SAML Group Sync

Appian has built-in user management. It is great for simple setups or demos. For integrating Appian into an enterprise environment, we need a bit more: centralized management of user accounts and permissions. In a typical corporate environment, some form of Microsoft Active Directory (AD) is used. Other so-called identity providers exist as well, such as Google, Facebook, Okta, and more.

In AD, we create accounts for users and assign them to groups to define their access to applications, services, and data. The user then has to authenticate to get access to any of these. To make this more convenient, systems support a way for a user to authenticate once when logging in to their computer. The operating system then uses this information to automate authentication on trusted systems. This is called single sign-on (SSO).

SAML

SAML is an XML-based standard for securely exchanging information for authentication and authorization purposes. Appian supports this standard and can easily integrate with most identity providers.

When a user tries to access an Appian environment, Appian redirects the user’s browser to the identity provider. The identity provider checks the user’s credentials, creates a signed token (the SAML assertion), and redirects the browser back to Appian, including the token.

That token contains the information that the user is allowed to access Appian, but also the list of groups that user is assigned to. Appian then creates a local user session and adds that user to all the groups listed in the token.

Syncing groups

SAML only provides a list of names of the user's groups. So we need a way to map these names to the respective groups in Appian. For this purpose, we create a group type in Appian. That group type specifies a field that contains the name of the corresponding group in Active Directory. We then create a group of this group type for each group that should be synchronized with Active Directory when a user logs in.

Find the details here: Group Membership Synchronization

The Three Systems Problem

We typically use 3-4 Appian environments to support development and operations. You would want to manage user access separately for each of these environments. Now, how do you define which group in Active Directory synchronizes with which group in Appian?

There is a simple answer.

For each environment, we configure SAML separately. This means we can tell each environment to use a different field of the group type to match group names. Instead of creating only a single field, as described in the documentation, create one field for each Appian environment. Like this:

  • memberOfValueDev
  • memberOfValueTest
  • memberOfValueAcc
  • memberOfValueProd

When you create a group in Appian, create 4 groups in Active Directory (one per environment) and copy their names into the respective fields of the Appian group.
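To make the per-environment matching concrete, here is an added illustration of the mapping logic in Python (it is not Appian's own implementation, and the assertion, group names and field values are constructed for the example). The environment a node is configured for decides which of the four fields is consulted; group names in the assertion that belong to another environment, or that have no Appian group at all, are reported rather than silently granted.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion fragment (not captured from a real IdP): the IdP sends
# the user's AD group names as a multi-valued "memberOf" attribute.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>APP-Loans-Admins-TEST</saml:AttributeValue>
      <saml:AttributeValue>APP-Loans-Users-TEST</saml:AttributeValue>
      <saml:AttributeValue>APP-Loans-Admins-PROD</saml:AttributeValue>
      <saml:AttributeValue>Domain Users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed Appian groups of the sync group type, with one field per
# environment as proposed in the post.
APPIAN_GROUPS = [
    {"name": "Loans Admins", "memberOfValueDev": "APP-Loans-Admins-DEV",
     "memberOfValueTest": "APP-Loans-Admins-TEST",
     "memberOfValueAcc": "APP-Loans-Admins-ACC", "memberOfValueProd": "APP-Loans-Admins-PROD"},
    {"name": "Loans Users", "memberOfValueDev": "APP-Loans-Users-DEV",
     "memberOfValueTest": "APP-Loans-Users-TEST",
     "memberOfValueAcc": "APP-Loans-Users-ACC", "memberOfValueProd": "APP-Loans-Users-PROD"},
]

# Which group-type field each environment's SAML configuration matches on.
ENV_FIELD = {"dev": "memberOfValueDev", "test": "memberOfValueTest",
             "acc": "memberOfValueAcc", "prod": "memberOfValueProd"}


def assertion_groups(xml_text, attribute_name="memberOf"):
    """Return the group names carried in the named SAML attribute."""
    root = ET.fromstring(xml_text)
    values = []
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == attribute_name:
            values.extend(v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text)
    return values


def sync_groups(environment, assertion_xml, appian_groups=APPIAN_GROUPS):
    """Return (matched Appian group names, unmatched AD group names) for one environment."""
    field = ENV_FIELD[environment]
    lookup = {g[field]: g["name"] for g in appian_groups}  # exact-match only
    ad_groups = assertion_groups(assertion_xml)
    matched = sorted(lookup[n] for n in ad_groups if n in lookup)
    unmatched = sorted(n for n in ad_groups if n not in lookup)
    return matched, unmatched
```

Running `sync_groups("test", SAMPLE_ASSERTION)` grants both Loans groups, while the PROD-suffixed name and "Domain Users" land in the unmatched list, which is worth logging so that stray or misspelled AD group names are noticed.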

An example SAML configuration could be:

Summary

You do not need to follow any specific procedure when deploying applications to the next environment. Just set up things once as outlined and enjoy future hassle-free deployments.

Low-code with Appian can be that simple! Rock it!

2 thoughts on “SAML Group Sync”

  1. Thanks Stefan. This is very useful for everyone who is going to set up Appian for their organization. And I liked your approach of explaining the topics: given with a problem statement and then providing the solution.

  2. Hi Stefan,

    we still can't get it working with ADFS and groups.
    Would you have a minute for us? 😉

    Best regards,
    Darius (BDK HH)
