Existing users are unable to authenticate with SAML when Group Membership Synchronization is used to add users to the configured Authentication group.
However, SAML continues to work for other users; the cases that succeed are described under the cause below.
The following logging is observed for users that are unable to authenticate with Group Membership Synchronization:
/suite/saml/AssertionConsumer - 401 0.068
INFO com.appiancorp.security.auth.saml.SamlFilter - Authentication Error: Invalid Saml settings for com.appiancorp.security.auth.saml.SamlAuthToken
org.springframework.security.authentication.BadCredentialsException: Invalid Saml settings for com.appiancorp.security.auth.saml.SamlAuthToken
<USERNAME>,Failed …
When performing SAML authentication, Appian first checks whether the not-yet-authenticated user is already a member of the Authentication group and uses that membership to decide whether authentication succeeds or fails. Only after a successful authentication, and only for users who are in the Authentication group, does Appian perform Group Membership Synchronization.
When membership in the Authentication group depends on Group Membership Synchronization to add the user to the SAML group, the order of operations defeats it: the user is not yet in the Authentication group at the moment the check runs, so authentication fails and the sync that would have added them never executes.
New users are able to log in when they are added to the SAML Authentication group through the "Create Users Upon Sign In" feature, because that feature places them in the group before the check runs.
Likewise, users who are already in the Authentication group prior to sign-in log in successfully and have their other group memberships synced, because they pass the Authentication group check.
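The order of operations described above, as an added model that is not Appian code: a small Python simulation of the SAML sign-in pipeline (unknown-user creation, the Authentication group check, then group sync) for the three cases the article covers, plus a helper that lists which existing users would be locked out and therefore need to be added to the Authentication group before sync is relied on. The class, function and group names are assumptions; the sync is modeled as additive only.

```python
from dataclasses import dataclass, field

# Assumed name of the configured SAML Authentication group (hypothetical).
AUTH_GROUP = "SAML Users"


@dataclass
class Appian:
    """Minimal stand-in for the Appian user/group directory (hypothetical model)."""
    users: set = field(default_factory=set)
    groups: dict = field(default_factory=dict)   # group name -> set of usernames
    create_on_sign_in: bool = False              # "Create Users Upon Sign In"
    group_sync: bool = False                     # Group Membership Synchronization

    def members(self, group):
        return self.groups.setdefault(group, set())


def saml_sign_in(app, username, idp_groups):
    """Return (authenticated, reason) using the order of operations from the article:
    1. an unknown user is created, and placed in the Authentication group, only when
       "Create Users Upon Sign In" is enabled;
    2. the Authentication group check runs against CURRENT membership;
    3. Group Membership Synchronization runs only after the check succeeds,
       so it can never satisfy the check for this sign-in."""
    if username not in app.users:
        if not app.create_on_sign_in:
            return False, "unknown user"
        app.users.add(username)
        app.members(AUTH_GROUP).add(username)

    if username not in app.members(AUTH_GROUP):
        # This is the failure the article's 401 / BadCredentialsException corresponds to.
        return False, "Invalid Saml settings: user is not in the Authentication group"

    if app.group_sync:
        # Modeled as additive only: add the user to each group the IdP asserts.
        for group in idp_groups:
            app.members(group).add(username)
    return True, "ok"


def users_to_preadd(app, idp_membership):
    """Existing users whom the IdP would place in the Authentication group via sync
    but who are not yet members: exactly the users that will be locked out.
    idp_membership maps username -> set of IdP group names (constructed input)."""
    return sorted(
        user for user, groups in idp_membership.items()
        if user in app.users and AUTH_GROUP in groups
        and user not in app.members(AUTH_GROUP)
    )


if __name__ == "__main__":
    # Constructed directory: alice exists but is not in the Authentication group.
    app = Appian(users={"alice", "bob"}, groups={AUTH_GROUP: {"bob"}}, group_sync=True)
    print(saml_sign_in(app, "alice", {AUTH_GROUP}))            # fails
    print(saml_sign_in(app, "bob", {AUTH_GROUP, "Finance"}))   # succeeds, synced
    print(users_to_preadd(app, {"alice": {AUTH_GROUP}, "bob": {AUTH_GROUP}}))
```

Running `users_to_preadd` against an export of IdP group assignments before switching the Authentication group over to sync-managed membership gives the list of accounts to add by hand (or via import), which is the practical workaround the article implies.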
A product use case has been logged with the Appian Product Team for consideration to add this functionality to the product for multiple IdPs (#7032). Kindly note that it is not Appian Support's policy to disclose how or when a product use case will be implemented. Please create a support case to request addition to this product enhancement request.
This article applies to all versions of Appian.
Last Reviewed: August 2024