I was contacted by UiPath support, and one temporary solution was to
- Make sure that ALL the groups the user is getting has the the “Allow orchestrator UI access”
- Delete the “Directory User” from Orchestrator > Tenant > Manage Access
- The user login again with SSO
After login the Directory User has “Allow Orchestrator UI access” (it shows on the user itself). So it seems (so far), that the “Allow Orchestrator UI access” gets set only on first login with the logical AND of the “Allow Orchestrator UI access” of all the groups instead of the logical OR of that setting.
The with UiPath case it’s not closed yet and there is some more tests to be done , but it looks that way so far.