Single sign-on

Blue Prism supports single sign-on using Microsoft Active Directory Domain Services which allows users who have been authenticated by the operating system, and who are members of appropriate domains and forests, to log into Blue Prism without resubmitting their credentials.

Blue Prism provides two types of environment for managing Active Directory authentication to the platform:

  • Multi-authentication environment – supports Active Directory accounts where roles are mapped to individual users in Blue Prism. In multi-authentication environments, Active Directory users can be contained in multiple domains and multiple forests. This environment type also supports Blue Prism native authentication, see Authentication in Blue Prism for more details.
  • Single-authentication environment – referred to as Active Directory Single Sign-On authentication in previous versions of Blue Prism, it supports Active Directory accounts only where roles are mapped to Active Directory security groups. In single-authentication environments, Active Directory users can be contained within multiple domains but only a single forest.

The environment type is selected when the database is created and it cannot be changed later.

A given Blue Prism device can only connect to one environment at any one time but it can be configured to connect to many environments, which can each be configured with one of the available sign-in methods.

Multi-authentication Active Directory

Blue Prism administrators who are members of an Active Directory domain must enable Active Directory authentication on the System > Security - Sign-on Settings screen in the Blue Prism client.

They must then create Active Directory user accounts by retrieving users from the Active Directory and assigning them to Blue Prism user roles, in order for the Active Directory sign-in option to display on the Blue Prism login screen.

To use Active Directory authentication in a multi-authentication environment, all devices must be connected via a Blue Prism application server with a secure connection type. See supported connection modes below.

Single-authentication Active Directory

When configuring Active Directory authentication in a single-authentication environment, it is necessary to specify the Active Directory domain in which the security groups that will be mapped to Blue Prism security roles reside. Additionally, the security group whose members will be granted System Administrator access must be selected.

Once the system administrators have been configured with access, the mapping between the other Blue Prism security roles and Active Directory security groups can take place.

Supported connection modes in Active Directory environments

Only the following client/server connection modes are supported for Active Directory authentication:

  • WCF: SOAP with Message Encryption and Windows Authentication
  • WCF: SOAP with Transport Encryption and Windows Authentication
  • .NET Remoting: Secure

Active Directory authentication for runtime resources

Runtime resources can authenticate via Active Directory in either a multi-authentication or a single-authentication environment by passing the /sso switch on the command line at resource start-up. The /sso switch supports only the client/server connection modes listed above.

Authentication occurs using the currently logged-in Windows user's credentials. In a multi-authentication environment, the runtime resource inherits the Blue Prism user roles mapped to the currently logged-in Windows user. In a single-authentication environment, the runtime resource inherits the Blue Prism roles mapped to the Active Directory security groups to which the currently logged-in Windows user has been assigned.
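Because a runtime resource started with /sso authenticates as the currently logged-in Windows user and inherits whatever Blue Prism roles are mapped to that user (or, in a single-authentication environment, to that user's security groups), a practitioner normally wants to confirm the identity and group membership before starting the resource. The following PowerShell script is an added example, not Blue Prism code: it lists the current Windows identity and its group SIDs resolved to account names, and warns if an expected group is missing. The group name in $ExpectedGroups, the installation path and the port are constructed placeholders; the /resourcepc, /public and /port switches are assumed from Blue Prism's own command-line documentation and are not shown on this page.

```powershell
# Added example (not Blue Prism's own code): show which Windows identity a runtime
# resource started with /sso would authenticate as, and which groups it belongs to.
# Assumes a domain-joined machine and that it runs under the account that will start
# the resource.

function Get-CurrentIdentityGroups {
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $identity.Groups) {
        # Resolve each group SID to DOMAIN\Name; SIDs that cannot be resolved
        # (for example from an untrusted domain) are reported as <unresolved>.
        try {
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $name = '<unresolved>'
        }
        [pscustomobject]@{ Sid = $sid.Value; Name = $name }
    }
}

$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
Write-Host "Runtime resource would authenticate as: $($identity.Name)"

$groups = Get-CurrentIdentityGroups
$groups | Sort-Object Name | Format-Table -AutoSize

# Security groups you expect to be mapped to Blue Prism roles in a
# single-authentication environment. Constructed placeholder value.
$ExpectedGroups = @('CONTOSO\BluePrism-Runtime')
$missing = $ExpectedGroups | Where-Object { $_ -notin $groups.Name }
if ($missing) {
    Write-Warning "Current identity is not a member of: $($missing -join ', ')"
} else {
    Write-Host 'All expected groups present; safe to start the resource with /sso.'
}

# Start the resource with the /sso switch once the check passes.
# Installation path and port are assumptions; adjust for your environment.
# & 'C:\Program Files\Blue Prism Limited\Blue Prism Automate\Automate.exe' /resourcepc /public /port 8181 /sso
```

Run the script in the same interactive session or service account context that will launch the runtime resource, since it reports the identity of whoever runs it. Any <unresolved> entries are worth investigating: a group that resolves only by SID will not map cleanly to a Blue Prism role.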

Troubleshooting

If you experience any issues, see Single Sign-on troubleshooting.