
KB-XXXX SAML redirecting to ADFS login page instead of using Integrated Windows Authentication

Symptom

After configuring SAML in the Appian Administration Console, users who should be seamlessly logged in based on their Windows session are instead redirected to the ADFS login page, with the following link under the credential entry fields:

Cause

ADFS is receiving a RequestedAuthnContext value in the incoming SAML request. It requires forms-based authentication because the minimum requested authentication context class reference is higher in the ADFS authentication context order than federation:authentication:windows, which is used for Integrated Windows Authentication. In the SAML request, lines similar to the following are seen:

<saml2p:RequestedAuthnContext Comparison="minimum"> 
<saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
</saml2p:RequestedAuthnContext>

Action

In the Appian Administration Console, change the setting for "Authentication Method" to "None". When set to None, Appian does not include a RequestedAuthnContext value in the SAML request it sends to ADFS, and ADFS can default to using Integrated Windows Authentication.
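
To confirm the cause, and later that the change took effect, the request sent to ADFS can be decoded and checked for RequestedAuthnContext. The following is an added example, not Appian or ADFS code. It assumes the request was captured from the SAMLRequest query parameter of the redirect to ADFS (HTTP-Redirect binding); the function names and the sample requests are constructed for illustration.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import quote, unquote

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def decode_redirect(param):
    """SAMLRequest query value -> XML (URL-decode, base64, raw DEFLATE)."""
    return zlib.decompress(base64.b64decode(unquote(param)), -15).decode("utf-8")

def encode_redirect(xml):
    """Inverse of decode_redirect; used only to build the constructed samples."""
    comp = zlib.compressobj(wbits=-15)
    return quote(base64.b64encode(comp.compress(xml.encode()) + comp.flush()), safe="")

def requested_authn_context(xml):
    """Return (comparison, [class refs]) or None if the element is absent."""
    rac = ET.fromstring(xml).find("samlp:RequestedAuthnContext", NS)
    if rac is None:
        return None
    refs = [e.text.strip() for e in rac.findall("saml:AuthnContextClassRef", NS) if e.text]
    return rac.get("Comparison", "exact"), refs  # SAML default is "exact"

def diagnose(param):
    ctx = requested_authn_context(decode_redirect(param))
    if ctx is None:
        return "no RequestedAuthnContext: ADFS picks the authentication method"
    return "RequestedAuthnContext %s %s: ADFS must satisfy it" % (ctx[0], ", ".join(ctx[1]))

# Constructed sample requests (not captured traffic).
_CTX = ('<saml2p:RequestedAuthnContext Comparison="minimum">'
        '<saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">'
        'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'
        '</saml2:AuthnContextClassRef></saml2p:RequestedAuthnContext>')

def sample(with_context):
    return encode_redirect(
        '<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" '
        'ID="_constructed" Version="2.0" IssueInstant="2020-01-01T00:00:00Z">'
        + (_CTX if with_context else "") + '</saml2p:AuthnRequest>')

if __name__ == "__main__":
    print(diagnose(sample(True)))   # an Authentication Method is configured
    print(diagnose(sample(False)))  # Authentication Method set to "None"
```

Pass the SAMLRequest value from a browser network trace to diagnose() in place of the constructed samples. A request sent with the HTTP-POST binding is base64 only, so the DEFLATE step would need to be skipped.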

Affected Versions

This article applies to Appian versions 7.11 and newer with IIS as a web server.