Blue Prism Active Directory Integration
In most enterprises, Microsoft Active Directory (AD) is the authoritative user directory that governs access to basic IT services such as email and file sharing. Often, AD is also used to control access to a broader set of business applications and IT systems.
SaaS applications are each developed with their own native user directories that control direct access to their individual services. And, because they run outside of the firewall, SaaS applications have traditionally been beyond the reach of Active Directory.
Blue Prism can leverage Active Directory (AD) Domain Services to provide a range of enterprise-strength capabilities, including using Active Directory for user authentication. In this scenario Active Directory is used to manage and control user access to the Blue Prism platform in line with existing security policies; this is the recommended approach for enterprise deployments. Furthermore, Active Directory can be used to provide inter-component message security.
The Blue Prism Platform should be deployed within an Active Directory Network Infrastructure to enable a number of enterprise-strength capabilities:
- Message content security and integrity
When the Blue Prism components are deployed within an Active Directory Network Infrastructure configured with appropriate domain trusts, communication message security is enabled by default for the necessary inter-component communication.
Further information on securing connections by enabling message security is provided within the Securing Network Connectivity Data Sheet.
- Single sign-on for the Blue Prism Platform (provided by Active Directory Domain Services)
Integrating Blue Prism with Active Directory for single sign-on (SSO) leverages the functionality of Active Directory to validate users’ access to the platform. This approach not only simplifies the logon process but also aligns user access controls with existing network security policies.
- Runtime Resources authenticate using a domain account
Where the Blue Prism Runtime Resources are configured to authenticate using a domain account, they are able to use single sign-on methods to authenticate with the business applications and systems used as part of a process automation.
Benefits of Single Sign-on for the Blue Prism Platform
Blue Prism integration with Active Directory Domain Services for single sign-on is enabled as part of the installation procedure and leverages the .NET Directory Services libraries to validate that the currently authenticated user is a member of an Active Directory Security Group that is configured with access to Blue Prism.
Configuring Blue Prism to use Active Directory for single sign-on simplifies the administration and maintenance associated with managing large numbers of users across multiple environments whilst also ensuring that existing security policies are applied.
Using centralized authentication allows access rights to be managed, maintained and audited within a central function and adds an additional layer of security that is independent of the platform. This places Blue Prism access control in the hands of the network administrators and provides a familiar and trusted mechanism for restricting access to important software.
Configuring Active Directory Integration for Single Sign-on
Integration with Active Directory is configured for specified instances of Blue Prism allowing full segregation of roles across multiple environments (e.g. Development, Test and Production).
The following steps are required for managing user access to Blue Prism with Active Directory:
- Configure Active Directory Security Groups: Security Groups should be set up in Active Directory to reflect each security role in a Blue Prism environment. The users within the domain should then be added to the relevant Security Group.
- Specify the domain that hosts the AD Security Groups: Blue Prism will be configured with the domain where the Active Directory Security Groups reside. Only security groups in the specified domain can be associated with a Blue Prism security role; however, when using Blue Prism 5.0.24 or above, users from any domain within the common Active Directory Forest can be assigned to these security groups. They can either be direct members of the group, or be granted membership via a nested group. As part of the configuration it is necessary to select which Active Directory Security Group users should be members of to be granted System Administrator rights.
- Configure and map the Blue Prism Roles to AD Security Groups: The pre-configured Blue Prism security roles can then be edited or amended, and new security roles can also be added. Each active role in a given Blue Prism environment will then be mapped to an existing Active Directory Security Group within the configured domain.
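The three steps above, carried out from the Active Directory side, as an added example that is not Blue Prism's own script or documentation: it creates one security group per Blue Prism role for a single environment in the domain that Blue Prism will be configured with, adds direct and nested members, and then verifies effective membership (nested groups resolved) before the groups are mapped to roles in Blue Prism. The domain name, OU path, group names, team group and user names are constructed placeholders; the script assumes the RSAT ActiveDirectory PowerShell module and an account permitted to create groups in that OU. The groups are created with Universal scope because a Global group cannot hold members from other domains in the forest, which the cross-domain membership described above relies on.

```powershell
# Added example (not Blue Prism's own script): mirror Blue Prism roles as AD
# security groups for one environment, populate them, and verify membership.
# Assumed/constructed values: domain, OU path, group names, team group, user names.
Import-Module ActiveDirectory

$Domain      = 'corp.example.com'                                  # domain Blue Prism is configured with (assumed)
$GroupOU     = 'OU=BluePrism,OU=Groups,DC=corp,DC=example,DC=com'  # assumed OU holding the groups
$Environment = 'Prod'                                              # one set of groups per environment

# Roles to mirror; the first is the group whose members will be granted
# System Administrator rights when Blue Prism is configured.
$Roles = @('SystemAdministrators', 'ProcessAdministrators', 'Developers', 'Testers', 'ScheduleManagers')

foreach ($role in $Roles) {
    $name = "BP-$Environment-$role"
    if (-not (Get-ADGroup -Filter "Name -eq '$name'" -Server $Domain)) {
        # Universal scope: members may come from any domain in the forest.
        New-ADGroup -Name $name -SamAccountName $name -GroupScope Universal `
            -GroupCategory Security -Path $GroupOU -Server $Domain `
            -Description "Blue Prism $Environment role: $role"
    }
}

# Direct membership (constructed sAMAccountNames).
Add-ADGroupMember -Identity "BP-$Environment-Developers" -Members 'jsmith', 'alee' -Server $Domain

# Nested membership: an existing team group (constructed name) becomes a member
# of the role group, so its users hold the role indirectly.
Add-ADGroupMember -Identity "BP-$Environment-SystemAdministrators" -Members 'RPA-Platform-Team' -Server $Domain

# Verification before mapping in Blue Prism: list the effective user members of
# each role group with nested groups resolved, and flag any group left empty.
foreach ($role in $Roles) {
    $name    = "BP-$Environment-$role"
    $members = @(Get-ADGroupMember -Identity $name -Recursive -Server $Domain |
                 Where-Object objectClass -eq 'user')
    if ($members.Count -eq 0) {
        Write-Warning "$name has no effective user members; nobody will hold this role"
    } else {
        "$name : " + (($members | Select-Object -ExpandProperty SamAccountName) -join ', ')
    }
}

# Check one user (constructed name) against the System Administrator group,
# counting membership inherited through nested groups.
$adminMembers = @(Get-ADGroupMember -Identity "BP-$Environment-SystemAdministrators" -Recursive -Server $Domain)
$isAdmin = [bool]($adminMembers | Where-Object SamAccountName -eq 'jsmith')
"jsmith is a Blue Prism System Administrator: $isAdmin"
```

Run it once per environment (Development, Test, Production) with a different `$Environment` value so that role membership stays segregated, and keep the empty-group warning: a role group with no effective members is the usual cause of an administrator being unable to log on after the Blue Prism mapping is applied.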
Benefits of Runtime Resources authenticating using a domain account
The Blue Prism Runtime Resources (often referred to as robots) are responsible for executing the processes designed and configured within the platform. Typically, processes will require interaction with various applications and systems, some of which may be integrated with Active Directory for single sign-on (SSO). Using a domain account to authenticate the Runtime Resources against the network allows a process to authenticate with the relevant target systems using single sign-on. This simplifies the security model and accelerates development.
Additional benefits of using a domain account to authenticate a Runtime Resource include:
- Enforces existing security policies for the Runtime Resources (e.g. password reset and complexity requirements).
- Allows Active Directory Group Policy Objects (GPO) to be used to enforce user specific
- Provides audit-ability and control of the accounts via Active
- Simplifies access to network resources such as shared drives, mailboxes, printers