KB-1903 SAML redirecting to ADFS login page instead of using Integrated Windows Authentication

Symptom

After configuring SAML in the Appian Administration Console, users who should be seamlessly logged in based on their Windows session are instead redirected to the ADFS login page, with a "Sign in using your operating system account" link under the credential entry fields.

Users can click on the link to successfully log into Appian.

Cause

ADFS is receiving a RequestedAuthnContext value in the incoming SAML authentication request and is requiring forms-based authentication because the minimum requested authentication context class reference is higher in the ADFS authentication context order than federation:authentication:windows, the class used for Integrated Windows Authentication. In the SAML request, lines similar to the following are seen:

<saml2p:RequestedAuthnContext Comparison="minimum">
    <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
</saml2p:RequestedAuthnContext>

Action

In the Appian Administration Console, change the setting for "Authentication Method" to None. When set to None, Appian does not send a RequestedAuthnContext value in the SAML request sent to ADFS. Thus, ADFS can default to using Integrated Windows Authentication.
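To confirm which case applies before and after the change, the following added script (not from Appian or this article) decodes a SAMLRequest value copied from the browser and reports whether it still carries a RequestedAuthnContext. The sample request is constructed here to mirror the fragment above; the Issuer URL is a placeholder.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

# Constructed AuthnRequest mirroring the article's fragment; not a real capture.
SAMPLE_REQUEST = (
    '<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed" Version="2.0" IssueInstant="2019-03-01T00:00:00Z">'
    '<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">'
    'https://appian.example.invalid/suite</saml2:Issuer>'
    '<saml2p:RequestedAuthnContext Comparison="minimum">'
    '<saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">'
    + PPT + '</saml2:AuthnContextClassRef></saml2p:RequestedAuthnContext>'
    '</saml2p:AuthnRequest>'
)

def encode_redirect(xml_text: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(xml_text.encode()) + c.flush()).decode()

def decode_saml_request(param: str) -> str:
    """Redirect binding is deflated; HTTP-POST binding is plain base64."""
    raw = base64.b64decode(param)
    try:
        return zlib.decompress(raw, -15).decode()
    except zlib.error:
        return raw.decode()

def requested_authn_context(xml_text: str):
    """(Comparison, [class refs]) or None when the request carries no
    RequestedAuthnContext, which is what Appian sends when the
    Authentication Method setting is None."""
    rac = ET.fromstring(xml_text).find("samlp:RequestedAuthnContext", NS)
    if rac is None:
        return None
    refs = [e.text.strip() for e in rac.findall("saml:AuthnContextClassRef", NS)]
    return rac.get("Comparison", "exact"), refs  # SAML default is "exact"

def diagnose(param: str) -> str:
    """Classify a captured SAMLRequest value against the article's cause."""
    ctx = requested_authn_context(decode_saml_request(param))
    if ctx is None:
        return "ok: no RequestedAuthnContext, ADFS can default to IWA"
    comparison, refs = ctx
    if PPT in refs:
        return f"forms login expected: Comparison={comparison} requires PasswordProtectedTransport"
    return f"check the ADFS authentication context order for {refs} (Comparison={comparison})"
```

Paste the SAMLRequest query or form parameter value into diagnose(); the deflate fallback covers both bindings ADFS accepts.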

Affected Versions

This article applies to Appian versions 7.11 and later using IIS as a web server and ADFS as a SAML identity provider.

Last Reviewed: March 2019
