After configuring SAML in the Appian Administration Console, users who should be seamlessly logged in based on their Windows session are instead redirected to the ADFS login page, with a "Sign in using your operating system account" link under the credential entry fields:
Users can click on the link to successfully log into Appian.
ADFS is receiving a RequestedAuthnContext value in the incoming SAML authentication request and is requiring forms-based authentication because the minimum requested authentication context class reference is higher in the ADFS authentication context order than federation:authentication:windows, which is the class used for Integrated Windows Authentication. In the SAML request, lines similar to the following are seen:
<saml2p:RequestedAuthnContext Comparison="minimum">
  <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
</saml2p:RequestedAuthnContext>
In the Appian Administration Console, change the setting for "Authentication Method" to None. When set to None, Appian does not send a RequestedAuthnContext value in the SAML request sent to ADFS. Thus, ADFS can default to using Integrated Windows Authentication.
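To confirm what Appian actually sends before and after the change, the following added script (not Appian's or Microsoft's code) decodes the SAMLRequest parameter from the HTTP-Redirect binding and reports its RequestedAuthnContext; the sample AuthnRequest is constructed, and the Windows class reference is assumed to be the full URI urn:federation:authentication:windows.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumed full URI of the ADFS class reference for Integrated Windows Authentication.
WINDOWS_AUTHN = "urn:federation:authentication:windows"

def decode_saml_request(encoded: str) -> str:
    """Undo the HTTP-Redirect binding (base64 over raw DEFLATE); plain base64 for HTTP-POST."""
    raw = base64.b64decode(encoded)
    try:
        return zlib.decompress(raw, -15).decode("utf-8")  # -15: raw DEFLATE, no zlib header
    except zlib.error:
        return raw.decode("utf-8")

def requested_authn_context(xml_text: str):
    """Return (Comparison, [AuthnContextClassRef, ...]) or None when the element is absent."""
    root = ET.fromstring(xml_text)
    rac = root.find("samlp:RequestedAuthnContext", NS)
    if rac is None:
        return None
    refs = [e.text.strip() for e in rac.findall("saml:AuthnContextClassRef", NS) if e.text]
    return rac.get("Comparison", "exact"), refs

def diagnose(encoded: str) -> str:
    """One-line verdict on whether the request leaves ADFS free to use IWA."""
    ctx = requested_authn_context(decode_saml_request(encoded))
    if ctx is None:
        return "ok: no RequestedAuthnContext sent, ADFS is free to use IWA"
    comparison, refs = ctx
    if WINDOWS_AUTHN in refs:
        return f"ok: {comparison} comparison explicitly allows {WINDOWS_AUTHN}"
    return f"forms login expected: Comparison={comparison} requires {', '.join(refs)}"

# Constructed sample of the AuthnRequest shape sent while "Authentication Method" is not None.
SAMPLE_REQUEST = (
    '<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_example" Version="2.0" IssueInstant="2019-03-01T00:00:00Z">'
    '<saml2p:RequestedAuthnContext Comparison="minimum">'
    '<saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">'
    'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'
    '</saml2:AuthnContextClassRef></saml2p:RequestedAuthnContext></saml2p:AuthnRequest>'
)

def encode_redirect(xml_text: str) -> str:
    """Apply the HTTP-Redirect binding encoding; used here only to build test input."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()
```

Paste the real SAMLRequest query parameter (URL-decoded) into diagnose() to check a captured request from Appian.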
This article applies to Appian versions 7.11 and later using IIS as a web server and ADFS as a SAML identity provider.
Last Reviewed: March 2019