Clarification on Group Syncing Between Entra ID and Appian via SAML Assertions

Question

Could someone clarify how group syncing works between Active Directory/Entra ID groups and Appian? Specifically, I&rsquo;m looking for examples of how this integration is structured and what needs to be included in the SAML Assertion/Claims to enable proper group mapping and access control within Appian.

Harsha Sharma · Answer

You can refer this Documentation docs.appian.com/.../SAML_for_Single_Sign-On.html

Shubham Aware · Answer

To sync groups between Active Directory/Entra ID and Appian using SAML, first create a custom group type in Appian with an attribute field (e.g., "memberOfValue") that will store the AD group identifier. Create Appian groups using this custom type and set their attribute values to match your AD group names or Object IDs. In your IdP (Azure AD), configure the SAML assertion to include a group claim (such as groups, memberOf, or the default ObjectId). In Appian's SAML configuration, enable Group Membership Synchronization by specifying the custom group type, the attribute name, and the SAML claim name. When users log in via SSO, Appian automatically matches the SAML group values against the attribute values in your Appian groups, adding or removing users from matching groups of that type. https://docs.appian.com/suite/help/25.2/SAML_for_Single_Sign-On.html#group-membership-synchronization https://appian.rocks/2024/03/25/saml-group-sync/ (Stefan Created Simple Explanation too)

Clarification on Group Syncing Between Entra ID and Appian via SAML Assertions

Top Replies