Security Assertion Markup Language (SAML) is an XML-based specification for exchanging authentication information online, typically to establish single sign-on (SSO). This article describes how SAML works with Appian and how to configure SAML in the Appian Administration Console.
Principal (User) - the client attempting to connect to a service.
Identity Provider (IdP) - the provider of identity information and authentication.
Service Provider (SP) - the provider of the requested service.
Using the SAML model, the user attempting to connect to Appian is the Principal (User), Appian is the Service Provider (SP), and the customer is the Identity Provider (IdP).
For a typical SP-initiated login, when a user attempts to connect to Appian, Appian redirects the user’s browser to the IdP. The IdP makes an authentication decision and returns that decision to the user’s browser, which then sends that decision to Appian. Appian acts on that decision, either permitting or denying the user access to the requested resource without the user having to manually sign in.
The sequence diagram below shows this process in more detail.
Appian also supports IdP-initiated login.
Appian supports SAML-based SSO using SAML 2.0 specifications, and SHA-1 or SHA-256 signature method algorithms.
To configure Appian to work with SAML, you will need:
A SAML identity provider using SAML 2.0, and SHA-1 or SHA-256 signature method algorithms.
Some browsers will detect the Service Provider Entity ID and the Service Provider Signing Certificate Password fields as username and password fields, and may auto-populate those fields. Be sure to clear any pre-populated fields on this form.
Enter a Service Provider Name. This is how you choose to label Appian in the message that will be sent to the IdP when a user attempts to sign into Appian. This should be a unique name for both the service and identity providers.
Enter a Service Provider Entity ID. This is the ID for Appian. This will typically be the Appian hostname.
Upload the IdP metadata into Identity Provider Metadata. This file will contain things like the address of the IdP and its supported protocols.
Choose the appropriate Signature Hashing Algorithm that matches the IdP.
Upload the Service Provider Signing Certificate.
Enter the Service Provider Signing Certificate Password if the certificate requires one. This is the password Appian uses to open the certificate to use it. Leave this blank if none is required.
Once the fields above are filled in, the Generated Metadata field provides a link to an XML file containing the connection information your IdP needs. Upload that file to your IdP.
Click Test to see if you can successfully sign in. If successful, the Save Changes button will be available.
Other Configuration Options
This section describes each additional configuration option and provides an example.
This is the XML attribute label that identifies where the user’s email address can be found in the authentication response. For example:
First Name Attribute
This is the XML attribute label that identifies where the user’s first name can be found in the authentication response. For example:
Last Name Attribute
This is the XML attribute label that identifies where the user’s last name can be found in the authentication response. For example:
Use Subject from Assertion for Appian username
This option tells Appian to use the subject attribute from the authentication response.
If the username that you want to use is in the subject of the assertion (line 4), leave this box checked. If the username that you want to use is not the subject of the assertion but is instead included as an attribute (line 16), uncheck this box.
Use Username Attribute from Assertion for Appian Username
This option tells Appian to use the username attribute from the authentication response.
Use Identity Provider’s Login Page
Enabling this option tells Appian to redirect unauthenticated users to the IdP’s login page. When not selected, users who aren’t logged in will be directed to Appian’s sign-in page. When selected, unauthenticated users will be sent to the identity provider's login page. This configuration can be overridden using a web address identifier.
Web Address Identifier
The Web Address Identifier allows users to access the non-default login page on both web and mobile devices.
If Use Identity Provider's login page is enabled, unauthenticated users are sent to the identity provider's login page by default. Users can still get to Appian's native sign-in page, however, by adding the query parameter "signin=native" to any Appian URL, for example, "https://mysite.appiancloud.com/suite?signin=native".
If Use Identity Provider's login page is not enabled, unauthenticated users are sent to the Appian native sign-in page by default. If the Web Address Identifier is specified, users can still get to the identity provider's login page by adding the query parameter "signin=[identifier]" to any Appian URL. For example, if Web Address Identifier is set to "my-idp", users can get to the identity provider login page with the URL "https://mysite.appiancloud.com/suite?signin=my-idp".
When selected, if the connecting user does not have an Appian account, one will be created for them based upon the first name, last name, username, and email address.
Use Lowercase Usernames for Appian User Lookup
When selected, Appian will force usernames to lowercase when logging into Appian, or when looking up accounts. For example, if Appian receives the username John.Doe it will treat it as john.doe.
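The attribute-label, subject-versus-username-attribute, and lowercase-username options above describe one mapping step. The following is an added illustration of that mapping (it is not Appian's code); the assertion, attribute names and the settings dictionary are constructed for the example, and it assumes the assertion's signature and conditions have already been verified by the SP:

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion for illustration only; it carries no signature.
# A real SP validates the XML signature and conditions before reading anything below.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>John.Doe</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>John.Doe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>John</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="uid"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical settings dict mirroring the console options described above.
DEFAULT_CONFIG = {
    "email_attr": "email", "first_name_attr": "firstName", "last_name_attr": "lastName",
    "use_subject": True, "username_attr": "uid", "lowercase": True,
}


def _attributes(root):
    """Return {attribute Name: first AttributeValue text} from the AttributeStatement."""
    out = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = attr.findall("saml:AttributeValue", NS)
        if values and values[0].text:
            out[attr.get("Name")] = values[0].text
    return out


def resolve_user(assertion_xml, config=DEFAULT_CONFIG):
    """Map an already-verified assertion to the fields used for account lookup or creation."""
    root = ET.fromstring(assertion_xml)
    attrs = _attributes(root)
    if config["use_subject"]:
        # "Use Subject from Assertion": the NameID is the username.
        username = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    else:
        # "Use Username Attribute": read the configured attribute instead.
        username = attrs.get(config["username_attr"])
    if not username:
        raise ValueError("assertion carries no usable username")
    if config["lowercase"]:
        username = username.lower()  # John.Doe -> john.doe
    return {"username": username, "email": attrs.get(config["email_attr"]),
            "first_name": attrs.get(config["first_name_attr"]),
            "last_name": attrs.get(config["last_name_attr"])}
```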
Restrict SAML Authentication to Specific Group
We strongly recommend customers enable this feature to prevent being locked out of their site.
When selected, a field will appear into which you can specify one Appian user group. If the connecting user is a member of that group, they will be signed into Appian; otherwise they will see an error page telling them that they aren't authorized.
Any users who are configured to not use SAML authentication must go to /suite/portal/login.jsp.