SAML Single Sign On with ADFS, mobile app auth doesn't work

Hi All,

We have configured SAML with ADFS.

Single Sign On works fine on PC, but authentication through the mobile app is not possible.

If we try to connect to the server, we see only a blank page in the mobile app.

Any suggestions?

 

Thanks 

Elia 

  • Appian Employee
    in reply to joanneh
    The configuration in the picture is actually the reverse of what you want. "Use Identity Provider's login page" should be checked.

    When you tell Appian to use the IdP login page, that's actually "SP-initiated login". Appian is the Service Provider in this case, and when you go to your Appian site, Appian initiates the authentication process by redirecting you to your IdP's login page.

    If the box is unchecked, the process would be IdP-initiated. Your ADFS users would first go through ADFS to get authenticated. When they then go to your Appian site, they're signed in automatically using their existing ADFS session and don't see a login page. A user that had not already been authenticated would see Appian's native login page.

    So, if the box is checked, when the mobile app is opened, Appian will show your Identity Provider's login page (in this case, ADFS), and your ADFS users will be able to enter their credentials and log in.
  • Hi Eliot,
    We have this confusion with SAML Authentication as well. So just to make sure we get this right:

    1) The diagram in Appian documentation is showing SP-initiated login process as stated.
    a) User enters the Appian URL in the browser; if not authenticated, it will redirect the user to the IdP login page to authenticate.
    b) Non-SAML authenticated users can only sign in via Appian's native authentication login page (../portal/login.jsp).

    2) SP-initiated login means that the "Use Identity Provider’s login page" checkbox is checked.

    3) If the checkbox is unchecked, it is IdP-initiated login. And if the "Web Address Identifier" is blank, by default Appian will redirect users to the Appian login page (although it is IdP-initiated login). I assumed there must be additional configuration required on the IdP side, since we were never able to get this to work (regardless of SSO or entering the username & password). It is okay because the mobile app doesn't support IdP-initiated login and we need every user to be able to use the mobile app, so it is out of context.

    4) The mobile app requires an IdP login page to work properly. Without a physical login page (like the browser credential pop-up), the mobile app will not work.

    Did I understand the SAML Authentication concept above correctly?
  • 5) SAML Authenticated Users are not able to sign in using Appian native login page.
  • Yes, it sounds like you have the correct understanding.
  • Dear Will Teoh,

    Thanks for sharing, indeed point 4 is very critical to my case!!!

    Would you please show me how I should set it up to make the "IdP login page to work properly" on mobile?

    Because in my case, the "like the browser credential pop-up" works fine on the PC browser but I can't find it on mobile.
  • Hi joanneh, I believe you will need to check this with your IdP administrator. I have no idea either, since our company has this credential pop-up that works fine on the browser (and also the Android app) but is having a problem with iOS. On the iOS app, it only shows a blank page.
  • This is how I set up my SAML Authentication now:

    But this is what I get:

    (You may ignore the red line; it is just indicating that the authentication is not protected, as http is used instead of https.)

  • Yes. It looks like iOS. I can't get iOS to work. As I said, I need to speak to our ADFS administrators to see if we can get them to create a custom login page for us, since the browser popup credential box will not work on iOS.
  • Indeed, I can't even get it right on Android.

     

     

    May I ask:

    1) Do you have any clues about why even Android fails in connection?

    2) How could we customize the pop-up screen (e.g. use JavaScript or any other way)?

  • Hi Joanneh, from your screenshot, you don't seem to be on version 17.x. Are you on 16.x?

    I was just told that Appian only started to support "pop-up based authentication" from 17.1 and above, and you should be able to see an additional "Identity Provider uses NTLM Authentication" checkbox in the SAML authentication page in the Appian Administrator Console.

    After checking the checkbox, I am able to get my iOS app to work now.

     

    Hope this helps.