Auto-Provisioning and Group Syncing for Multiple Applications in Appian

Question

We have multiple applications within the Appian platform. Could someone provide guidance on how to implement auto-provisioning and group syncing in a way that maintains separation between these individual applications?

Harsha Sharma · Answer

Appian has the ability to inspect a SAML login response and synchronize a user's group memberships based on an assertion in the response. 
 In application you need to have group types for the groups you want to sync. The sync happens when user signs in based on the group type and SAML assertion value. 
 
 the assertion value in SAML should match the value in the memberOfValue attribute of the group type. So different groups will have different values in this memberOfValue attribute. During sign in based on users group membership in the identity provider the SAML attributes are matched with memberOfValue of group types. Users are added or removed based on that. For more details you can refer this documentation 
 docs.appian.com/.../SAML_for_Single_Sign-On.html

Shubham Aware · Answer

You can enable auto-provisioning through SAML or LDAP sync in Admin Console. For application separation, create prefixed groups (APP1_Users, APP2_Users) and map external identity provider groups to these groups during sync. Apply security at the application level using these dedicated groups, ensuring users only access their authorized applications. This provides automated user management while maintaining strict application boundaries. For more detailed information, you can check out existing community discussion https://community.appian.com/discussions/f/administration/18470/auto-provisioning-a-user-with-saml-when-an-authentication-group-is-specified-in-saml-idp

Stefan Helzle · Answer

Find some tips and tricks in my blog post 
 https://appian.rocks/2024/03/25/saml-group-sync/

Shubham Aware · Answer

Custom Group Types are used to add extra metadata fields (like externalGroupId) to groups. Groups are the actual security objects that get assigned these types and field values. For SAML/Entra ID integration, values like "Appian-Finance" and "Appian-HR" in the SAML assertion should exactly match the externalGroupId of your Appian groups. This allows users to be auto-assigned to the correct Appian groups based on their Entra ID group membership. So, Custom Group Types define structure, Groups use that structure, and the attribute values must match what&rsquo;s sent from Entra ID for syncing to work. https://docs.appian.com/suite/help/25.2/Group_Management.html

Shubham Aware · Answer

No, you should not use different group types per application if using the same IdP in Appian - only one group type can be synced per IdP connection. If you create multiple group types, you&rsquo;ll need a separate IdP for each, which adds complexity. 
 The best practice is to use a single group type and create application-specific groups within it for flexible access.

Auto-Provisioning and Group Syncing for Multiple Applications in Appian

Top Replies