Removed users still received the prompt to select tenant on Orchestrator standalone

I granted a user access to two tenants/organizations (UAT and PROD) on our Orchestrator standalone. The authentication method is Windows/Active Directory (AD).

However, after removing the user from the UAT tenant, she still received the prompt to choose between the tenants after getting authenticated via SSO. In UAT, I removed the AD group which she is a member of. Subsequently, I removed her account from the Manage Access section.

The expectation is that she would automatically be routed to the PROD tenant after the SSO authentication.

  • Is this the correct expectation?
  • If so, how do I ensure her account is correctly removed from the UAT tenant?

Thanks.

Hi @judewong,

No, automatic routing to PROD only doesn’t happen with AD auth - users still see the tenant selector for all accessible tenants.

To fix:

  • In UAT tenant > Manage Access: Unassign AD group/user completely
  • User must clear browser cache/cookies for Orchestrator URL (or use incognito)
  • Access PROD directly via https://your-orchestrator/tenant/PROD

The tenant chooser persists due to browser session cache even after removal. Cache clear is mandatory.

Hi @judewong

Yes, your expectation is correct.

Orchestrator doesn’t remove tenant access instantly. Even after removing the AD group and user from UAT, the tenant choice can still show because of cached login info.

  • Make sure the AD group removal is synced
  • User should fully log out and close the browser
  • Clear browser cache or use incognito
  • Wait a few minutes and log in again

After this, she should be taken directly to PROD and UAT should no longer appear.

Tenant selection appears whenever Orchestrator detects more than one tenant association, even if access was recently removed and not yet fully synced.

Orchestrator still thinks the user has access to more than one tenant, so it shows the tenant selection screen.
Orchestrator does not automatically redirect the user to PROD just because UAT access was removed.

Also, sometimes when Windows/AD authentication (SSO) is used, Orchestrator relies on cached identity + directory sync, not only current UI access. Ask them to log out and log in again.

Hi @judewong

Yes, that expectation makes sense, but the tenant selection is driven by Identity, not just Orchestrator access.

Even if you remove the AD group and tenant access in UAT, the user will still see the tenant choice as long as her account exists in the UAT organization in Identity Management, so you need to remove her (or the AD group) from the UAT organization there to ensure she is routed directly to PROD after SSO.

If helpful, mark as solution. Happy automation with UiPath

Thank you all for your feedback and suggestions.

Unfortunately, none of them worked in my case. I verified that the user has been removed from Tenant > Manage Access and that all AD groups the user belongs to have been removed from that tenant.

After one day, the user opens an InPrivate (Incognito) session and still faces the same prompt. When the user clicks the tenant he was removed from, he repeatedly receives the Windows Security prompt asking for his credentials.