Auto-Provisioning a User With SAML When An Authentication Group Is Specified in SAML IdP

I'm setting up Appian SSO for our organization and ideally don't want my team in the business of setting up users in Appian as we onboard more and more development teams and application users.

We are going to use group membership synchronization by hooking it into our own internal security group configuration, and ideally I'd also like to use "Create new users upon sign in" upon initial access of Appian by our employees.

The problem that I see is that in our IdP I am also providing an Authentication Group for "SSO Users" so our platform team can access Appian with backdoor Admin IDs if possible, and those IDs will use Appian's OOTB authentication mechanism rather than the IdP.

A first-time Appian user would obviously not be 1. a member of this "SSO Users" group, and 2. even present as a user in Appian, so how can I take advantage of the "Create new users upon sign in" functionality if I'm using an authentication group? How do I avoid my team having to manually configure each user and add them to the "SSO Users" group?

  • This is the way in which we used SAML authentication. We used both options: 1. Create user upon sign in, 2. Update members upon sign in.

    In our organisation, for one of our clients, we use their AD profile directory via ADFS and get the Job Title and Department of the user. So it works like this:

    When the user doesn't have an account in Appian and "Create user upon sign in" is used: all the users who don't have an account will be provided the SAML URL. Once they click the link, the users will be added to the SAML Authentication Users group (this is the default group we use in our organisation) by a membership rule that puts any user whose email has @organisation.com into this group. So the users are then provided an account with the username attribute. Along with that, we have created membership rules for individual groups that use their Job Title and Department as the rules.

    When the user has an account in Appian and "Update user upon sign in" is used: for all the users who already have access to the Appian platform, first update the membership rules for the SAML Authentication Users group with the rule; then the users will automatically have access to the SAML URL. Once the user logs in, the attributes are updated and the user is automatically moved to the respective groups because of the membership rules.

    Hope this helps !!!

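The flow described in the reply above, as an added illustrative example (this is not Appian's code and not the replier's configuration): an IdP assertion carries e-mail, job title and department; a membership rule on the e-mail domain decides who is eligible for the SAML authentication group, so a first-time user passes the gate on the asserted attributes rather than on a pre-existing account; the account is created on first sign-in and attribute rules place the user in job-title/department groups on every sign-in. Attribute names, group names and the sample assertion are constructed assumptions; the assertion is taken to have already passed signature and audience validation, which must happen before any provisioning logic runs.

```python
"""Added example, not Appian's code: simulate just-in-time SAML provisioning
gated by a membership rule on the asserted e-mail domain."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample AttributeStatement (attribute names are assumptions).
# It is assumed to come from an assertion whose signature the SP has verified.
SAMPLE_ASSERTION = """<saml:AttributeStatement
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="username"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="email"><saml:AttributeValue>jdoe@organisation.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="jobTitle"><saml:AttributeValue>Developer</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="department"><saml:AttributeValue>Finance</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>"""


def parse_attributes(xml_text):
    """Return {attribute name: first value} from an AttributeStatement."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        value = attr.find("saml:AttributeValue", SAML_NS)
        attrs[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    return attrs


def email_domain_rule(domain):
    """Membership rule: the asserted e-mail must belong to `domain`.
    Compare the domain part exactly; a substring test such as
    '"@organisation.com" in email' would also accept
    x@organisation.com.attacker.net."""
    domain = domain.lower()

    def rule(attrs):
        local, sep, email_domain = attrs.get("email", "").rpartition("@")
        return bool(sep) and bool(local) and email_domain.lower() == domain
    return rule


def attribute_rule(name, expected):
    """Membership rule: asserted attribute `name` equals `expected`."""
    return lambda attrs: attrs.get(name, "").lower() == expected.lower()


# Group name -> membership rule (hypothetical group names).  The authentication
# group is the gate SAML sign-in requires; the others mirror the reply's
# job-title / department groups.
AUTH_GROUP = "SAML Authentication Users"
MEMBERSHIP_RULES = {
    AUTH_GROUP: email_domain_rule("organisation.com"),
    "Developers": attribute_rule("jobTitle", "Developer"),
    "Finance Department": attribute_rule("department", "Finance"),
}


class Directory:
    """Stand-in user store with the two sign-in options from the reply."""

    def __init__(self, create_new_users=True, update_on_sign_in=True):
        self.create_new_users = create_new_users
        self.update_on_sign_in = update_on_sign_in
        self.users = {}  # username -> stored attributes

    def memberships(self, attrs):
        return {g for g, rule in MEMBERSHIP_RULES.items() if rule(attrs)}

    def sign_in(self, assertion_xml):
        """Return (status, detail, groups) for one SAML sign-in."""
        attrs = parse_attributes(assertion_xml)
        username = attrs.get("username")
        if not username:
            return ("rejected", "no username attribute", set())
        # Gate on the *asserted* attributes: a first-time user has no stored
        # record yet, so the rule must be evaluated on what the IdP sent.
        if AUTH_GROUP not in self.memberships(attrs):
            return ("rejected", "not eligible for SAML sign-in", set())
        if username not in self.users:
            if not self.create_new_users:
                return ("rejected", "unknown user and auto-create disabled", set())
            self.users[username] = dict(attrs)
            return ("created", username, self.memberships(attrs))
        if self.update_on_sign_in:
            self.users[username].update(attrs)
        # Group placement is recomputed from the stored attributes on every
        # sign-in, so a changed department moves the user automatically.
        return ("updated" if self.update_on_sign_in else "signed_in",
                username, self.memberships(self.users[username]))


if __name__ == "__main__":
    d = Directory()
    print(d.sign_in(SAMPLE_ASSERTION))
    print(d.sign_in(SAMPLE_ASSERTION))
```

The order matters: the eligibility rule runs on the assertion before the account lookup, which is what lets "create new users upon sign in" coexist with an authentication group. The rule only protects you if the e-mail attribute is something the IdP, not the user, controls, and if the SP has already verified the assertion signature and audience.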