UiPath Orchestrator

The UiPath Orchestrator Guide

PingOne Authentication

Configure PingOne to Recognize a New Orchestrator Machine



The following steps are valid for PingOne SAML setup. Please note that the procedure is a broad description of a sample configuration. For a fully detailed how-to, visit the official PingOne Documentation.

  1. Log in to the PingOne Administrator Console.
  2. On the Applications tab, click + Add Application. A new window opens.
  1. Select WEB APP, and click the Configure button in the SAML box.
  1. On the Create App Profile page, enter an application name in the dedicated field, and click the Next button.
  1. On the Configure SAML page, specify the ACS URL by filling in the URL of the Orchestrator instance plus the suffix Saml2/Acs. For instance: https://orchestratorURL/Saml2/Acs. Keep in mind that the ACS is case sensitive.
  2. Scroll down the Configure SAML page, and set the Entity ID to https://orchestratorURL.
  3. On the same page, select HTTP Redirect as your SLO binding.
  4. In the Assertion Validity Duration field, enter the desired validity period in seconds, and press Next.
  1. On the Map Attributes page, map the following attribute:
    Email Address =
  1. Click Save and open the app from the Connections tab.
  1. In the newly opened window, copy the Single SignOn URL.

Set Orchestrator to Use PingOne Authentication

  1. Define a user in Orchestrator and have a valid email address set on the Users page.
  2. Set the ExternalAuth.Saml2.Enabled parameter to true in Orchestrator's Web.Config file.
<add key="ExternalAuth.Saml2.Enabled" value="true" />
  1. Set the ExternalAuth.UserMappingStrategy parameter to ByUserName in the Web.Config file.
<add key="ExternalAuth.UserMappingStrategy" value="ByUserEmail" />
  1. Import the signing certificate provided by PingOne to the Orchestrator machine, under Local Machine > Personal Store. See here how to do that.
  2. Add the following node in the Web.Config under the configuration node.
<sustainsys.saml2 entityId="https://orchestratorurl" returnUrl="https://orchestratorurl/Account/ExternalLoginCallback">
    <nameIdPolicy format="EmailAddress"/>
        <add entityId="issuerid" signOnUrl="singlesignonservice" allowUnsolicitedAuthnResponse="true" binding="HttpRedirect">
            <signingCertificate storeName="My" storeLocation="LocalMachine" x509FindType="FindByThumbprint" findValue="thumbprintforpingcertificate"/>

The values for issuerid and singlesignonservice are available in the PingOne console's Configuration page.




Whenever filling in the URL of the Orchestrator instance, make sure it does not contain a trailing slash. Always fill it in as https://orchestratorURL, not https://orchestratorURL/.

Updated 2 years ago

PingOne Authentication

Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.