This page provides guidance on the authentication mechanisms that Appian supports. Read on to find out which mechanism best meets your organization's needs.
Note: External systems connected to Appian require Transport Layer Security (TLS) 1.2 or above. If you are trying to connect to an older system that only supports TLS 1.0 or 1.1, follow the steps in the Post-Install Configurations page.
Authentication is only a part of the larger identity management strategy you need to consider for your system. The authentication mechanism you pick determines how users access the Appian system from various devices, but it does not determine how users are created in the system or what authorizations they will have once authenticated. Although you may be using an external authentication provider, Appian requires that local user accounts are created in the personalization engine.
Due to the nature of centralized user management, certain system authentication features only apply to locally managed accounts.
The following table lists authentication features and whether they are enforced for locally authenticated or externally authenticated users. Locally authenticated user credentials are validated by Appian.
| Feature | Local Authentication | External Authentication |
|---|---|---|
| Deactivation of Inactive Users | Yes | Yes |
| Disabled Login for Deactivated Users | Yes | Yes |
| Password Complexity Requirements | Yes | No |
| Password Expiration | Yes | No |
| Password Expiration Warning | Yes | No |
| Account Locking (due to failed login attempts) | Yes | No |
| Temporary Passwords | Yes | No |
Note: If you configure external authentication, login failures in the external system are not logged as failed logins to Appian.
When external authentication is enabled, the password reset process must be handled by the external authentication mechanism. The password reset feature performs in the following manner when external authentication is enabled.
By default, a user must provide their username and password once every two weeks for each browser on which they access Appian. The user may opt out by clearing the Remember Me checkbox on the Appian login screen. System administrators can modify the authentication validity period and disable the capability site-wide through configuration.
Remember Me uses an authentication token to allow users to bypass the Appian login screen. The authentication token is a cookie that replaces the need to enter a username and password and is used only to create an authenticated browser session for a given user on a specific browser.
Remember Me and per-user third-party credentials are not available for Appian accounts that authenticate via SAML.
Clearing an authentication token does not have any impact on a current active browser session, and only takes effect the next time the user attempts to authenticate.
Remember Me's validity period is the time during which an authentication token is valid. This period is the duration of time for which the System administrator has configured Remember Me to work in the Admin Console. The validity period can be shortened or terminated by events such as password resets or explicit logouts, and can only be changed by a System administrator.
An active browser session refers to the browsing session a user has after they have authenticated and before the session timeout occurs. Sessions can be configured to last for a specific duration by a System administrator, and accounts for both active and idle portions of time. Session time is configurable in the Admin Console, and by default is 65 minutes.
Successful authentication via a Remember Me token is logged as a successful login. If a user attempts to access Appian using an expired authentication token, this is not logged as a failed login attempt; the user is redirected to the login page to provide their username and password.
Remember Me does not interfere with external authentication configuration supported by Appian. System administrators may want to consider configuring (or disabling) Remember Me to comply with your organization's authentication requirements.
Customers using external authentication integration with strict password expiration policies may want to disable Remember Me as users whose passwords have expired in the external identity management system are able to access Appian with a valid Remember Me authentication token until that token expires or is revoked.
The following authentication mechanisms are available with Appian.
| Method | Browser | Mobile | SSO | Effort |
|---|---|---|---|---|
| Appian Authentication | Form Login | Yes | No | ZERO |
| LDAP Authentication | Form Login | Yes | No | LOW |
| SAML Authentication | Provider specific | Yes | Yes | MEDIUM |
Appian can authenticate users via other authentication mechanisms (such as Kerberos, request header pre-authentication, central authentication service, or certificate-based authentication) by integrating with a SAML identity provider that uses those mechanisms to authenticate users.
Customers upgrading from a version of Appian prior to 7.11 should note that support for custom Spring Security configurations has been deprecated and Appian encourages you to convert your authentication configuration to one of the three out-of-the-box authentication mechanisms listed below.
This is the standard Appian authentication mechanism that is configured out of the box and allows for configuration of password policies.
For a complete list of configuration options, see Appian Authentication.
Appian allows you to configure user authentication against an external directory server. This method does not require work with configuration files and is done through the Admin Console. It allows usage of the same corporate logon information but does not support Single Sign-On.
For a complete list of configuration options, see LDAP Authentication.
SAML is a set of standards that govern communication between a service provider (in this case Appian), a client, and an identity provider. The standards allow for secure exchange of authentication information over multiple domains and environments.
Appian allows you to configure user authentication against a SAML identity provider server. This method does not require work with configuration files and is done through the Admin Console.
When SAML authentication is enabled, unauthenticated users without a web address identifier in their URL will be redirected based on the default sign-in page.
Users who authenticate via SAML authentication cannot use Appian's Remember Me authentication and must rely on the SAML identity provider to manage when they need to re-authenticate.
For a complete list of configuration options, see SAML Authentication.
For instructions on configuring SAML through the Admin Console, refer to the SAML for Single Sign-on.
The following troubleshooting methods are useful when researching common problems with authentication. Otherwise, contact Appian Support if you need assistance configuring or troubleshooting external authentication.
Network traffic analyzers can help diagnose problems related to communication between the user's browser and the server. Utilize your browser's built-in network capture tools for high level information. If insufficient, use other tools like WireShark and Fiddler to provide very detailed network traffic data.
