You are currently reviewing an older revision of this page.
After enabling SSO based authentication, a subset of users experiences issues logging in, while others are able to log in without issues.
The most common cause for SSO login issues experienced by only some users is a mis-broadcasting of the username. Appian usernames are always case sensitive, whereas some Identity Providers (IdPs) may be case agnostic in their treatment of usernames.
The below steps provide a framework for troubleshooting SSO issues impacting only some users. If no users are able to log in, please double check the SSO configurations and ensure that SSO is correctly configured by using the Administration Console to test prior to attempting to follow these steps.
Examine the login-audit.csv files
In order to determine which users are impacted, check the login-audit.csv files located in the <APPIAN_HOME>/logs/audit directory. As login issues for some SSO users are typically caused by mistakenly broadcast usernames, look for the following properties in login attempts with a Status of Failed and a Source of Portal:
login-audit.csv
<APPIAN_HOME>/logs/audit
John.Doe@Acme.com
john.doe@acme.com
john.doe
u12345
To determine if this is the cause, you may compare these to the list of users found in the Administration Console to cross reference and determine if the username is correctly broadcast. Misbroadcast usernames can be corrected in four ways depending on the nature of the issue:
Check user membership in SAML Users group and activation
It is a best practice to restrict SAML authentication to a particular group of users to prevent total lockout in the case of an IdP-originated issue or an erroneous configuration change. Appian does not allow the same user multiple methods of authentication with the exception of allowing multiple SAML IdPs per user in Appian 17.4 and later. If the login-audit.csv files do not indicate any of the errors above, check that the users impacted by the issue are members of the SAML Users group configured in the Admin Console. While checking this, also check that the users experiencing the issue haven't been deactivated on the Users tab of the Admin Console.
Check IdP side settings for affected users
Ensure that the users affected have not been deactivated on the IdP side, locked out due to an expired password or otherwise prevented from successfully authenticating. The easiest way to check this is if the user is able to authenticate with the IdP itself. If this does not work, the issue is most likely with the IdP rather than Appian
Gather a SAML trace
If none of the steps above lead to a solution, you may use a third-party tool such as SAML Tracer for Firefox or SAML Message Decoder for Chrome. If the user is unable to authenticate with the IdP, contact your IdP's technical support staff. If the issue only impacts the user in Appian but not the IdP, submit a new case to Appian Technical Support and include SAML Traces (request and response) for a user that is able to authenticate and one that is experiencing issues for further analysis. Submitting both allows Technical Support staff to cross-check for differences between successful and failed logins, and helps find an expedient resolution to the issue.
This article applies to all Appian versions that support configuring SAML authentication via the Admin Console. Some of the troubleshooting tips above may also apply to earlier Appian versions with SSO configured via custom Spring Security files.