- Overview
- Data security and compliance
- Organizations
- Tenants
- Licensing
- Accounts and roles
- External applications
- Logging
Authentication Settings
Automation Cloud™ offers several options so that you can choose your preferred authentication type.
You can customize authentication settings from Admin > Security Settings > Authentication Settings.
The directory accounts model relies on a third-party directory that you integrate with Automation Cloud. This lets you reuse your company's established identity scheme in Automation Cloud.
- Azure Active Directory: If you have a Microsoft Azure or Office 365 subscription, you can integrate Azure with Automation Cloud to use your existing users and groups from Azure Active Directory within Automation Cloud.
- SAML 2.0: Lets you integrate Automation Cloud with your chosen identity provider (IdP). This lets your users connect to Automation Cloud with single sign-on (SSO) using the accounts that are already registered with your IdP.
Directory user accounts are created and maintained in a directory which is external to Automation Cloud. Directory accounts are only referenced in Automation Cloud and used as identities for your users.
The integration with Azure Active Directory (Azure AD) can offer scalable user and access management for your organization, allowing for compliance across all the internal applications used by your employees. If your organization is using Azure AD or Office 365, you can connect your Automation Cloud organization directly to your Azure AD tenant to obtain the following benefits:
-
Automatic user onboarding with seamless migration
- All users and groups from Azure AD are readily available for any Automation Cloud service to assign permissions, without the need to invite and manage Azure AD users in the Automation Cloud organization directory.
- You can provide Single Sign-On for users whose corporate username differs from their email address, which is not possible with the invitation-based model.
- All existing users with UiPath user accounts have their permissions automatically migrated to their connected Azure AD account.
-
Simplified sign-in experience
- Users do not have to accept an invitation or create a UiPath user account to access the Automation Cloud organization. They sign in with their Azure AD account by selecting the Enterprise SSO option or using their organization-specific URL. If the user is already signed in to Azure AD or Office 365, they are automatically signed in.
- UiPath Assistant and Studio versions 20.10.3 and higher can be preconfigured to use a custom Orchestrator URL, which leads to the same seamless connection experience.
-
Scalable governance and access management with existing Azure AD groups
- Azure AD security groups or Office 365 groups, also known as directory groups, allow you to leverage your existing organizational structure to manage permissions at scale. You no longer need to configure permissions in Automation Cloud services for each user.
- You can combine multiple directory groups into one Automation Cloud group if you need to manage them together.
-
Auditing Automation Cloud access is simple. After you've configured permissions in all Automation Cloud services using Azure AD groups, you utilize your existing validation processes associated with Azure AD group membership.
This model allows you to connect Automation Cloud to your chosen identity provider (IdP) so that:
- your users can benefit from single sign-on (SSO) and
- you can manage existing accounts from your directory in Automation Cloud, without having to re-create identities.
Automation Cloud can connect to any external identity provider that uses the SAML 2.0 standard.
Benefits
-
Automatic onboarding of users to Automation Cloud: All users from your external identity provider are authorized to sign in to Automation Cloud with basic rights when the SAML integration is active. What this means is:
- Users can sign in to your Automation Cloud organization via SSO using their existing company account, as defined in the IdP.
- Without any further setup, they become members of the Everyone user group, which grants them the User organization role by default. To be able to work in Automation Cloud, users require roles and licenses, as appropriate for their role.
-
If you need to restrict access to only some of your users, you can define the set of users who are allowed to access Automation Cloud in your identity provider.
-
User management: You can add users by directly assigning them to Automation Cloud groups, to do this all you have to do is enter their email address when adding users to the group.
Typically, organization administrators manage local accounts from Admin > Accounts & Groups > Users tab. But SAML users are directory accounts in Automation Cloud, so they are not visible on this page.
After a user has been added to a group or they have signed in at least once (which automatically adds them to the Everyone group), they are available in search in all services across Automation Cloud for direct role or license assignment.
- Attribute mapping: If you use UiPath Automation Hub, for example, you can define custom attribute mapping to propagate attributes from your identity provider into Automation Cloud. For example, when an account is first added to Automation Hub, the first name, last name, email address, job title, and department of the user are already populated.
More about cloud identity and authenticationThe identity of your users is verified in Automation Cloud, more precisely by the Cloud Portal, based on your organization directory. From here, based on user permissions assigned through roles and groups, they can access all your UiPath cloud services with only one set of credentials.The below diagram describes the two identity models, how they work with the various user identities, and how federation can be achieved.In the invitation-based model, identity management is performed on a user reference in the organization directory, while users remain in control of their accounts. But if integrated with Azure Active Directory (Azure AD), it's as simple as looking at the contents of your tenant directory in Azure AD, depicted below with an orange arrow.
