This article outlines the process to configure SAML with Appian 7.11 and later using the Administration Console.
Please make sure you have the following prerequisites satisfied before configuring SAML:
Once the above prerequisites are satisfied, please follow these steps to configure SAML in Appian 7.11 and later:
SAML authentication FAQs have moved to KB-1153.
Error: The user tested with was invalid.
Reason: Username attribute did not contain a valid Appian user. The attribute was correctly configured, but its value did not match any username inside Appian. Please note that usernames are case sensitive. Try using the SAML Tracer extension for Firefox to troubleshoot what is being passed in the SAML assertions.
Error: Unexpected error occurred during SAML authentication test.
Application server logs: SAML Assertion contained no valid Username
Reason: The username attribute was not found in the SAML assertion. Please make sure the correct attribute name is being sent from the IDP. Remove any trailing spaces at the end of the attribute field, as these can cause issues.
Application server logs: java.lang.IllegalArgumentException: Given URL is not well formed
Reason: The SAML response URL is empty or invalid. Check your IDP settings and make sure the correct URL or SAML endpoints have been configured.
Application server logs: "java.lang.IndexOutOfBoundsException: Index: 0"
Reason: The SAML assertion did not return with a subject that Appian was expecting.
Error: Assertion failed security policy check.
Reason: The date and time on the Service Provider and the Identity Provider do not match. Please check the server times on both servers and make sure they are synchronized. Appian checks timestamps in SAML assertions to make sure they are not stale.
Error: You must test as your current Appian user.
Reason: The IDP username and the Appian username do not match. The user testing the SAML configuration must have an account on the IDP site, and the username attribute values from SAML assertions must match the Appian username for the test to succeed.
Error: Failed to decode assertion.
Application server logs: SAML message intended destination endpoint 'https://xxxx.appiancloud.com/SSO/SAML2/POST' did not match the recipient endpoint 'https://xxxx.appiancloud.com/suite/saml/AssertionConsumer'
Reason: Appian receives SAML responses only on the URL - "/suite/saml/AssertionConsumer". Your IDP may be using an older version of the SP metadata. It is recommended that you create a new SP connection on your IDP site if you have not configured SAML prior to Appian 7.11.
Issue: SAML Test redirects to Appian.com (Appian Cloud sites only)
Reason: The response URL was not resolved correctly by the IDP. Please make sure the URLs on the IDP site are valid.
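Several of the causes above can be checked offline against a response captured with SAML Tracer. The following is an added example, not Appian code: the diagnose function, the two-minute skew tolerance and the sample response are assumptions constructed for illustration, and it only reports likely causes without verifying signatures.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion"}
ACS_PATH = "/suite/saml/AssertionConsumer"  # endpoint named in this article

def _ts(value):
    # SAML timestamps are UTC xs:dateTime values such as 2020-05-01T12:00:00Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def diagnose(b64_response, username_attr, now=None, skew=timedelta(minutes=2)):
    """List likely causes of the errors above for one captured SAML Response.
    Diagnostic only: no signature verification; skew is an assumed tolerance."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(base64.b64decode(b64_response))
    name, findings = username_attr.strip(), []
    if name != username_attr:
        findings.append("configured attribute name has leading/trailing spaces")
    dest = root.get("Destination", "")
    if not dest.endswith(ACS_PATH):
        findings.append(f"Destination {dest!r} is not the {ACS_PATH} endpoint")
    if root.find(".//a:Subject/a:NameID", NS) is None:
        findings.append("assertion has no Subject/NameID")
    values = [v.text for attr in root.iterfind(".//a:Attribute", NS)
              if attr.get("Name") == name
              for v in attr.iterfind("a:AttributeValue", NS)]
    if not values:
        findings.append(f"attribute {name!r} not found in assertion")
    cond = root.find(".//a:Conditions", NS)
    nb = cond.get("NotBefore") if cond is not None else None
    noa = cond.get("NotOnOrAfter") if cond is not None else None
    if nb and now + skew < _ts(nb):
        findings.append("NotBefore is in the future: check clock sync")
    if noa and now - skew >= _ts(noa):
        findings.append("NotOnOrAfter has passed: stale or clocks differ")
    return findings

# Constructed sample (not a real IdP response); sp.example.com is a placeholder.
SAMPLE = base64.b64encode(b"""<p:Response
 xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion"
 Destination="https://sp.example.com/SSO/SAML2/POST"><a:Assertion>
 <a:Conditions NotBefore="2020-05-01T12:00:00Z" NotOnOrAfter="2020-05-01T12:05:00Z"/>
 <a:AttributeStatement><a:Attribute Name="uid">
 <a:AttributeValue>jdoe</a:AttributeValue></a:Attribute></a:AttributeStatement>
 </a:Assertion></p:Response>""")
if __name__ == "__main__":
    print("\n".join(diagnose(SAMPLE, "uid ")))
```

Username case mismatches cannot be detected this way, since that comparison needs the list of Appian usernames.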
This article applies to Appian 7.11 and later.
Last Reviewed: May 2020