Active Directory configuration

Blue Prism supports single sign-on using Microsoft Active Directory Domain Services, which allows users who have been authenticated by the operating system, and who are members of the appropriate domains and forests, to log into Blue Prism without resubmitting their credentials.

Integration with Active Directory is configured for specified instances of Blue Prism allowing full segregation of roles across multiple environments such as Development, Test, and Production.

Blue Prism provides two environments for managing Active Directory authentication to the platform:

  • Single-authentication environment – Supports Active Directory accounts where roles are mapped to Active Directory security groups. In single-authentication environments, Active Directory users can be contained within multiple domains but only a single forest.
  • Multi-authentication environment – Supports Active Directory accounts where roles are mapped to individual users in Blue Prism. In multi-authentication environments, Active Directory users can be contained in multiple domains and multiple forests. This environment type also supports Blue Prism native authentication (see Authentication in Blue Prism for more details). This is the latest and recommended environment for enterprise deployments.

When configuring Blue Prism to use Active Directory authentication, the database must be configured at the time of creation to use either a multi-authentication or a single-authentication environment. For further details, see Create a new database.

Active Directory configuration in a single-authentication Blue Prism environment

The following steps are required for managing user access to Blue Prism with single-authentication Active Directory where Blue Prism is deployed within a single Active Directory forest:

  1. Configure Active Directory security groups – Security groups should be set up in Active Directory to reflect each user role in a Blue Prism environment. The users within the domain should then be added to the relevant security group.

  2. Specify the domain that hosts the Active Directory security groups – Blue Prism is configured with the domain in which the Active Directory security groups reside. Only security groups in the specified domain can be associated with a Blue Prism user role; however, users from any domain within the common Active Directory forest can be assigned to these security groups, either as direct members of the group or through membership of a nested group. As part of the configuration it is necessary to select which Active Directory security group users must be members of in order to be granted System Administrator rights.

    Single sign-on for Blue Prism does not support built-in groups or groups with derived membership, such as Domain Users or Authenticated Users. It is also recommended that the security groups used do not contain Foreign Security Principals.

  3. Configure and map the Blue Prism roles to Active Directory security groups – The pre-configured Blue Prism user roles can then be edited, and new roles added, on the Security - User Roles screen. Each active role in a given Blue Prism environment is then mapped to an existing Active Directory security group within the configured domain.

    Users who belong to the groups that have been configured should now be able to log into Blue Prism and perform the actions permitted by the corresponding Blue Prism role.

    Users may have to log out of Windows and log back in again for Active Directory changes to take effect.
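The constraints in step 2 (security group in the configured domain, no built-in or derived-membership groups, no Foreign Security Principals) can be checked before a group is mapped to a role. The following PowerShell is an added example, not part of the Blue Prism documentation or product; it assumes the RSAT ActiveDirectory module is installed, and the domain and group names are placeholders.

```powershell
# Added example (not Blue Prism's own code): pre-flight check of a candidate security group
# against the single-authentication mapping constraints described above.
# Assumptions: RSAT ActiveDirectory module present; domain/group names below are placeholders.
Import-Module ActiveDirectory

function Test-BluePrismRoleGroup {
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [Parameter(Mandatory)] [string] $ConfiguredDomain   # domain configured in Blue Prism
    )
    $findings = @()
    $group = Get-ADGroup -Identity $GroupName -Server $ConfiguredDomain `
                         -Properties member, isCriticalSystemObject

    # Roles map to security groups, not distribution groups
    if ($group.GroupCategory -ne 'Security') {
        $findings += "not a security group (category: $($group.GroupCategory))"
    }

    # The group must reside in the configured domain: rebuild the domain name from the DN's DC= parts
    $dcParts = $group.DistinguishedName -split ',' | Where-Object { $_ -like 'DC=*' }
    $groupDomain = ($dcParts -replace '^DC=') -join '.'
    if ($groupDomain -ne $ConfiguredDomain) {
        $findings += "group resides in $groupDomain, not in configured domain $ConfiguredDomain"
    }

    # Built-in / well-known groups (RID below 1000, Builtin container, or critical system object) are unsupported
    $rid = [int](($group.SID.Value -split '-')[-1])
    if ($rid -lt 1000 -or $group.isCriticalSystemObject -or
        $group.DistinguishedName -like '*,CN=Builtin,DC=*') {
        $findings += 'built-in or well-known group'
    }

    # Foreign Security Principals live in CN=ForeignSecurityPrincipals; their presence is not recommended.
    # Only direct members are inspected here; nested groups should be checked with their own call.
    $fsp = @($group.member | Where-Object { $_ -like '*,CN=ForeignSecurityPrincipals,DC=*' })
    if ($fsp.Count -gt 0) {
        $findings += "contains $($fsp.Count) Foreign Security Principal(s): $($fsp -join '; ')"
    }

    [pscustomobject]@{
        Group     = $group.DistinguishedName
        Supported = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

# Placeholder names; replace with the configured domain and the group intended for a Blue Prism role
Test-BluePrismRoleGroup -GroupName 'BP-SystemAdministrators' -ConfiguredDomain 'corp.example.com'
```

A group reported as Supported still needs its effective membership reviewed, since nested groups from other domains in the forest are permitted and are not expanded here.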

Active Directory configuration in a multi-authentication Blue Prism environment

The following steps are required for managing user access to Blue Prism with multi-authentication Active Directory where Blue Prism is deployed within multiple Active Directory forests:

  1. Enable Active Directory authentication in Blue Prism – Blue Prism administrators who are members of an Active Directory domain must enable Active Directory authentication on the System > Security - Sign-on Settings screen in Blue Prism before mapping Active Directory users to Blue Prism roles.

  2. Map Active Directory users to Blue Prism roles – Active Directory users are retrieved from the Active Directory domains and forests and mapped individually to Blue Prism roles via the Create new user wizard in Blue Prism.

For further details, see Single Sign-on.