cancel
Showing results for 
Search instead for 
Did you mean: 
TomiHeikkinen
Level 4

Currently when enabling Active Directory authentication for Blue Prism, it forces SSO. Please add option to switch from SSO to manual login (username & password prompt) with an AD account.

For example in our DEV environment, we use robot accounts (which has the required system access rights what are used in the process) that are used to login to development resource machines to do the development on. We are doing this to simulate how they are ran in production environment. These robot accounts have not been added to Blue Prism user roles or given access rights to log in to Blue Prism. This in turn means that we can't launch in a normal way, when the SSO is forced on. This will give an error that user is not authorized to connect to the Blue Prism server.

We have circumvented this by adding a separate batch script that prompts username & password (which has access rights to Blue Prism) to launch automate.exe with -> sends those credentials to Blue Prism server and allows login.

6 Comments
ChristianPanhan
Level 6

I wonder if the Windows-Option "Run As Different User" could help you. I'm using this in cases where I want to start Blu Prism on my Machine with a different AD-Account for testing purposes. And it works fine.

https://winaero.com/blog/add-run-start-menu-windows-10/

TomiHeikkinen
Level 4

Thanks Christian.

Yes, this is how we have circumvented this, we created a bat script + shortcut to Public folders on each machine:

@echo off
set /p Username=Insert Username:
C:\Windows\System32\runas.exe /savecred /user:DOMAIN\%Username% "C:\Program Files\Blue Prism Limited\Blue Prism Automate\Automate.exe"

However, we'd like to avoid any "extra" steps to launch the system, that might cause confusion in the users.

In my opinion manual login should be made available by default, any other authentication methods/features (in this case SSO) should come after that. Some organizations might run into issues with this or even unable to activate AD authentication, if security policies have forced "Deny logon locally" or other policies preventing launching applications as different user.

TomiHeikkinen
Level 4

We actually ran into issues with this workaround method.

If the automate.exe is started with "run as another account", all calls to launch applications from process are started with this same account.

1. Developer logs in to resource with robotic account "A". This account has proper permission to our business software.
2. Developer starts automate.exe with "runas" and uses their personal domain-account "B", these domain accounts have been granted login & edit rights to Blue Prism DEV environment. This way automate.exe can send "B" credentials to authenticate into BP.
3. Then on process level, when business application launches are called, automate.exe seems to call the target software to start with the same "B" credentials the automate.exe is running -> This account does not have access rights to the target software.

Only workaround is to grant login & edit rights to the robotic/development accounts (Type "A"). This defeats the purpose of AD authentication in our environment.

Implementing a "manual" AD login to the BP login screen, would fix this issue:

1. Developer logs in to Windows with robotic account "A"
2. Developer starts BP normally (no run as)
3. In Blue Prism login screen, developer types in manually the authorized personal domain account "B"

= Automate.exe is running with the robotic account, process level launches start with the robotic account that has proper access rights to target software. Blue Prism used with a personal domain account that leaves a clear audit trail and is managed centrally with our IDM & AD tools.

MelanieGiuliani
Community Team (Retired)
Hi Tomi,

Thanks so much for submitting your idea! We are moving it into the
 Under Consideration status while we route the idea through our internal review process. 

We will update you as your idea moves along the lifecycle.

Thank you!
Melanie 
RomanErlmoser
Level 2
From our side is the same need. But, with running BP on a different user on Windows, will not work. The Developer-User have no permission on the Ressource to login.
I would would prefer some LDAP-Integration. That might help.
RomanErlmoser
Level 2
In my opinion the easiest way to implement such function would be via LDAP.

I am planning a little workaround with using SAML in authentication. With our ADFS, we can configure forcing login there and login as a different windows account. Not the nicest solution, but actually Blue Prism haves room for improvement in authentication procedure.