
Alteryx Connect Knowledge Base

Definitive answers from Connect experts.

How To: Configure SAML on Alteryx Connect for Active Directory Federation Services (ADFS)

MikeSp
Alteryx


 

Alteryx Connect has the ability to interface with a number of identity providers that support the SAML 2.0 standard, and recently we stood up an ADFS test server and set it up with Alteryx Connect successfully. The following information will assist with configuring Alteryx Connect to be functional with ADFS.

 

Please note the following information is based on third-party software and processes may be slightly different on older or newer versions of the software. The following was created against ADFS v4.0 running on Windows Server 2016 and Alteryx Connect 2019.2.

 

Prerequisites

 

 

Procedure

 

  1. Verify that your Alteryx Connect server has been configured with SSL/TLS enabled and that a proper SSL certificate is installed. Instructions are provided in the link above.
  2. Log in to your Alteryx Connect website as the default administrator (admin) account.
    Note: Other administrator accounts may not be able to see the required options in certain versions of Alteryx Connect.
  3. Open the Administration Panel > Connect Configuration > Single Sign-On.
  4. Click Download Metadata. This will download an XML file containing configuration information and Connect's SAML signing certificate that we will import into ADFS. You should send this resulting file to your ADFS administrator to assist with setup.
    Note: This button may only be visible to the "super-admin" account (admin) within Alteryx Connect. This option is not available to other administrator accounts in certain versions, so if you do not see the button, make sure you are signed into the default "admin" account created when you initially set up your Alteryx Connect instance.
  5. This and the following steps will require an ADFS administrator. Open the AD FS Management utility (Start > Windows Administrative Tools > AD FS Management).
  6. Click Relying Party Trusts from the console, then click Add Relying Party Trust...
  7. Click Import data about the relying party from a file.
  8. Use the Browse button to browse to the location of the XML file gathered in Step 4, then click Next.
  9. Type a Display name for the trust. I placed "Alteryx Connect" here, but you can use a name that best identifies the connection for you, such as a server name or other easily identifiable name. Then click Next.
  10. Select Permit everyone from the Access Control Policy and click Next.
    Note: You may wish to configure this option differently depending on the environment and whom you wish to be able to authenticate with Alteryx Connect, or you may wish to set up Multi-Factor Authentication (MFA). Specific access permissions and these types of setup are outside the scope of this article.
  11. Click Next on the Ready to Add Trust page.
  12. Check the box next to Configure claims issuance policy for this application and click Close.
  13. Verify the Claim rule template is set to Send LDAP Attributes as Claims and click Next.
  14. Type a desired name for the rule within the Claim rule name box. From the Attribute store drop-down, choose Active Directory.
  15. Using the following table, set the appropriate options within the Mapping of LDAP attributes to outgoing claim types box. Click Finish.
    Note: The following outgoing values are case sensitive and will need to be typed except for "E-Mail-Addresses".

    | LDAP Attribute   | Outgoing Claim Type |
    |------------------|---------------------|
    | E-Mail-Addresses | Name ID             |
    | Given-Name       | firstName           |
    | Surname          | lastName            |
  16. On the Claim Issuance Policy window, click Apply to apply the settings, then click OK.
  17. In the Relying Party Trusts window, double-click the Trust that you created earlier.
  18. Click the Advanced tab.
  19. Change the Secure hash algorithm to SHA-1. Click OK.
  20. (Optional) The ADFS signing certificate and/or web access certificate (the certificate used to serve metadata from ADFS and field requests) may need to be imported manually if your certificates are not signed by a publicly recognized Certificate Authority (CA). These should be provided to your Alteryx Connect admin as Base64-encoded certificate (typically .cer) files if possible.
  21. You will now need an administrator with access to the Alteryx Connect website as the default administrator (admin) account.
    Note: Other administrator accounts may not be able to see the required options in certain versions of Alteryx Connect.
  22. Open the Administration Panel > Connect Configuration > Single Sign-On page.
  23. Click +ADD to open the new SAML dialog.
  24. In the Name field, type a name for the ADFS connection.
    Note: This name will appear on the Alteryx Connect login page for users of the Alteryx Connect system.
  25. Choose an Icon for the Identity Provider (IDP).
    Note: An icon picture must be provided to continue. You can use a placeholder image if you do not have an appropriate image available.
  26. In the Description field, type a description for the IDP.
  27. Under Identity provider details, select an appropriate connection option. For our guide, we'll be using Get IDP metadata from URL. Contact your ADFS administrator if you are not sure which option to use.
  28. Set the IDP Metadata URL to the location of the Federation Metadata XML file provided by the ADFS server.
    Note: If you are not positive on the value for this, ask your ADFS administrator.
  29. Click SAVE.
    If you receive an error at this stage, please review the Log page in the Alteryx Connect Administration Console. Review the articles below, as one or both of the following knowledge articles may apply to your situation based on the error(s) you are receiving.

    How To: Add SAML IDP Signing Certificate to Connect Keystore
    How To: Add Web Connection Certificate to Alteryx Connect Keystore
  30. Click the X in the Active column next to the new ADFS IDP entry. Click OK within the dialog asking if you wish to turn on the IDP.

    If you receive an error at this stage, please review the Log page in the Alteryx Connect Administration Console. Review the articles in the previous step, as one or both of the above knowledge articles may apply to your situation based on the error(s) you are receiving.
  31. Once the connection is enabled, Restart the Alteryx Connect service on the machine.
  32. Validate that the IDP is now appearing on the login page of Alteryx Connect.
    Note: If you also have Windows Authentication turned on in Connect Administration, you may need to log out to see this option or browse to the login page directly.
    URL: https://{ConnectBaseURL}/login
    Example: https://trn-con-07.cs.alteryx.com/login
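
The AD FS side of the procedure (steps 5 to 19) can also be applied from PowerShell on the ADFS server, which keeps the trust settings repeatable and reviewable. This is an added example, not part of the original article or Alteryx's own tooling; the metadata file path, the rule name and the variable names are assumptions, and the claim rule is the rule-language form of the step 15 mapping.

```powershell
# Added example: scripted equivalent of steps 5-19, run as an ADFS administrator.
# Assumptions (not from the article): $metadataFile path, the rule name, variable names.
Import-Module ADFS

$metadataFile = 'C:\Temp\connect-sp-metadata.xml'   # hypothetical location of the file from step 4
$trustName    = 'Alteryx Connect'                   # display name chosen in step 9

# Steps 13-15: "Send LDAP Attributes as Claims" written in the AD FS claim rule language.
# LDAP mail -> Name ID, givenName -> firstName, sn -> lastName.
# The outgoing names firstName / lastName are case sensitive.
$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Connect LDAP attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", "firstName", "lastName"), query = ";mail,givenName,sn;{0}", param = c.Value);
'@

# Steps 6-12: import the Connect metadata, apply the access control policy and the claim rule.
Add-AdfsRelyingPartyTrust -Name $trustName `
    -MetadataFile $metadataFile `
    -AccessControlPolicyName 'Permit everyone' `
    -IssuanceTransformRules $rules `
    -Enabled $true

# Step 19: set the secure hash algorithm to SHA-1
# (a new trust otherwise uses the AD FS default, SHA-256).
Set-AdfsRelyingPartyTrust -TargetName $trustName `
    -SignatureAlgorithm 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'

# Review what was actually stored before handing over to the Connect administrator.
Get-AdfsRelyingPartyTrust -Name $trustName |
    Format-List Name, Identifier, Enabled, SignatureAlgorithm,
                AccessControlPolicyName, IssuanceTransformRules

# Step 28: confirm the Federation Metadata endpoint is enabled and note its URL.
Get-AdfsEndpoint -AddressPath '/FederationMetadata/2007-06/FederationMetadata.xml' |
    Format-List FullUrl, Enabled, Proxy
```

The `Get-AdfsRelyingPartyTrust` output is a convenient record of the access control policy and hash algorithm in effect for the trust.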


 

Common Issues

 

If any issues are experienced during setup, reach out to Alteryx Support for additional assistance.

 

Additional Resources

 

Comments
VojtechT
Alteryx

Hi @MikeSp ,

 

thank you for the article! 

 

I would like to elaborate on step #15 - there could also be "position" and "Phone" fields used in the mapping to bring this information onto the user's profile page. At least that's what I see in the script, but I haven't actually tested it.

 

Also I wonder if the restart of Connect in step #31 is necessary. From my previous experience, logging out was enough. But ADFS might behave in a different way. Just a thought.

 

Anyway, here is my like 🙂🙂