Auto-Provisioning a User With SAML When An Authentication Group Is Specified in SAML IdP

I'm setting up Appian SSO for our organization and ideally don't want my team in the business of setting up users in Appian as we onboard more and more development teams and application users.

We are going to use group membership synchronization by hooking it into our own internal security group configuration, and ideally I'd like to create also use "Create new users upon sign in" upon initial access of Appian by our employees. 

The problem that I see is that in our IdP I am also providing an Authentication Group for "SSO Users" so our platform team can access Appian with backdoor Admin Ids if possible, and those IDs will use Appian's OOTB authentication mechanism rather than the IdP.

A first-time Appian user would obviously not be 1. A member of this "SSO Users" group, and 2. Not even present as a user in Appian, so how can I take advantage of "Create new users upon sign in" functionality if I'm using an authentication group?  How do I avoid my team having to manually configure each use and adding them to the "SSO Users" group?

  Discussion posts and replies are publicly visible

Parents
  • This is the way which we used the SAML authentication. we used both the ways 1. Create use upon sign in 2. Update members upon sign in.

    In our organisation for one of the client we use their AD profile directory using ADFS and getting the Job Title and Department of the user. So it works like this

    When User doesn't have an account in Appian and using create user upon sign in: All the users who doesn't have an account will be provided the SAML url. Once you click on the link the users will be added into the SAML Authentication users group ( this is the default group which we are using in our organisation) by creating a membership rule that whose user ID's email is having @organisation.com will be into this group. So now the users will be provided an account with username attribute. Also along with that we have create the membership rules to individual groups which consists their Job title and department as the rules.

    When User has an account in Appian and using Update User upon sign in: All the users who has access to the Appian platform, first update the membership  rules for the SAML authentication users with the rule.then automatically the users will have access to SAML Url. Once the user logs in the attributes are updated and then automatically moved to respective groups becos of the membership rules.

    Hope this helps !!!

  • I'm not sure if I'm entirely following what your solution is, but let me say a few things.

    If we have a nightly LDAP synch, we could certainly populate the email address for any new users created as "[newUser]@myorganization.com".

    For our "SSO Users" group, we could have a Membership Rule that adds any users that contain "@myorganization.com" in their email address, so any users provisioned in the nightly batch will automatically be added to the authentication group we are using in our SAML IdP.  Let's say the next morning, a user that was added to the nightly batch the prior evening attempted to access Appian, they would be a member of the "SSO Users" authentication group and would be authenticated via SAML.

    Any Appian group synch will happen normally via SAML, as we will have AD wrapper groups that map to actual AD groups, and the SAML auth token will contain the AD groups we care about.  Any Appian-related AD groups this user belongs to will be propagated in Appian upon their initial login as well.

    Does this sound correct to you?

Reply
  • I'm not sure if I'm entirely following what your solution is, but let me say a few things.

    If we have a nightly LDAP synch, we could certainly populate the email address for any new users created as "[newUser]@myorganization.com".

    For our "SSO Users" group, we could have a Membership Rule that adds any users that contain "@myorganization.com" in their email address, so any users provisioned in the nightly batch will automatically be added to the authentication group we are using in our SAML IdP.  Let's say the next morning, a user that was added to the nightly batch the prior evening attempted to access Appian, they would be a member of the "SSO Users" authentication group and would be authenticated via SAML.

    Any Appian group synch will happen normally via SAML, as we will have AD wrapper groups that map to actual AD groups, and the SAML auth token will contain the AD groups we care about.  Any Appian-related AD groups this user belongs to will be propagated in Appian upon their initial login as well.

    Does this sound correct to you?

Children