UiPath Documentation

Test Cloud Admin Guide

SCIM User Sync

Note:

Public preview: SCIM User Sync is currently in public preview.

Enterprise: This feature is available with the Enterprise licensing plan.

Note:

The features available depend on the cloud offering you use. For details, see Feature availability.

The SCIM (System for Cross-domain Identity Management) directory integration enables enterprises to securely synchronize user identities and lifecycle events between UiPath and their corporate identity providers (IdPs). Building on existing Microsoft Entra ID and Security Assertion Markup Language (SAML)-based Single Sign-On (SSO) integrations, SCIM User Sync automates user creation, updates, and deprovisioning, eliminating manual identity management while maintaining centralized control.

Key features

Automated user lifecycle management

Synchronizes user creation, updates, and deletion between your IdP and UiPath.

User attribute synchronization

User attributes — name, email, job title, department, and other attributes — are automatically updated as directed by the SCIM source directory. Changes are reflected in UiPath without requiring a re-login.

Deprovisioning and compliance

Ensures secure access control and releases license allocations when employees leave the organization, helping you comply with data retention and audit requirements.

Supported identity providers

  • Microsoft Entra ID (Azure AD)
  • Okta

Supported SCIM operations

| Resource | Operations | Description |
| --- | --- | --- |
| Users | GET, POST, PUT, PATCH, DELETE | Retrieve, create, modify, or deactivate users |
| Groups | Not supported | Groups and group memberships are not synced through SCIM |

SCIM User Sync provisions users only — groups and group memberships are not synced. For how group-based access behaves under each SSO method, see the following Feature comparison by SSO method section.

The SCIM 2.0 server also exposes the standard service discovery endpoints under your SCIM base URL (the SCIM URL from setup, for example https://cloud.uipath.com/{orgId}/identity_/api/scim/v2):

  • .../ServiceProviderConfig
  • .../ResourceTypes
  • .../Schemas

These endpoints accept requests authenticated with your SCIM authorization token and return the supported server capabilities, resource types, and schemas.

User lifecycle management

SCIM manages the following lifecycle events:

  • Provisioning: When a user is assigned in the source directory, the IdP pushes the user to UiPath.
  • Updating: When a user's attributes change in the source directory, the IdP pushes updates to UiPath.
  • Deprovisioning:
    • Deactivate: When a user is deactivated or unassigned in the source directory, UiPath marks them as deactivated.
    • Delete: When a user is deleted from the source directory, UiPath deletes the user.
  • Reactivation: When a user is reactivated in the source directory, UiPath reactivates them. Licenses must be reassigned after reactivation.

The following table describes how each lifecycle event affects UiPath:

|  | Create | Update | Deactivate | Delete |
| --- | --- | --- | --- | --- |
| Admin — user and group management | The user becomes available to query and assign groups, roles, and permissions. | User attributes are updated. | All roles and permissions are preserved. | All records of the user are deleted. |
| License management |  |  | The user's license is released and returned to your available pool. | The user's license is released and returned to your available pool. |
| First-party services (Orchestrator, Automation Hub, Task Mining) |  |  | The user is marked inactive; artifacts that reference them show an inactive indicator. | The user is removed; artifacts that reference them show an inactive indicator. |
| Other | Future release | Future release | Future release | Future release |

Note:

When a user is deactivated or disabled in your identity provider — not only when they are deleted — UiPath automatically releases their license and returns it to your available pool for reassignment. This lets you reclaim licenses from departing or inactive users without manual cleanup. If the user is later reactivated, licenses must be reassigned.

Authorization methods

The following authorization methods are available depending on your identity provider:

| Authorization method | Entra ID | Okta |
| --- | --- | --- |
| Long-lived bearer token | Supported | Supported |
| OAuth authorization code grant | Not supported | Supported |
| OAuth client credentials grant | Supported | Not supported |

Directory behavior with SCIM enabled

When SCIM is enabled, UiPath sources directory users exclusively from the users provisioned through SCIM. Only SCIM-provisioned users are returned wherever directory users are searched or queried — including when you search for users in the UiPath admin portal and through the directory API. This applies to both Microsoft Entra ID and SAML integrations:

  • Microsoft Entra ID: UiPath does not call the Microsoft Graph API to fetch users — users are served from the SCIM-provisioned directory. (Group search still uses a real-time Graph API call.)
  • SAML: Users that were not provisioned through SCIM are filtered out of directory results.

Important:

The set of users who can sign in must be exactly the same as the set of users provisioned through SCIM. Because directory queries return only SCIM-provisioned users, a user who can authenticate but was not provisioned through SCIM cannot be found, assigned permissions, or otherwise managed in UiPath. The users assigned to your SSO application and your SCIM application must be identical.
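One way to check this requirement is to diff the two user sets and triage the differences. This is an added example, not UiPath code: the function name, the SSO export list, and the sample data are constructed, and it assumes you have already merged all pages of the SCIM user listing into one ListResponse-shaped dictionary.

```python
# Constructed sample: identifiers assigned to the SSO application (hypothetical export).
SSO_ASSIGNED = ["alice@example.com", "Bob@Example.com",
                "carol@example.com", "dave@example.com"]

# Constructed sample: a SCIM 2.0 ListResponse (RFC 7644), already parsed from JSON.
SCIM_LIST = {
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 4,
    "Resources": [
        {"userName": "alice@example.com", "externalId": "a1", "active": True},
        {"userName": "bob@example.com", "externalId": "b2", "active": True},
        {"userName": "dave@example.com", "externalId": "d4", "active": False},
        {"userName": "erin@example.com", "externalId": "e5", "active": True},
    ],
}

def compare_user_sets(sso_assigned, scim_list):
    """Report users that break the 'SSO set equals SCIM set' requirement."""
    # Assumption: userName is the shared identifier, compared case-insensitively
    # (RFC 7643 defines userName as caseExact=false).
    sso = {u.strip().casefold() for u in sso_assigned}
    active, inactive = set(), set()
    for res in scim_list.get("Resources", []):
        key = res["userName"].strip().casefold()
        # A missing "active" attribute is treated as active.
        (active if res.get("active", True) else inactive).add(key)
    return {
        # Can authenticate, but cannot be found or assigned permissions.
        "sign_in_only": sorted(sso - active - inactive),
        # Still assigned to the SSO application while SCIM marks them inactive.
        "sso_but_deactivated": sorted(sso & inactive),
        # Provisioned and active, but not assigned to the SSO application.
        "scim_only": sorted(active - sso),
    }

print(compare_user_sets(SSO_ASSIGNED, SCIM_LIST))
```
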

Feature comparison by SSO method

The following table compares how SCIM User Sync behaves depending on the SSO method configured for your organization:

|  | Entra ID SSO + SCIM | SAML SSO + SCIM |
| --- | --- | --- |
| How are directory users logged in? | Single sign-on using the OpenID Connect (OIDC) protocol via the organization-specific URL. | Single sign-on using SAML 2.0 protocol via the organization-specific URL. |
| How and when are directory users provisioned? | Users are provisioned from the SCIM source directory to UiPath upon configuration; subsequent updates are pushed asynchronously. | Users are provisioned from the SCIM source directory to UiPath upon configuration; subsequent updates are pushed asynchronously. |
| How and when are directory user attributes updated? | User attributes are updated in UiPath asynchronously as directed by the SCIM source directory. | User attributes are updated in UiPath asynchronously as directed by the SCIM source directory. |
| How and when are directory users deprovisioned or deactivated? | Users are deprovisioned or deactivated in UiPath asynchronously as directed by the SCIM source directory. | Users are deprovisioned or deactivated in UiPath asynchronously as directed by the SCIM source directory. |
| How and when are directory groups provisioned? | Directory groups are not provisioned via SCIM, but are materialized in a cached directory upon permission or role assignment in UiPath. | Directory groups are not provisioned via SCIM. |
| How is directory group membership evaluated? | Group membership is evaluated with a real-time Microsoft Graph API call. | Group membership is not evaluated via SCIM. Just-in-time (JIT) provisioning rules can place users into local UiPath groups based on SAML claims. |
| How are directory users searched and assigned permissions? | A call is made to UiPath's cached directory of SCIM-provisioned users. You must be signed in using Enterprise SSO to query directory users. | A call is made to UiPath's cached directory of SCIM-provisioned users. You must be signed in using Enterprise SSO to query directory users. |
| How are directory groups searched and assigned permissions? | A call is made to UiPath's directory for local users and to Entra ID for directory groups via a real-time Microsoft Graph API call. | Directory groups cannot be queried. JIT provisioning rules can be configured to automatically place users into local UiPath groups. |

Attribute mapping

The following table shows how SCIM attributes map to UiPath user attributes. Your identity provider sends the SCIM attribute; UiPath stores it as the UiPath user attribute.

| SCIM attribute | UiPath user attribute | Required |
| --- | --- | --- |
| externalId | Directory identifier used to match and link the user | Yes |
| userName | Username | Yes |
| displayName | Display name | Yes |
| emails[type eq "work"].value | Email |  |
| name.givenName |  |  |
| name.familyName |  |  |
| title | Job title |  |
| addresses[type eq "work"].locality | City |  |
| urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department | Department |  |
| urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:organization | Company name |  |

Note:

externalId is how UiPath identifies and links each provisioned user, so it must be stable and unique — it is stored as the user's directory ID. Okta populates externalId automatically; in Microsoft Entra ID you must map it explicitly (typically to the user's object ID) in the SCIM attribute mappings.

Your identity provider's attribute mappings must include these required fields before SCIM provisioning is enabled.

Important:

The attributes your identity provider sends must map to the SCIM attributes UiPath expects, as listed in the preceding attribute mapping table. When SAML SSO is in use, the SAML attribute mappings must produce these values — in particular, the userName sent through SCIM must match the identifier used in the SAML assertion, so that a provisioned user and their SSO login resolve to the same UiPath user.
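A pre-flight check for the mapping rules above, run against the user payload your identity provider would send. This is an added example, not UiPath code: the function names and both payloads are constructed, and comparing userName to the SAML identifier case-insensitively is an assumption.

```python
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
REQUIRED = ("externalId", "userName", "displayName")  # "Required" column of the table

def work_value(items, field):
    """Resolve a path such as emails[type eq "work"].value on a multi-valued attribute."""
    for item in items or []:
        if str(item.get("type", "")).lower() == "work":
            return item.get(field)
    return None

def extract_mapped(resource):
    """Collect the attributes from the mapping table, keyed by their SCIM path."""
    name = resource.get("name") or {}
    ext = resource.get(ENTERPRISE) or {}
    return {
        "externalId": resource.get("externalId"),
        "userName": resource.get("userName"),
        "displayName": resource.get("displayName"),
        'emails[type eq "work"].value': work_value(resource.get("emails"), "value"),
        "name.givenName": name.get("givenName"),
        "name.familyName": name.get("familyName"),
        "title": resource.get("title"),
        'addresses[type eq "work"].locality': work_value(resource.get("addresses"), "locality"),
        ENTERPRISE + ":department": ext.get("department"),
        ENTERPRISE + ":organization": ext.get("organization"),
    }

def preflight(resource, saml_identifier):
    """Return the problems that would block provisioning or break SSO linking."""
    mapped = extract_mapped(resource)
    problems = [f"missing required attribute: {k}" for k in REQUIRED if not mapped[k]]
    # Assumption: case-insensitive match, since userName is caseExact=false in RFC 7643.
    user_name = mapped["userName"] or ""
    if user_name and user_name.casefold() != saml_identifier.casefold():
        problems.append("userName does not match the SAML identifier")
    return problems

# Constructed sample payloads (not captured from a real tenant).
GOOD = {
    "externalId": "00000000-0000-0000-0000-000000000001",
    "userName": "alice@example.com", "displayName": "Alice Example",
    "emails": [{"type": "home", "value": "a@home.example"},
               {"type": "work", "value": "alice@example.com"}],
    "name": {"givenName": "Alice", "familyName": "Example"},
    ENTERPRISE: {"department": "Finance"},
}
# externalId was never mapped and userName is a short alias rather than the SSO identifier.
BAD = {"userName": "bob", "displayName": "Bob Example"}
print(preflight(BAD, "bob@example.com"))
```
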

Limitations

  • Stale users: Existing inactive users are not automatically deleted. A future update will provide tooling to clean up inactive users.
  • Group and group membership sync: Not supported.
  • Consistent user sets: The set of users configured for SSO must match the set of users configured for SCIM sync.

Rate limits

SCIM requests are rate limited per organization:

| Request type | Limit |
| --- | --- |
| Read requests (GET) | 300 requests per 5 minutes |
| Write requests (POST, PUT, PATCH, DELETE) | 160 requests per 5 minutes |

Requests that exceed these limits receive an HTTP 429 Too Many Requests response. Identity provider connectors back off and retry throttled requests automatically, so provisioning continues without manual intervention.

Setup guide

SSO must be configured for your identity provider before SCIM User Sync can be enabled. Setup guides are available for:
