KB-2323 SAML Group Membership Sync Users unable to sign in

Maggie Deppe-Walker — Mon, 23 Sep 2024 01:54:28 GMT

Current Revision posted to Appian Knowledge Base by Maggie Deppe-Walker on 9/23/2024 1:54:28 AM

Symptoms

Existing users are unable to authenticate with SAML when Group Membership Synchronization is used to add users to the configured Authentication group.

However, SAML works for:

New users configured with create new users upon sign-in.
Users already in the configured Authentication group.

The following logging is observed for users that are unable to authenticate with Group Membership Synchronization:

<APPIAN_HOME>/logs/tomcat-access.log:

/suite/saml/AssertionConsumer - 401 0.068

<APPIAN_HOME>/logs/tomcat-stdOut.log:

INFO  com.appiancorp.security.auth.saml.SamlFilter - Authentication Error: Invalid Saml settings for com.appiancorp.security.auth.saml.SamlAuthToken
org.springframework.security.authentication.BadCredentialsException: Invalid Saml settings for com.appiancorp.security.auth.saml.SamlAuthToken

<APPIAN_HOME>/logs/login-audit.csv:
```
<USERNAME>,Failed …
```

Cause

When performing SAML Authentication, Appian checks whether the unauthenticated user is in the Authentication group and uses this to decide authentication success/failure. After authentication, if the user is in an authenticated group, Appian performs the group membership sync.

When the Authentication Group depends on Group Membership Synchronization to put the user into the SAML group, authentication will fail because the user is not in the Authentication group before authentication, and will not be authenticated.

New users are able to login when new users are added to the SAML Authentication group through the “Create Users Upon Sign In” feature.

Additionally, users in the Authentication Group prior to sign in will be able to log in successfully and see their group membership synced as they are in the Authentication Group.

Action

Add users to the configured Authentication group prior to sign in. This can be done manually, through a nested group, or group rule.
Configure the Authentication group to be a standalone group that does not depend on Group Membership Synchronization.
Ensure the Authentication Group has a different Group Type than the group used for Group Membership Synchronization.

A product use case has been logged to the Appian Product Team for consideration to add this functionality in the product for multiple IdP's (#7032). Kindly note it is not Appian Support’s policy to disclose how or when a product use case will be implemented. Please create a support case to request addition to this product enhancement request.

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: August 2024

Tags: SAML

KB-2323 SAML Group Membership Sync Users unable to sign in

Maggie Deppe-Walker — Thu, 19 Sep 2024 04:47:16 GMT

Revision 8 posted to Appian Knowledge Base by Maggie Deppe-Walker on 9/19/2024 4:47:16 AM

Symptoms

Existing users are unable to authenticate with SAML when Group Membership Synchronization is used to add users to the configured Authentication group.

However, SAML works for:

New users configured with create new users upon sign-in.
Users already in the configured Authentication group.

The following logging is observed for users that are unable to authenticate with Group Membership Synchronization:

<APPIAN_HOME>/logs/tomcat-access.log:

/suite/saml/AssertionConsumer - 401 0.068

<APPIAN_HOME>/logs/tomcat-stdOut.log:

INFO  com.appiancorp.security.auth.saml.SamlFilter - Authentication Error: Invalid Saml settings for com.appiancorp.security.auth.saml.SamlAuthToken
org.springframework.security.authentication.BadCredentialsException: Invalid Saml settings for com.appiancorp.security.auth.saml.SamlAuthToken

<APPIAN_HOME>/logs/login-audit.csv:
```
<USERNAME>,Failed …
```

Cause

New users are able to login when new users are added to the SAML Authentication group through the “Create Users Upon Sign In” feature.

Additionally, users in the Authentication Group prior to sign in will be able to log in successfully and see their group membership synced as they are in the Authentication Group.

Action

Add users to the configured Authentication group prior to sign in. This can be done manually, through a nested group, or group rule.
Configure the Authentication group to be a standalone group that does not depend on Group Membership Synchronization.
Ensure the Authentication Group has a different Group Type than the group used for Group Membership Synchronization.

A product use case has been logged to the Appian Product Team for consideration to add this functionality in the product (#7032). Kindly note it is not Appian Support’s policy to disclose how or when a product use case will be implemented. Please create a support case to request addition to this product enhancement request.

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: August 2024

Tags: SAML

[SUPP-311 DRAFT KB] SAML Group Membership Sync Users unable to sign in

Maggie Deppe-Walker — Mon, 12 Aug 2024 02:05:21 GMT

Revision 7 posted to Appian Knowledge Base by Maggie Deppe-Walker on 8/12/2024 2:05:21 AM

Symptoms

Existing users are unable to authenticate with SAML when Group Membership Synchronization is used to add users to the configured Authentication group.

However, SAML works for:

New users configured with create new users upon sign-in.
Users already in the configured Authentication group.

