KB-2043 SAML users are redirected to a Start Page instead of their destination upon first login

Rebecca Jonas — Thu, 19 Dec 2019 14:12:54 GMT

Current Revision posted to Appian Knowledge Base by Rebecca Jonas on 12/19/2019 2:12:54 PM

Symptoms

After navigating to Appian via a link to a specific page (e.g. task, news post, etc.) or through Embedded Interfaces and authenticating via SAML, the user is redirected to either the default or group-based User Start Page. When using Embedded Interfaces, the interface will not load and the following error will be seen in the browser console:

Refused to display 'https://appian.example.com/suite/sites/my-start-site' in a frame because it set 'X-Frame-Options' to 'sameorigin'

After refreshing the page containing the Embedded Interface or re-opening the link, everything works as expected until the user's session expires or the user logs out.

Cause

The SAML response received from the Identity Provider has a missing or invalid InResponseTo attribute. Rather than using RelayStates, Appian uses the ID of the original SAML request as a caching key and once the SAML authentication flow is complete, uses the InResponseTo attribute contained in the SAML response to route the user to their target destination. If the attribute is not present or does not match the original SAML request's ID, the user will be redirected to their start page instead of the intended destination.

Incorrect Response Example

<samlp2:Response 
Destination="https://appian.example.com/suite/saml/AssertionConsumer" 
ID="ResponseId_xxx" 
IssueInstant="2019-11-08T20:07:31.462Z" 
Version="2.0" 
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" 
xmlns:samlp2="urn:oasis:names:tc:SAML:2.0:protocol">
...

Correct Response Example

<samlp2:Response 
Destination="https://appian.example.com/suite/saml/AssertionConsumer" 
ID="ResponseId_xxx" 
InResponseTo="_64d59940-e2a7-4378-a1cf-5f4eb133ca90" 
IssueInstant="2019-11-08T20:07:31.462Z" 
Version="2.0"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp2="urn:oasis:names:tc:SAML:2.0:protocol">
...

Action

Edit your Identity Provider's settings or code to include the InResponseTo attribute in the SAML response. The SAML 2.0 specification requires that the IdP must send the ID of the incoming SAML request as the InResponseTo attribute when an ID is present in the original request:

InResponseTo [Optional]
A reference to the identifier of the request to which the response corresponds, if any. If the response is not generated in response to a request, or if the ID attribute value of a request cannot be determined (for example, the request is malformed), then this attribute MUST NOT be present. Otherwise, it MUST be present and its value MUST match the value of the corresponding request's ID attribute.

Affected Versions

This article applies to Appian 7.11 and later.

Last Reviewed: December 2019

Tags: embedded interfaces, administration, SAML, integration, authentication

KB-XXXX SAML users are redirected to a Start Page instead of their destination upon first login

Rebecca Jonas — Tue, 17 Dec 2019 21:37:52 GMT

Revision 6 posted to Appian Knowledge Base by Rebecca Jonas on 12/17/2019 9:37:52 PM

Symptoms

Refused to display 'https://appian.example.com/suite/sites/my-start-site' in a frame because it set 'X-Frame-Options' to 'sameorigin'

After refreshing the page containing the Embedded Interface or re-opening the link, everything works as expected until the user's session expires or the user logs out.

Cause

Incorrect Response Example

<samlp2:Response 
Destination="https://appian.example.com/suite/saml/AssertionConsumer" 
ID="ResponseId_xxx" 
IssueInstant="2019-11-08T20:07:31.462Z" 
Version="2.0" 
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" 
xmlns:samlp2="urn:oasis:names:tc:SAML:2.0:protocol">
...

Correct Response Example

<samlp2:Response 
Destination="https://appian.example.com/suite/saml/AssertionConsumer" 
ID="ResponseId_xxx" 
InResponseTo="_64d59940-e2a7-4378-a1cf-5f4eb133ca90" 
IssueInstant="2019-11-08T20:07:31.462Z" 
Version="2.0"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp2="urn:oasis:names:tc:SAML:2.0:protocol">
...

Action

InResponseTo [Optional]
A reference to the identifier of the request to which the response corresponds, if any. If the response is not generated in response to a request, or if the ID attribute value of a request cannot be determined (for example, the request is malformed), then this attribute MUST NOT be present. Otherwise, it MUST be present and its value MUST match the value of the corresponding request's ID attribute.

Affected Versions

This article applies to Appian 7.11 and later.

Last Reviewed: December 2019

Tags: embedded interfaces, administration, SAML, integration, authentication

KB-XXXX SAML users are redirected to a Start Page instead of their destination upon first login

Jussi Lundstedt — Tue, 17 Dec 2019 21:31:06 GMT

Revision 5 posted to Appian Knowledge Base by Jussi Lundstedt on 12/17/2019 9:31:06 PM

Symptoms

After navigating to Appian via a link or through Embedded Interfaces and authenticating via SAML, the user is redirected to either the default or group-based User Start Page. When using Embedded Interfaces, the interface will not load and the following error will be seen in the browser console:

Refused to display 'https://appian.example.com/suite/sites/my-start-site' in a frame because it set 'X-Frame-Options' to 'sameorigin'

After refreshing the page containing the Embedded Interface or re-opening the link, everything works as expected until the user's session expires or the user logs out.

