Normally you already have an identity provider that you want to use. If you don't already have an identity provider, a third-party identity provider can be used, such as Okta (3rd party SaaS) or Keycloak (open source that can be run on premise). With Okta, advanced security features such as two-factor authentication can be enabled, if that is a requirement.
B. Configure Orchestra to use https
To use SAML 2.0 Web SSO, HTTPS must be enabled in Orchestra. Otherwise there is a risk that the authorization tokens are compromised. Enable HTTPS according to the reference manual.
C. Configure Orchestra and the identity provider to trust each other
All identity providers have their own instructions on how to create and register an application. Set up the identity provider following those instructions. Below are the specific settings for configuring Orchestra in Azure AD, but these settings are valid for other identity providers as well.
Identifier (Entity ID) is what in Orchestra is called Service Provider Entity ID. What is configured as Entity ID in the identity provider and in Orchestra should be the same for this value. In Orchestra, this is found in System Administration > Parameters. In other identity providers, this could be called e.g. Audience URI, Entity ID or Client ID.
In this example the host is t92.qmaticcloud.com and the port is 8443.
The URL is different for every Orchestra agent which means you might have to add several URLs. The URL for your agent(s) can be found in System Administration > Queue Agents > Agents.
Once the Entity ID and the URL are configured, download the identity provider metadata file from the identity provider. For Azure AD, that can be downloaded from the link here.
Rename the downloaded file to saml-integration.xml and do the following:
• For Orchestra Central, put the file in orchestra/system/conf folder.
• For distributed queue agents, put the file in orchestra/system/media/agentProfile/ <wanted agent profile> /conf. Then do a remote upgrade.
Restart Orchestra for changes to go into effect.
At this point, you should make sure that the SAML flow between Orchestra and the identity provider is working.
1. Start by creating a test user in the identity provider that doesn't have any roles assigned.
2. Log out the test user from the identity provider.
3. Go to Orchestra and see if you are redirected to the identity provider.
4. Log in to the identity provider with your test user credentials.
5. If it is successful, you should be redirected to the following screen.
As you can see, it says User has no applications, which is correct because you have not yet configured any roles for this test user. However, it shows that the SAML flow between Orchestra and the identity provider is working. If it is not working, see “Troubleshooting”
If everything seems to be working properly, the next step is to assign roles and branch access to users.
D. Set up attribute identifiers and assign users with different access rights
1. Configure Orchestra and the identity provider to have the same attribute identifiers. This step is needed to provide roles, language settings and branch access for each user.
In Orchestra you can see the settings here:
• The default values are selected to match Azure AD. If you have another identity provider, make sure all the attribute identifiers match.
• The attribute for Locale attribute identifier should match a language previously added to Orchestra (see Localisation chapter). If the identity provider uses a combined format such as locale+country (e.g. sv_SE or sv-SE), only the first characters ("sv") are used to match against the Orchestra languages. Users with an unknown language code, or without the locale attribute will get English.
• The attribute for RTL controls whether the user should have a Right-To-Left layout. If this attribute contains "true" or "rtl" a Right-To-Left layout will be used. If the attribute is missing or contains some other value, Left-To-Right will be used.
Once this is done the identity provider and Orchestra can exchange user attributes.
2. The last step is to configure the role and branch mapping in Orchestra. This is configured in User management in the LDAP/SAML tab. You also need to implement a method for assigning user correct mapping and all users should be added to the identity provider. For more information about user management with SAML, see the SAML user management section in the User Management chapter in the Administrator’s Guide.
Identifier (Entity ID) is what in Orchestra is called Service Provider Entity ID. What is configured as Entity ID in the identity provider and in Orchestra should be the same for this value. In Orchestra, this is found in System Administration > Parameters. In other identity providers, this could be called e.g. Audience URI, Entity ID or Client ID.
Reply URL should be the following: 
Once the Entity ID and the URL are configured, download the identity provider metadata file from the identity provider. For Azure AD, that can be downloaded from the link here.
