We are trying to configure Google SAML as our Appian authentication provider. However, Google does not provide the private key of the certificate (it only provides the public key). Also, it does not let us upload our own certificate public and private key. On the other hand, Appian only accepts certificates that have both private and public keys.
As a result we are stuck. I was wondering if anyone in the community has set up Google SAML as their authentication service.
Hey michelg - the SAML authentication certificate needs to be generated by you, it is not Google's IdP certificate. Google documents using OpenSSL here. We also have a Knowledge Base article KB-1108 that outlines options. From Google itself, you will only need the IdP metadata which needs to be uploaded into Appian. You will have to upload your SP metadata into Google. For more information, see the documentation.
Why does Appian need a cert with the private key as a mandatory requirement? If the cert is only used by Appian for SAML assertion, then it should accept a cert signed by the SSO provider without the private key.
Ankur V, Appian uses the private key to decrypt the SAML response from the IdP to assert the user is valid.
The certificate uploaded into Appian is used for signing SAML requests from Appian that are sent to the IdP. It represents to the IdP that the request genuinely came from Appian and not some other party. Without a private key known to Appian, this cannot be done. That being said, it is true that SAML requests do not technically have to be signed according to the specification, but Appian requires this for an added layer of security. The IdP's public key is contained in the IdP metadata that is uploaded into the Admin Console separately from the certificate.
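The split described in the reply above, as an added example that is not from any poster in this thread or from Appian's or Google's documentation: the service provider generates its own key pair and self-signed certificate with OpenSSL, signs with the private key, and the receiving side verifies with the certificate alone. The subject name, file names, the single-PEM bundle layout and the sample request bytes are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example. All names and values are constructed (sp.example.test etc.).
set -eu
umask 077   # key material is created readable by the owner only

# Create the SP's private key and self-signed certificate, then bundle both
# in one PEM (assumed upload format; confirm against the vendor's KB).
make_sp_credential() {
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 365 \
        -subj "/CN=sp.example.test" \
        -keyout "$1/sp-key.pem" -out "$1/sp-cert.pem" 2>/dev/null
    cat "$1/sp-cert.pem" "$1/sp-key.pem" > "$1/sp-bundle.pem"
}

# Succeed only if the private key corresponds to the certificate's public key.
key_matches_cert() {
    from_cert=$(openssl x509 -in "$1/sp-cert.pem" -noout -pubkey)
    from_key=$(openssl pkey -in "$1/sp-key.pem" -pubout)
    [ "$from_cert" = "$from_key" ]
}

# SP side: signing needs the private key.
sign_request() {
    openssl dgst -sha256 -sign "$1/sp-key.pem" -out "$2.sig" "$2"
}

# IdP side: verification needs only the public key from the certificate.
verify_request() {
    openssl x509 -in "$1/sp-cert.pem" -noout -pubkey > "$1/sp-pub.pem"
    openssl dgst -sha256 -verify "$1/sp-pub.pem" \
        -signature "$2.sig" "$2" >/dev/null 2>&1
}

demo() {
    dir=$(mktemp -d)
    make_sp_credential "$dir"
    key_matches_cert "$dir" && echo "key matches certificate"
    # Constructed stand-in for the bytes of an outgoing SAML request.
    printf '%s' '<AuthnRequest ID="_constructed-1"/>' > "$dir/req.xml"
    sign_request "$dir" "$dir/req.xml"
    verify_request "$dir" "$dir/req.xml" && echo "signature verifies"
    printf 'tampered' >> "$dir/req.xml"
    verify_request "$dir" "$dir/req.xml" || echo "modified request rejected"
    rm -rf "$dir"
}
demo
```

Only `sp-cert.pem` (or SP metadata containing it) ever needs to leave the service provider; the private key stays where the signing happens.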
Thanks, is there any document that we can refer to for this explanation? The SAML document does not specify this.
Hi Jussi, I have the same issue with AWS SSO as the authentication provider. AWS does not allow / provide the option to import / upload the SAML signing certificate that we generated for Appian. Is there any workaround available to resolve this? Thanks.