Auto-Provisioning a User With SAML When An Authentication Group Is Specified in SAML IdP

Question

I'm setting up Appian SSO for our organization and ideally don't want my team in the business of setting up users in Appian as we onboard more and more development teams and application users. 
 We are going to use group membership synchronization by hooking it into our own internal security group configuration, and ideally I'd like to create also use " Create new users upon sign in" upon initial access of Appian by our employees. 
 The problem that I see is that in our IdP I am also providing an Authentication Group for "SSO Users" so our platform team can access Appian with backdoor Admin Ids if possible, and those IDs will use Appian's OOTB authentication mechanism rather than the IdP. 
 
 A first-time Appian user would obviously not be 1. A member of this "SSO Users" group, and 2. Not even present as a user in Appian, so how can I take advantage of " Create new users upon sign in" functionality if I'm using an authentication group? How do I avoid my team having to manually configure each use and adding them to the "SSO Users" group?

ericg329 · Accepted Answer

That context is helpful. If I am understanding your scenario correctly, I wouldn't use the Create User Upon Login functionality. 
 Since you are utilizing the platform for multiple applications, your business users need permissions before they log into the system. It also wouldn't make sense to create user accounts in Appian for business users who won't use any applications, but may find/get the URL and login with network credentials. Since you are managing app specific groups in AD, you already know what business users should have access to the apps as well who should have accounts in Appian. 
 I would suggest utilizing the LDAP Sync functionality to create new user accounts. When you pull over group configurations you can determine if any user does not have an existing Appian account and create the account prior to making their group configurations. Conversely you can deactivate user accounts that are no longer in AD groups and should be removed from Appian. This should keep your app specific groups and user accounts in sync between AD and Appian. 
 
 For Example: 
 1. AD admin/IT helpdesk adds NewUser1 to ABC roles 
 2. An Appian process is run to complete a LDAP Sync for all applications at the platform level (i.e. sync LDAP groups for apps ABC, DEF, etc). For users that already exist in Appian their group roles may change based on any modifications on the AD side. For users that do no exist in Appian, the sync will create their account and add them to the appropriate groups. 
 3. NewUser1 can login after a sync has been completed. They will be able to authenticate via SSO and will have application groups in place based on their AD assignments (e.g. access to the ABC app, but not the DEF app).

Auto-Provisioning a User With SAML When An Authentication Group Is Specified in SAML IdP

Top Replies