Your organization can choose from the following models for creating users in Automation Cloud:
- When using the invitation-based model, which is the default model set for any new organization, the organization administrator sends an email invitation to users and they in turn create a UiPath account to accept the invitation and sign in to Automation Cloud.
- If you have a Microsoft Azure or Office 365 subscription, you can also integrate Azure with Automation Cloud to use your existing users and groups from Azure Active Directory with the Azure Active Directory model (preview).
More about cloud identity and authentication
The identity of your users is verified in Automation Cloud, more precisely by the Cloud Portal, based on your organization directory. From here, based on user permissions assigned through roles and groups, they can access all your UiPath cloud services with only one set of credentials.
The diagram below describes the two identity models, how they work with the various user identities, and how federation can be achieved.
In the invitation-based model, identity management is performed on a user reference in the organization directory, while users remain in control of their accounts. When integrated with Azure Active Directory (Azure AD), identity management is as simple as looking at the contents of your tenant directory in Azure AD, depicted below with an orange arrow. You can read more about each model in the following sections.
Organization administrators can choose the model to use for your organization by going to Admin > Users and Groups > Authentication Settings:
The invitation-based model (selected in the image above) is set by default for any new organization.
The invitation-based model allows you to enforce sign in with a chosen provider. For more information about this model, see Invitation-based Model with Enforced Sign In Option.
To switch to this model, go to Admin > Users and Groups > Authentication Settings, select one of the Enforce Sign In with... options, and then click Save.
After saving, users can only see the sign in option for the provider you selected. If they are already signed in using a different provider, they are asked to sign out and sign back in using the chosen provider.
If you have authorized external applications for your organization, tokens generated while using other providers remain valid, but any new tokens follow the enforced sign in policy.
To switch to the Azure AD model, see Setting Up the Azure AD Integration for instructions.
The API Access option (Admin > Tenants) is not available when using the Azure AD model.
If you have processes in place that use the information from the API Access window to authenticate API calls to UiPath services, you must register external applications to switch to using OAuth for authorization. After you switch, the information from API Access is no longer required.
To switch from the Azure AD model back to the invitation-based model...
- Log in as an organization administrator using a UiPath account. The options are not active otherwise.
- If you removed UiPath user accounts when you moved to the Azure AD model, invite all users to the organization so that users are created again for their UiPath accounts.
- Assign users to groups and, if needed, assign individual roles.
- Go to **Admin** > **Users and Groups** > **Authentication Settings** and select one of the other options.
- Click **Save**.
After saving, users must sign in with the UiPath account (new or existing) that they used to accept the invitation.
Updated 5 months ago