ADFS (SSO) Integration with Automation Anywhere Enterprise



We all know how interesting and challenging it is to get SSO integrated with any application. I recently configured ADFS with the Automation Anywhere Enterprise tool; the steps and configuration follow. SSO was not supported in Automation Anywhere 10.x; SAML 2.0 support arrived with 11.x.

  1. Once the installation of Automation Anywhere Enterprise (AAE) completes, the following Control Room window pops up for configuration. It is important to know that, up to version 11.3.3, the authentication method cannot be switched or reverted once it is configured; changing it requires a complete reinstallation of AAE.
Screenshot: 'Welcome! Let's get started', authentication type for Control Room users. Options: Active Directory; Single Sign-On (SAML 2.0); Control Room database. With Single Sign-On selected, the Control Room connects to your Identity Provider using SAML 2.0 so that users can log in with their IdP credentials. Fields: SAML Metadata (the wizard refuses to continue while it is empty), Unique Entity ID for Control Room (Service Provider), Encrypt SAML Assertion (public key). Button: Next >.
  2. Copy the content of FederationMetadata.xml (https://adfsServerURL/federationmetadata/2007-06/federationmetadata.xml) and paste it in as the 'SAML Metadata' value. Fetch it over HTTPS directly from the ADFS server: the metadata embeds the ADFS token-signing certificate that the Control Room uses to validate assertion signatures, and since the Control Room keeps the pasted copy rather than polling the URL, it has to be re-entered if that certificate changes.
Also provide the 'Unique entity ID for control room (service provider)'. This value must match the Identifier of the relying party trust in ADFS.
'Encrypt SAML Assertion' is optional.


  3. Click Next and you get the following screen, where the AAE Control Room metadata for the ADFS relying party configuration is provided. Copy the metadata and save it as an XML file.

Screenshot: 'Registering Control Room as a Service Provider in IdP: Instructions'. The Control Room metadata shown is an EntityDescriptor with cacheDuration="PT604800S" and entityID="ADFSAAEIntegration" (the unique entity ID entered in step 2). Generic instructions on the screen: 1. Copy the Control Room metadata from the text box. 2. Log in to the IdP manager with an account that has privileges to add a new Service Provider. 3. Navigate to the Metadata Manager and add a new service provider. 4. Enter the Control Room metadata into the required fields. 5. Enter the Entity ID for the Control Room Service Provider. 6. Select the option to send user information: Username (mandatory), first name, last name, email ID. 7. Save the new Service Provider. Below that: the nominated Control Room Administrator has to log in to the IdP by clicking the 'Authenticate with IdP' button; on successful authentication, that user is added as Control Room Administrator. Buttons: < Back, Next >.

  4. Now go to ADFS and create a relying party trust for the AAE Control Room. Right-click 'Relying Party Trusts' in the ADFS console and choose 'Add Relying Party Trust...' to open the wizard.
Make sure 'Claims aware' is selected, then click 'Start'.


  5. Here choose 'Import data about the relying party from a file' and browse to the XML file created in step 3.


  6. On the next screen provide the 'Unique entity ID for control room (service provider)' from step 2.

  7. In 'Access control policy', choose 'Permit everyone'. That is the quickest way to get the integration working; for production, scope access to an AD group instead (ADFS ships a 'Permit specific group' policy), so that only the users who should reach the Control Room get an assertion issued.


  8. Keep the 'Configure claims issuance policy for this application' check box selected and finish the wizard.



  9. Now right-click the relying party trust you created and choose 'Edit Claim Issuance Policy...'. Click 'Add Rule' and choose 'Send LDAP Attributes as Claims' as the claim rule template.


  10. Give the claim rule a name and choose Active Directory as the attribute store. Map the LDAP attributes to outgoing claim types as follows. The values on the right (outgoing claim types) are case sensitive; the ones that are not in the drop-down list (EmailAddress, UserID, FirstName, LastName) are typed in literally.

LDAP Attribute 🡪 Outgoing Claim Type
E-Mail-Addresses 🡪 E-Mail Address
E-Mail-Addresses 🡪 EmailAddress
E-Mail-Addresses 🡪 Name ID
SAM-Account-Name 🡪 UserID
Given-Name 🡪 FirstName
Surname 🡪 LastName


  11. Right-click the relying party trust again and choose 'Edit Claim Issuance Policy...'. Click 'Add Rule' and choose 'Transform an Incoming Claim' as the claim rule template.


  12. Give the claim rule a name, choose the values as follows and click Finish.
Incoming claim type 🡪 E-Mail Address
Outgoing claim type 🡪 Name ID
Outgoing name ID format 🡪 Email
Select 'Pass through all claim values'
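The ADFS side of steps 4 to 12 as a script, plus a pre-check for the IdP metadata of step 2. This is an added PowerShell example, not part of the original post and not Automation Anywhere's or Microsoft's code; it is run on the ADFS server (2016 or later, where access control policies exist) by an ADFS administrator. The host name adfs.example.com, the path C:\sso\ControlRoomMetadata.xml for the XML saved in step 3, the trust name 'AAE Control Room' and the entity ID 'ADFSAAEIntegration' are assumptions.

```powershell
# Added example (not from the original post): ADFS relying party trust and claim
# rules for the AAE Control Room. Assumed values are marked; adjust to your setup.
$ErrorActionPreference = 'Stop'
Import-Module ADFS

$IdpHost        = 'adfs.example.com'                 # assumption: your ADFS host
$CrMetadataFile = 'C:\sso\ControlRoomMetadata.xml'   # assumption: file saved in step 3
$CrEntityId     = 'ADFSAAEIntegration'               # must equal the Control Room 'Unique entity ID'
$TrustName      = 'AAE Control Room'                 # assumption: display name in ADFS

# Step 2 check: the IdP metadata the Control Room will consume must come from the
# ADFS server over TLS and carry at least one signing certificate, otherwise the
# Control Room has no key to validate assertion signatures against.
$metaUrl = "https://$IdpHost/FederationMetadata/2007-06/FederationMetadata.xml"
[xml]$idp = (Invoke-WebRequest -UseBasicParsing -Uri $metaUrl).Content
$ns = New-Object System.Xml.XmlNamespaceManager($idp.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
$idpEntityId = $idp.SelectSingleNode('/md:EntityDescriptor', $ns).GetAttribute('entityID')
$signing = $idp.SelectNodes(
    '//md:IDPSSODescriptor/md:KeyDescriptor[@use="signing"]/ds:KeyInfo/ds:X509Data/ds:X509Certificate', $ns)
if ($signing.Count -eq 0) { throw "No signing certificate in $metaUrl" }
foreach ($node in $signing) {
    $raw  = [Convert]::FromBase64String($node.InnerText.Trim())
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($raw)
    # The Control Room keeps a pasted copy of this metadata, so note the expiry:
    # after a token-signing certificate rollover the metadata must be re-entered.
    "IdP $idpEntityId signing cert $($cert.Thumbprint) valid until $($cert.NotAfter)"
}

# Steps 4 to 6: claims-aware relying party trust imported from the Control Room
# metadata file. The identifier is taken from the file's entityID; verify it
# matches the value entered in the Control Room, as step 6 requires.
Add-AdfsRelyingPartyTrust -Name $TrustName -MetadataFile $CrMetadataFile
$rp = Get-AdfsRelyingPartyTrust -Name $TrustName
if ($rp.Identifier -notcontains $CrEntityId) {
    throw "Trust identifier $($rp.Identifier -join ',') does not match Control Room entity ID $CrEntityId"
}

# Steps 9 to 12 in claim rule language. Outgoing types not in ADFS's drop-down
# (EmailAddress, UserID, FirstName, LastName) are literal, case-sensitive strings;
# 'E-Mail Address' and 'Name ID' are the standard claim URIs. The second rule is
# what stamps the Email name ID format onto the Name ID the Control Room reads.
$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "AAE LDAP attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "EmailAddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", "UserID", "FirstName", "LastName"), query = ";mail,mail,mail,sAMAccountName,givenName,sn;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "AAE email as Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Step 7: the post uses 'Permit everyone'. For production, replace it with
# 'Permit specific group' and the AD group that should reach the Control Room.
Set-AdfsRelyingPartyTrust -TargetName $TrustName `
    -IssuanceTransformRules $rules `
    -AccessControlPolicyName 'Permit everyone'

# Final state, for the change record.
Get-AdfsRelyingPartyTrust -Name $TrustName |
    Select-Object Name, Identifier, AccessControlPolicyName, Enabled
```

Run it once from an elevated PowerShell on the ADFS server; re-running the Add-AdfsRelyingPartyTrust line fails because the trust already exists, so for repeated runs keep only the Set-AdfsRelyingPartyTrust part. If 'Encrypt SAML Assertion' was enabled in step 2, the Control Room metadata file carries the encryption certificate and ADFS picks it up during the import without further configuration.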

Now you should be able to log in to Automation Anywhere Enterprise using SSO. You may use the UPN format of the user name to log in.
