KB-1903 SAML redirecting to ADFS login page instead of using Integrated Windows Authentication

Jordan Horwat — Thu, 28 Mar 2019 19:12:13 GMT

Current Revision posted to Appian Knowledge Base by Jordan Horwat on 3/28/2019 7:12:13 PM

Symptom

After configuring SAML in the Appian Administration Console, users who should be seamlessly logged in based on their Windows session are instead redirected to the ADFS login page, with a "Sign in using your operating system account" link under the credential entry fields:

Users can click on the link to successfully log into Appian.

Cause

ADFS is receiving a RequestedAuthnContext value in the incoming SAML assertion and is requiring forms-based authentication because the minimum requested authentication context class reference is higher in the ADFS authentication context order than federation:authentication:windows, which is used for Integrated Windows Authentication. In the SAML request, a lines similar to the following are seen:

<saml2p:RequestedAuthnContext Comparison="minimum"> 
<saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef> 
</saml2p:RequestedAuthnContext>

Action

In the Appian Administration Console, change the setting for "Authentication Method" to None. When set to None, Appian does not send a RequestedAuthnContext value in the SAML request sent to ADFS. Thus, ADFS can default to using Integrated Windows Authentication.

Affected Versions

This article applies to Appian versions 7.11 and later using IIS as a web server and ADFS as a SAML identity provider.

Last Reviewed: March 2019

Tags: administration, IIS, web server, Security, SAML, admin console, authentication, ADFS

KB-1903 SAML redirecting to ADFS login page instead of using Integrated Windows Authentication

Jordan Horwat — Thu, 28 Mar 2019 19:12:13 GMT

Revision 5 posted to Appian Knowledge Base by Jordan Horwat on 3/28/2019 7:12:13 PM

Symptom

Users can click on the link to successfully log into Appian.

Cause

<saml2p:RequestedAuthnContext Comparison="minimum"> 
<saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef> 
</saml2p:RequestedAuthnContext>

Action

Affected Versions

This article applies to Appian versions 7.11 and later using IIS as a web server and ADFS as a SAML identity provider.

Last Reviewed: March 2019

Tags: administration, IIS, web server, Security, SAML, admin console, authentication, ADFS

KB-XXXX SAML redirecting to ADFS login page instead of using Integrated Windows Authentication

Jordan Horwat — Thu, 28 Mar 2019 15:33:44 GMT

Revision 4 posted to Appian Knowledge Base by Jordan Horwat on 3/28/2019 3:33:44 PM

Symptom

Users can click on the link to successfully log into Appian.

Cause

<saml2p:RequestedAuthnContext Comparison="minimum"> 
<saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef> 
</saml2p:RequestedAuthnContext>

Action

Affected Versions

This article applies to Appian versions 7.11 and later using IIS as a web server and ADFS as a SAML identity provider.

Last Reviewed: March 2019

Tags: administration, IIS, web server, Security, SAML, admin console, authentication, ADFS

KB-XXXX SAML redirecting to ADFS login page instead of using Integrated Windows Authentication

Jussi Lundstedt — Thu, 28 Mar 2019 15:16:35 GMT

Revision 3 posted to Appian Knowledge Base by Jussi Lundstedt on 3/28/2019 3:16:35 PM

Symptom

Users can click on the link to successfully log into Appian.

Cause

<saml2p:RequestedAuthnContext Comparison="minimum"> 
<saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef> 
</saml2p:RequestedAuthnContext>

Action

In the Appian Administration Console, change the setting for "Authentication Method" to "None". When set to None, Appian does not send a RequestedAuthnContext value in the SAML request it sends to ADFS. Thus, ADFS can default to using Integrated Windows Authentication.

Affected Versions

This article applies to Appian versions 7.11 and newer with IIS as a web server and ADFS as a SAML identity provider.

Tags: administration, IIS, web server, Security, SAML, admin console, authentication, ADFS

KB-XXXX SAML redirecting to ADFS login page instead of using Integrated Windows Authentication

Jussi Lundstedt — Thu, 28 Mar 2019 15:16:03 GMT

Revision 2 posted to Appian Knowledge Base by Jussi Lundstedt on 3/28/2019 3:16:03 PM

Symptom

Users can click on the link to successfully log into Appian.

Cause

<saml2p:RequestedAuthnContext Comparison="minimum"> 
<saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef> 
</saml2p:RequestedAuthnContext>

Action

Affected Versions

This article applies to Appian versions 7.11 and newer with IIS as a web server.

Tags: administration, IIS, web server, Security, SAML, admin console, authentication, ADFS

KB-XXXX SAML redirecting to ADFS login page instead of using Integrated Windows Authentication

Jussi Lundstedt — Thu, 28 Mar 2019 15:13:32 GMT

Revision 1 posted to Appian Knowledge Base by Jussi Lundstedt on 3/28/2019 3:13:32 PM

Symptom

After configuring SAML in the Appian Administration Console, users who should be seamlessly logged in based on their Windows session are instead redirected to the ADFS login page, with the following link under the credential entry fields:

Cause

ADFS is receiving a RequestedAuthnContext value in the incoming SAML assertion and is requiring forms-based authentication because the minimum requested authentication context class reference is higher in the ADFS authentication context order than federation:authentication:windows, which is used for Integrated Windows Authentication. In the SAML request, a lines similar to the following are seen:

<saml2p:RequestedAuthnContext Comparison="minimum"> 
<saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef> 
</saml2p:RequestedAuthnContext>

Action

In the Appian Administration Console, change the setting for "Authentication Method" to "None". When set to None, Appian does not send a RequestedAuthnContext value from the SAML request it sends to ADFS, and ADFS can default to using Integrated Windows Authentication.

Affected Versions

This article applies to Appian versions 7.11 and newer with IIS as a web server.

Tags: administration, IIS, web server, Security, SAML, admin console, authentication, ADFS