Cause

Incorrect Response Example

<samlp2:Response 
Destination="https://appian.example.com/suite/saml/AssertionConsumer" 
ID="ResponseId_xxx" 
IssueInstant="2019-11-08T20:07:31.462Z" 
Version="2.0" 
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" 
xmlns:samlp2="urn:oasis:names:tc:SAML:2.0:protocol">
...

Correct Response Example

<samlp2:Response 
Destination="https://appian.example.com/suite/saml/AssertionConsumer" 
ID="ResponseId_xxx" 
InResponseTo="_64d59940-e2a7-4378-a1cf-5f4eb133ca90" 
IssueInstant="2019-11-08T20:07:31.462Z" 
Version="2.0"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp2="urn:oasis:names:tc:SAML:2.0:protocol">
...

Action

InResponseTo [Optional]
A reference to the identifier of the request to which the response corresponds, if any. If the response is not generated in response to a request, or if the ID attribute value of a request cannot be determined (for example, the request is malformed), then this attribute MUST NOT be present. Otherwise, it MUST be present and its value MUST match the value of the corresponding request's ID attribute.

Affected Versions

This article applies to Appian 7.11 and later.

Last Reviewed: December 2019

Tags: embedded interfaces, administration, SAML, integration, authentication

KB-XXXX SAML users are redirected to a Start Page instead of their destination upon first login

Jussi Lundstedt — Tue, 17 Dec 2019 21:30:11 GMT

Revision 4 posted to Appian Knowledge Base by Jussi Lundstedt on 12/17/2019 9:30:11 PM

Symptoms

Refused to display 'https://appian.example.com/suite/sites/my-start-site' in a frame because it set 'X-Frame-Options' to 'sameorigin'

After refreshing the Embedded Interface page or re-opening a link, everything works as expected until the user's session expires or the user logs out.

Cause

Incorrect Response Example

<samlp2:Response 
Destination="https://appian.example.com/suite/saml/AssertionConsumer" 
ID="ResponseId_xxx" 
IssueInstant="2019-11-08T20:07:31.462Z" 
Version="2.0" 
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" 
xmlns:samlp2="urn:oasis:names:tc:SAML:2.0:protocol">
...

Correct Response Example

<samlp2:Response 
Destination="https://appian.example.com/suite/saml/AssertionConsumer" 
ID="ResponseId_xxx" 
InResponseTo="_64d59940-e2a7-4378-a1cf-5f4eb133ca90" 
IssueInstant="2019-11-08T20:07:31.462Z" 
Version="2.0"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp2="urn:oasis:names:tc:SAML:2.0:protocol">
...

Action

InResponseTo [Optional]
A reference to the identifier of the request to which the response corresponds, if any. If the response is not generated in response to a request, or if the ID attribute value of a request cannot be determined (for example, the request is malformed), then this attribute MUST NOT be present. Otherwise, it MUST be present and its value MUST match the value of the corresponding request's ID attribute.

Affected Versions

This article applies to Appian 7.11 and later.

Last Reviewed: December 2019

Tags: embedded interfaces, administration, SAML, integration, authentication

KB-XXXX SAML users are redirected to a Start Page instead of their destination upon first login

Jussi Lundstedt — Mon, 16 Dec 2019 14:50:06 GMT

Revision 3 posted to Appian Knowledge Base by Jussi Lundstedt on 12/16/2019 2:50:06 PM

Symptoms

Refused to display 'https://appian.example.com/suite/sites/my-start-site' in a frame because it set 'X-Frame-Options' to 'sameorigin'

After the initial authentication is performed, links and Embedded Interfaces work as expected until the user's session times out or the user logs out.

Cause

Incorrect Response Example

<samlp2:Response 
Destination="https://appian.example.com/suite/saml/AssertionConsumer" 
ID="ResponseId_xxx" 
IssueInstant="2019-11-08T20:07:31.462Z" 
Version="2.0" 
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" 
xmlns:samlp2="urn:oasis:names:tc:SAML:2.0:protocol">
...

Correct Response Example

<samlp2:Response 
Destination="https://appian.example.com/suite/saml/AssertionConsumer" 
ID="ResponseId_xxx" 
InResponseTo="_64d59940-e2a7-4378-a1cf-5f4eb133ca90" 
IssueInstant="2019-11-08T20:07:31.462Z" 
Version="2.0"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp2="urn:oasis:names:tc:SAML:2.0:protocol">
...

