Supported authentication methods for On-Premises Control Room

Review the authentication methods supported for an On-Premises Control Room.

Supported authentication methods

  • Active Directory using LDAP
  • Active Directory using Kerberos
  • SAML
  • Local authentication using a database

Note: Integration of LDAP with a load balancer for Active Directory using Kerberos authentication is not supported.

The benefits of integrating with Active Directory are as follows:

  • Easier adoption: integrates with an existing, standards-compliant authentication solution.
  • Maintenance: all passwords and password policies are centrally administered.
  • Better user experience: fewer passwords to remember.

Kerberos provides the following additional benefits over NTLM pass-through authentication:

  • Open standard versus closed proprietary standard
  • Mutual authentication of client and server
  • Integration with smart cards for 2FA

Local authentication manages user passwords through the Credential Vault. Passwords are hashed using the HMACSHA512 algorithm, keyed by the output of the Password-Based Key Derivation Function (PBKDF2). User passwords are encrypted in transit using TLS 1.2.
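The following is an added example, not Automation Anywhere's code, showing how the local-authentication scheme described above can be realised: PBKDF2 stretches the password into a key, and that key drives an HMAC-SHA512 over the password to produce the stored verifier. The salt length, iteration count and record layout are assumptions; the page does not state them.

```python
"""Added example of the described scheme: an HMAC-SHA512 verifier keyed by
a PBKDF2 output. Parameters below are assumptions, not the product's values."""
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters (the page does not state them).
PBKDF2_ITERATIONS = 210_000   # work factor lives in PBKDF2, not in the HMAC
SALT_BYTES = 16               # per-user random salt
KEY_BYTES = 64                # HMAC-SHA512 key length


def derive_hmac_key(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA512 turns the password and salt into the HMAC key."""
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt,
                               iterations, dklen=KEY_BYTES)


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Build the stored record: salt, iteration count and the HMAC-SHA512
    verifier. The password itself is never written anywhere."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    key = derive_hmac_key(password, salt, PBKDF2_ITERATIONS)
    verifier = hmac.new(key, password.encode("utf-8"), hashlib.sha512).digest()
    return {"salt": salt.hex(),
            "iterations": PBKDF2_ITERATIONS,
            "verifier": verifier.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the verifier from the stored salt and iteration count and
    compare in constant time, so a wrong guess leaks nothing via timing."""
    salt = bytes.fromhex(record["salt"])
    key = derive_hmac_key(password, salt, record["iterations"])
    candidate = hmac.new(key, password.encode("utf-8"), hashlib.sha512).digest()
    return hmac.compare_digest(candidate, bytes.fromhex(record["verifier"]))


if __name__ == "__main__":
    # Constructed sample password; any two enrolments of it differ because
    # each gets a fresh random salt, yet both verify.
    rec_a = hash_password("correct horse battery staple")
    rec_b = hash_password("correct horse battery staple")
    print(rec_a["verifier"] != rec_b["verifier"])            # True
    print(verify_password("correct horse battery staple", rec_a))  # True
    print(verify_password("correct horse battery stapl", rec_a))   # False
```

Storing the iteration count alongside the salt lets the work factor be raised later for new enrolments without breaking verification of older records.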

All authentication and session management is handled by the Spring Security framework. Kerberos integration is provided through the Waffle framework, and SAML integration through the OneLogin framework. All three are widely used, well-tested frameworks.

Active Directory integration for authentication

Automation 360 offers seamless integration with Microsoft Windows Active Directory for access to the Control Room, Bot Creators, and Bot Runners.

When the Control Room is integrated with Active Directory, all Active Directory users, with their basic details, are directly available in the Control Room without any extra configuration. With Active Directory integration, user passwords stay only in Active Directory and are never saved in the platform.

In addition to Active Directory authentication, the Control Room has its own controls to prevent unauthorized access to any automation data. See Dynamic access token authentication of Bot Runners.

Bot Runner users can also configure their Active Directory credentials for Bot Runner machine autologin. These credentials are saved in the centralized Credential Vault.

Multi-domain Active Directory support

The Automation 360 platform architecture supports multi-forest, multi-domain Active Directory integration. Multi-forest, multi-domain integration requires trust relationships between the forests and the domains. See Configure Control Room for Active Directory: auto mode for details.

Automation 360 On-Premises can be configured with an Active Directory global catalog server so that the Control Room, Bot Creators, and Bot Runners can all be in the same or in different Active Directory forests and domains. This gives added flexibility and control for large-scale, complex deployments where users are spread across geographies.

Multi-domain support is provided out of the box, and no additional configuration is required. User provisioning in an On-Premises Control Room from different Active Directory domains is also seamless, enabling the On-Premises admin to centrally orchestrate a digital workforce running across the globe.