The following logging is observed for users that are unable to authenticate with Group Membership Synchronization:

<APPIAN_HOME>/logs/tomcat-access.log:

/suite/saml/AssertionConsumer - 401 0.068

<APPIAN_HOME>/logs/tomcat-stdOut.log:

INFO  com.appiancorp.security.auth.saml.SamlFilter - Authentication Error: Invalid Saml settings for com.appiancorp.security.auth.saml.SamlAuthToken
org.springframework.security.authentication.BadCredentialsException: Invalid Saml settings for com.appiancorp.security.auth.saml.SamlAuthToken

<APPIAN_HOME>/logs/login-audit.csv:
```
<USERNAME>,Failed …
```

Cause

New users are able to login when new users are added to the SAML Authentication group through the “Create Users Upon Sign In” feature.

Additionally, users in the Authentication Group prior to sign in will be able to log in successfully and see their group membership synced as they are in the Authentication Group.

Action

Add users to the configured Authentication group prior to sign in. This can be done manually, through a nested group, or group rule.
Configure the Authentication group to be a standalone group that does not depend on Group Membership Synchronization.
Ensure the Authentication Group has a different Group Type than the group used for Group Membership Synchronization.

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: August 2024

Tags: SAML

[SUPP-311 DRAFT KB] SAML Group Membership Sync Users unable to sign in

camille.savagehansen — Mon, 29 Jul 2024 23:40:15 GMT

Revision 6 posted to Appian Knowledge Base by camille.savagehansen on 7/29/2024 11:40:15 PM

Users are unable to authenticate through SAML when adding users to the SAML Authentication group through SAML Group Membership Sync.

Symptom

SAML works for new users configured with “Create New User on Sign In”, and users already in the SAML Authentication group, but for users being added to the SAML group through the “Group Membership Sync” feature, SAML authentication fails and the user is not signed in.

User is not signed in as confirmed in logging:

Tomcat-access.log:
/suite/saml/AssertionConsumer - 401 0.068
Tomcat-stdOut.log:
INFO com.appiancorp.security.auth.saml.SamlFilter - Authentication Error: Invalid Saml settings for com.appiancorp.security.auth.saml.SamlAuthToken org.springframework.security.authentication.BadCredentialsException: Invalid Saml settings for com.appiancorp.security.auth.saml.SamlAuthToken
Login-audit.log
<USERNAME>,Failed …

Cause

When performing SAML Authentication, Appian checks whether the unauthenticated user is in the SAML Authentication group, and uses this to decide authentication success/failure. After authentication, if the user is in an authenticated group, Appian performs the group membership sync.

In design scenarios, where the Authentication Group depends on the group membership sync to put the user into the SAML group, authentication will fail. This is because the user will not be in the Authentication SAML Group before authentication, and will not be authenticated.

New users are able to login as new users are added to the SAML Authentication group through the “Create Users Upon Sign In” feature.

Additionally, users in the Authentication Group prior to sign in, will be able to login and see their group membership synced as they are in the SAML Authentication Group.

Action

Adding Users to the SAML Authentication Group will allow the users to sign in. This can be done manually, through a nested group, or group rule.
The SAML Authentication Group should be a standalone group that does not depend on the group membership sync.
The SAML Authentication Group should have a Different Group Type then the one used for membership sync.

If you are impacted by this behaviour, and wish to record your desire for this feature to be enhanced in further released of Appian, please work with Appian Support, or your Account Executive, to share your product use case through Product Enhancement Request: #7032 - Group membership sync for multiple IdP providers.

If you have further questions, please reach out to Appian Support through a Support Case.

Tags: SAML

[DRAFT SUPP-311] SAML Group Membership Sync Users unable to sign in

camille.savagehansen — Mon, 29 Jul 2024 23:24:27 GMT

Revision 5 posted to Appian Knowledge Base by camille.savagehansen on 7/29/2024 11:24:27 PM

Users are unable to authenticate through SAML when adding users to the SAML Authentication group through SAML Group Membership Sync.

Symptom

User is not signed in as confirmed in logging:

Tomcat-access.log:
/suite/saml/AssertionConsumer - 401 0.068
Tomcat-stdOut.log:
INFO com.appiancorp.security.auth.saml.SamlFilter - Authentication Error: Invalid Saml settings for com.appiancorp.security.auth.saml.SamlAuthToken org.springframework.security.authentication.BadCredentialsException: Invalid Saml settings for com.appiancorp.security.auth.saml.SamlAuthToken
Login-audit.log
<USERNAME>,Failed …

Cause

New users are able to login as new users are added to the SAML Authentication group through the “Create Users Upon Sign In” feature.

Additionally, users in the Authentication Group prior to sign in, will be able to login and see their group membership synced as they are in the SAML Authentication Group.

Action

Adding Users to the SAML Authentication Group will allow the users to sign in. This can be done manually, through a nested group, or group rule.
The SAML Authentication Group should be a standalone group that does not depend on the group membership sync.
The SAML Authentication Group should have a Different Group Type then the one used for membership sync.

