KB-2043 SAML users are redirected to a Start Page instead of their destination upon first login

Symptoms

After navigating to Appian via a link to a specific page (e.g. task, news post, etc.) or through Embedded Interfaces and authenticating via SAML, the user is redirected to either the default or group-based User Start Page. When using Embedded Interfaces, the interface will not load and the following error will be seen in the browser console:

Refused to display 'https://appian.example.com/suite/sites/my-start-site' in a frame because it set 'X-Frame-Options' to 'sameorigin'

After refreshing the page containing the Embedded Interface or re-opening the link, everything works as expected until the user's session expires or the user logs out.

Cause

The SAML response received from the Identity Provider has a missing or invalid InResponseTo attribute. Rather than using RelayState, Appian uses the ID of the original SAML request as a cache key and, once the SAML authentication flow is complete, uses the InResponseTo attribute contained in the SAML response to route the user to their target destination. If the attribute is not present or does not match the original SAML request's ID, the user is redirected to their start page instead of the intended destination.

Incorrect Response Example

<samlp2:Response 
Destination="https://appian.example.com/suite/saml/AssertionConsumer"
ID="ResponseId_xxx"
IssueInstant="2019-11-08T20:07:31.462Z"
Version="2.0"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp2="urn:oasis:names:tc:SAML:2.0:protocol">
...

Correct Response Example

<samlp2:Response 
Destination="https://appian.example.com/suite/saml/AssertionConsumer"
ID="ResponseId_xxx"
InResponseTo="_64d59940-e2a7-4378-a1cf-5f4eb133ca90"
IssueInstant="2019-11-08T20:07:31.462Z"
Version="2.0"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp2="urn:oasis:names:tc:SAML:2.0:protocol">
...
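The routing decision described under Cause, as an added illustration (not Appian's code): the service provider keeps a cache keyed by the AuthnRequest ID it issued, and on return looks up InResponseTo to recover the deep link. The two constructed responses mirror the incorrect and correct examples above; the cache contents, start page URL and task URL are assumed sample values.

```python
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Assumed fallback: the user's start page, used when no destination can be recovered.
START_PAGE = "https://appian.example.com/suite/sites/my-start-site"

# Constructed cache: AuthnRequest ID -> deep link the user originally asked for.
# The SP stores an entry when it sends the AuthnRequest to the IdP.
PENDING = {
    "_64d59940-e2a7-4378-a1cf-5f4eb133ca90": "https://appian.example.com/suite/tasks/task/123",
}


def sample_response(in_response_to=None):
    """Build a constructed samlp:Response element like the two shown on this page."""
    attr = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return (
        f'<samlp2:Response xmlns:samlp2="{SAMLP_NS}" xmlns:saml2="{SAML_NS}"'
        f' Destination="https://appian.example.com/suite/saml/AssertionConsumer"'
        f' ID="ResponseId_xxx"{attr} IssueInstant="2019-11-08T20:07:31.462Z"'
        f' Version="2.0"/>'
    )


def route_after_login(response_xml, pending):
    """Return (reason, url): where the SP sends the user after the assertion is accepted.

    Signature and assertion validation are assumed to have happened already; this
    shows only the InResponseTo lookup that decides deep link vs. start page.
    """
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP_NS}}}Response":
        raise ValueError("expected a samlp:Response element")
    request_id = root.get("InResponseTo")
    if request_id is None:
        return ("missing", START_PAGE)      # the symptom described on this page
    # pop() makes each request ID single-use; an unknown or replayed ID also falls back
    destination = pending.pop(request_id, None)
    if destination is None:
        return ("unknown", START_PAGE)
    return ("ok", destination)
```

Because the cache entry is consumed on first use, a second response carrying the same InResponseTo value lands on the start page as well, which is the behaviour a practitioner should expect when replaying a captured response during troubleshooting.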

Action

Edit your Identity Provider's settings or code to include the InResponseTo attribute in the SAML response. The SAML 2.0 specification requires the IdP to send the ID of the incoming SAML request as the InResponseTo attribute whenever an ID is present in the original request:

InResponseTo [Optional]
A reference to the identifier of the request to which the response corresponds, if any. If the response is not generated in response to a request, or if the ID attribute value of a request cannot be determined (for example, the request is malformed), then this attribute MUST NOT be present. Otherwise, it MUST be present and its value MUST match the value of the corresponding request's ID attribute.

Affected Versions

This article applies to Appian 7.11 and later.

Last Reviewed: December 2019
