Auto signup via SAML SSO not working, new users not provisioned on login

With Automation Suite 2023.10.5

After setting SSO SAML at the organization level, I can login via SAML with my username that was already created.

But other users are able to login, but their user is not actually created (they won't appear in Orchestrator > Admin > Accounts & Groups > Users), and when the users try to do anything it complains that "you are not authenticated".

What is actually needed for signup / user provisioned at SSO Login?

@ecerulm

I believe you still need to onboard the user and give roles to them to login.

cheers

But Orchestrator > Admin > Security > SSO SAML > Provisioning settings says

Upon successful sign in, SAML users will automatically be provisioned into the Automation Cloud with Everyone Group membership.

(I'm not using Automation Cloud though, but Automation Suite on premise.) I thought that meant it will create a local user in Automation Suite > Orchestrator > Default (organization).

@ecerulm

Agreed on this

Can you please validate the steps you have done…

Users separately won't appear there, check the doc above… it says they are automatically available to assign to groups but won't be seen.

And also

Can you please validate the steps you have done…

What do you mean by validate? I created the SSO at Admin > Security > SSO

  • Step 1: General details: I'm pretty sure this is OK, since I can login using SSO
  • Step 2: Provisioning settings:
    • Allowed domains: xxxx.com, only users with this domain will be allowed to login. I'm also assuming this is OK since I'm able to login
    • Attribute Mapping: only Display Name is required, but I configured Display Name, First Name, Last Name, and Department with the claim names that my on-prem Active Directory uses.
  • Step 3: Advanced details
    • Allow unsolicited authentication response
    • HTTP POST
    • Signing

I’m able to login with SSO (but I already have a local user too since I’m the admin), other new users are able to login too

  • They don't show up in Admin > Accounts & Groups
  • They show up in Orchestrator > Tenant > Manage Access. I see them with "Account Type: Directory User"
  • The "Role Assignment" for these users says "Inherited from groups"
  • Allow Orchestrator UI Access: Disabled (I would expect that it will inherit Enabled from the group Automation Developers)

I believe the problem is that they are not getting assigned to any groups although I have in Admin > Security > View provisioning rules

  • In particular, now while I'm working on this issue, I have only one rule with condition
  • claim: given_name
  • relationship: is
  • value: Jens
  • assign to groups: Automation Developers

So I'm expecting that any user that logs in with SAML claim "given_name" = "Jens" should be assigned to "Automation Developer" and therefore be able to use the Orchestrator UI. But the user logs in, gets to the home screen and, as soon as they click on "Default Tenant", gets an error and becomes logged out. My expectation is that this user will get the "Automation Developer" group and therefore be able to use the Orchestrator UI and the folder Shared.

I discovered that the users get the right groups. From Orchestrator > Tenant > Manage Access, I click on "Jens", three dots > Check roles & permissions, and it shows:

  • Tenant,2 roles,
    • Allow to be Automation User (inherited from groups automation users),
    • Allow to be Automation Developer (inherited from group(s) automation developers)
  • Shared (folder), 2 Roles,
    • Automation User (Inherited from group(s) automation users)
    • Automation Developer (Inherited from group(s) automation developers)

So the user is properly assigned to groups, but it seems that it does NOT get the “Allow Orchestrator UI Access” from the group/roles, I don’t want to manually enable this for each user.

Should the "Allow Orchestrator UI access" not be inherited from the roles/groups?

I was contacted by UiPath support, and one temporary solution was to

  • Make sure that ALL the groups the user is getting have the "Allow Orchestrator UI access"
  • Delete the “Directory User” from Orchestrator > Tenant > Manage Access
  • The user login again with SSO

After login the Directory User has “Allow Orchestrator UI access” (it shows on the user itself). So it seems (so far), that the “Allow Orchestrator UI access” gets set only on first login with the logical AND of the “Allow Orchestrator UI access” of all the groups instead of the logical OR of that setting.

The UiPath case is not closed yet and there are some more tests to be done, but it looks that way so far.
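To make the diagnosis in the last two posts concrete, here is a small model (an added example, not UiPath code and not from the thread) of how the single provisioning rule maps SAML claims to groups, and how the effective "Allow Orchestrator UI access" flag differs when the group settings are combined with AND (the first-login behaviour observed above) versus OR (the inheritance the poster expected). The per-group flag table and the sample assertion attributes are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ProvisioningRule:
    claim: str          # SAML attribute name, e.g. "given_name"
    relationship: str   # the thread shows only "is" (exact match)
    value: str
    groups: tuple       # groups assigned when the rule matches


# Constructed assumption: which groups carry "Allow Orchestrator UI access".
# The support workaround implies at least one group the user lands in lacked it.
UI_ACCESS_BY_GROUP = {
    "Everyone": False,
    "Automation Developers": True,
}

# The one rule from the thread: given_name is "Jens" -> Automation Developers.
RULES = [ProvisioningRule("given_name", "is", "Jens", ("Automation Developers",))]


def rule_matches(rule, attributes):
    """attributes maps a claim name to the list of values in the SAML assertion."""
    values = attributes.get(rule.claim, [])
    if rule.relationship == "is":
        return rule.value in values
    raise ValueError(f"unsupported relationship: {rule.relationship}")


def assign_groups(attributes, rules=RULES):
    # Every provisioned SAML user gets Everyone membership (provisioning settings text).
    groups = {"Everyone"}
    for rule in rules:
        if rule_matches(rule, attributes):
            groups.update(rule.groups)
    return groups


def ui_access(groups, mode):
    """Effective 'Allow Orchestrator UI access' for a user in these groups.
    mode='and' reproduces the first-login behaviour seen in the thread;
    mode='or' is the inheritance the poster expected."""
    flags = [UI_ACCESS_BY_GROUP.get(g, False) for g in groups]
    return all(flags) if mode == "and" else any(flags)


if __name__ == "__main__":
    jens = {"given_name": ["Jens"]}          # constructed assertion attributes
    groups = assign_groups(jens)
    print(sorted(groups))                    # ['Automation Developers', 'Everyone']
    print(ui_access(groups, "and"))          # False: one group without the flag blocks the user
    print(ui_access(groups, "or"))           # True: what the poster expected
```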
