We are currently experiencing an issue with Email verification at this time and working towards a solution. Should you encounter this issue, please click on the "Send Verification Button" a second time and the request should go through. If the issue still persists for you, please email support@alteryx.com for assistance.

Alteryx Connect Knowledge Base

Definitive answers from Connect experts.

How To: Add SAML IDP Signing Certificate to Connect Keystore

MikeSp
Alteryx
Alteryx
Created

How To: Add SAML IDP Signing Certificate to Connect Keystore

This article is intended to assist with inserting a certificate to be used to validate a SAML signature from a SAML Identity Provider (IDP) when used with Alteryx Connect. This article will only be needed if your IDP is signing assertions or other traffic with a specific cert that may be self-signed or not trusted by a widely trusted CertificateAuthority (CA).

An error message may be received while attempting to validate the signature from an IDP if this is not inserted. An example is below:

org.opensaml.saml2.metadata.provider.MetadataProviderException: org.opensaml.saml2.metadata.provider.MetadataProviderException: Error filtering metadata from {metadataURL}.xml ...(trimmed) Caused by: org.opensaml.saml2.metadata.provider.MetadataProviderException: Error filtering metadata from {metadataURL}.xml ...(trimmed) Caused by: org.opensaml.saml2.metadata.provider.FilterException: Signature trust establishment failed for metadata entry

Prerequisites

  • Alteryx Connect >= 2018.1
  • Remote Desktop (RDP) or other direct access to the Alteryx Connect machine
  • Windows Administrator account on the Alteryx Connect machine
  • Alteryx Connect account within the "Administrators" group
  • Certificate (.cer) or other X509 certificate file available to import
    • This certificate should be the IDP's signing certificate or part of the certificate chain
    • If you are not sure where to obtain this certificate, reach out to an administrator or support group for the CA, or your IT team for assistance

Procedure

  1. Verify that the certificate file is available on the Alteryx Connect machine's local file system
  2. You will also need the password for the SAML keystore (samlKeystore.jks in the ac_work directory). If you do not have this keystore password, follow the sub-steps to change the password
    1. Open Alteryx Connect in a web browser and login with an Administrator account
    2. Open the Administration panel by clicking on your account name in the upper-right corner and choosingAdministration from the drop-down
    3. ClickConnect Configuration from the Admin Menu
    4. ClickSingle Sign-On within the Connect Configuration panel
    5. Click Advanced settings near the bottom of the page
    6. Specify a new password in thePassword field
    7. ClickSave
  3. Open aCommand Prompt (cmd.exe) as Administratoron the Alteryx Connect machine's desktop
  4. Change directory to the Java bin directory of your Alteryx Connect installation.Replace{InstallDir}in the command below with the root path of your Alteryx Connect installation.
  5. PressEnter

    Command Line:

cd "{InstallDir}\jre\bin"


Example:

cd "C:\Program Files\AlteryxConnect\jre\bin"



  • The keytool.exe utility will need to be used in order to insert the certificate. Replace{file}in the command below with the full path to the certificate file being used. Replace{InstallDir}with the root path of your Alteryx Connect installation. Replace{alias}with a desired identifier for the certificate you are inserting. Replace{samlKeystorePassword}with the password gathered in Step 2 above.

    Command Line:

keytool.exe -importcert -file "{cert}" -keystore "{InstallDir}\ac_work\samlKeystore.jks" -alias "{alias}" -storepass {samlKeystorePassword}


Example:

keytool.exe -importcert -file "C:\Users\username\Desktop\SAMLSigningCert.cer" -keystore "C:\Program Files\AlteryxConnect\ac_work\samlKeystore.jks" -alias "ADFS_Signing" -storepass keystorePassword22



  • PressEnter
  • Executing the command above should return information about the certificate and a prompt asking to trust the certificate. Make sure the information in the return matches the expected values, then typeyesat the prompt.
  • PressEnter


    image.png

  • Verify you receive the returnCertificate was added to keystore
    1. If you receive an error, review the error message and make any corrections necessary.
  • RestarttheAlteryx Connectservice to apply the changes.

Additional Resources

No ratings
Comments
VojtechT
Alteryx
Alteryx

Hi @MikeSp ,

 

thank you for another great article. I would humbly mention one minor comment though - the keytool.exe has been shipped with Connect since version 2019.1, so if the customer is actually on 2018.4 (as is mentioned in the prerequisites), the commands in #6 and later will probably not work unless the tools is placed there manually.