Federated identity credentials

Federated identity credentials let external OAuth applications authenticate with UiPath using a JSON Web Token (JWT) issued by an external identity provider, instead of a client secret. This eliminates the need to store, rotate, and secure client secrets for machine-to-machine authentication.

Organizations adopting a Zero Trust security model can use federated credentials to authenticate OAuth applications through trusted identity providers such as Microsoft Entra ID, AWS, or Google Cloud, without managing long-lived secrets.

How federated identity credentials work

  1. The external application requests a JWT from the configured identity provider.
  2. The identity provider issues a signed JWT containing the configured issuer, audience, and subject claims.
  3. The application sends a token request to the UiPath token endpoint, presenting the JWT as a client_assertion parameter.
  4. UiPath fetches the identity provider's public signing keys from its JWKS endpoint and validates the JWT signature, issuer, audience, subject, and expiry.
  5. On successful validation, UiPath issues an access token with the same scopes and lifetime as the client credentials flow.

Credential fields

Each federated credential defines three token validation parameters:

Field    | Description
---------|------------
Issuer   | The HTTPS URI of the external identity provider. Must match the JWT iss claim exactly. UiPath verifies that the issuer's JWKS endpoint is reachable when you create or update the credential.
Audience | A single string value that must appear in the JWT aud claim.
Subject  | A value that must exactly match the JWT sub claim.

Constraints

  • JWTs must use the RS256 signing algorithm.
  • JWTs exceeding 8 KB are rejected before validation.
  • Each OAuth application supports a maximum of 20 federated credentials.
  • Access tokens issued via federated credentials have a one-hour lifetime.
  • To authenticate from multiple subjects or issuers, register a separate federated credential for each combination.
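The following is an added reference checker, not UiPath's own code, that applies the validation described in step 4 of the flow together with the constraints listed above (size limit, RS256 only, exact issuer/subject match, audience membership, expiry). It assumes a caller-supplied verify_signature callback that checks RS256 against keys from the issuer's JWKS endpoint; the credential values and the sample token are constructed.

```python
import base64, json, time
from collections import namedtuple

MAX_TOKEN_BYTES = 8 * 1024   # assertions over 8 KB are rejected before any other check
ALLOWED_ALGS = {"RS256"}     # the only signing algorithm accepted
# issuer: HTTPS URI equal to iss; audience: one value that must appear in aud; subject: equal to sub
FederatedCredential = namedtuple("FederatedCredential", "issuer audience subject")

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def validate_client_assertion(token, cred, verify_signature, now=None) -> dict:
    """Apply the checks in the order the flow describes; raise ValueError on the first failure.
    verify_signature(header, signing_input, signature) is supplied by the caller (assumption) and is
    expected to check RS256 against keys fetched from the issuer's JWKS endpoint."""
    if len(token.encode()) > MAX_TOKEN_BYTES:
        raise ValueError("assertion exceeds 8 KB")
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError(f"unsupported alg {header.get('alg')!r}")
    if not verify_signature(header, f"{parts[0]}.{parts[1]}".encode(), _b64url_decode(parts[2])):
        raise ValueError("signature verification failed")
    claims = json.loads(_b64url_decode(parts[1]))
    if claims.get("iss") != cred.issuer:           # exact match, no wildcards
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")                        # RFC 7519 allows a string or an array here
    if cred.audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if claims.get("sub") != cred.subject:          # exact match, no wildcards
        raise ValueError("subject mismatch")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= (time.time() if now is None else now):
        raise ValueError("assertion expired or exp missing")
    return claims

def rejection_reason(token, cred, verify_signature, now=None):
    """None when the assertion passes every check, otherwise the reason it was rejected."""
    try:
        validate_client_assertion(token, cred, verify_signature, now)
        return None
    except ValueError as err:
        return str(err)

def build_sample_assertion(header: dict, claims: dict, signature: bytes = b"\x00") -> str:
    """Constructed test input: encodes header and claims and appends a placeholder signature."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc(header), enc(claims), base64.urlsafe_b64encode(signature).rstrip(b"=").decode()])
```

Because the size check runs before the token is parsed, an oversized assertion never reaches the signature callback, matching the order the constraints describe.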

Limitations

The following are not supported in this release:

  • JWT algorithms other than RS256.
  • Wildcard matching for issuer, audience, or subject values.
  • Multiple audience values in a single federated credential.