Authentication

Overview

This article provides guidance on the authentication mechanisms that Appian supports. Read on to find out which mechanism best meets your organization's needs.

Identity Management

Authentication is only a part of the larger identity management strategy you need to consider for your system. The authentication mechanism you pick determines how users access the Appian system from various devices, but it does not determine how users are created in the system or what authorizations they will have once authenticated. Even if you use an external authentication provider, Appian requires that local user accounts be created in the personalization engine.

External Authentication Versus Local Authentication

Due to the nature of centralized user management, certain system authentication features only apply to locally managed accounts.

The following table lists authentication features and whether they are enforced for locally authenticated or externally authenticated users. Locally authenticated user credentials are validated by Appian.

Feature                                          Local Authentication   External Authentication
Deactivation of Inactive Users                   Yes                    Yes
Disabled Login for Deactivated Users             Yes                    Yes
Password Complexity Requirements                 Yes                    Yes
Password Expiration                              Yes                    No
Password Expiration Warning                      Yes                    No
Account Locking (due to failed login attempts)   Yes                    No
Temporary Passwords                              Yes                    No

NOTE: If you configure external authentication, login failures in the external system are not logged as failed logins to Appian.

Resetting Passwords with External Authentication

When external authentication is enabled, the password reset process must be handled by the external authentication mechanism. With external authentication enabled, the password reset feature behaves as follows.

  • The link used to change and reset the user's password remains available.
  • If a user clicks Reset Password an email is still sent.
  • If a user clicks an emailed link to reset their password, it is not reset.

Remember Me Authentication

By default, a user must provide their username and password once every two weeks for each browser on which they access Appian. The user may opt out by clearing the Remember Me checkbox on the Appian login screen. System Administrators can modify the authentication validity period and disable the capability site-wide through configuration.

Remember Me uses an authentication token to allow users to bypass the Appian login screen. The authentication token is a cookie that replaces the need to enter a username and password and is used only to create an authenticated browser session for a given user on a specific browser.

Remember Me and per-user third-party credentials are not available for Appian accounts that authenticate via SAML.

When Remember Me is Enabled

  • By default, an authentication token is generated for each browser on which the user accesses Appian, and this token lasts for the configured amount of time (the validity period).
  • System Administrators are never granted a Remember Me token and must authenticate with their username and password every time they access the system.
  • When an authentication token expires or becomes otherwise invalidated (more on this below), a user is redirected to the Appian login page and is asked to provide their username and password.
  • Clearing authentication tokens will not invalidate an active browser session, and a browser session can expire without authentication being invalidated. See the section "Validity Period vs. Active Browser Session" for more information.
  • System Administrators can clear authentication tokens for individuals or entire organizations, which means the token will be removed from the Appian data source so that any attempt to use that token will not result in an authenticated session.
    • Deactivating a user clears all authentication tokens assigned to that user.
    • Password resets clear all authentication tokens associated with a user, but will not clear the authentication token associated with an active browser session for that user.
    • Disabling the Remember Me capability will clear all tokens for all users across all browsers, upon application server restart.
  • Users can clear their own authentication tokens.
    • Changing their own password clears all authentication tokens associated with that user, but will not clear the authentication token associated with their current session.
    • Clearing cookies in a browser clears the authentication tokens associated with that browser.
    • Clicking the "Sign Out" link clears all authentication tokens associated with that user and ends their active browser session.

Clearing an authentication token does not have any impact on a current active browser session, and only takes effect the next time the user attempts to authenticate.

Validity Period vs. Active Browser Session

Remember Me's validity period is the time during which an authentication token is valid. It is the duration a System Administrator has configured for Remember Me in the Appian Administration Console. The validity period can be shortened or terminated by events such as password resets or explicit logouts, and can only be changed by a System Administrator.

An active browser session is the browsing session a user has after authenticating and before the session timeout occurs. A System Administrator can configure sessions to last for a specific duration, which counts both active and idle time. Session time is configurable in the Appian Administration Console and defaults to 65 minutes.

Authentication Logging

Successful authentication via a Remember Me token is logged as a successful login. If a user attempts to access Appian using an expired authentication token, this is not logged as a failed login attempt; the user is redirected to the login page to provide their username and password.
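The token rules in the "When Remember Me is Enabled" list, the validity period versus session distinction, and the logging behaviour above are easier to reason about as one state machine. The following model is an added illustration, not Appian's code: the class and method names, the in-memory token store and the audit-log shape are assumptions made for the example; the rules it encodes are the ones this page states.

```python
"""Model of the Remember Me token lifecycle described on this page.

Added illustration, not Appian's code: the class and method names and the
in-memory store are assumptions. Rules encoded: one token per user and browser;
a configured validity period (two weeks by default); System Administrators never
receive a token; a password reset keeps only the token tied to an active session;
deactivation and Sign Out clear every token; clearing a token never ends an
active session; an expired or cleared token produces a redirect to the login
page, not a failed-login entry.
"""
import secrets
from dataclasses import dataclass, field
from typing import Optional

TWO_WEEKS = 14 * 24 * 60 * 60  # default validity period, in seconds


@dataclass
class Session:
    user: str
    browser: str
    token: Optional[str]  # token issued with, or used to create, this session


@dataclass
class RememberMe:
    validity_period: int = TWO_WEEKS
    tokens: dict = field(default_factory=dict)    # (user, browser) -> (token, expiry)
    sessions: list = field(default_factory=list)  # active browser sessions
    log: list = field(default_factory=list)       # (event, user) audit entries

    def login_with_password(self, user, browser, now, is_admin=False):
        """Form login: always a session; a token only for non-administrators."""
        self.log.append(("login_success", user))
        session = Session(user, browser, None)
        self.sessions.append(session)
        if not is_admin:
            session.token = secrets.token_urlsafe(32)
            self.tokens[(user, browser)] = (session.token, now + self.validity_period)
        return session

    def login_with_token(self, user, browser, token, now):
        """Bypass the login form with a token; bad or expired tokens redirect."""
        stored = self.tokens.get((user, browser))
        if (stored is None or now >= stored[1]
                or not secrets.compare_digest(stored[0], token)):
            self.log.append(("redirect_to_login", user))  # not a failed login
            return None
        self.log.append(("login_success", user))
        session = Session(user, browser, token)
        self.sessions.append(session)
        return session

    def _clear(self, user, keep_active_session_token=False):
        for key in [k for k in self.tokens if k[0] == user]:
            token = self.tokens[key][0]
            if keep_active_session_token and any(
                    s.user == user and s.token == token for s in self.sessions):
                continue
            del self.tokens[key]

    def password_reset(self, user):      # same effect as a user changing their password
        self._clear(user, keep_active_session_token=True)

    def deactivate(self, user):          # same effect as an administrator clearing tokens
        self._clear(user)

    def sign_out(self, session):         # clears all tokens and ends this session
        self._clear(session.user)
        self.sessions.remove(session)

    def expire_session(self, session):   # session timeout leaves tokens untouched
        self.sessions.remove(session)

    def has_token(self, user, browser):
        return (user, browser) in self.tokens

    def has_session(self, user, browser):
        return any(s.user == user and s.browser == browser for s in self.sessions)


def walkthrough():
    """Run the scenarios from the page; returns observations for checking."""
    rm, t0, obs = RememberMe(), 0, {}
    laptop = rm.login_with_password("alice", "laptop", t0)
    phone = rm.login_with_password("alice", "phone", t0)
    root = rm.login_with_password("root", "laptop", t0, is_admin=True)
    obs["admin_has_token"] = root.token is not None
    rm.expire_session(phone)                       # phone browser session times out
    obs["token_outlives_session"] = rm.has_token("alice", "phone")
    rm.password_reset("alice")                     # laptop session is still active
    obs["laptop_token_after_reset"] = rm.has_token("alice", "laptop")
    obs["phone_token_after_reset"] = rm.has_token("alice", "phone")
    obs["laptop_session_after_reset"] = rm.has_session("alice", "laptop")
    rm.login_with_token("alice", "phone", phone.token, t0 + 3600)
    obs["cleared_token_event"] = rm.log[-1][0]
    phone2 = rm.login_with_password("alice", "phone", t0 + 3600)
    rm.expire_session(phone2)
    rm.login_with_token("alice", "phone", phone2.token, t0 + 3600 + TWO_WEEKS)
    obs["expired_token_event"] = rm.log[-1][0]
    rm.sign_out(laptop)                            # ends session, clears all tokens
    obs["tokens_after_signout"] = [k for k in rm.tokens if k[0] == "alice"]
    obs["session_after_signout"] = rm.has_session("alice", "laptop")
    obs["failed_logins"] = sum(1 for e in rm.log if e[0] == "login_failed")
    return obs
```

The walkthrough also makes the external-authentication caveat visible: nothing in this store reacts to a password expiring in an external identity provider, so a token issued before that expiry keeps working until its own validity period ends or it is cleared.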

Remember Me and External Authentication

Remember Me does not interfere with any external authentication configuration supported by Appian. System Administrators may want to configure (or disable) Remember Me to comply with their organization's authentication requirements.

Customers using an external authentication integration with strict password expiration policies may want to disable Remember Me, because users whose passwords have expired in the external identity management system can still access Appian with a valid Remember Me authentication token until that token expires or is revoked.

Configuring Authentication

The following authentication mechanisms are available with Appian.

Method                 Browser             Mobile   SSO   Effort
Appian Authentication  Form Login          Yes      No    ZERO
LDAP Authentication    Form Login          Yes      No    LOW
SAML Authentication    Provider specific   Yes*     Yes   MEDIUM

* Support for mobile authentication depends on the authentication provider.

Appian can authenticate users via other authentication mechanisms (such as Kerberos, request header pre-authentication, central authentication service, or certificate-based authentication) by integrating with a SAML identity provider that uses those mechanisms to authenticate users.

Customers upgrading from a version of Appian prior to 7.11 should note that support for custom Spring Security configurations has been deprecated; Appian encourages you to convert your authentication configuration to one of the three out-of-the-box authentication mechanisms listed below.

Appian Authentication

This is the standard Appian authentication mechanism that is configured out of the box. It is configured by default to use standard mobile authentication and allows for configuration of password policies.

For a complete list of features see Appian Authentication.

LDAP Authentication

Appian allows you to configure user authentication against an external directory server. This method does not require work with configuration files and is done through the Administration Console. It allows usage of the same corporate logon information but does not support Single Sign-On.

For a complete list of configuration options, see LDAP Authentication.

SAML Authentication

SAML is a set of standards that govern communication between a service provider (in this case Appian), a client, and an identity provider. The standards allow for secure exchange of authentication information over multiple domains and environments.

Appian allows you to configure user authentication against a SAML identity provider server. This method does not require work with configuration files and is done through the Administration Console.

When SAML authentication is enabled, unauthenticated users without a web address identifier in their URL will be redirected based on the default sign-in page.

Users who authenticate via SAML authentication cannot use Appian's Remember Me authentication and must rely on the SAML identity provider to manage when they need to re-authenticate.

Support for mobile authentication depends on the identity provider. Some mechanisms for authenticating with an identity provider (e.g., Kerberos) do not support mobile Web sign-in.

For a complete list of configuration options, see SAML Authentication.

For instructions on configuring SAML through the Appian Administration Console, refer to KB-1073.

Troubleshooting

The following troubleshooting methods are useful when researching common problems with authentication. Otherwise, contact Appian Support if you need assistance configuring or troubleshooting external authentication.

Analyze Network Traffic

Network traffic analyzers can help diagnose problems in the communication between the user's browser and the server. Use your browser's built-in network capture tools for high-level information. If those are insufficient, tools such as Firebug, Wireshark, and Fiddler provide very detailed network traffic data.
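Browser network tabs and Fiddler can export a capture as a HAR file, and reducing that file to the request chain is usually the quickest way to see where a login attempt stalls. The script below is an added example, not Appian tooling: the sample capture is constructed, and the hostnames appian.example and idp.example and their paths are placeholders rather than real Appian endpoints.

```python
"""Summarise a HAR capture of a login attempt as a request chain.

Added example, not Appian tooling. The HAR structure (log.entries[].request /
response) is the standard one browsers and Fiddler export; the sample capture
is constructed and its hosts and paths are placeholders.
"""
import json
from urllib.parse import urlsplit

# Constructed sample: start page redirects to an identity provider, the browser
# posts back, receives a session cookie, and lands on the home page.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"method": "GET", "url": "https://appian.example/"},
     "response": {"status": 302, "headers": [
         {"name": "Location", "value": "https://idp.example/sso?request=PLACEHOLDER"}]}},
    {"request": {"method": "GET", "url": "https://idp.example/sso?request=PLACEHOLDER"},
     "response": {"status": 200, "headers": [
         {"name": "Content-Type", "value": "text/html"}]}},
    {"request": {"method": "POST", "url": "https://appian.example/callback"},
     "response": {"status": 302, "headers": [
         {"name": "Set-Cookie", "value": "SESSION=REDACTED; Secure; HttpOnly"},
         {"name": "Location", "value": "https://appian.example/home"}]}},
    {"request": {"method": "GET", "url": "https://appian.example/home"},
     "response": {"status": 200, "headers": []}},
]}})

REDIRECT_STATUSES = (301, 302, 303, 307, 308)


def summarise(har_text):
    """One row per entry: method, host, path, status, Location and cookie flag."""
    rows = []
    for entry in json.loads(har_text)["log"]["entries"]:
        req, resp = entry["request"], entry["response"]
        headers = {h["name"].lower(): h["value"] for h in resp.get("headers", [])}
        parts = urlsplit(req["url"])
        rows.append({
            "method": req["method"],
            "url": req["url"],
            "host": parts.netloc,
            "path": parts.path,
            "status": resp["status"],
            "location": headers.get("location"),
            "sets_cookie": "set-cookie" in headers,
        })
    return rows


def hosts_visited(rows):
    """Distinct hosts in order of first appearance: shows whether the browser
    left the Appian host for an identity provider and came back."""
    seen = []
    for row in rows:
        if row["host"] not in seen:
            seen.append(row["host"])
    return seen


def login_loop(rows):
    """True when the capture ends with a redirect back to its first URL, the
    usual sign that no session was ever established."""
    last = rows[-1]
    return (len(rows) > 1 and last["status"] in REDIRECT_STATUSES
            and last["location"] == rows[0]["url"])


if __name__ == "__main__":
    for row in summarise(SAMPLE_HAR):
        print(row["method"], row["host"], row["path"], row["status"],
              row["location"] or "-", "cookie" if row["sets_cookie"] else "-")
```

Reading the summary top to bottom answers the questions that matter most in practice: did the browser reach the identity provider and return, did the server ever set a session cookie, and does the chain end in a redirect loop back to the start.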