- Getting started
- Best practices
- Tenant
- About the Tenant Context
- Searching for Resources in a Tenant
- Managing Robots
- Connecting Robots to Orchestrator
- Storing Robot Credentials in CyberArk
- Storing Unattended Robot Passwords in Azure Key Vault (read only)
- Storing Unattended Robot Credentials in HashiCorp Vault (read only)
- Storing Unattended Robot Credentials in AWS Secrets Manager (read only)
- Deleting Disconnected and Unresponsive Unattended Sessions
- Robot Authentication
- Robot Authentication With Client Credentials
- SmartCard Authentication
- Configuring automation capabilities
- Audit
- Settings - Tenant Level
- Resource Catalog Service
- Folders Context
- Automations
- Processes
- Jobs
- Triggers
- Logs
- Monitoring
- Queues
- Assets
- Storage Buckets
- Orchestrator testing
- Other Configurations
- Integrations
- Host administration
- Organization administration
- About organizations
- Managing organization administrators
- Managing organization settings
- Setting up the Azure AD integration
- Setting up SAML SSO with Microsoft Entra ID
- Managing tags
- Audit logs
- Troubleshooting
Orchestrator user guide
Setting up SAML SSO with Microsoft Entra ID
You can use the Azure portal to enable SSO for an Enterprise application that you added to your Microsoft Entra ID tenant.
After you configure SSO, your users can sign in by using their Microsoft Entra ID credentials.
If your users are in Microsoft Entra ID, but you cannot use the Microsoft Entra ID integration instructions to configure Microsoft Entra ID to your UiPath® organization, configuring Microsoft Entra ID as a SAML-based identity provider may be an option.
This is due to restrictions around giving permissions to read user details and group memberships of all Orchestrator users.
The is recommended due to its advanced features. If however, you switch to SAML, you must manually replace role assignation done through directory groups with direct role assignation to the directory accounts to keep your access schema without having to recreate it from scratch.
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress or the http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn claims to be sent by the SAML identity provider. The http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress claim is case-sensitive.
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress claim.
By default, the application in Microsoft Entra ID is configured to send the http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress claim, with the user's email address as the value for the claim.
If you are switching from or planning to switch to Microsoft Entra ID directory integration, please note:
-
The value passed in the prioritized claim is used by Orchestrator as a unique identifier and is used to link any existing local users (using the local user's email address) to this directory user in Microsoft Entra ID.
-
For a smooth switch between Microsoft Entra ID and SAML directory integration, it is recommended you pass in both of these claims with the appropriate user values.
The following configuration is an example:
-
Log into the Azure portal using one of the roles listed in the prerequisites.
-
Go to Microsoft Entra ID, then select Enterprise applications.
The All applications page opens that lists the applications in your Microsoft Entra ID tenant.
Search for and then select the application that you want to use. For example, UiPath.
Note:To create an application for SSO, follow the steps in Create application for SSO.
-
From the left sidebar in the Manage section, select Single sign-on to open the SSO editing page.
-
Select SAML to open the SSO configuration page.
After the application has been configured, users can sign into it using their Microsoft Entra ID tenant credentials.
-
Under the Basic SAML Configuration section, select Edit.
-
Fill out the Entity ID and Assertion Consumer Service (ACS) URL fields based on the values provided in the SAML configuration settings in the Orchestrator portal.
-
Select Save.
-
Copy the App Federation Metadata Url.
-
Navigate to the UiPath Administration portal and go to the SAML Configuration page.
-
Paste the App Federation Metadata Url in the Metadata URL field.
-
Select Fetch data to have the system request user-related info from the identity provider.
-
Log into the Azure portal using one of the roles listed in the prerequisites.
-
Go to Microsoft Entra ID, then select Enterprise applications.
The All applications page opens that lists the applications in your Microsoft Entra ID tenant.
Search for and then select the application that you want to use. For example, UiPath.
Note:To create an application for SSO, follow the steps in Create application for SSO.
-
From the left sidebar in the Manage section, select Single sign-on to open the SSO editing page.
-
Select Edit in the Attributes & Claims section of the SSO editing page.
-
Select Add a group claim to configure the groups that you want to send to Orchestrator.
Note:To set advanced configurations, choose from the Advanced Settings dropdown.
-
Select Save.
-
To finish the configuration, follow the Step 2.5 Configure Provisioning Rules (optional) steps from our public documentation.
If a customer prefers to use UPN, you can navigate to the Attributes & Claims section and change the value for the emailaddress attribute.
- Log into the Azure portal using one of the roles listed in the prerequisites.
- Go to Microsoft Entra ID, then select Enterprise applications.The All applications page opens that lists the applications in your Microsoft Entra ID tenant.
- Select New Application > Create your own application.
- Give your application a name. For example, UiPath.
- Select Integrate any other application that you don't find in the gallery (Non-gallery).
- Select Create.
