Single sign-on

Blue Prism supports single sign-on using Microsoft Active Directory Domain Services which allows users who have been authenticated by the operating system, and who are members of appropriate domains and forests, to log into Blue Prism without resubmitting their credentials.

Blue Prism provides two types of environment for managing Active Directory authentication to the platform:

  • Multi-authentication environment – supports Active Directory accounts where roles are mapped to individual users in Blue Prism. In multi-authentication environments, Active Directory users can be contained in multiple domains and multiple forests. This environment type also supports Blue Prism native authentication, see Authentication in Blue Prism for more details.
  • Single-authentication environment – referred to as Active Directory Single Sign-On authentication in previous versions of Blue Prism, it supports Active Directory accounts only where roles are mapped to Active Directory security groups. In single-authentication environments, Active Directory users can be contained within multiple domains but only a single forest.

The environment type is selected when the database is created and it can only be changed when converting a single-authentication Active Directory environment to a multi-authentication Active Directory environment.

A given Blue Prism device can only connect to one environment at any one time but it can be configured to connect to many environments, which can each be configured with one of the available sign-in methods.

Multi-authentication Active Directory

Blue Prism administrators who are members of an Active Directory domain must enable Active Directory authentication on the System > Security - Sign-on Settings screen in the Blue Prism client.

They must then create Active Directory user accounts by retrieving users from the Active Directory and assigning them to Blue Prism user roles, in order for the Active Directory sign-in option to display on the Blue Prism login screen.

To use Active Directory authentication in a multi-authentication environment, all devices must be connected via a Blue Prism application server with a secure connection type. See supported connection modes below.

Single-authentication Active Directory

When configuring Active Directory authentication in a single-authentication environment, it is necessary to specify the Active Directory domain where the security groups that will be associated with Blue Prism security roles will reside. Additionally, the security group whose members will be granted System Administrator access must be selected.

Once the system administrators have been configured with access, the mapping between the other Blue Prism security roles and Active Directory security groups can take place.

Supported connection modes in Active Directory environments

Only the following client/server connection modes are supported for Active Directory authentication:

  • WCF: SOAP with Message Encryption and Windows Authentication,
  • WCF: SOAP with Transport Encryption and Windows Authentication
  • .NET Remoting: Secure.

Convert single-authentication Active Directory to multi-authentication Active Directory

Blue Prism administrators can convert a single-authentication Active Directory database to a multi-authentication Active Directory environment. This is a one-way irreversible operation which converts all single-authentication accounts in a Blue Prism environment to multi- authentication accounts, automatically mapping roles to individual users based on their Active Directory security group membership (after which group membership is no longer relevant).

This feature is available in the single sign-on settings for administrators using the single-authentication environment.

Before starting the conversion please ensure:

  • you are using one of the supported connections for Active Directory authentication.
  • you have backed up your database.
  • you have stopped all processes.
  • all users and runtime resources are logged out of the environment.

After closing down any runtime resources the administrator will need to wait two minutes before they are able to perform the conversion, otherwise they will be reminded that all users must be logged out before they can proceed with the conversion.

Please be aware that depending on the number of users you are converting and any potential latency, the database conversion might take a few minutes.

Active Directory authentication for runtime resources

Runtime resources can authenticate via Active Directory either in a multi-authentication or single-authentication environment by passing the /sso switch in the command line at resource start-up. The /sso switch supports only the client/server connection modes mentioned above.

Authentication occurs using the currently logged-in Windows user's credentials. In a multi-authentication environment, the runtime resource inherits the Blue Prism user roles mapped to the currently logged-in Windows user. In a single-authentication environment, the runtime resource inherits the Blue Prism roles mapped to the Active Directory security groups to which the currently logged-in Windows user has been assigned.


If you experience any issues, see Single Sign-on troubleshooting.