SAML Single Sign-On with ADFS, mobile app auth doesn't work

Hi All,

We have configured SAML with ADFS.

Single Sign-On works fine from a PC, but authentication from the mobile app is not possible.

If we try to connect to the server, we see only a blank page in the mobile app.

Any suggestions?

Thanks 

Elia 

  • Are you using form-based authentication?

    Also, you should review docs.appian.com/.../Appian_for_Mobile_Devices.html if you haven't already.
  • I don't know if it is helpful, but if we try to connect to the Appian homepage via Safari or other mobile browsers,
    first we have to enter credentials, then we are redirected to the URL <server-name>/saml/AssertionConsumer.
    This page reports an "Object not found" message.

    The ADFS error log is:
    Microsoft.IdentityServer.RequestFailedException: MSIS7065: There are no registered protocol handlers on path /adfs/ls/ to process the incoming request.
    at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
  • What we discovered is that the mobile app doesn't support IdP-initiated SAML authentication,
    so we should use SP-initiated authentication.
    How can we do that?
    Should we modify the ADFS2 configuration? Which parameter?

    Which login page, Appian's or ADFS's?

    Thanks
  • Appian Employee (in reply to eliav):
    Depending on your ADFS settings, there may be additional configuration required on that end. But from an Appian perspective, all you need to do to switch from IdP-initiated to SP-initiated login is check the "Use Identity Provider's login page" checkbox in the Admin Console under Authentication -> SAML. You can find more information about configuring SAML in Appian here: docs.appian.com/.../SAML_for_Single_Sign-On.html.
  • Hi Eliot,

    I have the same question as Eliav, and I have tried the solution you suggested.
    But when I choose SP-initiated (by unchecking the "Use Identity Provider's login page" field), the ADFS-set users are unable to log in.

    Do you have any clues?
  • We solved it by using the authentication method "none".
    Now we see the ADFS authentication page on the mobile side.
    It's not so good because the user has to fill in the credential fields each time, but... better than nothing.
  • Dear eliav,

    Thank you for your reply. I have set the authentication method to "none", but it seems it is still not working.
  • Appian Employee (in reply to joanneh):
    The configuration in the picture is actually the reverse of what you want. "Use Identity Provider's login page" should be checked.

    When you tell Appian to use the IdP login page, that's actually "SP-initiated login". Appian is the Service Provider in this case, and when you go to your Appian site, Appian initiates the authentication process by redirecting you to your IdP's login page.

    If the box is unchecked, the process would be IdP-initiated. Your ADFS users would first go through ADFS to get authenticated. When they then go to your Appian site, they're signed in automatically using their existing ADFS session and don't see a login page. A user that had not already been authenticated would see Appian's native login page.

    So, if the box is checked, when the mobile app is opened, Appian will show your Identity Provider's login page (in this case, ADFS), and your ADFS users will be able to enter their credentials and log in.
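    As an added example (not code from this thread, from Appian or from Microsoft), here is the SP-initiated flow described above at the protocol level: the Service Provider mints an AuthnRequest and redirects the browser or app to the IdP, and its AssertionConsumer endpoint later accepts a Response only when InResponseTo matches a request it issued, while an unsolicited Response (the IdP-initiated case) is rejected unless explicitly allowed. All entity IDs and URLs below are made-up placeholders, and signature and audience validation are assumed to happen before this check.

```python
import base64
import secrets
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import urlencode, urlparse, parse_qs

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
# Hypothetical endpoints; real values come from your Appian and ADFS configuration.
SP_ENTITY_ID = "https://appian.example.com"
SP_ACS_URL = "https://appian.example.com/saml/AssertionConsumer"
IDP_SSO_URL = "https://adfs.example.com/adfs/ls/"


def build_authn_request(sp_entity_id=SP_ENTITY_ID, acs_url=SP_ACS_URL, idp_sso_url=IDP_SSO_URL):
    """SP-initiated step 1: the SP mints a request ID, keeps it as outstanding, and sends
    the client to the IdP with an AuthnRequest (HTTP-Redirect binding: raw DEFLATE + base64)."""
    request_id = "_" + secrets.token_hex(16)
    issued = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{request_id}" '
           f'Version="2.0" IssueInstant="{issued}" AssertionConsumerServiceURL="{acs_url}">'
           f'<saml:Issuer>{sp_entity_id}</saml:Issuer></samlp:AuthnRequest>')
    raw_deflate = zlib.compress(xml.encode())[2:-4]  # drop zlib header and adler32 trailer
    query = urlencode({"SAMLRequest": base64.b64encode(raw_deflate).decode()})
    return request_id, f"{idp_sso_url}?{query}"


def decode_redirect(url):
    """Inverse of the redirect binding, as the IdP sees it; returns the AuthnRequest ID."""
    encoded = parse_qs(urlparse(url).query)["SAMLRequest"][0]
    xml = zlib.decompress(base64.b64decode(encoded), -15).decode()
    return ET.fromstring(xml).get("ID")


def accept_response(response_xml, outstanding, allow_unsolicited=False):
    """ACS-side check. A Response answering one of our outstanding AuthnRequests
    (InResponseTo) is accepted exactly once; an unsolicited Response (no InResponseTo,
    i.e. IdP-initiated) is accepted only when the SP explicitly allows it."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        return False
    in_response_to = root.get("InResponseTo")
    if in_response_to is None:
        return allow_unsolicited
    return outstanding.pop(in_response_to, None) is not None  # one-time use blocks replay
```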
  • Hi Eliot,
    We have this confusion with SAML authentication as well. So, just to make sure we get this right:

    1) The diagram in the Appian documentation shows the SP-initiated login process as stated.
    a) The user enters the Appian URL in the browser; if not authenticated, it redirects the user to the IdP login page to authenticate.
    b) Non-SAML authenticated users can only sign in via Appian's native authentication login page (../portal/login.jsp).

    2) SP-initiated login means that the "Use Identity Provider’s login page" checkbox is checked.

    3) If the checkbox is unchecked, it is IdP-initiated login. And if the "Web Address Identifier" is blank, by default Appian will redirect users to the Appian login page (although it is IdP-initiated login). I assumed there must be additional configuration required on the IdP side, since we were never able to get this to work (regardless of SSO or entering the username & password). It is okay because the mobile app doesn't support IdP-initiated login and we need every user to be able to use the mobile app, so it is out of context.

    4) The mobile app requires an IdP login page to work properly. Without a physical login page (like the browser credential pop-up), the mobile app will not work.

    Did I understand the SAML authentication concept above correctly?