Login into Appian while on SSO

RE: Login into Appian while on SSO

sanjeevc0001 — Tue, 20 Mar 2018 15:03:00 GMT

True as I had indicated in the approach above but thanks for adding the extra pointers !

-------------

For the record this can also be done by adding the rules on the second group Customer_G1.

RE: Login into Appian while on SSO

Ankur V — Tue, 20 Mar 2018 14:58:57 GMT

This can also be achieved by editing Group Membership rule for Customer_G1 and 2.Customer_G2 by adding attributes such as Name, email , city etc.The same attribute cannot be used more than once in a rule (e.g. “username like a* AND username like *b”).

RE: Login into Appian while on SSO

sanjeevc0001 — Tue, 20 Mar 2018 14:43:02 GMT

So lets assume you have external link for user sign-up. Upon sign-up users will initially get the basic user profile of Customer_G2. Now you can have an internal process to approve the users and once approved user will be assigned to elavted group Customer_G1.
For the record this can also be done by adding the rules on the second group Customer_G1.
Also if you want the SSO to create the new user if not found in the system then you may have to initate the new user creation process in LDAP/SAML behind the seen.

RE: Login into Appian while on SSO

harshav — Tue, 20 Mar 2018 14:30:57 GMT

I completely agree on what is been specified in the above comments but my question is

Imagine he is an customer who is logging in for the first time into apian system.
Now there are 2 groups 1.Customer_G1 and 2.Customer_G2, now based on these groups some of the data is shown on the screen.
Now I am thinking to add this user in to first group which is Customer_G1, how is this handled if the user is logging in with SSO and we are creating the user upon login.?

Thank you for the above post :)

RE: Login into Appian while on SSO

sanjeevc0001 — Tue, 20 Mar 2018 14:21:31 GMT

From Appian Release 17.2 onward you can display multiple sign-on links with different IDP's for the users on the main sigo-on page and allow them to login by selecting approporiate link. For example:-
1. I am a customer
2. I am an Employee

For first link (external users) you can have default Appian autnetication and for 2nd you can use SSO/SAML.
Based on their selection the authentication will be routed.
Hope this will help.

RE: Login into Appian while on SSO

harshav — Tue, 20 Mar 2018 14:11:02 GMT

it would be really great to know what are the approaches, and ways you have done handling the permissions.

thanks :)

RE: Login into Appian while on SSO

Justin Watts — Tue, 20 Mar 2018 12:33:14 GMT

If I have internal (SSO) and external users, I typically set Appian login as the default login, and leverage web-address identifiers (docs.appian.com/.../SAML_for_Single_Sign-On.html to route my SSO users to the IDP.

Once these internal users are authenticated at the IDP and forwarded into Appian, User Start Pages can be used to drive that user to an appropriate location. Again, permissions are either manually managed, or handled through automated processes talking to either RDBMS or AD.

RE: Login into Appian while on SSO

harshav — Tue, 20 Mar 2018 09:16:22 GMT

Thanks sanjeev for the details,

But how did you manage for Internal users, did you route the users to SSO page and then, directed to Appian applications based on their security levels.

also how did you manage the permissions or how did you set the group level access to the users , did you manually added them or any automated process is available.

Please suggest.

RE: Login into Appian while on SSO

sanjeevc0001 — Mon, 19 Mar 2018 19:03:36 GMT

You can display both SAML and Appian login on the same sign-on page if needed. SAML will be integrated and used for the single sign-on and external user can login via Appian authentication. We have used this for internal and external users. Once login the Appian access permission will be managed via Appian defined security using groups assignments.

RE: Login into Appian while on SSO

Justin Watts — Mon, 19 Mar 2018 15:59:21 GMT

If SAML is implemented, then no, a user would not also have to login on the Appian sign-in screen. The user may have to login at their IdP, but generally teams implement Kerberos or something similar to its totally seamless. The documentation provides a decent workflow diagram of how this works: docs.appian.com/.../SAML_for_Single_Sign-On.html

Appian has the option to create users on login if they do not exist, but permissions would need to be updated outside of that process. My implementations I've worked with implement an sync with Active Directory to create/deactivate users, and synchronize permissions. See: forum.appian.com/.../summary