot update an expired license using Active Directory credentials: a Blue Prism server cannot be started with an expired license, and Active Directory users cannot sign in to this environment using a direct SQL Server database connection.
This user can be removed once the database conversion has completed; however, it is recommended to retain it for troubleshooting purposes, particularly in environments where all administrator accounts use multi-authentication Active Directory.
For more information on managing multi-authentication user accounts, see Manage users.
Runtime resource authentication
Runtime resources can authenticate via Active Directory either in a multi-authentication or single-authentication environment by passing the /sso switch in the command line at resource start-up. The /sso switch supports only the client/server connection modes mentioned above.
Authentication occurs using the currently logged-in Windows user's credentials. In a multi-authentication environment, the runtime resource inherits the Blue Prism user roles mapped to the currently logged-in Windows user. In a single-authentication environment, the runtime resource inherits the Blue Prism roles mapped to the Active Directory security groups to which the currently logged-in Windows user has been assigned.
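As an added example (not from the Blue Prism documentation), the following PowerShell script shows which Windows identity a runtime resource started with /sso will present, lists the Active Directory groups carried in that logon token (the groups a single-authentication environment maps to roles), and then starts the resource. The install path, and the /resourcepc, /public and /port switches used to start the executable in runtime-resource mode on a given port, are assumptions; only /sso is taken from the text above.

```powershell
# Added example, not Blue Prism's own code. Shows the identity and group membership
# that a runtime resource started with /sso will authenticate with, then starts it.
# Assumptions: Automate.exe lives under $BluePrismDir, and /resourcepc, /public and
# /port (assumed switches) select runtime-resource mode and its listening port.
$BluePrismDir = 'C:\Program Files\Blue Prism Limited\Blue Prism Automate'  # assumed path
$Port = 8181                                                                # assumed port

# /sso authenticates as the currently logged-in Windows user, so inspect that token.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
Write-Host "Runtime resource will authenticate as: $($identity.Name)"

# In a single-authentication environment the resource inherits the roles mapped to
# these security groups; in a multi-authentication environment it inherits the roles
# mapped to the user itself. Either way, this is the membership the server will see.
Write-Host "Groups in the logon token:"
foreach ($sid in $identity.Groups) {
    try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = $sid.Value }   # some well-known or logon SIDs have no account name
    Write-Host "  $name"
}

# Start the resource. The connection it uses must be one of the supported
# Windows-authenticated WCF modes or .NET Remoting: Secure, or /sso will not work.
$exe = Join-Path $BluePrismDir 'Automate.exe'
Start-Process -FilePath $exe -ArgumentList @('/resourcepc', '/public', '/port', "$Port", '/sso')
```

If a group that is mapped to a role in Blue Prism does not appear in the listed token groups, the resource will not receive that role until the user's membership is updated and they log in to Windows again, since the token is built at logon.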
If you experience any issues, see Single Sign-on troubleshooting.