Switch user authentication for Control Room from Control Room database to SAML single sign-on (SSO).

Prerequisites

Note:
  • SAML configuration cannot be changed to other authentication methods after it is established.
  • When using SAML for authentication, use the network access capabilities of the IdP to restrict access of the Control Room to specific allowed IP addresses. Ensure all allowed IP addresses configured are removed from the Control Room network settings before switching to SAML for authentication. For more information, see Allowed IP addresses.
  • For any On-Premises Control Room that uses Transport Layer Security (TLS) termination at the load balancer and connects to the Control Room nodes over HTTP, additional Control Room configuration is required to forward all X-Forwarded-* headers. See A360 | Forward all X-Forwarded-* headers during TLS termination.

Before setting up SAML authentication, do the following:

  • Ensure that you are logged in to the Control Room as the administrator.

  • You have collected all the necessary user information in advance, such as user ID, first name, last name, and email address for the user who accesses the Control Room.
  • You might need to complete setup tasks:
    • Introducing credentials on a new system (creating user accounts).
    • Importing users (uploading user details such as user ID, name, and email address so they are recognized by the Control Room).
      Note: If you are importing users, make sure these details are consistent and identical in both Automation Anywhere and your identity provider (such as Okta when using SSO/SAML). This matching is required for users to log in after SAML integration.
  • You have the SAML certificate provided by your identity provider ready for upload during the authentication setup process.
Note: You must validate the SAML IdP setup before you configure the Control Room. See Configure Control Room as a service provider.

To switch the Control Room to SAML SSO, follow these steps.

Procedure

  1. Navigate to Administration > Settings > User authentication.
  2. Select the Use SAML option.
    Note: The Use Control Room database option is selected by default.
  3. In the SAML metadata field, enter the metadata from your SAML IdP setup. The following shows an example SAML2 response:
    <saml:AuthnStatement AuthnInstant="2022-10-24T13:41:04Z" SessionIndex="_dc2ab824-cb14-40d3-8e7f-d823193fd6a2">
        <saml:AuthnContext>
            <saml:AuthnContextClassRef>
                urn:oasis:names:tc:SAML:2.0:ac:classes:Password
            </saml:AuthnContextClassRef>
        </saml:AuthnContext>
    </saml:AuthnStatement>
    Note: SAML metadata format varies based on your IdP.
  4. In the Unique Entity ID for Control Room (Service Provider) field, enter the entity ID.
    Note: The Unique Entity ID is defined in SAML IdP to identify the Control Room.
  5. In the Sign authentication requests field, select one of the following options:
    • Do not sign: SAML authentication requests are not signed.
    • Sign: SAML authentication requests are signed.
  6. In the Encrypt SAML Assertions field, select one of the following options:
    • Do not encrypt: SAML assertions are not encrypted.
    • Encrypt: SAML assertions are encrypted.
    Note: The Encrypt SAML Assertions option is automatically enabled when you click the Validate SAML Settings button if the following conditions are met:
    • You have selected the Sign option in the Sign authentication requests field.
    • You have selected the Do not encrypt option in the Encrypt SAML Assertions field.
  7. Optional: Enter the Public key and Private key values.
    • Public key: Specifies the SAML IdP X.509 format certificate.
    • Private key: Specifies the private key generated for signing SAML authentication requests and/or encrypting SAML assertions for the Control Room.
    Note: Enter keys only if you require signed SAML authentication requests and/or encrypted SAML assertions.

    To generate the public and private key pair for signing SAML authentication requests and/or encrypting SAML assertions for the Control Room, see the following article: How to generate signing certificate public and private keys to sign SAML authentication request.

  8. Click Validate SAML Settings.
    When you click this option, you are redirected to a SAML 2.0 IdP webpage, where you are prompted to enter your SAML SSO user credentials and other applicable data.
    The Control Room then logs in through the SAML IdP and redirects back to the User Authentication section on the Control Room settings page.
  9. Log in to your SAML IdP when prompted.
  10. Click Save changes.
    The Control Room authentication is switched to SAML SSO.