Alteryx Connect Knowledge Base


How To: Add SAML IDP Signing Certificate to Connect Keystore


This article explains how to insert the certificate used to validate a SAML signature from a SAML Identity Provider (IDP) into the keystore used by Alteryx Connect. It is only needed if your IDP signs assertions or other traffic with a specific certificate that may be self-signed or not issued by a widely trusted Certificate Authority (CA).

 

If the certificate is not inserted, an error message may be received while attempting to validate the signature from the IDP. An example is below:

 

 

 

org.opensaml.saml2.metadata.provider.MetadataProviderException: org.opensaml.saml2.metadata.provider.MetadataProviderException: Error filtering metadata from {metadataURL}.xml
...(trimmed)
Caused by: org.opensaml.saml2.metadata.provider.MetadataProviderException: Error filtering metadata from {metadataURL}.xml
...(trimmed)
Caused by: org.opensaml.saml2.metadata.provider.FilterException: Signature trust establishment failed for metadata entry

 

 

 

Prerequisites

 

  • Alteryx Connect >= 2018.1
  • Remote Desktop (RDP) or other direct access to the Alteryx Connect machine
  • Windows Administrator account on the Alteryx Connect machine
  • Alteryx Connect account within the "Administrators" group
  • Certificate (.cer) or other X509 certificate file available to import
    • This certificate should be the IDP's signing certificate or part of the certificate chain
    • If you are not sure where to obtain this certificate, reach out to an administrator or support group for the CA, or your IT team for assistance

 

Procedure

 

  1. Verify that the certificate file is available on the Alteryx Connect machine's local file system
  2. You will also need the password for the SAML keystore (samlKeystore.jks in the ac_work directory). If you do not have this keystore password, follow the sub-steps to change the password
    1. Open Alteryx Connect in a web browser and log in with an Administrator account
    2. Open the Administration panel by clicking on your account name in the upper-right corner and choosing Administration from the drop-down
    3. Click Connect Configuration from the Admin Menu
    4. Click Single Sign-On within the Connect Configuration panel
    5. Click Advanced settings near the bottom of the page
    6. Specify a new password in the Password field
    7. Click Save
  3. Open a Command Prompt (cmd.exe) as Administrator on the Alteryx Connect machine's desktop
  4. Change directory to the Java bin directory of your Alteryx Connect installation. Replace {InstallDir} in the command below with the root path of your Alteryx Connect installation.
  5. Press Enter

    Command Line:

 

 

cd "{InstallDir}\jre\bin"

 


Example:

 

cd "C:\Program Files\AlteryxConnect\jre\bin"

 

 



  6. Use the keytool.exe utility to insert the certificate. Replace {cert} in the command below with the full path to the certificate file being used. Replace {InstallDir} with the root path of your Alteryx Connect installation. Replace {alias} with a desired identifier for the certificate you are inserting. Replace {samlKeystorePassword} with the password gathered in Step 2 above.

    Command Line:

 

 

keytool.exe -importcert -file "{cert}" -keystore "{InstallDir}\ac_work\samlKeystore.jks" -alias "{alias}" -storepass {samlKeystorePassword}

 


Example:

 

keytool.exe -importcert -file "C:\Users\username\Desktop\SAMLSigningCert.cer" -keystore "C:\Program Files\AlteryxConnect\ac_work\samlKeystore.jks" -alias "ADFS_Signing" -storepass keystorePassword22

 



 

  7. Press Enter
  8. Executing the command above should return information about the certificate and a prompt asking to trust the certificate. Make sure the information in the return matches the expected values, then type yes at the prompt.
  9. Press Enter
     



     

  10. Verify you receive the return Certificate was added to keystore
    1. If you receive an error, review the error message and make any corrections necessary.
  11. Restart the Alteryx Connect service to apply the changes.
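
The step that asks you to confirm the certificate details before typing yes can be made explicit. The PowerShell script below is an added example, not part of the original article or Alteryx's own tooling: it compares the file's SHA-256 fingerprint with a value obtained out-of-band from the IDP administrator, then runs the same keytool import. The paths and alias are taken from the article's examples, and $Expected is a placeholder you must replace.

```powershell
# Added example, not Alteryx code. Paths and alias mirror the article's examples.
$InstallDir = 'C:\Program Files\AlteryxConnect'
$CertFile   = 'C:\Users\username\Desktop\SAMLSigningCert.cer'
$Alias      = 'ADFS_Signing'
# Placeholder: SHA-256 fingerprint supplied out-of-band by the IDP administrator.
$Expected   = '<EXPECTED-SHA256-FINGERPRINT>'

$keytool  = Join-Path $InstallDir 'jre\bin\keytool.exe'
$keystore = Join-Path $InstallDir 'ac_work\samlKeystore.jks'

# Reduce a fingerprint to bare upper-case hex so "AA:BB", "aa bb" and "AABB" compare equal.
function ConvertTo-BareHex([string]$Value) {
    ($Value -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}

# Parse the file (DER or Base64 .cer) and hash the DER encoding of the certificate.
$cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertFile
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$actual = ConvertTo-BareHex ([System.BitConverter]::ToString($sha256.ComputeHash($cert.RawData)))

Write-Host "Subject : $($cert.Subject)"
Write-Host "Issuer  : $($cert.Issuer)"
Write-Host "Valid   : $($cert.NotBefore) to $($cert.NotAfter)"
Write-Host "SHA-256 : $actual"

$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    Write-Warning 'Certificate is outside its validity period; confirm this is the intended file.'
}
if ($actual -ne (ConvertTo-BareHex $Expected)) {
    throw 'Fingerprint does not match the value from the IDP administrator; nothing was imported.'
}

# Keep a copy of the keystore so the change can be rolled back.
Copy-Item -Path $keystore -Destination "${keystore}.$(Get-Date -Format yyyyMMddHHmmss).bak"

# -storepass is omitted on purpose: keytool prompts for the password, which keeps it
# out of command history and process listings.
& $keytool -importcert -file $CertFile -keystore $keystore -alias $Alias
if ($LASTEXITCODE -ne 0) { throw "keytool -importcert failed with exit code $LASTEXITCODE" }

# Show the stored entry so its fingerprint can be checked once more.
& $keytool -list -v -keystore $keystore -alias $Alias
```

Run it from an elevated PowerShell session on the Alteryx Connect machine; the service restart in the final step is still required afterwards.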

 

  


 

Comments

Hi @MikeSp,

Thank you for another great article. I would humbly mention one minor comment though - keytool.exe has been shipped with Connect since version 2019.1, so if the customer is actually on 2018.4 (as is mentioned in the prerequisites), the commands in #6 and later will probably not work unless the tool is placed there manually.