Set up SAML authentication

Switch user authentication for Control Room from Control Room database to SAML single sign-on (SSO).

Prerequisites

Note: SAML integration is irreversible. After it has been established, you cannot modify the configuration.

When using SAML for authentication, use the network access capabilities of the IdP to restrict access of the Control Room to specific allowed IP addresses. Ensure all allowed IP addresses configured are removed from the Control Room network settings before switching to SAML for authentication. For more information, see Add access public IP addresses.

Ensure that you are logged in to the Control Room as the administrator.

Before you set up authentication for the Control Room, setup tasks (such as introducing credentials on a new system and importing users) might be required. If you import users, then you must also include matching user IDs, email addresses, first and last names, in both the Automation Anywhere credentials and matching records to log in after the SAML integration. For example, if using Okta as a SSO, then users must have matching IDs, email addresses, first name and last names in both Automation Anywhere and Okta to log in after the SAML integration.

You should have the required user information and certificate ready. Typical user information consists of user ID, first and last name, and an email address.

Note: You must validate the SAML IdP setup before you configure the Control Room. See Configure Control Room as a service provider.

After switching to SAML authentication, any users with non-SAML IdP formatted IDs will not be able to log in. You need to verify that any bots in the private workspace of such users are exported beforehand so that the bots can be imported for their new SAML SSO enabled user accounts.

Much of this configuration relies on third-party applications to create the necessary metadata. If you require more specific configuration information based on a specific provider, see Configure SSO authentication with Okta.

To switch the Control Room to SAML SSO, follow these steps.

Procedure

In the SAML metadata field, enter the metadata from your SAML IdP setup. The following shows an example SAML2 response:

<saml:AuthnStatement AuthnInstant="2022--10-24T13:41:04Z" SessionIndex="_dc2ab824-cb14-40d3-8e7f-d823193fd6a2">
            <saml:AuthnContext>
                <saml:AuthnContextClassRef>
                    urn:oasis:names:tc:SAML:2.0:ac:classes:Password
                </saml:AuthnContextClassRef>
            </saml:AuthnContext>
        </saml:AuthnStatement>

Note: SAML metadata format varies based on your IdP.

In the Unique Entity ID for Control Room (Service Provider) field, enter the entity ID.

Note: The Unique Entity ID is defined in SAML IdP to identify the Control Room.

In the Sign authentication requests field, select one of the following options:

Option	Description
Do not sign	SAML authentication requests are not signed.
Sign	SAML authentication requests are signed.

In the Encrypt SAML Assertions field, select one of the following options:

Option	Description
Do not encrypt	SAML assertions are not encrypted.
Encrypt	SAML assertions are encrypted.

Note: The Encrypt SAML Assertions option is automatically enabled when you click the Validate SAML Settings button when the following conditions are met:

You have selected the Sign option in the Sign authentication requests field.
You have selected the Do not encrypt option in the Encrypt SAML Assertions field.

Automation 360

Set up SAML authentication