How To: Add SAML IDP Signing Certificate to Connect Keystore
This article is intended to assist with inserting a certificate to be used to validate a SAML signature from a SAML Identity Provider (IDP) when used with Alteryx Connect. This article is only needed if your IDP signs assertions or other traffic with a specific certificate that is self-signed or not issued by a widely trusted Certificate Authority (CA).
An error message may be received while attempting to validate the signature from an IDP if this is not inserted. An example is below:
org.opensaml.saml2.metadata.provider.MetadataProviderException: org.opensaml.saml2.metadata.provider.MetadataProviderException: Error filtering metadata from {metadataURL}.xml ...(trimmed) Caused by: org.opensaml.saml2.metadata.provider.MetadataProviderException: Error filtering metadata from {metadataURL}.xml ...(trimmed) Caused by: org.opensaml.saml2.metadata.provider.FilterException: Signature trust establishment failed for metadata entry
Prerequisites
- Alteryx Connect >= 2018.1
- Remote Desktop (RDP) or other direct access to the Alteryx Connect machine
- Windows Administrator account on the Alteryx Connect machine
- Alteryx Connect account within the "Administrators" group
- Certificate (.cer) or other X509 certificate file available to import
  - This certificate should be the IDP's signing certificate or part of the certificate chain
  - If you are not sure where to obtain this certificate, reach out to an administrator or support group for the CA, or your IT team for assistance
Procedure
- Verify that the certificate file is available on the Alteryx Connect machine's local file system
- You will also need the password for the SAML keystore (samlKeystore.jks in the ac_work directory). If you do not have this keystore password, follow the sub-steps to change the password
  - Open Alteryx Connect in a web browser and log in with an Administrator account
  - Open the Administration panel by clicking on your account name in the upper-right corner and choosing Administration from the drop-down
  - Click Connect Configuration from the Admin Menu
  - Click Single Sign-On within the Connect Configuration panel
  - Click Advanced settings near the bottom of the page
  - Specify a new password in the Password field
  - Click Save
- Open a Command Prompt (cmd.exe) as Administrator on the Alteryx Connect machine's desktop
- Change directory to the Java bin directory of your Alteryx Connect installation. Replace {InstallDir} in the command below with the root path of your Alteryx Connect installation.
- Press Enter
Command Line:
cd "{InstallDir}\jre\bin"
Example:
cd "C:\Program Files\AlteryxConnect\jre\bin"
- The keytool.exe utility will need to be used in order to insert the certificate. Replace {cert} in the command below with the full path to the certificate file being used. Replace {InstallDir} with the root path of your Alteryx Connect installation. Replace {alias} with a desired identifier for the certificate you are inserting. Replace {samlKeystorePassword} with the password gathered in Step 2 above.
Command Line:
keytool.exe -importcert -file "{cert}" -keystore "{InstallDir}\ac_work\samlKeystore.jks" -alias "{alias}" -storepass {samlKeystorePassword}
Example:
keytool.exe -importcert -file "C:\Users\username\Desktop\SAMLSigningCert.cer" -keystore "C:\Program Files\AlteryxConnect\ac_work\samlKeystore.jks" -alias "ADFS_Signing" -storepass keystorePassword22
- Press Enter
- Executing the command above should return information about the certificate and a prompt asking whether to trust the certificate. Make sure the information returned (subject, issuer, validity period and fingerprints) matches the values you expect from the IDP, then type yes at the prompt.
- Press Enter
- Verify that the output reads "Certificate was added to keystore"
- If you receive an error, review the error message and make any corrections necessary.
- Restart the Alteryx Connect service to apply the changes.
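The import above can be wrapped so that the certificate's details are checked against a thumbprint obtained from the IDP administrators before anything is trusted, and the keystore entry is verified afterwards. This is an added example, not part of the Alteryx article; it assumes you have the expected SHA-1 thumbprint out of band, that the bundled keytool accepts -storepass:env (JDK 7 and later), and uses the environment variable name AC_SAML_STOREPASS of its own choosing.

```powershell
# Added example (not from the Alteryx article): check, import and verify an IDP signing cert.
param(
    [Parameter(Mandatory)] [string]$CertFile,            # e.g. C:\Users\username\Desktop\SAMLSigningCert.cer
    [Parameter(Mandatory)] [string]$Alias,               # e.g. ADFS_Signing
    [Parameter(Mandatory)] [string]$ExpectedThumbprint,  # SHA-1 thumbprint given to you by the IDP team (assumed)
    [string]$InstallDir = 'C:\Program Files\AlteryxConnect'
)
$keytool  = Join-Path $InstallDir 'jre\bin\keytool.exe'
$keystore = Join-Path $InstallDir 'ac_work\samlKeystore.jks'
foreach ($p in $keytool, $keystore, $CertFile) { if (-not (Test-Path $p)) { throw "Not found: $p" } }

# 1. Inspect the certificate file and refuse it unless it is currently valid and matches the expected thumbprint.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertFile
"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"
"Valid   : $($cert.NotBefore) to $($cert.NotAfter)"
"SHA-1   : $($cert.Thumbprint)"
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) { throw 'Certificate is not currently valid; not importing.' }
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($cert.Thumbprint -ne $expected) { throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $expected; not importing." }

# 2. Import. The keystore password is handed to keytool through an environment variable (-storepass:env)
#    so it does not appear on the command line. -noprompt is safe here because step 1 already verified the cert.
$secure = Read-Host -Prompt 'SAML keystore password' -AsSecureString
$env:AC_SAML_STOREPASS = (New-Object System.Net.NetworkCredential('', $secure)).Password
try {
    & $keytool -importcert -noprompt -file $CertFile -keystore $keystore -alias $Alias '-storepass:env' AC_SAML_STOREPASS
    if ($LASTEXITCODE -ne 0) { throw "keytool import failed (exit code $LASTEXITCODE)" }

    # 3. Verify the alias now exists in samlKeystore.jks and carries the same SHA-1 fingerprint as the file.
    $listing = & $keytool -list -v -keystore $keystore -alias $Alias '-storepass:env' AC_SAML_STOREPASS
    if ($LASTEXITCODE -ne 0) { throw "Alias '$Alias' not found in keystore after import" }
    $line = ($listing | Select-String 'SHA1:' | Select-Object -First 1).Line
    $fp = (($line -replace '.*SHA1:\s*', '') -replace ':', '').Trim().ToUpperInvariant()
    if ($fp -ne $cert.Thumbprint) { throw "Keystore entry fingerprint $fp does not match the file" }
    "Imported '$Alias' (SHA-1 $fp). Restart the Alteryx Connect service to apply the change."
} finally {
    # Do not leave the keystore password in the environment of this session.
    Remove-Item Env:AC_SAML_STOREPASS -ErrorAction SilentlyContinue
}
```

If the bundled keytool rejects -storepass:env, replace both occurrences with the article's -storepass {samlKeystorePassword} form.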
Additional Resources