Orchestrator
2023.10
Orchestrator User Guide
Last updated Feb 15, 2024

Setting up SAML SSO with Azure AD

You can use the Azure portal to enable SSO for an Enterprise application that you added to your Azure AD tenant.

After you configure SSO, your users can sign in by using their Azure AD credentials.

Important:

If your users are in Azure AD but you cannot follow the Azure AD integration instructions to connect AAD to your UiPath organization, configuring AAD as a SAML-based identity provider (IdP) may be an option.

This is due to restrictions on granting the integration permission to read the user details and group memberships of all UiPath application users.

Enabling SAML SSO for an application

  1. Log into the Azure portal using one of the roles listed in the prerequisites.

  2. Go to Azure AD, then select Enterprise applications.

    The All applications page opens, listing the applications in your Azure AD tenant.

    Search for and then select the application that you want to use. For example, UiPath.

    Note:

    To create an application for SSO, follow the steps in this section.

  3. From the left sidebar in the Manage section, select Single sign-on to open the SSO editing page.

  4. Select SAML to open the SSO configuration page.

    After the application has been configured, users can sign into it using their Azure AD tenant credentials.

  5. Under the Basic SAML Configuration section, click Edit.

  6. Fill out the Entity ID and Assertion Consumer Service (ACS) URL fields based on the values provided in the SAML configuration settings in the UiPath portal.

  7. Click Save.

    Note:

    UiPath requires either the http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress or the http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn claims to be sent by the SAML identity provider.

    If both claims are sent in the ACS payload, then UiPath will prioritize the http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress claim.

    By default, the application in Azure AD is configured to send the http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress claim, with the user's email address as the value for the claim.

    If you are switching from or planning to switch to Azure AD directory integration, please note:

    • The value passed in the prioritized claim is used by UiPath as a unique identifier and is used to link any existing local users (using the local user's email address) to this directory user in Azure AD.

    • For a smooth switch between Azure AD and SAML directory integration, it is recommended you pass in both of these claims with the appropriate user values.

      Here is an example configuration:

  8. Copy the App Federation Metadata Url.

  9. Navigate to the UiPath Administration portal and go to the SAML Configuration page.

  10. Paste the App Federation Metadata Url in the Metadata URL field.

  11. Click Fetch data to have the system request user-related info from the identity provider.
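Steps 8 to 11 hand the App Federation Metadata Url to UiPath so that Fetch data can read the identity provider's details from it. The following Python script is an added example, not UiPath code and not what Fetch data runs internally: it parses a SAML IdP metadata document the way an administrator would to confirm, before pasting the URL, that it names an entity ID, an HTTPS single sign-on endpoint and a signing certificate. The metadata document, the all-zeros tenant ID and the certificate bytes are constructed placeholders, not values from a real tenant.

```python
"""Inspect a SAML IdP metadata document before handing its URL to UiPath.

Added example, not UiPath code. The metadata below is constructed for the
example; in practice you would download it from the App Federation
Metadata Url copied from the Azure portal.
"""
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed placeholder, not a real certificate (base64 of arbitrary bytes).
FAKE_CERT_DER = b"constructed placeholder, not a real certificate"
FAKE_CERT_B64 = base64.b64encode(FAKE_CERT_DER).decode()
# Constructed placeholder tenant ID.
PLACEHOLDER_ENTITY_ID = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"


def build_metadata(entity_id: str, sso_location: str, cert_b64: str) -> str:
    """Build a minimal constructed EntityDescriptor for the example."""
    return (
        f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
        f'entityID="{entity_id}">'
        '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
        f"<ds:X509Certificate>{cert_b64}</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>"
        f'<md:SingleSignOnService Binding="{REDIRECT_BINDING}" Location="{sso_location}"/>'
        f'<md:SingleSignOnService Binding="{POST_BINDING}" Location="{sso_location}"/>'
        "</md:IDPSSODescriptor></md:EntityDescriptor>"
    )


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract entityID, SSO endpoints by binding, and DER signing certs."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    sso = {svc.get("Binding"): svc.get("Location")
           for svc in idp.iterfind("md:SingleSignOnService", NS)}
    certs = []
    for kd in idp.iterfind("md:KeyDescriptor", NS):
        # A KeyDescriptor without "use" applies to both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for c in kd.iterfind("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            # strict decoding catches truncated or corrupted certificate text
            certs.append(base64.b64decode("".join((c.text or "").split()), validate=True))
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_certs": certs}


def check_metadata(info: dict) -> list:
    """Return a list of problems; an empty list means the metadata looks usable."""
    problems = []
    if not info["entity_id"]:
        problems.append("missing entityID")
    if not info["signing_certs"]:
        problems.append("no signing certificate: assertions could not be verified")
    if not (info["sso"].get(REDIRECT_BINDING) or info["sso"].get(POST_BINDING)):
        problems.append("no HTTP-Redirect or HTTP-POST SingleSignOnService")
    for binding, location in info["sso"].items():
        if urlparse(location or "").scheme != "https":
            problems.append(f"{binding.rsplit(':', 1)[-1]} endpoint is not https: {location}")
    return problems


GOOD_METADATA = build_metadata(PLACEHOLDER_ENTITY_ID, "https://login.example.test/saml2", FAKE_CERT_B64)
PLAIN_HTTP_METADATA = build_metadata(PLACEHOLDER_ENTITY_ID, "http://login.example.test/saml2", FAKE_CERT_B64)

if __name__ == "__main__":
    for label, doc in (("good", GOOD_METADATA), ("plain http", PLAIN_HTTP_METADATA)):
        info = parse_idp_metadata(doc)
        print(label, info["entity_id"], check_metadata(info) or "OK")
```

The script deliberately does not fetch anything over the network; run it against a saved copy of the metadata so that the review happens before the URL is trusted by the Orchestrator configuration.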

Setting up claims for automatic provisioning to UiPath

  1. Log into the Azure portal using one of the roles listed in the prerequisites.

  2. Go to Azure AD, then select Enterprise applications.

    The All applications page opens, listing the applications in your Azure AD tenant.

    Search for and then select the application that you want to use. For example, UiPath.

    Note:

    To create an application for SSO, follow the steps in this section.

  3. From the left sidebar in the Manage section, select Single sign-on to open the SSO editing page.

  4. Click Edit in the Attributes & Claims section of the SSO editing page.

  5. Click Add a group claim to configure the groups that you want to send to UiPath.

    Note:

    To set advanced configurations, choose from the Advanced Settings dropdown.

  6. Click Save.

  7. To finish the configuration, follow the steps from our public documentation.

Note:

If you prefer to use UPN, navigate to the Attributes & Claims section and change the value of the emailaddress attribute.
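The note under step 7 of the SAML SSO procedure states the rule UiPath applies to the two identifier claims (emailaddress is preferred when both are present, upn is used otherwise, and sending both is recommended before switching between SAML and Azure AD directory integration), and the note above describes the UPN option. The following Python script is an added example, not UiPath code, that applies that precedence to the attribute statement of a SAML assertion; the assertions it parses are constructed for the example, and it assumes the assertion's signature has already been verified upstream.

```python
"""Select the UiPath user identifier from a SAML assertion's attributes.

Added example, not UiPath code. Models the documented precedence:
emailaddress wins over upn; upn is used when emailaddress is absent;
an assertion with neither is rejected. Sample assertions are constructed.
"""
import xml.etree.ElementTree as ET

EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def extract_attributes(assertion_xml: str) -> dict:
    """Return {attribute Name: [values]} from the AttributeStatements.

    Assumes the XML signature was verified before this point; this function
    reads attributes only and performs no signature checking itself.
    """
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name")
        if not name:
            continue
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(name, []).extend(v for v in values if v)
    return attrs


def select_identifier(attrs: dict) -> tuple:
    """Apply the documented precedence: emailaddress first, then upn.

    Returns (claim_name, value). Raises ValueError when neither claim carries
    a non-empty value, because the login could not be linked to a user.
    """
    for claim in (EMAIL_CLAIM, UPN_CLAIM):
        values = attrs.get(claim, [])
        if len(values) > 1:
            # A multi-valued identifier is ambiguous; refuse rather than guess.
            raise ValueError(f"claim {claim} has {len(values)} values")
        if values:
            return claim, values[0]
    raise ValueError("assertion carries neither emailaddress nor upn")


def ready_for_directory_switch(attrs: dict) -> bool:
    """True when both identifier claims are present, as the guide recommends
    before switching between SAML and Azure AD directory integration."""
    return bool(attrs.get(EMAIL_CLAIM)) and bool(attrs.get(UPN_CLAIM))


def build_assertion(claims: dict) -> str:
    """Build a minimal constructed Assertion carrying the given attributes."""
    body = "".join(
        f'<saml:Attribute Name="{name}"><saml:AttributeValue>{value}'
        "</saml:AttributeValue></saml:Attribute>"
        for name, value in claims.items()
    )
    return (
        f'<saml:Assertion xmlns:saml="{NS["saml"]}">'
        f"<saml:AttributeStatement>{body}</saml:AttributeStatement></saml:Assertion>"
    )


# Constructed sample assertions (example.com addresses, not real users).
BOTH = build_assertion({EMAIL_CLAIM: "jane.doe@example.com",
                        UPN_CLAIM: "jane.doe@corp.example.com"})
UPN_ONLY = build_assertion({UPN_CLAIM: "jane.doe@corp.example.com"})
NEITHER = build_assertion({"http://schemas.microsoft.com/identity/claims/displayname": "Jane Doe"})

if __name__ == "__main__":
    for label, xml in (("both", BOTH), ("upn only", UPN_ONLY), ("neither", NEITHER)):
        attrs = extract_attributes(xml)
        try:
            claim, value = select_identifier(attrs)
            print(f"{label}: {value} via {claim.rsplit('/', 1)[-1]}, "
                  f"switch-ready={ready_for_directory_switch(attrs)}")
        except ValueError as exc:
            print(f"{label}: rejected ({exc})")
```

Because the chosen value is the key UiPath uses to link the login to an existing local user, the script refuses multi-valued identifier claims instead of picking one; an IdP that emits two email values for one account should be corrected in Attributes & Claims rather than tolerated.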

Create application for SSO

  1. Log into the Azure portal using one of the roles listed in the prerequisites.
  2. Go to Azure AD, then select Enterprise applications. The All applications page opens, listing the applications in your Azure AD tenant.
  3. Click New Application > Create your own application.
  4. Give your application a name. For example, UiPath.
  5. Select Integrate any other application that you don't find in the gallery (Non-gallery).
  6. Click Create.

© 2005-2024 UiPath. All rights reserved.