Configure CoE Manager for SSO

Use the single sign-on (SSO) option to enable the CoE Manager authentication through an identity provider (IdP) using Security Assertion Markup Language (SAML) 2.0 protocol.

SAML SSO login setup

Before configuring the CoE Manager, ensure you have completed the following requirements:

  1. Download the Service Provider (SP) metadata for your respective CoE Manager region using the links provided below:
  2. Configure your Identity Provider (IdP) with the SP metadata obtained in the previous step, and include the following in the SAML assertion:
    • Email, First Name, Last Name, and NameID
    • The redirect URL for IdP-initiated login, passed as the RelayState parameter
  3. Provide the IdP metadata and the attribute names your IdP sends for Email, First Name, and Last Name to the Automation Anywhere support team.
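Before handing the attribute names to support, it is worth checking what the IdP actually emits (for instance from a browser SAML-tracer capture of the SAMLResponse form field). The following Python is an added example for this page, not CoE Manager or Automation Anywhere code: it parses a constructed, unsigned SAML Response, extracts NameID and the three attributes under an assumed attribute-name mapping (mail, givenName, sn), lists whatever is missing, and checks that a RelayState only points back at the CoE Manager region host (the region host value is an assumption). Signature verification is deliberately left out; a real SP must verify the assertion signature against the IdP metadata before trusting any of these values.

```python
"""Inspect an IdP's SAML Response for the fields CoE Manager expects.

Added example for this page; not CoE Manager or Automation Anywhere code.
The attribute names (mail, givenName, sn), the region host and the sample
Response are assumptions / constructed test data.  Signature verification
is left out on purpose: a real SP verifies the assertion signature against
the IdP metadata before trusting anything extracted here.
"""
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Attribute names as the IdP emits them (assumed); these are the names you
# report to Automation Anywhere support.
ATTRIBUTE_MAP = {"email": "mail", "first_name": "givenName", "last_name": "sn"}

# Constructed, unsigned sample Response (test data, not a real capture).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@acme.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@acme.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="givenName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="sn"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# What the browser POSTs as the SAMLResponse form field (base64 of the XML).
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE.encode("utf-8")).decode("ascii")


def decode_saml_response(form_value):
    """HTTP-POST binding: SAMLResponse is base64-encoded XML."""
    return base64.b64decode(form_value).decode("utf-8")


def extract_user(response_xml, attribute_map=ATTRIBUTE_MAP):
    """Return (user, missing): the mapped fields plus NameID, and the list
    of expected fields the assertion did not carry (in a fixed order)."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("Response carries no Assertion")
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = value.text if value is not None else None
    user, missing = {}, []
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is not None and name_id.text:
        user["name_id"] = name_id.text
    else:
        missing.append("name_id")
    for field, idp_name in attribute_map.items():
        if attrs.get(idp_name):
            user[field] = attrs[idp_name]
        else:
            missing.append(field)
    return user, missing


def relay_state_ok(relay_state, region_host):
    """RelayState becomes the post-login redirect (IdP-initiated login and
    deep links), so accept only absolute https URLs on the CoE Manager
    region host; anything else is an open redirect waiting to happen."""
    u = urlparse(relay_state)
    return u.scheme == "https" and u.netloc.lower() == region_host.lower()


if __name__ == "__main__":
    user, missing = extract_user(decode_saml_response(SAMPLE_RESPONSE_B64))
    print("user:", user)
    print("missing:", missing or "nothing")
    print("relay ok:", relay_state_ok("https://us.shibumi.com/shibumi/app", "us.shibumi.com"))
```

Run it against a decoded SAMLResponse from your own IdP and adjust ATTRIBUTE_MAP until `missing` is empty; the names in the map are then exactly what step 3 asks you to send to support.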

Login workflow

SAML SSO login can be configured using one of the following methods:

  • Service provider-initiated login: SP-initiated login starts at CoE Manager and is triggered when a user tries to access the application through a URL. CoE Manager redirects the user to the appropriate IdP for authentication before granting access to the application or to any specific object. The login workflow differs depending on whether SSO is configured as mandatory or optional:
    • Mandatory SSO: After SSO is enabled, enter your email address in the CoE Manager login page and click Next.

      As CoE Manager is a multi-tenant application, the email address you enter determines which IdP you are redirected to. The address can be from any domain associated with your organization; CoE Manager selects the IdP from the domain of the entered address. For example, if your organization is Acme Corp with acme.com and acmeent.com as associated domains, any address at @acme.com or @acmeent.com redirects to the IdP when you click Next. After IdP authentication you are redirected back to CoE Manager.

    • Optional SSO: On the login page, enter your email address and click Next. Instead of being redirected to the IdP automatically, you are prompted either to enter a password or to select the option to log in with SSO, which sends you to your IdP for authentication.
    Note:
    • CoE Manager supports deep linking with SSO. After clicking the link, you should enter your email address in the CoE Manager login page. You are then redirected to the IdP for authentication. After authentication, you are redirected to the URL initially requested.
    • CoE Manager sets a cookie after a successful SSO login. Subsequent logins to CoE Manager then bypass the username and password screen and redirect automatically to the appropriate SSO login page. You can override the cookie by navigating directly to the CoE Manager login page, that is https://<region>.shibumi.com/shibumi/login.
    • A user account is automatically created after successfully logging in to the CoE Manager using SSO for the first time.
  • IdP-initiated login: With IdP-initiated login, you can access the CoE Manager directly through the IdP (without a login page being displayed). When CoE Manager is launched using this method, you are taken directly to your organization's CoE Manager home page or to a URL provided by the IdP as a relay state parameter.
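The SP-initiated flow described above (IdP selection from the email domain, mandatory versus optional SSO, and the requested deep link carried as RelayState), as an added Python example that is not CoE Manager code. The tenant table, IdP URLs, SP entity ID and ACS URL are assumptions, and so is the fallback to password login for a domain with no IdP. It builds a real HTTP-Redirect-binding AuthnRequest (raw DEFLATE, base64, URL-encoded query) and only carries the requested URL as RelayState when it is on the SP's own host, since RelayState is where the user is sent after login.

```python
"""SP-initiated SAML login for a multi-tenant service provider.
Added, illustrative example for this page; not CoE Manager code.  The tenant
table, IdP URLs, SP entity ID/ACS URL and the password fallback for unknown
domains are assumptions.  The AuthnRequest is unsigned; sign it if your IdP requires it."""
import base64
import secrets
import zlib
from datetime import datetime, timezone
from urllib.parse import urlencode, urlparse
from xml.sax.saxutils import quoteattr

TENANTS = {  # constructed: associated domains, IdP SSO endpoint, is SSO mandatory?
    "acme": {"domains": {"acme.com", "acmeent.com"},
             "idp_sso_url": "https://idp.acme.example/saml2/sso", "sso_mandatory": True},
    "globex": {"domains": {"globex.com"},
               "idp_sso_url": "https://login.globex.example/saml", "sso_mandatory": False},
}
SP_ENTITY_ID = "https://us.shibumi.com/shibumi/saml/metadata"  # assumed
SP_ACS_URL = "https://us.shibumi.com/shibumi/saml/acs"        # assumed


def email_domain(email):
    """Normalise and return the domain part, or None if the input is not a
    single user@domain address."""
    email = email.strip().lower()
    local, at, domain = email.partition("@")
    if not at or not local or "@" in domain or "." not in domain:
        return None
    return domain.rstrip(".")


def find_tenant(email):
    """Map the email domain to the tenant whose IdP should handle the login."""
    domain = email_domain(email)
    if domain is None:
        return None
    for name, cfg in TENANTS.items():
        if domain in cfg["domains"]:
            return name
    return None


def build_authn_request(idp_sso_url, issue_instant=None):
    """Minimal AuthnRequest for the HTTP-Redirect binding:
    XML -> raw DEFLATE -> base64 (URL-encoding happens when building the query)."""
    request_id = "_" + secrets.token_hex(16)
    instant = (issue_instant or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%SZ")
    xml = (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{instant}" '
        f"Destination={quoteattr(idp_sso_url)} "
        f"AssertionConsumerServiceURL={quoteattr(SP_ACS_URL)} "
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>"
        "</samlp:AuthnRequest>"
    )
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate, no zlib header
    deflated = comp.compress(xml.encode("utf-8")) + comp.flush()
    return request_id, base64.b64encode(deflated).decode("ascii")


def decode_authn_request(encoded):
    """Inverse of build_authn_request's encoding, for inspecting what was sent."""
    return zlib.decompress(base64.b64decode(encoded), -15).decode("utf-8")


def start_login(email, requested_url=None, choose_sso=False):
    """What the login page does after the user enters an email and clicks Next.
    'action' is 'redirect' (go to the IdP, URL in 'location'), 'choose'
    (optional SSO: password or 'Log in with SSO') or 'password' (no IdP, assumed)."""
    tenant = find_tenant(email)
    if tenant is None:
        return {"action": "password"}
    cfg = TENANTS[tenant]
    if not cfg["sso_mandatory"] and not choose_sso:
        return {"action": "choose", "tenant": tenant}
    request_id, saml_request = build_authn_request(cfg["idp_sso_url"])
    params = {"SAMLRequest": saml_request}
    # Deep linking: the originally requested page rides along as RelayState and
    # comes back with the Response.  Only same-host https URLs are accepted,
    # otherwise the login page becomes an open redirector.
    if requested_url:
        u = urlparse(requested_url)
        if u.scheme == "https" and u.netloc == urlparse(SP_ACS_URL).netloc:
            params["RelayState"] = requested_url
    return {
        "action": "redirect",
        "tenant": tenant,
        "request_id": request_id,  # store it; the Response's InResponseTo must match
        "location": cfg["idp_sso_url"] + "?" + urlencode(params),
    }
```

The request ID returned by `start_login` is the piece people forget: the SP must store it (bound to the browser session) and reject any Response whose InResponseTo does not match, otherwise an attacker can replay or inject an assertion obtained elsewhere.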

Account provisioning

CoE Manager provisions user accounts as needed for organizations that have SSO enabled. Accounts are created when:

  • A user is assigned a role on an object in CoE Manager
  • A user is invited to a CoE Manager work item
  • A user first attempts to access CoE Manager

The typical provisioning sequence is for an existing user to invite the new user into a work item in CoE Manager, which auto-provisions the account. If that is not done, the account is provisioned when the user first accesses CoE Manager, but it has no access to any work items, which is a confusing experience. It is therefore a recommended best practice to invite users to a work item before their first access.

Note: User accounts are not imported in bulk from the IdP, and users are not automatically added to or removed from the CoE Manager instance when a person joins or leaves the organization. Offboarding therefore has to be done on both sides: remove the user from the application in the IdP to stop SSO logins, and remove the account and its role assignments in CoE Manager separately.

When a user is authenticated via an IdP, their first and last name in CoE Manager are updated to the attribute values supplied in the SAML assertion (the mapping of first name and last name to SAML attributes is part of the SAML configuration in both CoE Manager and the IdP).