Our organization would like to have users authenticate against a different syste
Richard
over 9 years ago
Our organization would like to have users authenticate against a different system than Appian (at this point we'd like SAML 2.0 integration, but will substitute SSO or LDAP for expediency) but with a twist...
We'd like to have the user account created on authentication, when there is no account.
We'd also like to have the user account updated with the latest information, when the account exists.
In both of these instances we'd like to retrieve the user details from an internal database. Anyone have advice, experience or sample code to offer?
OriginalPostID-150803
Jim Schweitzer
Certified Lead Developer
over 9 years ago
You can create users via a process model using built-in smart service nodes, so irrespective of the SSO integration method, if you register the user in an external system you should be able to kick off a process to create the matching user in Appian (via WebService).
Richard
over 9 years ago
Now that's an interesting thought. We were thinking that we'd either a) trigger a lookup as part of the authorization process, or b) batch load users. I'm not sure we can make an entry point in our HR onboarding, but it's worth investigating.
darbyk
Certified Lead Developer
over 9 years ago
Hi Richard,
Another (potentially non-supported) option is to customize base product authentication files. Take a look at this post for an example of an individual doing this:
forum.appian.com/.../e-99647
and this documentation page for more info:
forum.appian.com/.../Authentication.html
This user was able to set up SSO through OpenSSO (which can be configured to use SAML v2). Rather than setting up a redirect to a failure page when a user doesn't exist in Appian as mentioned in the post, you could potentially utilize Appian's API (forum.appian.com/.../) to create a user, then authenticate that new user.
This is a non-trivial solution so I'd recommend carefully considering this option.
Alternatively, you could integrate with LDAP and use that as your login, and then create a process in Appian that syncs with LDAP at a given interval to pull in all new users.
Nicholas Wurster
over 9 years ago
In theory, the Appian suite.ear uses Spring Security under the covers. Spring Security is very mature and has a full set of extensions and the ability to bring in custom modules. A more intrusive option would be to contain the option A as a custom Java module plugged into the Appian configuration. Again, while this appears to be theoretically possible, I have not done this exact scenario. Just thought I would bring this up for discussion purposes.
Richard
over 9 years ago
That's one of the directions that Appian pointed us in as well. Cheers!
mikej117
over 9 years ago
Hi Richard,
This is something that my organisation also has an interest in, with very similar high-level requirements to yours. Have you managed to make much headway so far?
Also, are you using cloud hosted or on-premise environments?
Thanks!
Richard
over 9 years ago
Limited progress; we're on-premise. We've abandoned create-on-authenticate and update-on-authenticate in favour of a separate user update process. We've been able to effectively authenticate with SAML, except we're now having browser issues (it works in IE/Firefox, not Chrome).
mikej117
over 9 years ago
OK, so your separate user update is something like an overnight sync of users from your internal database?
There is the LDAP Tools smart service that handles some elements of the user synchronisation, which could be of use to you.