Action

InResponseTo [Optional]
A reference to the identifier of the request to which the response corresponds, if any. If the response is not generated in response to a request, or if the ID attribute value of a request cannot be determined (for example, the request is malformed), then this attribute MUST NOT be present. Otherwise, it MUST be present and its value MUST match the value of the corresponding request's ID attribute.

Affected Versions

This article applies to Appian 7.11 and later.

Last Reviewed: December 2019

Tags: embedded interfaces, administration, SAML, integration, authentication

KB-XXXX SAML users are redirected to a Start Page instead of their destination upon first login

Jussi Lundstedt — Mon, 16 Dec 2019 14:49:11 GMT

Revision 2 posted to Appian Knowledge Base by Jussi Lundstedt on 12/16/2019 2:49:11 PM

Symptoms

Refused to display 'https://appian.example.com/suite/sites/my-start-site' in a frame because it set 'X-Frame-Options' to 'sameorigin'

After the initial authentication is performed, links and Embedded Interfaces work as expected until the user's session times out or the user logs out.

Cause

Incorrect Response Example

<samlp2:Response 
Destination="https://appian.example.com/suite/saml/AssertionConsumer" 
ID="ResponseId_xxx" 
IssueInstant="2019-11-08T20:07:31.462Z" 
Version="2.0" 
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" 
xmlns:samlp2="urn:oasis:names:tc:SAML:2.0:protocol">
...

Correct Response Example

<samlp2:Response 
Destination="https://appian.example.com/suite/saml/AssertionConsumer" 
ID="ResponseId_xxx" 
InResponseTo="_64d59940-e2a7-4378-a1cf-5f4eb133ca90" 
IssueInstant="2019-11-08T20:07:31.462Z" 
Version="2.0"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp2="urn:oasis:names:tc:SAML:2.0:protocol">
...

Action

Edit your Identity Provider's settings or code to include the InResponseTo attribute in the SAML response. The SAML 2.0 specification requires that the IdP must send the ID of the incoming SAML request in the InResponseTo parameter when an ID is present in the request:

InResponseTo [Optional]
A reference to the identifier of the request to which the response corresponds, if any. If the response is not generated in response to a request, or if the ID attribute value of a request cannot be determined (for example, the request is malformed), then this attribute MUST NOT be present. Otherwise, it MUST be present and its value MUST match the value of the corresponding request's ID attribute.

Affected Versions

This article applies to Appian 7.11 and later.

Last Reviewed: December 2019

Tags: embedded interfaces, administration, SAML, integration, authentication

KB-XXXX SAML users are redirected to a Start Page instead of their destination upon first login

Jussi Lundstedt — Mon, 16 Dec 2019 14:46:40 GMT

Revision 1 posted to Appian Knowledge Base by Jussi Lundstedt on 12/16/2019 2:46:40 PM

Symptoms

Refused to display 'https://appian.example.com/suite/sites/my-start-site' in a frame because it set 'X-Frame-Options' to 'sameorigin'

After the initial authentication is performed, links and Embedded Interfaces work as expected until the user's session times out or the user logs out.

Cause

The SAML response received from the Identity Provider does not contain the InResponseTo attribute. Rather than using RelayStates, Appian uses the ID of the original SAML request as a caching key and once the SAML authentication flow is complete, uses the InResponseTo attribute contained in the SAML response to route the user to their target destination. If the attribute is not present or does not match the original SAML request's ID, the user will be redirected to their start page instead of the intended destination.

Incorrect Response Example

<samlp2:Response 
Destination="https://appian.example.com/suite/saml/AssertionConsumer" 
ID="ResponseId_xxx" 
IssueInstant="2019-11-08T20:07:31.462Z" 
Version="2.0" 
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" 
xmlns:samlp2="urn:oasis:names:tc:SAML:2.0:protocol">
...

Correct Response Example

<samlp2:Response 
Destination="https://appian.example.com/suite/saml/AssertionConsumer" 
ID="ResponseId_xxx" 
InResponseTo="_64d59940-e2a7-4378-a1cf-5f4eb133ca90" 
IssueInstant="2019-11-08T20:07:31.462Z" 
Version="2.0"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp2="urn:oasis:names:tc:SAML:2.0:protocol">
...

Action

Edit your Identity Provider's settings or code to include the InResponseTo attribute in the SAML response. The SAML 2.0 specification requires that the IdP must send the ID of the incoming SAML request in the InResponseTo parameter when an ID is present in the request:

InResponseTo [Optional]
A reference to the identifier of the request to which the response corresponds, if any. If the response is not generated in response to a request, or if the ID attribute value of a request cannot be determined (for example, the request is malformed), then this attribute MUST NOT be present. Otherwise, it MUST be present and its value MUST match the value of the corresponding request's ID attribute.

Affected Versions

This article applies to Appian 7.11 and later.

Last Reviewed: December 2019

Tags: embedded interfaces, administration, SAML, integration, authentication