Test Cloud Administrator Guide
Public preview: SCIM User Sync is currently in public preview.
This feature is available with the Enterprise licensing plan.
Feature availability depends on the cloud offering you use. For more information, see the Feature availability page.
The SCIM (System for Cross-domain Identity Management) directory integration enables enterprises to securely synchronize user identities and lifecycle events between UiPath and their corporate identity providers (IdPs). Building on existing Microsoft Entra ID and Security Assertion Markup Language (SAML)-based Single Sign-On (SSO) integrations, SCIM User Sync automates user creation, updates, and deprovisioning, eliminating manual identity management while maintaining centralized control.
Key features
Automated user lifecycle management
Synchronizes user creation, updates, and deletion between your IdP and UiPath.
User attribute synchronization
User attributes — name, email, job title, department, and other attributes — are automatically updated as directed by the SCIM source directory. Changes are reflected in UiPath without requiring a re-login.
Deprovisioning and compliance
Ensures secure access control and releases license allocations when employees leave the organization, helping you comply with data retention and audit requirements.
Supported identity providers
- Microsoft Entra ID (Azure AD)
- Okta
Supported SCIM operations
| Resource | Operation | Description |
|---|---|---|
| Users | GET, POST, PUT, PATCH, DELETE | Retrieve, create, modify, or deactivate users |
| Groups | Not supported | Groups and group memberships are not synced through SCIM |
SCIM User Sync provisions users only — groups and group memberships are not synced. For how group-based access behaves under each SSO method, see the following Feature comparison by SSO method section.
The SCIM 2.0 server also exposes the standard service discovery endpoints under your SCIM base URL (the SCIM URL from setup, for example https://cloud.uipath.com/{orgId}/identity_/api/scim/v2):
- .../ServiceProviderConfig
- .../ResourceTypes
- .../Schemas
These endpoints accept requests authenticated with your SCIM authorization token and return the supported server capabilities, resource types, and schemas.
User lifecycle management
SCIM manages the following lifecycle events:
- Provisioning: When a user is assigned in the source directory, the IdP pushes the user to UiPath.
- Updating: When a user's attributes change in the source directory, the IdP pushes updates to UiPath.
- Deprovisioning:
  - Deactivate: When a user is deactivated or unassigned in the source directory, UiPath marks them as deactivated.
  - Delete: When a user is deleted from the source directory, UiPath deletes the user.
- Reactivation: When a user is reactivated in the source directory, UiPath reactivates them. Licenses must be reassigned after reactivation.
The following table describes how each lifecycle event affects UiPath:
| | Create | Update | Deactivate | Delete |
|---|---|---|---|---|
| Admin — user and group management | The user becomes available to query and assign groups, roles, and permissions. | User attributes are updated. | All roles and permissions are preserved. | All records of the user are deleted. |
| License management | – | – | The user's license is released and returned to your available pool. | The user's license is released and returned to your available pool. |
| First-party services (Orchestrator, Automation Hub, Task Mining) | – | – | The user is marked inactive; artifacts that reference them show an inactive indicator. | The user is removed; artifacts that reference them show an inactive indicator. |
| Other services | Future release | Future release | Future release | Future release |
When a user is deactivated or disabled in your identity provider — not only when they are deleted — UiPath automatically releases their license and returns it to your available pool for reassignment. This lets you reclaim licenses from departing or inactive users without manual cleanup. If the user is later reactivated, licenses must be reassigned.
Authorization methods
The following authorization methods are available depending on your identity provider:
| Authorization method | Entra ID | Okta |
|---|---|---|
| Long-lived bearer token | Supported | Supported |
| OAuth authorization code grant | Not supported | Supported |
| OAuth client credentials grant | Supported | Not supported |
Directory behavior with SCIM enabled
When SCIM is enabled, UiPath sources directory users exclusively from the users provisioned through SCIM. Only SCIM-provisioned users are returned wherever directory users are searched or queried — including when you search for users in the UiPath admin portal and through the directory API. This applies to both Microsoft Entra ID and SAML integrations:
- Microsoft Entra ID: UiPath does not call the Microsoft Graph API to fetch users — users are served from the SCIM-provisioned directory. (Group search still uses a real-time Graph API call.)
- SAML: Users that were not provisioned through SCIM are filtered out of directory results.
The set of users who can sign in must be exactly the same as the set of users provisioned through SCIM. Because directory queries return only SCIM-provisioned users, a user who can authenticate but was not provisioned through SCIM cannot be found, assigned permissions, or otherwise managed in UiPath. The users assigned to your SSO application and your SCIM application must be identical.
Feature comparison by SSO method
The following table compares how SCIM User Sync behaves depending on the SSO method configured for your organization:
| | Entra ID SSO + SCIM | SAML SSO + SCIM |
|---|---|---|
| How are directory users logged in? | Single sign-on using the OpenID Connect (OIDC) protocol via the organization-specific URL. | Single sign-on using SAML 2.0 protocol via the organization-specific URL. |
| How and when are directory users provisioned? | Users are provisioned from the SCIM source directory to UiPath upon configuration; subsequent updates are pushed asynchronously. | Users are provisioned from the SCIM source directory to UiPath upon configuration; subsequent updates are pushed asynchronously. |
| How and when are directory user attributes updated? | User attributes are updated in UiPath asynchronously as directed by the SCIM source directory. | User attributes are updated in UiPath asynchronously as directed by the SCIM source directory. |
| How and when are directory users deprovisioned or deactivated? | Users are deprovisioned or deactivated in UiPath asynchronously as directed by the SCIM source directory. | Users are deprovisioned or deactivated in UiPath asynchronously as directed by the SCIM source directory. |
| How and when are directory groups provisioned? | Directory groups are not provisioned via SCIM, but are materialized in a cached directory upon permission or role assignment in UiPath. | Directory groups are not provisioned via SCIM. |
| How is directory group membership evaluated? | Group membership is evaluated with a real-time Microsoft Graph API call. | Group membership is not evaluated via SCIM. Just-in-time (JIT) provisioning rules can place users into local UiPath groups based on SAML claims. |
| How are directory users searched and assigned permissions? | A call is made to UiPath's cached directory of SCIM-provisioned users. You must be signed in using Enterprise SSO to query directory users. | A call is made to UiPath's cached directory of SCIM-provisioned users. You must be signed in using Enterprise SSO to query directory users. |
| How are directory groups searched and assigned permissions? | A call is made to UiPath's directory for local users and to Entra ID for directory groups via a real-time Microsoft Graph API call. | Directory groups cannot be queried. JIT provisioning rules can be configured to automatically place users into local UiPath groups. |
Attribute mapping
The following table shows how SCIM attributes map to UiPath user attributes. Your identity provider sends the SCIM attribute; UiPath stores it as the UiPath user attribute.
| SCIM attribute | UiPath user attribute | Required |
|---|---|---|
| externalId | Directory identifier used to match and link the user | Yes |
| userName | Username | Yes |
| displayName | Display name | Yes |
| emails[type eq "work"].value | | |
| name.givenName | First name | |
| name.familyName | Last name | |
| title | Job title | |
| addresses[type eq "work"].locality | City | |
| urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department | Department | |
| urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:organization | Company name | |
externalId is how UiPath identifies and links each provisioned user, so it must be stable and unique — it is stored as the user's directory ID. Okta populates externalId automatically; in Microsoft Entra ID you must map it explicitly (typically to the user's object ID) in the SCIM attribute mappings.
Your identity provider's attribute mappings must include these required fields before SCIM provisioning is enabled.
The attributes your identity provider sends must map to the SCIM attributes UiPath expects, as listed in the preceding attribute mapping table. When SAML SSO is in use, the SAML attribute mappings must produce these values — in particular, the userName sent through SCIM must match the identifier used in the SAML assertion, so that a provisioned user and their SSO login resolve to the same UiPath user.
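The following pre-flight check is an added example, not UiPath code: it resolves each SCIM path from the mapping table against a user resource and reports missing required attributes and a userName that differs from the SAML identifier. The names `resolve`, `check_user` and `SAMPLE` are hypothetical, the sample payload is constructed, and the strict string comparison is an assumption.

```python
import re

ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
# SCIM paths from the mapping table; REQUIRED holds the rows the table marks as required.
REQUIRED = ("externalId", "userName", "displayName")
OPTIONAL = ('emails[type eq "work"].value', "name.givenName", "name.familyName", "title",
            'addresses[type eq "work"].locality',
            ENTERPRISE + ":department", ENTERPRISE + ":organization")
_FILTER = re.compile(r'^(\w+)\[type eq "(\w+)"\]\.(\w+)$')


def resolve(resource, path):
    """Return the value at one of the table's SCIM paths, or None if absent or empty."""
    m = _FILTER.match(path)
    if path.startswith(ENTERPRISE + ":"):
        value = resource.get(ENTERPRISE, {}).get(path[len(ENTERPRISE) + 1:])
    elif m:
        attr, wanted, sub = m.groups()
        value = next((item.get(sub) for item in resource.get(attr, [])
                      if item.get("type") == wanted), None)
    elif "." in path:
        parent, sub = path.split(".", 1)
        value = resource.get(parent, {}).get(sub)
    else:
        value = resource.get(path)
    return value or None


def check_user(resource, saml_identifier=None):
    """Resolve every mapped path and list problems that would break linking or SSO matching."""
    values = {p: resolve(resource, p) for p in REQUIRED + OPTIONAL}
    problems = [f"missing required attribute: {p}" for p in REQUIRED if values[p] is None]
    # Strict comparison: the page does not say whether matching ignores case (assumption).
    if saml_identifier is not None and values["userName"] != saml_identifier:
        problems.append("userName does not match the SAML identifier")
    return values, problems


# Constructed sample: a payload from an IdP mapping that omits externalId.
SAMPLE = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User", ENTERPRISE],
    "userName": "a.example@example.com",
    "displayName": "Alex Example",
    "name": {"givenName": "Alex", "familyName": "Example"},
    "emails": [{"type": "home", "value": "alex@home.example"},
               {"type": "work", "value": "a.example@example.com"}],
    ENTERPRISE: {"department": "Finance"},
}
```

Running `check_user(SAMPLE, "a.example@example.com")` flags the missing externalId, the case the page calls out for Microsoft Entra ID mappings.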
Limitations
- Stale users: Existing inactive users are not automatically deleted. A future update will provide tooling to clean up inactive users.
- Group and group membership sync: Not supported.
- Consistent user sets: The set of users configured for SSO must match the set of users configured for SCIM sync.
Rate limits
SCIM requests are rate limited per organization:
| Request type | Limit |
|---|---|
| Read requests (GET) | 300 requests per 5 minutes |
| Write requests (POST, PUT, PATCH, DELETE) | 160 requests per 5 minutes |
Requests that exceed these limits receive an HTTP 429 Too Many Requests response. Identity provider connectors back off and retry throttled requests automatically, so provisioning continues without manual intervention.
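For a custom script that calls the SCIM API with the authorization token instead of going through an IdP connector, the limits above can be enforced on the client so requests are paced before a 429 is returned. This is an added example, not UiPath code: `ScimBudget` and `plan` are hypothetical names, and the sliding window is an assumption chosen because it stays within the limit however the server aligns its 5-minute window.

```python
from collections import deque

WINDOW_SECONDS = 5 * 60
# Per-organization limits from the rate limit table.
LIMITS = {"read": 300, "write": 160}
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


class ScimBudget:
    """Client-side sliding-window budget for one organization's SCIM requests."""

    def __init__(self, limits=LIMITS, window=WINDOW_SECONDS):
        self.window = window
        self.limits = dict(limits)
        self.sent = {kind: deque() for kind in self.limits}

    @staticmethod
    def kind(method):
        method = method.upper()
        if method == "GET":
            return "read"
        if method in WRITE_METHODS:
            return "write"
        raise ValueError(f"method not listed for SCIM: {method}")

    def delay(self, method, now):
        """Seconds to wait before this request fits in the window (0.0 if it fits now)."""
        kind = self.kind(method)
        sent = self.sent[kind]
        while sent and sent[0] <= now - self.window:
            sent.popleft()  # drop requests that have left the window
        if len(sent) < self.limits[kind]:
            return 0.0
        return sent[0] + self.window - now

    def record(self, method, now):
        self.sent[self.kind(method)].append(now)


def plan(methods, start=0.0, budget=None):
    """Return the send time for each request so that no window exceeds its limit."""
    budget = budget or ScimBudget()
    now, times = start, []
    for method in methods:
        now += budget.delay(method, now)
        budget.record(method, now)
        times.append(now)
    return times
```

Read and write requests are budgeted separately, so a burst of 160 writes does not delay a following GET.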
Setup guides
SSO must be configured for your identity provider before SCIM User Sync can be enabled. Setup guides are available for: