Configuring Authentication Server in Blue Prism Cloud

Authentication Server provides centralized common authentication for users across key components of the Blue Prism platform, such as SS&C | Blue Prism Enterprise, SS&C | Blue Prism API, the SS&C | Blue Prism Hub platform, and SS&C | Blue Prism Interact.

Once Authentication Server has been configured and enabled, all user access for Blue Prism Enterprise will be directed through Authentication Server.

Blue Prism native authentication can still be used to authenticate runtime resources, AutomateC commands, and calls to web services exposed on runtime resources. These services cannot be authenticated using Authentication Server.

This topic provides you with the steps that you need to configure Authentication Server in Blue Prism Cloud. For information about the on-premise configuration of Authentication Server, see the Blue Prism documentation system.

Use Authentication Server with Blue Prism

New Blue Prism Cloud platforms are automatically configured to use Authentication Server. You will need to add your users to Hub and assign them to the appropriate user roles in Blue Prism. For more information, see Create Authentication Server users.

If you are upgrading your platform to Blue Prism Cloud 2023.1, your Blue Prism Cloud platform has been prepared to enable you to activate Authentication Server for your organization in your development and production environments, should your organization wish to use it. To do this, you will need to carry out the following steps in both the development and production environments:

  1. Configure Blue Prism users to authenticate via Authentication Server
  2. Enable Authentication Server login in your Blue Prism environment

Configure Blue Prism users to authenticate via Authentication Server

The process you use to generate the user accounts is dependent on whether you are configuring a new environment, or configuring an existing environment.

If you are updating an existing development or production Blue Prism environment, existing Blue Prism native user accounts must be synchronized with the Authentication Server database so that users can continue to log in. To achieve this, a mapping tool is provided to synchronize the existing native users in your Blue Prism and Authentication Server databases for the following scenarios:

  • Create native user accounts in Hub for existing Blue Prism native users who do not have a Hub user account yet.
  • Link accounts for native users who already exist in both Blue Prism and Hub.

The mapping tool cannot be used to add Authentication Server users automatically to Blue Prism – Authentication Server users are only added to Blue Prism at the time when they are assigned to a Blue Prism role. For more details, see New Blue Prism environments.

To jump to the information you need, click on the required scenario below.

You will need to configure the required users for each of your development and production environments.

In all of these scenarios, it is recommended that you maintain at least two administrator accounts for Hub and for Blue Prism that are not synchronized between the systems: one for your organization's use, and one for Blue Prism Cloud Operations' use. These accounts will be used in the event that there are any support issues that need to be resolved.

New Blue Prism environments

New Blue Prism environments are automatically configured to use Authentication Server. Users must be created in Blue Prism Hub first by a Hub administrator and then added to Blue Prism by assigning them to a Blue Prism role.

  1. On the Users page, click Add user.

    The Add user section displays.

  2. Enter the user's details:
    • Authentication type (if displayed) – Select Native authentication.

      This field only displays if both native and Windows authentication have been configured in your environment. If only native authentication has been configured, the added user is a native user by default.

    • Username – Enter a username for the user.
    • First name – Enter the user's first name.
    • Last name – Enter the user's last name.
    • Email address – Enter the user's email address.
    • Theme – The default theme is automatically selected. You can select a different theme for the user. Themes are only applied to Blue Prism Interact.
  3. Select the permissions for the user:

    • Hub – Select this check box for standard hub users and administrators.
    • Hub administrator – Select this check box to give the user role administrator permissions. You need to select Hub before this option becomes available.
    • Interact – Select this check box to enable the user to be assigned Interact Forms. See the Interact user guide for more information.
    • Approver – Select this check box to give the user role approval rights for Interact. You need to select Interact before this option becomes available.
  4. Select the roles for the user:

    • Hub roles – Select the Hub roles required for the user. If the required role has not yet been created, you can edit the user at a later date to assign new roles.

      If the user is created without a Hub role, the user is underlined in the user list to indicate that the user setup has not been completed.

      The user will be able to log in to Hub, but they will not be able to perform any tasks as they will not have access to any plugins.

    • Interact roles – Select the Interact roles required for the user. If the required role has not yet been created, you can edit the user at a later date to assign new roles. You can select more than one role.

    Users can also be added to roles from the Roles and Permissions page. For more information, see the Hub administrator guide.

  5. Click Create user.

    The Create password dialog displays.

  6. Select one of the password options:

    • Send the user a password update email – This sends the user an email prompting them to enter a password on login using a link.
    • Manually update the user’s password – This enables you to set a password for the user.

    Passwords must obey the restrictions within Hub.

  7. Click Continue.

    • If you have selected to send the user a password update email, click Finish in the confirmation dialog.
    • If you have selected to set a password for the user, set a password and click Create.
  8. Launch the Blue Prism interactive client and log in using the required connection. This connection must have the Connection Type set to Blue Prism Server.

    To view the connection information, click Configure Connection. The Connection Type must be set to Blue Prism Server, because this type of connection is required for Authentication Server. You must not use a connection where the type is set to SQL Server (SQL Authentication).

  9. In the Blue Prism interactive client, navigate to System > Security - User Roles.
  10. Select a role from the list and edit the associated permissions if required.
  11. Click Manage role membership.

    The Role Membership screen displays.

  12. Click Add.

    The Add users dialog displays.

  13. Select the Authentication Server user(s) you want to add to the selected role, or search for them using the search box, and click OK.

    The added Authentication Server user(s) now display on the Role Membership dialog.

  14. Click OK to save your changes.

Existing Blue Prism environment – Blue Prism native users who do not have corresponding Hub user accounts

Before starting the mapping, please ensure that a Blue Prism native administrator user exists in the system, and that this user is manually removed from the mapping file before carrying out the mapping process outlined below. This is to ensure that in the event of any issues with the Authentication Server or system configuration, there is always an administrator user available who can log in via a direct database connection.

You can only perform the mapping once. After users have been mapped, they cannot be mapped again once Authentication Server has been enabled.

  1. Open Command Prompt as an administrator and navigate to the Blue Prism installation directory containing AutomateC.exe (for example C:\Program Files\Blue Prism Limited\Blue Prism Automate).
  2. Run the following command to get a CSV template file containing a list of all the Blue Prism native users in the database who are available for mapping:

    automatec /getblueprismtemplateforusermapping <pathtooutputfile> /user <adminuser> <adminpwd> 
  3. From Windows Explorer, open the output file and add the first name, last name, and email address for each Blue Prism user you want to add.

    The First Name, Last Name, and Email Address fields do not exist in Blue Prism, so they must be added to create the users in Authentication Server.

  4. Delete any users from the file who should not log in via Authentication Server. At least one native administrator user should be removed from the file so they can still log in via a direct database connection.

    If you are using native authentication to also authenticate runtime resources, AutomateC commands, or web service requests, you should also remove from the file any native user accounts required to authenticate these.

  5. Save the CSV file.

  6. Open Command Prompt as an administrator and navigate to the Blue Prism installation directory containing AutomateC.exe.

  7. Run the following command to complete the user mapping:

    automatec /mapauthenticationserverusers <input CSV> <output CSV for errors> /user <admin username> <admin password> /dbconname <Blue Prism Server connection name>

    Where:

    • <input CSV> – The path to your saved CSV file.
    • <output CSV for errors> – The path for a file automatically created if there are errors in the mapping process.
    • <admin username> and <admin password> – The credentials for a native admin user in Blue Prism.
    • <Blue Prism Server connection name> – The name of your Blue Prism Server connection as set in the Blue Prism Server settings.

  8. Once the command has finished, verify that users have been mapped correctly. To do this:

    1. In the Blue Prism interactive client, navigate to System > Security - Users and check the following:

      • The Authentication Server account type displays for native users mapped from the Authentication Server database.

      • The Authentication Server service account account type displays for service accounts mapped from the Authentication Server database.

    2. In Hub, navigate to Settings > Users and refresh the users list.

      Users mapped from Blue Prism now display in the list.

Users created via the mapping tool will be sent an email to set their password manually before logging in for the first time. They will not be able to access Blue Prism until this step has been taken. Users will only receive this email if their email settings have been configured in Hub. For more details, see the Hub administrator guide.

Next, you must enable the Authentication Server login in your Blue Prism environment.

Existing Blue Prism environment – Blue Prism native users who have existing Hub user accounts

Before starting the mapping, please ensure that a Blue Prism native administrator user exists in the system, and that this user is manually removed from the mapping file before carrying out the mapping process outlined below. This is to ensure that in the event of any issues with the Authentication Server or system configuration, there is always an administrator user available who can log in via a direct database connection.

You can only perform the mapping once. After users have been mapped, they cannot be mapped again once Authentication Server has been enabled.

  1. Open Command Prompt as an administrator and navigate to the Blue Prism installation directory containing AutomateC.exe (for example, C:\Program Files\Blue Prism Limited\Blue Prism Automate).
  2. Run the following command to get a CSV template file containing a list of all users available for mapping in the Blue Prism database:

    automatec /getblueprismtemplateforusermapping <pathtooutputfile> /user <adminuser> <adminpwd> 
  3. Run the following command to get a CSV template file containing a list of all users who are available for mapping in the Authentication Server database:

    automatec /getauthenticationservertemplateforusermapping {outputpath} /dbconname <Blue Prism Server connection name>
  4. From Windows Explorer, open both output files, and for each Blue Prism user you wish to map, find the corresponding Authentication Server user and copy the Blue Prism username into the Authentication Server output file.

    A Blue Prism username and an Authentication Server User ID are required as a minimum. The additional First Name, Last Name, and Email Address fields required in the Authentication Server database should already be present for the Authentication Server users.

  5. Delete any users who should not be mapped from the Authentication Server output file. At least one native administrator user should be removed from the file so they can still log in via a direct database connection. You may also want to remove from the file any native user accounts which will be required to authenticate runtime resources, AutomateC commands, or web service requests.
  6. Save the Authentication Server output file.
  7. Open Command Prompt as an administrator and navigate to the Blue Prism installation directory containing AutomateC.exe.
  8. Run the following command to complete the user mapping:

    automatec /mapauthenticationserverusers <input CSV> <output CSV for errors> /user <admin username> <admin password> /dbconname <Blue Prism Server connection name>

    Where:

    • <input CSV> – The path to your saved CSV file.
    • <output CSV for errors> – The path for a file automatically created if there are errors in the mapping process.
    • <admin username> and <admin password> – The credentials for a native admin user in Blue Prism.
    • <Blue Prism Server connection name> – The name of your Blue Prism Server connection as set in the Blue Prism Server settings.

    Authentication Server users cannot be mapped to Blue Prism users that do not exist. If an administrator does not enter a Blue Prism username in the CSV file, but enters an Authentication Server User ID, an error message displays.

  9. Once the command has finished, verify that users have been mapped correctly. To do this:

    1. In the Blue Prism interactive client, navigate to System > Security - Users and check the following:

      • The Authentication Server account type displays for native users mapped from the Authentication Server database.

      • The Authentication Server service account account type displays for service accounts mapped from the Authentication Server database.

    2. In Hub, navigate to Settings > Users and refresh the users list.

      Users mapped from Blue Prism now display in the list.

Users created via the mapping tool will be sent an email to set their password manually before logging in for the first time. They will not be able to access Blue Prism until this step has been taken. Users will only receive this email if their email settings have been configured in Hub. For more details, see the Hub administrator guide.

Next, you must enable the Authentication Server login in your Blue Prism environment.
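
Because the mapping can only be performed once, it is worth checking the saved CSV before running /mapauthenticationserverusers in either of the two existing-environment scenarios. The following PowerShell check is an added example, not part of the Blue Prism tooling; the column names, the Test-MappingCsv function, and the sample accounts are assumptions, so match the column names to the header row of the template that AutomateC generates for you.

```powershell
# Added example: pre-flight check for the user-mapping CSV before the one-time mapping.
# Column names are ASSUMED; match them to the header row of your generated template.
$Col = @{ User = 'BluePrismUsername'; AsId = 'AuthenticationServerUserId'
          First = 'FirstName'; Last = 'LastName'; Email = 'EmailAddress' }

function Test-MappingCsv {
    param(
        [object[]] $Rows,
        # Accounts that must stay native: the break-glass administrator and any account
        # that authenticates runtime resources, AutomateC commands or web service calls.
        [string[]] $KeepNative,
        # CreateHubUsers: users with no Hub account yet. LinkExisting: users already in Hub.
        [ValidateSet('CreateHubUsers', 'LinkExisting')] [string] $Scenario = 'CreateHubUsers'
    )
    $required = @($Col.First, $Col.Last, $Col.Email)
    if ($Scenario -eq 'LinkExisting') { $required = @($Col.AsId) }

    $findings = [System.Collections.Generic.List[string]]::new()
    $seen = @{}          # hashtable keys compare case-insensitively
    $line = 1            # the header row is line 1
    foreach ($row in $Rows) {
        $line++
        $user = "$($row.($Col.User))".Trim()
        if (-not $user) {
            $findings.Add("line ${line}: no Blue Prism username, row cannot be mapped")
            continue
        }
        if ($KeepNative -contains $user) {
            $findings.Add("line ${line}: '$user' must stay native, delete this row")
            continue
        }
        if ($seen.ContainsKey($user)) { $findings.Add("line ${line}: duplicate entry for '$user'") }
        $seen[$user] = $true
        foreach ($name in $required) {
            if (-not "$($row.$name)".Trim()) {
                $findings.Add("line ${line}: '$user' has no value for $name")
            }
        }
    }
    return ,$findings.ToArray()
}

# Constructed sample: 'bp.admin' is the break-glass administrator that should have been
# removed; 'svc.runtime' is a hypothetical runtime resource account.
$sample = @'
BluePrismUsername,FirstName,LastName,EmailAddress
jsmith,Jo,Smith,jo.smith@example.com
bp.admin,,,
akhan,Asha,Khan,
'@ | ConvertFrom-Csv

$issues = Test-MappingCsv -Rows $sample -KeepNative 'bp.admin', 'svc.runtime'
$issues
if ($issues.Count -gt 0) { Write-Warning 'Fix the CSV before running /mapauthenticationserverusers.' }
```

For a real file, replace the constructed sample with `Import-Csv <input CSV>` and pass `-Scenario LinkExisting` when checking the edited Authentication Server output file.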

Enable Authentication Server login in your Blue Prism environment

Once you have configured your users using the instructions in Configure Blue Prism users to authenticate via Authentication Server, you need to configure Blue Prism to use the Authentication Server in your development and production environments.

Ensure you have mapped your users before you enable Authentication Server.

  1. In the Blue Prism interactive client, navigate to System > Security - Sign-on Settings.

  2. Select User login via Authentication Server.

    The URL for the Authentication Server is displayed beneath the User authentication section. This information has been configured by the Blue Prism Cloud operations team. Do not change the URL. For example:

    Development environment:

    Production environment:

  3. Click Apply.

  4. Sign out of the Blue Prism interactive client.

    The login screen now only displays a Sign in using Authentication Server option.

  5. Click Sign in using Authentication Server.

    You will be directed to the Authentication Server login page.

  6. Enter your username and password and click Log in.

    An access token is issued from the Authentication Server in the background which will then be used to automatically log you into the Blue Prism interactive client.

    The date and time you last signed in now displays on the System > Security - Users screen when right-clicking your username.

  7. Sign out of Blue Prism and restart the Blue Prism Application Server to ensure the changes are fully applied.

Once Authentication Server has been enabled, native accounts can be added, edited, or deleted locally in Blue Prism; however, they can no longer be used to log into the interactive client. These accounts can only be used to authenticate runtime resources, AutomateC commands, and calls to web services exposed on runtime resources.

Troubleshooting

For troubleshooting information, see Troubleshooting Authentication Server. If you experience any issues that are related to the configuration of the Authentication Server, please contact the Blue Prism Cloud operations team.