UiPath Automation Cloud™ Guide

Authentication options

Overview


This page describes the available authentication models for Automation Cloud that you can choose from.
Choosing the authentication settings for your organization (Admin > Security Settings > Authentication Settings) affects more than the way your users sign in to Automation Cloud. The selected option can also change the way in which you manage user accounts for Automation Cloud.

While we offer several authentication models for controlling access to your Automation Cloud organization, they fall into two categories: models that use local user accounts and models that use directory user accounts.

Local user accounts are the UiPath accounts of your users; they are internal to Automation Cloud.
Directory user accounts, on the other hand, are created and maintained in a directory that is external to Automation Cloud. Directory accounts are only referenced in Automation Cloud and used as identities for your users.

 

Models that use local accounts


Invitation-based model

This model applies to any new organization by default. It is easy to use, quick to set up, and convenient for your users.

The process for creating a user is as follows:

  1. Organization administrators must obtain the email addresses of users and use them to invite each user to join their organization. They can do this in bulk.

  2. Each invited employee accepts the invitation by navigating to the link provided in the invitation email and creates a UiPath user account. They can:

    • Use the invited email as a username and create a password.
    • Use an existing account they have with Microsoft (personal, Azure AD-linked account, or Office 365 account), Google (personal or Google Workspace account), or their personal LinkedIn account to sign in to (or federate in to) their UiPath user account.

    The ability to use one of the providers mentioned above is convenient for users, who do not have to remember additional passwords. Using organization-owned accounts in Azure AD or Google Workspace also lets you enforce organization sign-in policies.

  3. Organization administrators can now add users to groups to grant roles as needed so that users have the required access.

 

Invitation-based model with enforced sign in option

In this model you create users in the same way as in the invitation-based model: you issue an invitation to their email address and your users must create a UiPath account. The difference is that you can choose to enforce sign in using either:

  • Google or
  • Microsoft

So instead of seeing all sign in options, your users see only the one you selected.

For example, here's what your users would see if you chose to enforce sign in with Microsoft:

[Screenshot: sign-in page with Microsoft as the only sign-in option]

They still use their UiPath account to sign in. The account must use the email address where the invitation was sent.

📘

Tokens for external applications

If you have authorized external applications for your organization, tokens generated while using other providers remain valid, but any new tokens follow the enforced sign in policy.

 

Models that use directory accounts


These models all rely on a third-party directory that you integrate with Automation Cloud. This lets you reuse your company's established identity scheme in Automation Cloud.

📘

Compatibility with the invitation-based model

You can continue to use all the features of the invitation-based model in conjunction with a directory model. But to maximize the benefits, we recommend relying exclusively on centralized account management from your integrated directory.

Azure Active Directory model

🚧

Enterprise only

This feature is only available if your organization has an Enterprise license.

The integration with Azure Active Directory (Azure AD) can offer scalable user and access management for your organization, allowing for compliance across all the internal applications used by your employees. If your organization is using Azure AD or Office 365, you can connect your Automation Cloud organization directly to your Azure AD tenant to obtain the following benefits:

Automatic user onboarding with seamless migration
  • All users and groups from Azure AD are readily available for any Automation Cloud service to assign permissions, without the need to invite and manage Azure AD users in the Automation Cloud organization directory.

  • You can provide Single Sign-On for users whose corporate username differs from their email address, which is not possible with the invitation-based model.

  • All existing users with UiPath user accounts have their permissions automatically migrated to their connected Azure AD account.


Simplified sign-in experience
  • Users do not have to accept an invitation or create a UiPath user account to access the Automation Cloud organization. They sign in with their Azure AD account by selecting the Enterprise SSO option or using their organization-specific URL.

    If the user is already signed in to Azure AD or Office 365, they are automatically signed in.

  • UiPath Assistant and Studio versions 20.10.3 and higher can be preconfigured to use a custom Orchestrator URL, which leads to the same seamless connection experience.


Scalable governance and access management with existing Azure AD groups
  • Azure AD security groups or Office 365 groups, also known as directory groups, allow you to leverage your existing organizational structure to manage permissions at scale. You no longer need to configure permissions in Automation Cloud services for each user.

  • You can combine multiple directory groups into one Automation Cloud group if you need to manage them together.

  • Auditing Automation Cloud access is simple. After you've configured permissions in all Automation Cloud services using Azure AD groups, you can use your existing validation processes associated with Azure AD group membership.


📘

API Access

The API Access option (Admin > Tenants) is not available when using the Azure AD model.
If you have processes in place that use the information from the API Access window to authenticate API calls to UiPath services, you must switch to using OAuth for authorization, in which case the information from API Access is no longer required.
To use OAuth, you must register external applications to Automation Cloud.

 

SAML model

🚧

Enterprise only

This feature is only available if your organization has an Enterprise license.

This model allows you to connect Automation Cloud to your chosen identity provider (IdP) so that:

  • your users can benefit from single sign-on (SSO) and
  • you can manage existing accounts from your directory in Automation Cloud, without having to re-create identities.

Automation Cloud can connect to any external identity provider that uses the SAML 2.0 standard.

Benefits

Automatic onboarding of users to Automation Cloud

All users from your external identity provider are authorized to sign in to Automation Cloud with basic rights when the SAML integration is active. What this means is:

  • Users can sign in to your Automation Cloud organization via SSO using their existing company account, as defined in the IdP.

  • Without any further setup, they become members of the Everyone user group, which grants them the User organization role by default. To be able to work in Automation Cloud, users require roles and licenses, as appropriate for their role.

If you need to restrict access to only some of your users, you can define the set of users who are allowed to access Automation Cloud in your identity provider.


User management

You can add users by directly assigning them to Automation Cloud groups. To do this, enter their email address when adding users to the group.

Typically, organization administrators manage local accounts from Admin > Accounts & Groups > Users tab. But SAML users are directory accounts in Automation Cloud, so they are not visible on this page.

After a user has been added to a group or they have signed in at least once (which automatically adds them to the Everyone group), they are available in search in all services across Automation Cloud for direct role or license assignment.


Attribute mapping

If you use UiPath Automation Hub, you can define custom attribute mapping to propagate attributes from your identity provider into Automation Cloud. For example, when an account is first added to Automation Hub, the first name, last name, email address, job title, and department of the user are already populated.


Setup

Organization administrators can configure and enable the SAML integration for your entire organization from Admin > Security Settings > Authentication Settings.
For instructions, see Configuring the SAML integration.

Transitioning from the Azure AD integration to the SAML integration

After switching to the SAML integration, the Azure AD integration is disabled. Azure AD group assignments no longer apply, so Automation Cloud group membership and the permissions inherited from Azure AD are no longer respected.
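
A pre-switch check for the caveat above, as an added example that is not part of the UiPath documentation: it expands Azure AD directory-group membership into per-group email lists, so the same users can be added to Automation Cloud groups by email address once directory-group assignments stop applying. The data layout, group names and accounts are constructed, and it assumes your identity provider identifies users by their mail address.

```python
# Added example: constructed data and hypothetical names, not a UiPath export format.

# Automation Cloud group -> Azure AD directory groups assigned to it (constructed).
AC_GROUP_DIRECTORY_GROUPS = {
    "Automation Developers": ["aad-rpa-dev", "aad-rpa-leads"],
    "Administrators": ["aad-it-admins"],
}

# Directory group -> members as (userPrincipalName, mail) pairs (constructed).
DIRECTORY_GROUP_MEMBERS = {
    "aad-rpa-dev": [("ana@example.com", "ana@example.com"),
                    ("bkim@corp.example.com", "ben.kim@example.com")],
    "aad-rpa-leads": [("ana@example.com", "ana@example.com")],
    "aad-it-admins": [("svc-ops@corp.example.com", None)],
}


def plan_saml_group_assignments(ac_groups, directory_members):
    """Expand directory-group membership into per-group email lists.

    Returns (plan, needs_review):
      plan         -- Automation Cloud group -> sorted email addresses to add
      needs_review -- sorted (group, name, reason) tuples needing a manual decision
    """
    plan, needs_review = {}, set()
    for ac_group, dir_groups in ac_groups.items():
        emails = set()
        for dir_group in dir_groups:
            members = directory_members.get(dir_group)
            if members is None:
                needs_review.add((ac_group, dir_group, "directory group not in export"))
                continue
            for upn, mail in members:
                if not mail:
                    # No mailbox: cannot be added to a group by email address.
                    needs_review.add((ac_group, upn, "no e-mail address"))
                    continue
                if mail.lower() != upn.lower():
                    # Still planned, but confirm which identifier the IdP sends.
                    needs_review.add((ac_group, upn, "username differs from e-mail"))
                emails.add(mail.lower())  # a set removes duplicates across groups
        plan[ac_group] = sorted(emails)
    return plan, sorted(needs_review)


if __name__ == "__main__":
    plan, review = plan_saml_group_assignments(AC_GROUP_DIRECTORY_GROUPS,
                                               DIRECTORY_GROUP_MEMBERS)
    for group, emails in plan.items():
        print(group, "->", emails)
    for item in review:
        print("REVIEW:", item)
```

Accounts listed for review are those the email-based group assignment cannot cover without a decision, such as service accounts without a mailbox or users whose corporate username differs from their email address.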

 

Which model is best for me?


Here are some factors to consider when choosing the authentication setting for your Automation Cloud organization:

Factor

Invitation-based

Invitation-based with enforced option

Azure Active Directory

SAML

Community license

Enterprise license

Support for local accounts (UiPath account)

Support for directory accounts

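User account management
  • Invitation-based: Automation Cloud organization administrator
  • Invitation-based with enforced option: Automation Cloud organization administrator
  • Azure Active Directory: Azure AD administrator
  • SAML: Administrator of your identity provider

User access management
  • Invitation-based: Automation Cloud organization administrator
  • Invitation-based with enforced option: Automation Cloud organization administrator
  • Azure Active Directory: Automation Cloud user management can be delegated entirely to Azure AD
  • SAML: Automation Cloud organization administrator

Single sign-on
  • Invitation-based: (with Google, Microsoft, or LinkedIn)
  • Invitation-based with enforced option: (with Google or Microsoft)
  • Azure Active Directory: (with Azure AD account)
  • SAML: (with IdP account)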

Enforce a complex password policy

(if enforced from the IdP)

(if enforced from AAD)

(if enforced from the IdP)

Multi-factor authentication

(if enforced from the IdP)

(if enforced from AAD)

(if enforced from the IdP)

Reuse your company's existing identities

Large-scale user onboarding
  • Invitation-based: (all users must be invited)
  • Invitation-based with enforced option: (all users must be invited)
  • Azure Active Directory: (just-in-time account provisioning)
  • SAML: (just-in-time account provisioning)

Access for collaborators from outside your company

(through invitation)

(through invitation for account on enforced IdP)

(if allowed by the IdP)

Restrict access from inside corpnet

(if enforced from the IdP)

Restrict access to trusted devices

(if enforced from the IdP)

 

Reusing your identity directory

If your company already uses a directory to manage employee accounts, the following comparison can help you find the most advantageous authentication option for you.

Already using Google Workspace as your identity provider?
  • Invitation-based: users need a UiPath account, but SSO is also possible
  • Invitation-based with enforced option: users need a UiPath account, but enforced SSO with Google is possible
  • Azure Active Directory: N/A
  • SAML: N/A

Already using Office 365 with your identity provider?
  • Invitation-based: users need a UiPath account
  • Invitation-based with enforced option: users need a UiPath account
  • Azure Active Directory: you can grant access to Automation Cloud to existing user accounts
  • SAML: you can grant access to Automation Cloud to existing user accounts

Already using Azure AD as your identity provider?
  • Invitation-based: users need a UiPath account
  • Invitation-based with enforced option: users need a UiPath account
  • Azure Active Directory: you can grant access to Automation Cloud to existing user accounts
  • SAML: we recommend using the AAD integration instead of the SAML integration

Already using another identity provider?
  • Invitation-based: users need a UiPath account
  • Invitation-based with enforced option: users need a UiPath account
  • Azure Active Directory: you can grant access to Automation Cloud to existing user accounts
  • SAML: you can grant access to Automation Cloud to existing user accounts
