Set up SAML authentication

Switch user authentication for Control Room from Control Room database to SAML single sign-on (SSO).

Prerequisites

Note: SAML integration is irreversible. After it has been established, you cannot modify the configuration.

When using SAML for authentication, use the network access capabilities of the IdP to restrict access of the Control Room to specific allowed IP addresses. Ensure all allowed IP addresses configured are removed from the Control Room network settings before switching to SAML for authentication. For more information, see Allowed IP addresses.

Ensure that you are logged in to the Control Room as the administrator.

Before you set up authentication for the Control Room, setup tasks (such as introducing credentials on a new system and importing users) might be required. If you import users, then you must also include matching user IDs, email addresses, first and last names, in both the Automation Anywhere credentials and matching records to log in after the SAML integration. For example, if using Okta as a SSO, then users must have matching IDs, email addresses, first name and last names in both Automation Anywhere and Okta to log in after the SAML integration.

You should have the required user information and certificate ready. Typical user information consists of user ID, first and last name, and an email address.

Note: You must validate the SAML IdP setup before you configure the Control Room. See Configure Control Room as a service provider.

After switching to SAML authentication, any users with non-SAML IdP formatted IDs will not be able to log in. You need to verify that any bots in the private workspace of such users are exported beforehand so that the bots can be imported for their new SAML SSO enabled user accounts.

Much of this configuration relies on third-party applications to create the necessary metadata. If you require more specific configuration information based on a specific provider, see Configure SSO authentication with Okta.

To switch the Control Room to SAML SSO, follow these steps.

Procedure

  1. Navigate to Administration > Settings > User authentication.
  2. Select the Use SAML option.
    Note: The Use Control Room database option is selected by default.
  3. In the SAML metadata field, enter the metadata from your SAML IdP setup. The following shows an example SAML2 response: 
    <saml:AuthnStatement AuthnInstant="2022--10-24T13:41:04Z" SessionIndex="_dc2ab824-cb14-40d3-8e7f-d823193fd6a2">
            <saml:AuthnContext>
                <saml:AuthnContextClassRef>
                    urn:oasis:names:tc:SAML:2.0:ac:classes:Password
                </saml:AuthnContextClassRef>
            </saml:AuthnContext>
        </saml:AuthnStatement>
    Note: SAML metadata format varies based on your IdP.
  4. In the Unique Entity ID for Control Room (Service Provider) field, enter the entity ID.
    Note: The Unique Entity ID is defined in SAML IdP to identify the Control Room.
  5. In the Sign authentication requests field, select one of the following options:
    OptionDescription
    Do not sign SAML authentication requests are not signed.
    Sign SAML authentication requests are signed.
  6. In the Encrypt SAML Assertions field, select one of the following options:
    OptionDescription
    Do not encrypt SAML assertions are not encrypted.
    Encrypt SAML assertions are encrypted.
    Note: The Encrypt SAML Assertions option is automatically enabled when you click the Validate SAML Settings button when the following conditions are met:
    • You have selected the Sign option in the Sign authentication requests field.
    • You have selected the Do not encrypt option in the Encrypt SAML Assertions field.
  7. Optional: Enter the Public key and Private key values.
    • Public key: Specifies the SAML IdP X.509 format certificate.
    • Private key: Specifies the private key generated for signing SAML authentication requests and/or encrypting SAML assertions for the Control Room.
    Note: Enter keys only if you require signed SAML authentication requests and/or encrypted SAML assertions.

    Refer to the following article for generating public and private key pair for signing SAML authentication requests and/or encrypting SAML assertions for Control Room: How to generate signing certificate public and private keys to sign SAML authentication request.

  8. Click Validate SAML Settings.
    The Control Room will log in through the SAML IdP and redirect back to the Control Room User Authentication section on the settings page.
    When you click this option, you will be redirected to a SAML 2.0 IdP webpage where you will be prompted to enter your SAML SSO user credentials and other applicable data.
  9. Log in to your SAML IdP when prompted.
  10. Click Save changes.
    The Control Room authentication is switched to SAML SSO.