Auto-Provisioning a User With SAML When An Authentication Group Is Specified in SAML IdP

I'm setting up Appian SSO for our organization and ideally don't want my team in the business of setting up users in Appian as we onboard more and more development teams and application users.

We are going to use group membership synchronization by hooking it into our own internal security group configuration, and ideally I'd like to create also use "Create new users upon sign in" upon initial access of Appian by our employees. 

The problem that I see is that in our IdP I am also providing an Authentication Group for "SSO Users" so our platform team can access Appian with backdoor Admin Ids if possible, and those IDs will use Appian's OOTB authentication mechanism rather than the IdP.

A first-time Appian user would obviously not be 1. A member of this "SSO Users" group, and 2. Not even present as a user in Appian, so how can I take advantage of "Create new users upon sign in" functionality if I'm using an authentication group?  How do I avoid my team having to manually configure each use and adding them to the "SSO Users" group?

  Discussion posts and replies are publicly visible

Parents
  • 0
    Certified Lead Developer

    Is there a reason you wouldn't create user accounts based on your group membership synchronization? If you are creating new users upon initial login are you assigning them to groups to be able to utilize functionality in the system?

    You should be able to use the group membership rules to add all "SSO Users", but exclude the platform team users. If you are already adding new users to some application specific groups during initial account creation it would be pretty similar.

    https://docs.appian.com/suite/help/19.4/Group_Management.html#view-or-modify-group-membership-rules

  • Let me give you some more details.  I'm still in the proof-of-concept stage, so please bear with me. My team has all of the Appian admins, and is responsible for the platform.

    Let's say a development team at my organization comes to our team and says "we want to build application ABC on Appian".  We would create the basic shell of the application "ABC" - some basic folders, and an "ABC Admins" and "ABC Developers" group.  We would manually add the ABC Admin and their development team initially. These ABC groups would have admin/edit rights on that application only, and maybe some read-only rights on some common applications that all app developers would potentially use.

    Admin/Development team ABC would be responsible for provisioning Active Directory (AD) groups that would any include "Business" end-user roles ABC would need.  This team would be responsible creating the Business groups within their ABC application and then linking Appian groups to the externally-defined AD groups. 

    For the ABC application's end users,upon authentication, any ABC AD roles for that user would have the Group User Synch add them to the Appian ABC groups.  No users are going to be manually added to groups -- it's all a result of their being added to AD groups in a provisioning system outside of Appian.

    The problem arises if these users don't already exist in Appian.  I have no plan to add hundreds of our employees to Appian -- they should only be present if they are going to use an Appian application. If I have 50 "Business" end-users for ABC and they have never used Appian at my organization, I don't want to have to add those users manually.  I'm not sure how to do this if I want to use an authentication group in my IdP.

    If you are saying, use Membership Rules to add to "SSO Users" any member of "ABC End User Role", that's not going to work, because my users won't get synched to that group membership until they use the SSO SAML IdP, and they won't use the SAML IdP until they are in "SSO Users".

    If I've completely missed your point, please let me know, and thanks for replying to my original question! :)

  • +1
    Certified Lead Developer
    in reply to michaelr0003

    That context is helpful. If I am understanding your scenario correctly, I wouldn't use the Create User Upon Login functionality.

    Since you are utilizing the platform for multiple applications, your business users need permissions before they log into the system. It also wouldn't make sense to create user accounts in Appian for business users who won't use any applications, but may find/get the URL and login with network credentials. Since you are managing app specific groups in AD, you already know what business users should have access to the apps as well who should have accounts in Appian. 

    I would suggest utilizing the LDAP Sync functionality to create new user accounts. When you pull over group configurations you can determine if any user does not have an existing Appian account and create the account prior to making their group configurations. Conversely you can deactivate user accounts that are no longer in AD groups and should be removed from Appian. This should keep your app specific groups and user accounts in sync between AD and Appian.

    For Example:

    1. AD admin/IT helpdesk adds NewUser1 to ABC roles

    2. An Appian process is run to complete a LDAP Sync for all applications at the platform level (i.e. sync LDAP groups for apps ABC, DEF, etc). For users that already exist in Appian their group roles may change based on any modifications on the AD side. For users that do no exist in Appian, the sync will create their account and add them to the appropriate groups.

    3. NewUser1 can login after a sync has been completed. They will be able to authenticate via SSO and will have application groups in place based on their AD assignments (e.g. access to the ABC app, but not the DEF app).

Reply
  • +1
    Certified Lead Developer
    in reply to michaelr0003

    That context is helpful. If I am understanding your scenario correctly, I wouldn't use the Create User Upon Login functionality.

    Since you are utilizing the platform for multiple applications, your business users need permissions before they log into the system. It also wouldn't make sense to create user accounts in Appian for business users who won't use any applications, but may find/get the URL and login with network credentials. Since you are managing app specific groups in AD, you already know what business users should have access to the apps as well who should have accounts in Appian. 

    I would suggest utilizing the LDAP Sync functionality to create new user accounts. When you pull over group configurations you can determine if any user does not have an existing Appian account and create the account prior to making their group configurations. Conversely you can deactivate user accounts that are no longer in AD groups and should be removed from Appian. This should keep your app specific groups and user accounts in sync between AD and Appian.

    For Example:

    1. AD admin/IT helpdesk adds NewUser1 to ABC roles

    2. An Appian process is run to complete a LDAP Sync for all applications at the platform level (i.e. sync LDAP groups for apps ABC, DEF, etc). For users that already exist in Appian their group roles may change based on any modifications on the AD side. For users that do no exist in Appian, the sync will create their account and add them to the appropriate groups.

    3. NewUser1 can login after a sync has been completed. They will be able to authenticate via SSO and will have application groups in place based on their AD assignments (e.g. access to the ABC app, but not the DEF app).

Children
  • This seems like the best likeliest solution for us.  So, the nightly batch synch would create users not already in Appian.  

    As far as the "SSO Users" overarching authentication group for the SAML IdP, I'm wondering if I just make the "SSO Users" group the parent group of all the individual groups that are added via the nightly batch process. I think that would suit my needs.

    Thank you so much for your help!!!