Auto-Provisioning a User With SAML When An Authentication Group Is Specified in SAML IdP

I'm setting up Appian SSO for our organization and ideally don't want my team in the business of setting up users in Appian as we onboard more and more development teams and application users.

We are going to use group membership synchronization by hooking it into our own internal security group configuration, and ideally I'd also like to use "Create new users upon sign in" upon initial access of Appian by our employees.

The problem that I see is that in our IdP I am also providing an Authentication Group for "SSO Users" so our platform team can access Appian with backdoor Admin IDs if possible, and those IDs will use Appian's OOTB authentication mechanism rather than the IdP.

A first-time Appian user would obviously 1. not be a member of this "SSO Users" group, and 2. not even be present as a user in Appian, so how can I take advantage of the "Create new users upon sign in" functionality if I'm using an authentication group?  How do I avoid my team having to manually configure each user and add them to the "SSO Users" group?


  • 0
    Certified Lead Developer

    Is there a reason you wouldn't create user accounts based on your group membership synchronization? If you are creating new users upon initial login, are you assigning them to groups to be able to utilize functionality in the system?

    You should be able to use the group membership rules to add all "SSO Users", but exclude the platform team users. If you are already adding new users to some application specific groups during initial account creation it would be pretty similar.

    https://docs.appian.com/suite/help/19.4/Group_Management.html#view-or-modify-group-membership-rules

  • Let me give you some more details.  I'm still in the proof-of-concept stage, so please bear with me. My team has all of the Appian admins, and is responsible for the platform.

    Let's say a development team at my organization comes to our team and says "we want to build application ABC on Appian".  We would create the basic shell of the application "ABC" - some basic folders, and an "ABC Admins" and "ABC Developers" group.  We would manually add the ABC Admin and their development team initially. These ABC groups would have admin/edit rights on that application only, and maybe some read-only rights on some common applications that all app developers would potentially use.

    Admin/Development team ABC would be responsible for provisioning Active Directory (AD) groups that would include any "Business" end-user roles ABC would need.  This team would be responsible for creating the Business groups within their ABC application and then linking Appian groups to the externally-defined AD groups.

    For the ABC application's end users, upon authentication, any ABC AD roles for that user would have the Group User Synch add them to the Appian ABC groups.  No users are going to be manually added to groups -- it's all a result of their being added to AD groups in a provisioning system outside of Appian.

    The problem arises if these users don't already exist in Appian.  I have no plan to add hundreds of our employees to Appian -- they should only be present if they are going to use an Appian application. If I have 50 "Business" end-users for ABC and they have never used Appian at my organization, I don't want to have to add those users manually.  I'm not sure how to do this if I want to use an authentication group in my IdP.

    If you are saying, use Membership Rules to add to "SSO Users" any member of "ABC End User Role", that's not going to work, because my users won't get synched to that group membership until they use the SSO SAML IdP, and they won't use the SAML IdP until they are in "SSO Users".

    If I've completely missed your point, please let me know, and thanks for replying to my original question! :)

  • +1
    Certified Lead Developer
    in reply to michaelr0003

    That context is helpful. If I am understanding your scenario correctly, I wouldn't use the Create User Upon Login functionality.

    Since you are utilizing the platform for multiple applications, your business users need permissions before they log into the system. It also wouldn't make sense to create user accounts in Appian for business users who won't use any applications, but may find/get the URL and log in with network credentials. Since you are managing app specific groups in AD, you already know which business users should have access to the apps as well as who should have accounts in Appian.

    I would suggest utilizing the LDAP Sync functionality to create new user accounts. When you pull over group configurations you can determine if any user does not have an existing Appian account and create the account prior to making their group configurations. Conversely you can deactivate user accounts that are no longer in AD groups and should be removed from Appian. This should keep your app specific groups and user accounts in sync between AD and Appian.

    For Example:

    1. AD admin/IT helpdesk adds NewUser1 to ABC roles

    2. An Appian process is run to complete an LDAP Sync for all applications at the platform level (i.e. sync LDAP groups for apps ABC, DEF, etc). For users that already exist in Appian their group roles may change based on any modifications on the AD side. For users that do not exist in Appian, the sync will create their account and add them to the appropriate groups.

    3. NewUser1 can log in after a sync has been completed. They will be able to authenticate via SSO and will have application groups in place based on their AD assignments (e.g. access to the ABC app, but not the DEF app).

  • This is the way in which we used SAML authentication. We used both ways: 1. Create user upon sign in, 2. Update members upon sign in.

    In our organisation, for one of the clients we use their AD profile directory via ADFS and get the Job Title and Department of the user. So it works like this:

    When the user doesn't have an account in Appian and we are using "Create user upon sign in": all the users who don't have an account are provided the SAML URL. Once they click on the link, the users are added into the SAML Authentication Users group (this is the default group which we are using in our organisation) by a membership rule that puts any user whose email has @organisation.com into this group. So now the users are provided an account with the username attribute. Along with that, we have created membership rules for the individual groups which use their Job Title and Department as the rules.

    When the user has an account in Appian and we are using "Update user upon sign in": for all the users who have access to the Appian platform, first update the membership rules for the SAML Authentication Users group with the rule; then the users automatically have access to the SAML URL. Once the user logs in, the attributes are updated and the user is automatically moved to the respective groups because of the membership rules.

    Hope this helps!!!

  • This seems like the best and likeliest solution for us.  So, the nightly batch synch would create users not already in Appian.

    As far as the "SSO Users" overarching authentication group for the SAML IdP, I'm wondering if I just make the "SSO Users" group the parent group of all the individual groups that are added via the nightly batch process. I think that would suit my needs.

    Thank you so much for your help!!!

  • I'm not sure if I'm entirely following what your solution is, but let me say a few things.

    If we have a nightly LDAP synch, we could certainly populate the email address for any new users created as "[newUser]@myorganization.com".

    For our "SSO Users" group, we could have a Membership Rule that adds any users whose email address contains "@myorganization.com", so any users provisioned in the nightly batch will automatically be added to the authentication group we are using in our SAML IdP.  Let's say that the next morning a user who was added in the nightly batch the prior evening attempted to access Appian; they would be a member of the "SSO Users" authentication group and would be authenticated via SAML.

    Any Appian group synch will happen normally via SAML, as we will have AD wrapper groups that map to actual AD groups, and the SAML auth token will contain the AD groups we care about.  Any Appian-related AD groups this user belongs to will be propagated in Appian upon their initial login as well.

    Does this sound correct to you?
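    The nightly LDAP sync described in the three numbered steps above, combined with the "@myorganization.com" membership rule for the "SSO Users" authentication group proposed in this reply, modelled as an added example (not Appian's own API or anyone's posted code). The group names, usernames, e-mail domains and the local-admin exclusion are constructed assumptions; the point it shows is that a user created by the sync already satisfies the authentication-group rule before their first SAML login, while accounts that only hold unmanaged groups (the platform team's local admin IDs) are never created, moved or deactivated by the sync.

```python
from dataclasses import dataclass, field

SSO_DOMAIN = "@myorganization.com"  # domain in the "SSO Users" membership rule

@dataclass
class AppianUser:
    username: str
    email: str
    active: bool = True
    groups: set = field(default_factory=set)

def in_sso_users(user):
    """Membership rule for the "SSO Users" authentication group: an active
    account with an organisation e-mail (local admin IDs use another domain)."""
    return user.active and user.email.endswith(SSO_DOMAIN)

def ldap_sync(appian, ad_groups, managed):
    """Model of the nightly reconciliation (assumed logic, not Appian's API).
    appian: username -> AppianUser, updated in place; ad_groups: AD group ->
    usernames; managed: Appian groups owned by the sync. Returns audit tuples."""
    actions, wanted = [], {}
    for group, members in ad_groups.items():
        for u in members:
            wanted.setdefault(u, set()).add(group)
    for u in wanted:                      # create accounts before group changes
        if u not in appian:
            appian[u] = AppianUser(u, u + SSO_DOMAIN)
            actions.append(("create", u))
    for u, user in appian.items():
        target = wanted.get(u, set())
        # Deactivate sync-managed accounts that left every AD group; accounts
        # holding unmanaged groups (e.g. local admins) are never touched.
        if user.active and not target and user.groups and user.groups <= managed:
            user.active = False
            actions.append(("deactivate", u))
        for g in sorted(target - user.groups):
            user.groups.add(g)
            actions.append(("add", u, g))
        for g in sorted((user.groups & managed) - target):
            user.groups.discard(g)
            actions.append(("remove", u, g))
    return actions

# Constructed sample: an existing ABC user, a user dropped from AD, a local
# platform admin, and NewUser1 just added to the ABC role by the AD admin.
MANAGED = {"ABC Business Users", "DEF Business Users"}
SAMPLE_AD = {"ABC Business Users": {"existinguser", "newuser1"},
             "DEF Business Users": set()}

def sample_directory():
    mk = lambda u, dom, *gs: AppianUser(u, u + dom, groups=set(gs))
    return {"existinguser": mk("existinguser", SSO_DOMAIN, "ABC Business Users"),
            "olduser": mk("olduser", SSO_DOMAIN, "DEF Business Users"),
            "platadmin": mk("platadmin", "@platform.local", "Administrators")}
```

    Running `ldap_sync(sample_directory(), SAMPLE_AD, MANAGED)` creates newuser1 (already passing `in_sso_users`), deactivates olduser, and leaves platadmin untouched; a second run is a no-op.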

  • Well, upon further reflection, I guess we wouldn't need to do the group synch upon login option either, seeing as the LDAP synch would have taken care of that for us as well.