We are trying to configure Google SAML as our Appian authentication provider. However, Google does not provide the private key of the certificate (It only provides the public key). Also it does not let us to upload our own Certificate public and private key. On the other hand, Appian only accepts certificates that have both private and public keys.
As a result we are stock. I was wondering if anyone in community has setup Google SAML as their authentication service.
Discussion posts and replies are publicly visible
Are you using a single sign-on (SSO)?
Thanks for the response.
Yes, we are trying to setup single sign-on using G-Suite SAML service.
Hey michelg - the SAML authentication certificate needs to be generated by you, it is not Google's IdP certificate. Google documents using OpenSSL here. We also have a Knowledge Base article KB-1108 that outlines options. From Google itself, you will only need the IdP metadata which needs to be uploaded into Appian. You will have to upload your SP metadata into Google. For more information, see the documentation.
Hello Jussi Lundstedt
The issue is that Google only provides the public key and does not provide any functionality to upload SP metadata, so when the authentication is completed, Appian can not verify that the response is actually signed by google. On the other hand, when I try to add Google's public key to Appian, it rejects it obviously because Appian expects private key as well. Unfortunately, you answer and the documentation that you provided covers the general approach not the situation that I am experiencing.
We are trying to use g suite as iDP, which we can get google's iDP metadata with google's public key inside.
Then appian SAML side asked for public/private key pair and it is required field, it is used to sign the saml request. But there is no place in G Suite to accept this public key we generated when we tried to configure Appian as a SP inside G Suite interface.
Looks like G Suite assumed SAML request is not signed by SP, SAML response can be signed using iDP key ( there is a checkbox for it)
But appian side want both signed saml request and signed saml response.
Per SAML 2.0 specification , the SAML request signing is optional.
We want to know anyone successfully configured SAML with G Suite before ?
Why does Appian need a cert with the private key as a mandatory requirement? If the cert is only used by Appian for SAML assertion then it should accept cert signed by SSO provider without the private key.
Ankur V Appian uses the private key to decrypt the SAML response from IDP to assert the user is valid.
The certificate uploaded into Appian is used for signing SAML requests from Appian that are sent to the IdP. It represents to the IdP that the request genuinely came from Appian and not some other party. Without a private key known to Appian, this cannot be done. That being said, it is true that SAML requests do not technically have to be signed according to the specification, Appian requires this for an added layer of security.The IdP's public key is contained in the IdP metadata that is uploaded into the Admin Console separately from the certificate.
Thanks, is there any document that we can refer to for this explanation? The SAML document does not specify this.
Hi Jussi, I've the same issue AWS SSO as authentication provider. AWS does not allow / provide the option to import / upload SAML signing certificate that we generated for Appian. Is there any workaround available to resolve this? Thanks.
© 2021 Appian. All rights reserved.