SAML and OIDC Support - AssistEdge Features

The SAML/OIDC specifications and configurations let you use SAML/OIDC based authentication and authorization within the AE product. They provide the ability to integrate AE RPA and AE Engage with a client-provided Identity Provider (IdP) that is based on the SAML 2.0 and OIDC specifications.


NOTE:  

AssistEdge supports SP-initiated sign-in flows for SAML and the Authorization Code flow for OIDC.


SAML and OIDC Features


SSO (Single Sign-On)

  • Single sign-on as per SAML and OIDC specifications is supported across all AssistEdge components (Administration Module/ Control Tower, Kibana, Robots, Automation Studio, EnterprisePersonalAssistant and Engage).


Manual assignment of user roles

  • By default, manual role assignment is enabled: an Administrator must assign a role from Control Tower, and only after a role is assigned is the user authorized to access the product.
  • With SAML/OIDC enabled, the user is auto-created in the system on first login. The user is created without any role assignment; if the SSO token carries a role for the user, that incoming role is ignored. Note: the user will not see any AssistEdge system data until an administrator assigns a role.
  • In this mode it is possible to bulk upload users and roles from the Admin module. This removes the dependency on the user logging in before the administrator can assign a role in the system.


(Optional) Auto role assignment based on the incoming auth token

  • This optional feature allows direct mapping of organization roles to AE-specific roles.
  • In this SAML/OIDC setup the role assignment feature in the Admin module is disabled. The user role is auto-provisioned after authentication from the SSO token, so any role change must come through the SSO token.
  • Bulk upload of users is still allowed from the Admin portal. If a role is provided in the Excel file, that information is ignored.


Other Important Features

  • It is possible to set robot authentication differently from the user authentication scheme. The following is supported:
    • Set the user authentication scheme to SAML/OIDC/custom.
    • Set the robot authentication scheme to AD.
    • If a SAML/OIDC scheme is enabled and robot authentication (the roboScheme parameter) needs to use a different scheme from user authentication (the scheme parameter), such as AD, change the roboScheme value in <<AssistEdge Build Folder>>\scripts\auth.yml to ad.

      NOTE:  

      The reverse, with the user authentication scheme set to AD and the robot authentication scheme set to SAML/OIDC/Custom, is not supported.
  • SAML/OIDC authentication from Automation Studio/ Engage
    • For Automation Studio authentication, the IE and MS Edge browsers are supported. Ensure that one of these browsers is installed on the system where automation is performed.
  • SAML/OIDC authentication for Robots
    • For robot authentication, the Chrome and IE browsers are supported. Ensure that one of these browsers is installed on the system where automation is performed.
  • SAML/OIDC authentication & validation of user input on Control Tower
    • By default, the robot credentials entered by the user are not validated on the AE server side.
    • User credentials entered on Control Tower on any of the following screens can optionally be validated by the server-side components before the input is accepted:
      • Robot setup (Credential validation)
      • Update Robot credentials. 
      • Credential manager login 
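The scheme/roboScheme rules above, and the Chrome requirement for server-side credential validation, can be checked before a deployment is restarted. The script below is an added example and is not AssistEdge product code: it assumes a flat auth.yml with a top-level `scheme`, a top-level `roboScheme` and a `Validation` section whose Chrome path key is named `chromePath` (the page names `scheme`, `roboScheme`, the `Validation` section and the value `ad`; the key name `chromePath` and the default "robots use the user scheme when roboScheme is absent" are assumptions made here).

```python
"""Pre-flight check of the auth.yml scheme combination described above.

Added example, not AssistEdge product code. It assumes a flat auth.yml with
a top-level `scheme` (user authentication), a top-level `roboScheme` (robot
authentication) and a `Validation` section holding the Chrome path; the
page names `scheme`, `roboScheme`, the `Validation` section and the value
`ad`, while the key name `chromePath` is an assumption made here.
"""
import os

# Constructed sample auth.yml, laid out as this check assumes.
SAMPLE_AUTH_YML = """\
scheme: saml
roboScheme: ad
Validation:
  chromePath: C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe
"""

SSO_SCHEMES = {"saml", "oidc", "custom"}


def parse_simple_yaml(text):
    """Read the two-level `key: value` layout of the sample above.

    Kept dependency-free on purpose; a real deployment should load the file
    with yaml.safe_load() and pass the resulting dict to check_auth_config().
    """
    result, section = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indented = raw[0] in " \t"
        key, _, value = raw.strip().partition(":")
        key, value = key.strip(), value.strip()
        if indented and section is not None:
            result[section][key] = value
        elif value == "":          # `Validation:` opens a section
            result[key], section = {}, key
        else:
            result[key], section = value, None
    return result


def check_auth_config(cfg, path_exists=os.path.exists):
    """Return a list of findings; an empty list means the setup is supported.

    Rules taken from the page: user scheme SAML/OIDC/custom may be paired
    with robot scheme AD; user scheme AD with robot scheme SAML/OIDC/custom
    is not supported; server-side credential validation needs Chrome.
    `path_exists` is injectable so the check can run where Chrome is absent.
    """
    findings = []
    user = str(cfg.get("scheme", "")).lower()
    # Assumption: a missing roboScheme means robots use the user scheme.
    robot = str(cfg.get("roboScheme", user)).lower()

    if not user:
        findings.append("scheme (user authentication) is not set")
    elif robot != user and not (user in SSO_SCHEMES and robot == "ad"):
        findings.append(
            f"scheme={user} with roboScheme={robot} is not a supported combination; "
            "only SAML/OIDC/custom users with AD robots may differ")

    if "Validation" in cfg:             # server-side credential validation enabled
        validation = cfg.get("Validation") or {}
        chrome = str(validation.get("chromePath", "")).strip()
        exe = chrome.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if not chrome:
            findings.append("Validation section has no chromePath")
        elif "chrome" not in exe:
            findings.append(f"Validation.chromePath points at {exe}; only Chrome is supported")
        elif not path_exists(chrome):
            findings.append(f"Validation.chromePath not found on the AE server: {chrome}")
    return findings


if __name__ == "__main__":
    cfg = parse_simple_yaml(SAMPLE_AUTH_YML)
    for line in check_auth_config(cfg) or ["auth.yml scheme combination is supported"]:
        print(line)
```

Run it on the AE server itself so the Chrome path check reflects the machine that performs the backend validation; run from elsewhere, pass `path_exists=lambda p: True` to check only the scheme combination.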


NOTE:  

  • Only the Chrome browser is supported for this backend validation. Ensure Chrome is installed on the AE server side and that the Chrome browser path is provided in <<AssistEdge Build Folder>>\scripts\auth.yml in the Validation section.
  • Assertion encryption is not supported: the assertion can be signed but not encrypted. Because the assertion itself is sent in clear text, the endpoints that receive it must be served over TLS.
  • If signed, the SAML token must be signed with a single signing key only.
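The SAML constraints in the note above (assertions signed but not encrypted, a single signing key, and an IdP endpoint for the SP-initiated flow) can be verified against the IdP's metadata and a captured Response before onboarding. The checker below is an added example, not AssistEdge product code; it uses only the standard library, and every XML document in it is constructed sample data rather than output of a real IdP. It goes slightly beyond the page in one place: an assertion that is neither signed itself nor covered by a Response signature is reported as a finding, because an unsigned assertion over an unencrypted channel is forgeable, even though the page only says assertions can be signed.

```python
"""Checks for the SAML constraints in the note above: signed, not encrypted,
assertions; a single IdP signing key; and an IdP SSO endpoint usable for the
SP-initiated flow.

Added example, not AssistEdge product code. Only the standard library is used,
and every XML document below is constructed sample data, not real IdP output.
"""
import xml.etree.ElementTree as ET  # prefer defusedxml for untrusted input

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SP_INITIATED_BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
}


def check_idp_metadata(xml_text):
    """Return findings on IdP metadata; [] means it fits the constraints above."""
    findings = []
    idp = ET.fromstring(xml_text).find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        return ["no IDPSSODescriptor: this is not IdP metadata"]
    # A KeyDescriptor without `use` is valid for both signing and encryption,
    # so it counts as a signing key too.
    signing = [k for k in idp.findall(f"{{{MD}}}KeyDescriptor")
               if k.get("use", "signing") == "signing"]
    if len(signing) != 1:
        findings.append(f"expected exactly one signing key, found {len(signing)}; "
                        "a key rollover with two active signing keys is not supported")
    bindings = {s.get("Binding") for s in idp.findall(f"{{{MD}}}SingleSignOnService")}
    if not bindings & SP_INITIATED_BINDINGS:
        findings.append("no HTTP-Redirect/HTTP-POST SingleSignOnService; "
                        "the SP-initiated sign-in flow needs one")
    return findings


def check_saml_response(xml_text):
    """Return findings on a SAML Response; [] means a single signed, plain assertion."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.find(f"{{{SAML}}}EncryptedAssertion") is not None:
        findings.append("assertion is encrypted; turn assertion encryption off at the IdP")
    assertions = root.findall(f"{{{SAML}}}Assertion")
    if not assertions:
        return findings or ["Response carries no Assertion"]
    response_signed = root.find(f"{{{DS}}}Signature") is not None
    for a in assertions:
        sigs = a.findall(f"{{{DS}}}Signature")
        if len(sigs) > 1:
            findings.append(f"assertion {a.get('ID')} carries {len(sigs)} signatures; "
                            "only a single signing key is supported")
        elif not sigs and not response_signed:
            # The page only says assertions *can* be signed; an unsigned assertion
            # over an unencrypted channel is forgeable, so flag it as a finding.
            findings.append(f"assertion {a.get('ID')} and its Response are both unsigned")
    return findings


# Constructed sample documents (placeholder certificate and signature values).
_KEY = ('<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
        '<ds:X509Certificate>MIIB...constructed...</ds:X509Certificate>'
        '</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>')
_SSO = ('<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" '
        'Location="https://idp.example.com/saml/sso"/>')
_MD_HEAD = (f'<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" entityID="https://idp.example.com/saml">'
            '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">')
_MD_TAIL = '</md:IDPSSODescriptor></md:EntityDescriptor>'
SAMPLE_METADATA = _MD_HEAD + _KEY + _SSO + _MD_TAIL
METADATA_TWO_KEYS = _MD_HEAD + _KEY + _KEY + _SSO + _MD_TAIL   # IdP mid key rollover

_RESP_HEAD = f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" xmlns:ds="{DS}" ID="_r1" Version="2.0">'
SIGNED_RESPONSE = (_RESP_HEAD + '<saml:Assertion ID="_a1" Version="2.0">'
                   '<ds:Signature><ds:SignedInfo/><ds:SignatureValue>constructed</ds:SignatureValue></ds:Signature>'
                   '<saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>'
                   '</saml:Assertion></samlp:Response>')
ENCRYPTED_RESPONSE = (_RESP_HEAD + '<saml:EncryptedAssertion>'
                      '<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>'
                      '</saml:EncryptedAssertion></samlp:Response>')

if __name__ == "__main__":
    for name, doc, check in [("metadata", SAMPLE_METADATA, check_idp_metadata),
                             ("metadata (two keys)", METADATA_TWO_KEYS, check_idp_metadata),
                             ("signed response", SIGNED_RESPONSE, check_saml_response),
                             ("encrypted response", ENCRYPTED_RESPONSE, check_saml_response)]:
        print(name, "->", check(doc) or ["ok"])
```

These checks only inspect structure; they do not verify the signature itself, which the AE server does at login. Feed `check_saml_response` a Response captured from the browser (base64-decoded SAMLResponse form field) from a test IdP account, and `check_idp_metadata` the metadata document the IdP team hands over.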