Supported Active Directory infrastructure

Blue Prism supports authentication/authorization for multiple Active Directory domains within a single forest or across multiple forests, provided the correct forest trusts and domain trusts are established. The following diagrams provide examples of some of the different trusts that are supported:

The diagrams show the Active Directory domains that could be used as part of the authentication/authorization process, for example, domains which:

  • Contain Active Directory users that need to authenticate in Blue Prism.
  • Contain security groups that are assigned directly to roles in Blue Prism.
  • Contain any parent security groups which include security groups directly assigned to roles in Blue Prism.

By default, the Blue Prism applications requiring authentication/authorization will discover the available domains by traversing the forest trusts and domain trusts. However, it is also possible to explicitly configure which of the trusted domains you want to include in your authentication/authorization process. For more information, see Check if you need to manually configure Active Directory domains that will be queried during the login process.

The blue dot in all diagrams represents the Active Directory domain where Blue Prism applications are installed, for example, Blue Prism Application Server, Blue Prism API, Authentication Server, or Digital Worker API.

Single forest trust

Within a single forest, all trusts are two-way transitive trusts. As a result, all the domains within the forest can be used as part of the authentication/authorization process.

Two-way forest trust

Two-way forest trusts are transitive as well. As a result, all of the domains within the trusted forest can be used as part of the authentication/authorization process.

One-way outgoing forest trust

If the forest where the Blue Prism applications are installed has an outgoing transitive trust to another forest, all domains in the trusted forest can be used as part of the authentication/authorization process. However, domain credentials must be provided for each of the domains in the trusted forest so that the Blue Prism applications can query those domains. For more information, see Active Directory domains.

Two-way external trust

A non-transitive external trust can be set up between two domains in different forests. Because the trust is non-transitive, only the specific domain at the other end of the trust (not the other domains in its forest) can be used as part of the authentication/authorization process.

One-way outgoing external trust

The one-way outgoing external trust behaves the same way as the two-way external trust; however, domain credentials must be provided for the external domain so that the Blue Prism applications can query that domain. For more information, see Active Directory domains.
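The five trust scenarios above can be checked from the domain where the Blue Prism applications are installed before configuring domains. The following PowerShell script is an added example, not Blue Prism's own code or part of its documentation. It assumes the RSAT ActiveDirectory module is installed and that it is run from the Blue Prism domain (or that -Server names a domain controller of that domain); the category names are taken from the headings above, and the CredentialsNeeded flag is derived from the trust direction exactly as described there: a trust with no inbound leg means the Blue Prism service identity is not trusted by the remote domain, so that domain can only be queried with explicitly supplied credentials.

```powershell
# Added example (not Blue Prism's code): enumerate the trusts seen from the domain
# where the Blue Prism applications run and classify each one using the trust
# categories described above. Assumes the RSAT ActiveDirectory module is present.
param(
    [string]$Server   # optional: a domain controller of the Blue Prism domain
)

Import-Module ActiveDirectory -ErrorAction Stop

$adParams = @{}
if ($Server) { $adParams['Server'] = $Server }

# "Single forest": every domain of the local forest is reachable, because all
# intra-forest trusts are two-way transitive.
$forest = Get-ADForest @adParams
$report = @(foreach ($d in $forest.Domains) {
    [pscustomobject]@{
        Domain            = $d
        Category          = 'Single forest (two-way transitive)'
        Transitive        = $true
        CredentialsNeeded = $false
    }
})

# Trusts to other forests or to individual external domains.
$trusts = Get-ADTrust -Filter * @adParams | Where-Object { -not $_.IntraForest }
$report += @(foreach ($t in $trusts) {
    # Direction is relative to the local (Blue Prism) domain:
    #   Outbound      = the local domain trusts the target (its accounts can log in here)
    #   Inbound       = the target trusts the local domain (its accounts cannot log in here)
    #   BiDirectional = both legs exist
    $direction = [string]$t.Direction
    $twoWay    = $direction -eq 'BiDirectional'
    $outgoing  = $twoWay -or ($direction -eq 'Outbound')
    $forestWide = [bool]$t.ForestTransitive

    if     ($forestWide -and $twoWay)         { $category = 'Two-way forest trust' }
    elseif ($forestWide -and $outgoing)       { $category = 'One-way outgoing forest trust' }
    elseif (-not $forestWide -and $twoWay)    { $category = 'Two-way external trust' }
    elseif (-not $forestWide -and $outgoing)  { $category = 'One-way outgoing external trust' }
    else                                      { $category = 'Inbound only (accounts from this domain cannot authenticate here)' }

    # Credentials are needed whenever there is an outgoing leg but no inbound leg.
    $needsCreds = $outgoing -and -not $twoWay

    # A forest trust is recorded against the trusted forest's root domain only.
    # For a two-way forest trust the remote forest trusts us back, so its full
    # domain list can be read directly; for a one-way outgoing forest trust that
    # query would itself require the credentials this report flags as missing.
    $domains = @($t.Target)
    if ($forestWide -and $twoWay) {
        try   { $domains = @((Get-ADForest -Identity $t.Target).Domains) }
        catch { Write-Warning "Could not enumerate domains of forest $($t.Target): $_" }
    }

    foreach ($d in $domains) {
        [pscustomobject]@{
            Domain            = $d
            Category          = $category
            Transitive        = $forestWide
            CredentialsNeeded = $needsCreds
        }
    }
})

# Domains that need explicitly configured credentials are listed first.
$report | Sort-Object CredentialsNeeded -Descending | Format-Table -AutoSize
```

Rows flagged CredentialsNeeded are the domains for which the page says credentials must be provided (the one-way outgoing forest and external trusts); rows marked "Inbound only" are domains whose accounts cannot authenticate in Blue Prism at all, regardless of configuration, because there is no outgoing trust from the Blue Prism domain. Comparing this output with the explicitly configured domain list is a quick way to confirm that every domain you expect to authenticate from is actually reachable over a supported trust.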