Single sign-on

Blue Prism supports single sign-on using Microsoft Active Directory Domain Services, which allows users who have been authenticated by the operating system, and who are members of appropriate domains and forests, to log into Blue Prism without resubmitting their credentials. Integration with Active Directory is configured for specified instances of Blue Prism allowing full segregation of roles across multiple environments such as Development, Test, and Production.

When using Active Directory single sign-on in Blue Prism, it is possible to configure the system to support users from across multiple forests within a common Active Directory network infrastructure with options for role management either in Blue Prism or Active Directory, or both.

This applies to the following scenarios:

  • Active Directory users logging into the interactive client via Authentication Server.
  • Active Directory users logging into the interactive client using built-in authentication.
  • Authentication of AutomateC commands, runtime resources, and process alerts via the /sso command line parameter.
  • Authentication of telnet commands and web service requests.

Active Directory user authentication

The following prerequisites must be met before configuring Active Directory authentication in Blue Prism:

  • The local machine on which the Blue Prism interactive client is installed and on which the Blue Prism administrator is logged on must be a member of an Active Directory domain.
  • All Blue Prism components must connect through a Blue Prism application server using one of the secure connection modes listed under Supported connection modes below.
  • If using multiple Active Directory domains, the appropriate credentials for each relevant Active Directory domain must be configured in Blue Prism.

The following configuration must be carried out to enable Active Directory user authentication in Blue Prism:

  • The Blue Prism administrator must enable Active Directory authentication and select at least one of the role management options for Active Directory users on the System > Security - Sign-on Settings screen in the Blue Prism interactive client:
    • Manage role membership in Blue Prism – Active Directory users are directly assigned to Blue Prism roles.

    • Manage role membership in Active Directory – Active Directory security groups are mapped to Blue Prism roles. Users are assigned the relevant Blue Prism roles based on their Active Directory security group membership when they log in.

  • Depending on the role management option(s) selected on the Security - Sign-on Settings screen, Active Directory users must be created in Blue Prism by:

    • Manually creating users and directly assigning them roles and permissions via the Create user wizard, and/or
    • Assigning Active Directory security groups to Blue Prism roles via the Role Membership dialog. Blue Prism user accounts for users belonging to Active Directory security groups are created either when they log into Blue Prism for the first time, or when administrators manually synchronize users with Active Directory on the Security - Users screen.

    Active Directory authentication in Blue Prism does not support built-in security groups or groups with derived membership, such as Domain Users or Authenticated Users. Only explicitly populated security groups can be mapped to Blue Prism roles.
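
The following PowerShell is an added example, not Blue Prism's own code, showing how an administrator can vet candidate Active Directory groups before mapping them to Blue Prism roles in the Role Membership dialog. It rejects groups Blue Prism does not support (built-in and derived-membership groups such as Domain Users and Authenticated Users) and distribution groups, which cannot carry authorization. It assumes the ActiveDirectory RSAT module is installed and the caller can read group objects in the target domain; the BP-* group names are placeholders, and the RID threshold is a heuristic explained in the comments.

```powershell
# Added example, not Blue Prism's own code: vet Active Directory groups before
# assigning them to Blue Prism roles in the Role Membership dialog.
# Blue Prism does not support built-in groups or groups with derived membership
# (Domain Users, Authenticated Users), and only security groups are meaningful
# for authorization, so these are rejected before any mapping is made.
# Assumes the ActiveDirectory (RSAT) module is installed and the caller can read
# group objects in the target domain. The BP-* group names are placeholders.

Import-Module ActiveDirectory

function Test-BluePrismMappableGroup {
    param(
        [Parameter(Mandatory)][string]$Name,
        [string]$Server   # optional: DC or domain FQDN when checking another domain in the forest
    )

    $result = [pscustomobject]@{ Group = $Name; Mappable = $false; Reason = '' }
    $params = @{
        Identity    = $Name
        Properties  = 'GroupCategory', 'GroupScope', 'isCriticalSystemObject'
        ErrorAction = 'Stop'
    }
    if ($Server) { $params.Server = $Server }

    try {
        $group = Get-ADGroup @params
    } catch {
        # Well-known identities such as Authenticated Users are not domain group
        # objects at all, so the lookup fails; they can never be mapped.
        $result.Reason = 'not a domain group object (well-known identity or not found)'
        return $result
    }

    # Heuristic: default domain groups are created with RIDs below 1000
    # (Domain Users is RID 513); administrator-created objects start at 1000.
    $rid = [int]($group.SID.Value -replace '^.*-', '')

    if ($group.GroupCategory -ne 'Security') {
        $result.Reason = "distribution group ($($group.GroupCategory)), cannot carry role membership"
    } elseif ($group.isCriticalSystemObject -or $rid -lt 1000) {
        $result.Reason = "built-in or protected default group (RID $rid)"
    } else {
        $result.Mappable = $true
        $result.Reason = "custom $($group.GroupScope) security group"
    }
    return $result
}

# Constructed candidate list: two placeholder custom groups and two that must be rejected.
$candidates = 'BP-Prod-Developers', 'BP-Prod-Admins', 'Domain Users', 'Authenticated Users'
$report = $candidates | ForEach-Object { Test-BluePrismMappableGroup -Name $_ }
$report | Format-Table -AutoSize

# Only the groups that passed should be offered in the Role Membership dialog.
$report | Where-Object Mappable | Select-Object -ExpandProperty Group
```

Run this for each domain in scope (pass -Server for domains other than the one the machine is joined to) before touching the Role Membership dialog. Rejecting low-RID and isCriticalSystemObject groups is a conservative filter: it keeps default groups such as Domain Users, whose membership every user in the domain inherits, from ever granting a Blue Prism role.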

Active Directory can be integrated with both Blue Prism and Authentication Server. Authentication Server users configured to use Active Directory authentication in Hub can also be added to Blue Prism based on their Active Directory security group membership. For more details, see Add Active Directory users to Blue Prism based on their security group membership and the Hub administrator guide.


Runtime resource authentication

Runtime resources can authenticate via Active Directory by passing the /sso switch on the command line at resource start-up. The /sso switch works only with the client/server connection modes listed under Supported connection modes below. Authentication uses the credentials of the Windows user running the resource process, and the runtime resource inherits whatever Blue Prism roles are mapped to that Windows user, directly or through security group membership.
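
The following PowerShell is an added example, not Blue Prism's own code, showing the pre-flight checks an operator would run before starting a runtime resource with /sso, followed by the start-up command itself. The install path, port and connection name are assumptions for this environment; the /resourcepc, /public, /port, /dbconname and /sso switches are Blue Prism's documented start-up options.

```powershell
# Added example, not Blue Prism's own code: pre-flight checks and start-up
# command for a runtime resource that authenticates with /sso.
# With /sso the resource authenticates as the Windows user running the process
# and inherits that user's Blue Prism roles, so the checks confirm the machine
# is domain-joined and the account is a domain account, and they report which
# account (and therefore which roles) the resource will run as.
# Install path, port and connection name are assumptions; adjust to match yours.

$automateExe    = 'C:\Program Files\Blue Prism Limited\Blue Prism Automate\Automate.exe'  # default install path (assumed)
$resourcePort   = 8181          # assumed listening port for this resource
$connectionName = 'Production'  # assumed name of a connection that uses a supported secure mode

function Assert-SsoPrerequisites {
    $computer = Get-CimInstance -ClassName Win32_ComputerSystem
    if (-not $computer.PartOfDomain) {
        throw "$($computer.Name) is not joined to an Active Directory domain; /sso cannot be used."
    }

    $identity    = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $logonDomain = ($identity.Name -split '\\')[0]
    # A local account shows the machine name as its domain part; /sso needs a domain account.
    if ($logonDomain -ieq $env:COMPUTERNAME) {
        throw "$($identity.Name) is a local account; the resource must run as a domain user."
    }
    Write-Host "Runtime resource will authenticate as $($identity.Name) (SID $($identity.User.Value))"
    Write-Host "Its Blue Prism roles are whatever is mapped to this account or its security groups."
}

function Start-SsoRuntimeResource {
    if (-not (Test-Path -LiteralPath $automateExe)) {
        throw "Automate.exe not found at $automateExe"
    }
    # /resourcepc /public starts a public runtime resource on the given port;
    # /dbconname selects the Blue Prism connection; /sso authenticates as the
    # current Windows user instead of prompting for Blue Prism credentials.
    $arguments = @(
        '/resourcepc',
        '/public',
        '/port', $resourcePort,
        '/dbconname', "`"$connectionName`"",
        '/sso'
    )
    Start-Process -FilePath $automateExe -ArgumentList $arguments -PassThru
}

Assert-SsoPrerequisites
$proc = Start-SsoRuntimeResource
Write-Host "Started runtime resource (PID $($proc.Id)) on port $resourcePort"
```

Because the resource's Blue Prism roles are those of the Windows account it runs under, start it from a dedicated domain account that is mapped only to the roles the resource needs; launching it from an administrator's interactive session hands the resource that administrator's roles. The connection named in /dbconname must use one of the secure modes listed below, or the /sso authentication will not be accepted.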

Supported connection modes

Only the following client/server connection modes are supported for Active Directory authentication:

  • WCF: SOAP with Message Encryption and Windows Authentication
  • WCF: SOAP with Transport Encryption and Windows Authentication
  • .NET Remoting: Secure

Troubleshooting

If you experience any issues, see Single Sign-on troubleshooting.