If you have further questions, please reach out to Appian Support through a Support Case.

Tags: SAML

[DRAFT SUPP-311] SAML Group Membership Sync Users unable to sign in

camille.savagehansen — Mon, 29 Jul 2024 23:24:07 GMT

Revision 4 posted to Appian Knowledge Base by camille.savagehansen on 7/29/2024 11:24:07 PM

Users are unable to authenticate through SAML when adding users to the SAML Authentication group through SAML Group Membership Sync.

Symptom

User is not signed in as confirmed in logging:

Tomcat-access.log:
/suite/saml/AssertionConsumer - 401 0.068
Tomcat-stdOut.log:
INFO com.appiancorp.security.auth.saml.SamlFilter - Authentication Error: Invalid Saml settings for com.appiancorp.security.auth.saml.SamlAuthToken org.springframework.security.authentication.BadCredentialsException: Invalid Saml settings for com.appiancorp.security.auth.saml.SamlAuthToken
Login-audit.log
<USERNAME>,Failed …

Cause

New users are able to login as new users are added to the SAML Authentication group through the “Create Users Upon Sign In” feature.

Additionally, users in the Authentication Group prior to sign in, will be able to login and see their group membership synced as they are in the SAML Authentication Group.

Action

Adding Users to the SAML Authentication Group will allow the users to sign in. This can be done manually, through a nested group, or group rule.
The SAML Authentication Group should be a standalone group that does not depend on the group membership sync.
The SAML Authentication Group should have a Different Group Type then the one used for membership sync.

If you are impacted by this behaviour, and wish to record your desire for this feature to be enhanced in further released of Appiah, please work with Appian Support, or your Account Executive, to share your product use case through Product Enhancement Request: #7032 - Group membership sync for multiple IdP providers.

If you have further questions, please reach out to Appian Support through a Support Case.

Tags: SAML

[DRAFT SUPP-311] SAML Group Membership Sync Users unable to sign in

camille.savagehansen — Mon, 29 Jul 2024 23:09:55 GMT

Revision 3 posted to Appian Knowledge Base by camille.savagehansen on 7/29/2024 11:09:55 PM

Users are unable to authenticate through SAML when adding users to the SAML Authentication group through SAML Group Membership Sync.

Symptom

User is not signed in as confirmed in logging:

Tomcat-access.log:

/suite/saml/AssertionConsumer - 401 0.068

Tomcat-stdOut.log:

INFO  com.appiancorp.security.auth.saml.SamlFilter - Authentication Error: Invalid Saml settings for com.appiancorp.security.auth.saml.SamlAuthToken
org.springframework.security.authentication.BadCredentialsException: Invalid Saml settings for com.appiancorp.security.auth.saml.SamlAuthToken

Cause

New users are able to login as new users are added to the SAML Authentication group through the “Create Users Upon Sign In” feature.

Additionally, users in the Authentication Group prior to sign in, will be able to login and see their group membership synced as they are in the SAML Authentication Group.

Action

Adding Users to the SAML Authentication Group will allow the users to sign in. This can be done manually, through a nested group, or group rule.
The SAML Authentication Group should be a standalone group that does not depend on the group membership sync.
The SAML Authentication Group should have a Different Group Type then the one used for membership sync.

If you have further questions, please reach out to Appian Support through a Support Case.

Tags: SAML

[DRAFT SUPP-311] SAML Group Membership Sync Users unable to sign in

Appian Community — Mon, 29 Jul 2024 06:09:03 GMT

Revision 2 posted to Appian Knowledge Base by Appian Community on 7/29/2024 6:09:03 AM

Users are unable to authenticate through SAML when adding users to the SAML Authentication group through SAML Group Membership Sync.

Symptom

User is not signed in as confirmed in logging:

Tomcat-access.log:

/suite/saml/AssertionConsumer - 401 0.068

Tomcat-stdOut.log:

INFO  com.appiancorp.security.auth.saml.SamlFilter - Authentication Error: Invalid Saml settings for com.appiancorp.security.auth.saml.SamlAuthToken
org.springframework.security.authentication.BadCredentialsException: Invalid Saml settings for com.appiancorp.security.auth.saml.SamlAuthToken

Cause

New users are able to login as new users are added to the SAML Authentication group through the “Create Users Upon Sign In” feature.

Additionally, users in the Authentication Group prior to sign in, will be able to login and see their group membership synced as they are in the SAML Authentication Group.

Action

Adding Users to the SAML Authentication Group will allow the users to sign in. This can be done manually, through a nested group, or group rule.
The SAML Authentication Group should be a standalone group that does not depend on the group membership sync.
The SAML Authentication Group should have a Different Group Type then the one used for membership sync.

If you are impacted by this behaviour, and wish to record your desire for this feature to be enhanced in further released of Appiah, please work with Appian Support, or your Account Executive, to share your product use case through Product Enhancement Request: #7032 - Group membership sync for multiple IdP providers.

If you have further questions, please reach out to Appian Support through a Support Case.