Walkthrough — MS Entra ID OpenID Connect connection with Appian 23.1+
The purpose of this article is to walk through the steps for setting up the new OpenID Connect authentication introduced with Appian 23.1.
Steps are as follows:
1. Log into the Azure portal, navigate to Azure Active Directory (Microsoft Entra ID) / App registrations, and create a new registration
2. Give the registration a name
3. The registered application overview will look as follows:
4. From the application overview, the following details will be required later (Application (client) ID and Directory (tenant) ID):
5. Click on "Redirect URIs : Add a Redirect URI"
Select "Web" as the platform
Note: The callback URL will always be:
https://<appianHost>/suite/oidc/callback
6. Click “Configure”
Now, generate the Client credentials
7. Click on “Client credentials : Add a certificate or secret”
8. Identify the Discovery Endpoint, as this will also be required when configuring Appian authentication.
9. Set the API Permissions
Configure Appian
10. Open the Admin Console / Authentication / OpenID Connect
Client ID: the Azure "Application (client) ID"
Client Secret: the secret value generated in step 7
OpenID Connect Discovery Endpoint:
https://login.microsoftonline.com/<TenantID>/v2.0/.well-known/openid-configuration
Scope: openid profile
Username Claim: preferred_username
Authentication Group: a group specific to users authenticated via OIDC (this walkthrough uses a group named 'OIDC')
11. Enable Attribute Mapping to create new users on sign-in and add the following 3 required claims (attributes):
12. To ensure that all authenticated users are added to the authentication group 'OIDC', create a rule
13. Click on "NEW RULE", select "All Users" and then "CREATE"
This rule applies to users authenticating via OpenID Connect, which has the authentication group 'OIDC' set as its default.
Troubleshooting Section
Logging
The following logger is available to trace the authentication; it is configured in <appianHome>/deployment/web.war/WEB-INF/resources/appian_log4j.properties:
log4j.logger.com.appiancorp.security.auth.oidc=INFO (or DEBUG for full detail)
NB: There is no need to restart the application server once the logging level is changed, as changes are "hot deployed"; all details are captured in the tomcat-stdOut.log file.
Additional log information
The existing /logs/data-metric/users.csv now includes an additional column, "Active OIDC Users", which captures the number of users authenticated via OIDC per day.
https://docs.appian.com/suite/help/22.1/Logging.html#user-metrics-logs
Generate Token outside of Appian
The following is an initial troubleshooting exercise to verify that tokens are issued successfully outside of Appian.
1. Obtain an authorization code by pasting the authorization request URL into a browser session.
2. Copy the value of the code=<string> parameter from the URL the browser is redirected to.
3. Construct the following curl command:
curl -X POST -d "code=<code string>&client_id=<taken from console>&client_secret=<secret>&redirect_uri=https://openid.appian-sites.net/suite/oidc/callback&grant_type=authorization_code" https://login.microsoftonline.com/6b3ec521-c99e-4cc2-bd63-e79e654151da/oauth2/token
4. What is returned is the access_token, refresh_token and id_token.
5. Grab the id_token and decode it using something like https://jwt.io/ (or decode the base64url payload locally, which avoids pasting a live token into a third-party site). Note that the command above calls the v1.0 token endpoint (/oauth2/token), so the decoded token below carries "ver": "1.0", an sts.windows.net issuer and the username in upn/unique_name. Appian, configured with the v2.0 discovery endpoint, exchanges the code at /oauth2/v2.0/token and receives a v2.0 token, whose issuer is https://login.microsoftonline.com/<TenantID>/v2.0 and whose username is in preferred_username, which is why that claim is the one mapped in the Admin Console.
{
"aud": "8eeb3501-df4f-4d2c-be3c-259e3311298a",
"iss": "https://sts.windows.net/6b3ec521-c99e-4cc2-bd63-e79e654151da/",
"iat": 1680777365,
"nbf": 1680777365,
"exp": 1680781265,
"aio": "AVQAq/8TAAAAXVO1cRtNyMwTMKzdldmsC7GQj9LJDT32rFmgVTghVRQjFO/UvigECNs86vB819O5VyrYu7CT/X+9bCaWWPmTBpzhRraaDgZXoP7BXofdz8A=",
"amr": [
"pwd",
"mfa"
],
"family_name": "Marziano",
"given_name": "Tony",
"ipaddr": "x.x.x.x",
"name": "Tony",
"oid": "966e7af5-5a92-431e-b410-fe1dc5ddd247",
"rh": "0.ATEAIcU-a57Jwky9Y-eeZUFR2gE1645P3yxNvjwlnjMRKYoxAKA.",
"sub": "OqO6UefSEdoc-xChw3ERorengDzAmb6_5saFLVPXSrA",
"tid": "6b3ec521-c99e-4cc2-bd63-e79e654151da",
"unique_name": "oidc@azurecognoslab.onmicrosoft.com",
"upn": "oidc@azurecognoslab.onmicrosoft.com",
"uti": "sDPTjLTE50m-_GxkEVJzAA",
"ver": "1.0"
}
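The following is an added example for this walkthrough (it is not Appian's or Microsoft's code, and was not part of the original article). It scripts the token test above end to end on the v2.0 endpoints: it builds the authorization request URL for step 1, pulls the code out of the callback URL for step 2, and decodes an ID token offline and checks it against the Admin Console settings (issuer derived from the v2.0 discovery endpoint, aud equal to the Client ID, expiry, and presence of the preferred_username claim). The endpoint shapes and claim names follow the public Entra ID OpenID Connect documentation; the tenant and client IDs are the tid and aud values visible in the decoded token above; the sample tokens are constructed here with a dummy signature, not issued by Entra, and the signature is deliberately not verified (Appian does that against jwks_uri from the discovery document).

```python
# Added example for the Appian / Entra ID OIDC walkthrough; not Appian's or
# Microsoft's code. Tenant and client IDs are the tid/aud from the page's
# decoded token; sample tokens below are constructed with a dummy signature.
import base64
import json
import time
from urllib.parse import parse_qs, urlencode, urlparse

TENANT_ID = "6b3ec521-c99e-4cc2-bd63-e79e654151da"   # tid from the page's token
CLIENT_ID = "8eeb3501-df4f-4d2c-be3c-259e3311298a"   # aud from the page's token
REDIRECT_URI = "https://<appianHost>/suite/oidc/callback"  # Appian's fixed callback path
AUTHORITY = f"https://login.microsoftonline.com/{TENANT_ID}"


def discovery_endpoint(tenant_id=TENANT_ID):
    """The value entered in Admin Console > Authentication > OpenID Connect."""
    return f"https://login.microsoftonline.com/{tenant_id}/v2.0/.well-known/openid-configuration"


def authorize_url(client_id=CLIENT_ID, redirect_uri=REDIRECT_URI,
                  scope="openid profile", state="constructed-state"):
    """Authorization request to paste into a browser (v2.0 endpoint, code flow).
    Use a random per-request state in practice; the literal is for illustration."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": scope,
        "state": state,
    }
    return f"{AUTHORITY}/oauth2/v2.0/authorize?{urlencode(params)}"


def code_from_callback(callback_url):
    """Pull the code= parameter out of the URL the browser lands on after login."""
    return parse_qs(urlparse(callback_url).query)["code"][0]


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt(token):
    """Return (header, claims). The signature is NOT verified here; Appian verifies
    it against jwks_uri from the discovery document. This is for eyeballing claims."""
    header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(header)), json.loads(_b64url_decode(payload))


def check_id_token(claims, tenant_id=TENANT_ID, client_id=CLIENT_ID,
                   username_claim="preferred_username", now=None):
    """List the mismatches that make Appian reject the token or fail to map a user,
    given the walkthrough's settings (v2.0 discovery endpoint, preferred_username)."""
    now = int(time.time()) if now is None else now
    problems = []
    expected_iss = f"https://login.microsoftonline.com/{tenant_id}/v2.0"
    if claims.get("iss") != expected_iss:
        problems.append(f"iss is {claims.get('iss')!r}, expected {expected_iss!r} "
                        "(a v1.0 token from /oauth2/token never matches a v2.0 discovery document)")
    if claims.get("aud") != client_id:
        problems.append("aud does not match the Client ID")
    if int(claims.get("exp", 0)) <= now:
        problems.append("token has expired")
    if username_claim not in claims:
        present = [c for c in ("preferred_username", "upn", "unique_name", "email") if c in claims]
        problems.append(f"username claim {username_claim!r} missing; name-like claims present: {present}")
    return problems


def constructed_token(claims):
    """Constructed sample token (RS256 header, dummy signature) for offline testing only."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}.constructed-dummy-signature"


# v1.0-style claims, shaped like the decoded token on this page (no preferred_username).
V1_CLAIMS = {"aud": CLIENT_ID, "iss": f"https://sts.windows.net/{TENANT_ID}/",
             "iat": 1680777365, "nbf": 1680777365, "exp": 1680781265,
             "tid": TENANT_ID, "upn": "oidc@example.onmicrosoft.com", "ver": "1.0"}
# v2.0-style claims, what the /oauth2/v2.0 endpoints return for the same user (constructed).
V2_CLAIMS = {"aud": CLIENT_ID, "iss": f"{AUTHORITY}/v2.0",
             "iat": 1680777365, "nbf": 1680777365, "exp": 1680781265,
             "tid": TENANT_ID, "preferred_username": "oidc@example.onmicrosoft.com", "ver": "2.0"}

if __name__ == "__main__":
    print(authorize_url())
    for claims in (V1_CLAIMS, V2_CLAIMS):
        _, decoded = decode_jwt(constructed_token(claims))
        print(decoded["ver"], check_id_token(decoded, now=1680777400) or "OK")
```

Run against a real id_token from the curl step, check_id_token reports the issuer and username-claim mismatches for a v1.0 token and returns an empty list for a v2.0 token issued to the registered client, which is the state Appian's OIDC login needs.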
Additional Information
OpenID Connect User Authentication
Walkthrough — Google OpenID connection with Appian 23.1
https://tony-marziano.medium.com/walkthrough-google-openid-connection-with-appian-23-1-a397b67611e4
Disclaimer:
The content of this article is purely my work and efforts and is not endorsed nor regarded as official documentation by Appian.