Single sign-on

Blue Prism supports single sign-on using Microsoft Active Directory Domain Services, which allows users who have been authenticated by the operating system, and who are members of appropriate domains and forests, to log into Blue Prism without resubmitting their credentials. Integration with Active Directory is configured for specified instances of Blue Prism, allowing full segregation of roles across multiple environments such as Development, Test, and Production.

Blue Prism provides two types of environments for managing Active Directory authentication to the platform:

  • Multi-authentication environment – supports Active Directory accounts where roles are mapped to individual users in Blue Prism. In multi-authentication environments, Active Directory users can be contained in multiple domains and multiple forests.
  • Single-authentication environment – referred to as Active Directory Single Sign-On authentication in previous versions of Blue Prism, it supports Active Directory accounts where roles are mapped to Active Directory security groups. In single-authentication environments, Active Directory users can be contained within multiple domains but only a single forest.

The environment type is selected when the database is created and it can only be changed when converting a single-authentication Active Directory environment to a multi-authentication Active Directory environment.

Active Directory configuration in a single-authentication environment

Where Blue Prism is deployed within a single Active Directory forest, it can be configured to allow users to authenticate against the platform using single sign-on. It essentially requires an Active Directory security group to be mapped to each relevant Blue Prism role, after which users are granted access to the platform based on their Active Directory security group membership.

The steps required to configure Blue Prism integration with Active Directory for single sign-on in a single-authentication environment are illustrated in the diagram below:

  1. Configure Active Directory security groups – Security groups should be set up in Active Directory to reflect each user role in a Blue Prism environment. The users within the domain should then be added to the relevant security group.

  2. Specify the domain that hosts the Active Directory security groups – Blue Prism must be configured with the domain where the Active Directory security groups will reside. Only security groups in the specified domain can be associated with a Blue Prism user role; however, users from any domain within the common Active Directory forest can be assigned to these security groups, either as direct members or through membership of a nested group. As part of the configuration, it is necessary to select the Active Directory security group whose members are granted System Administrator rights.
  3. Configure and map the Blue Prism roles to Active Directory security groups – The pre-configured Blue Prism user roles can be edited if required, and new roles can also be added. Each active role in a given Blue Prism environment must then be mapped to an existing Active Directory security group within the configured domain.

    Blue Prism roles must be associated with security groups created in Active Directory. Single sign-on for Blue Prism does not support built-in groups or those with derived membership such as domain users or authenticated users. It is also recommended that the security groups used do not contain Foreign Security Principals.

Users who belong to the groups that have been configured should now be able to log into Blue Prism and perform the actions permitted by the corresponding Blue Prism role. Users may have to log out of Windows and log back in again for Active Directory changes to take effect.
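The constraints in step 3 (a security group created by the administrator, no built-in or derived-membership groups, preferably no Foreign Security Principals) can be checked before a group is mapped to a role. The following PowerShell is an added example, not Blue Prism documentation or product code; it assumes the RSAT ActiveDirectory module, and the group name and domain in the usage line are constructed.

```powershell
# Added example: pre-flight check of an AD security group before mapping it to a Blue Prism
# role in a single-authentication environment. Not part of the Blue Prism product.
Import-Module ActiveDirectory

function Test-BluePrismRoleGroup {
    param(
        [Parameter(Mandatory)][string]$Identity,   # sAMAccountName, DN or SID of the candidate group
        [Parameter(Mandatory)][string]$Server      # the domain configured in Blue Prism to host the groups
    )
    $problems = New-Object System.Collections.Generic.List[string]
    $group = Get-ADGroup -Identity $Identity -Server $Server -Properties member, isCriticalSystemObject

    # Must be a security group, not a distribution group.
    if ($group.GroupCategory -ne 'Security') {
        $problems.Add("'$($group.Name)' is a distribution group, not a security group")
    }
    # Built-in groups such as Domain Users (RID 513) are flagged isCriticalSystemObject and
    # carry RIDs below 1000; Blue Prism requires groups created by the administrator.
    $rid = [int]($group.SID.Value.Split('-')[-1])
    if ($group.isCriticalSystemObject -or $rid -lt 1000) {
        $problems.Add("'$($group.Name)' is a built-in group (RID $rid)")
    }
    # Walk the membership, following nested groups, and report Foreign Security Principals.
    $seen  = @{}
    $queue = [System.Collections.Generic.Queue[string]]::new()
    foreach ($dn in $group.member) { $queue.Enqueue($dn) }
    while ($queue.Count -gt 0) {
        $dn = $queue.Dequeue()
        if ($seen.ContainsKey($dn)) { continue }
        $seen[$dn] = $true
        try {
            $obj = Get-ADObject -Identity $dn -Server $Server -Properties objectClass, member
        } catch {
            $problems.Add("could not resolve member $dn on $Server (object in another domain?)")
            continue
        }
        switch ($obj.ObjectClass) {
            'foreignSecurityPrincipal' { $problems.Add("foreign security principal: $dn") }
            'group'                    { foreach ($m in $obj.member) { $queue.Enqueue($m) } }
        }
    }
    [pscustomobject]@{
        Group    = $group.DistinguishedName
        Scope    = $group.GroupScope
        Members  = $seen.Count
        Problems = $problems
        Mappable = ($problems.Count -eq 0)
    }
}

# Usage with constructed names; Mappable is $true only when no problems were found.
Test-BluePrismRoleGroup -Identity 'BP-Developers' -Server 'corp.example.com' | Format-List
```

Members in other forest domains are resolved against the domain passed as -Server, so a lookup failure is reported as a problem rather than silently skipped; point -Server at a Global Catalog (port 3268) if nested groups span domains.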

Active Directory configuration in a multi-authentication environment

The following steps are required for managing Active Directory user access to a multi-authentication environment:

  1. Enable Active Directory authentication in Blue Prism – Blue Prism administrators who are members of an Active Directory domain must enable Active Directory authentication on the Security - Sign-on Settings screen in Blue Prism before mapping Active Directory users to Blue Prism roles.

  2. Map Active Directory users to Blue Prism roles – Active Directory users are retrieved from the Active Directory domains and forests and mapped individually to Blue Prism roles via the Create User Wizard in Blue Prism.

Database conversion

Blue Prism administrators can convert a single-authentication Active Directory database to a multi-authentication Active Directory environment. This is a one-way, irreversible operation which converts all single-authentication accounts in a Blue Prism environment to multi-authentication accounts, automatically mapping roles to individual users based on their Active Directory security group membership (after which group membership is no longer relevant).

This feature is available in the single sign-on settings for administrators using the single-authentication environment.

Before starting the conversion please ensure:

  • you are using one of the supported connections for Active Directory authentication.
  • you have backed up your database.
  • you have stopped all processes.
  • all users and runtime resources are logged out of the environment.

After closing down any runtime resources, the administrator will need to wait two minutes before they are able to perform the conversion; otherwise they will be reminded that all users must be logged out before they can proceed with the conversion.

Please be aware that, depending on the number of users you are converting and any potential latency, the database conversion might take a few minutes.

When converting a single-authentication Active Directory environment to a multi-authentication Active Directory environment, administrators are prompted to create a recovery administrator user that uses Blue Prism native authentication. A native user with a secure password is required during the conversion process because, in a multi-authentication environment, Active Directory users cannot update an expired license using Active Directory credentials: a Blue Prism server cannot be started with an expired license, and Active Directory users cannot sign in to this environment using a direct SQL Server database connection.

This user can be removed once the database conversion has completed; however, it is recommended to retain it for troubleshooting purposes, particularly in environments where all administrator accounts use multi-authentication Active Directory.

For more information on managing multi-authentication user accounts, see Manage users.

Runtime resource authentication

Runtime resources can authenticate via Active Directory either in a multi-authentication or single-authentication environment by passing the /sso switch in the command line at resource start-up. The /sso switch supports only the client/server connection modes listed under Supported connection modes.

Authentication occurs using the currently logged-in Windows user's credentials. In a multi-authentication environment, the runtime resource inherits the Blue Prism user roles mapped to the currently logged-in Windows user. In a single-authentication environment, the runtime resource inherits the Blue Prism roles mapped to the Active Directory security groups to which the currently logged-in Windows user has been assigned.

Supported connection modes

Only the following client/server connection modes are supported for Active Directory authentication:

  • WCF: SOAP with Message Encryption and Windows Authentication
  • WCF: SOAP with Transport Encryption and Windows Authentication
  • .NET Remoting: Secure

Troubleshooting

If you experience any issues, see Single Sign-on troubleshooting.