How To: Configure SAML on Alteryx Connect for Active Directory Federation Services (ADFS)

Alteryx Connect can interface with identity providers that support the SAML 2.0 standard. We recently stood up an ADFS test server and set it up with Alteryx Connect successfully. The following information will assist with configuring Alteryx Connect to work with ADFS.

Please note that the following information is based on third-party software, and processes may be slightly different on older or newer versions of the software. The following was created against ADFS v4.0 running on Windows Server 2016 and Alteryx Connect 2019.2.

Prerequisites

Procedure

  1. Verify that your Alteryx Connect server has been configured with SSL/TLS enabled and that a proper SSL certificate is installed. Instructions are provided in the link above.
  2. Log in to your Alteryx Connect website as the default administrator (admin) account.
    Note: Other administrator accounts may not be able to see the required options in certain versions of Alteryx Connect.
  3. Open the Administration Panel > Connect Configuration > Single Sign-On
  4. Click Download Metadata. This will download an XML file containing configuration information and Connect's SAML signing certificate, which will be imported into ADFS. Send the resulting file to your ADFS administrator to assist with setup.
    Note: This button may only be visible to the "super-admin" account (admin) within Alteryx Connect. This option is not available to other administrator accounts in certain versions, so if you do not see the button, make sure you are signed in to the default "admin" account created when you initially set up your Alteryx Connect instance.

  5. This and the following steps will require an ADFS administrator. Open the AD FS Management utility (Start > Windows Administrative Tools > AD FS Management)
  6. Click Relying Party Trusts from the console, then click Add Relying Party Trust...
  7. Click Import data about the relying party from a file
  8. Use the Browse button to browse to the location of the XML file gathered in Step 4, then click Next

  9. Type a Display name for the trust. I placed "Alteryx Connect" here, but you can use a name that best identifies the connection for you, such as a server name or other easily identifiable name. Then click Next.

  10. Select Permit everyone from the Access Control Policy and click Next.

    Note: You may wish to configure this option differently depending on the environment and whom you wish to be able to authenticate with Alteryx Connect, or you may wish to set up Multi-Factor Authentication (MFA). Specific access permissions and these types of setup are outside the scope of this article.

  11. Click Next on the Ready to Add Trust page.

  12. Check the box next to Configure claims issuance policy for this application and click Close.

  13. Verify the Claim rule template is set to Send LDAP Attributes as Claims and click Next.

  14. Type a desired name for the rule within the Claim rule name box. From the Attribute store drop-down, choose Active Directory.
  15. Using the following table, set the appropriate options within the Mapping of LDAP attributes to outgoing claim types box. Click Finish.
    Note: The following outgoing values are case sensitive and will need to be typed except for "E-Mail-Addresses".

    LDAP Attribute      Outgoing Claim Type
    E-Mail-Addresses    Name ID
    Given-Name          firstName
    Surname             lastName

  16. On the Claim Issuance Policy window, click Apply to apply the settings, then click OK.

  17. In the Relying Party Trusts window, double-click the Trust that you created earlier.
  18. Click the Advanced tab.
  19. Change the Secure hash algorithm to SHA-1. Click OK.

  20. (Optional) The ADFS signing certificate and/or web access certificate (the certificate used to serve metadata from ADFS and field requests) may need to be imported manually if your certificates are not signed by a publicly recognized Certificate Authority (CA). These should be provided to your Alteryx Connect admin as Base64 encoded Certificate (typically .cer) files if possible.
  21. You will now need an administrator with access to the Alteryx Connect website as the default administrator (admin) account.
    Note: Other administrator accounts may not be able to see the required options in certain versions of Alteryx Connect.
  22. Open the Administration Panel > Connect Configuration > Single Sign-On page.

  23. Click +ADD to open the new SAML dialog.
  24. In the Name field, type a name for the ADFS connection.
    Note: This name will appear on the Alteryx Connect login page for users of the Alteryx Connect system.
  25. Choose an Icon for the Identity Provider (IDP).
    Note: An icon picture must be provided to continue. You can use a placeholder image if you do not have an appropriate image available.
  26. In the Description field, type a description for the IDP.
  27. Under Identity provider details, select an appropriate connection option. For our guide, we'll be using Get IDP metadata from URL. Contact your ADFS administrator if you are not sure which option to use.
  28. Set the IDP Metadata URL to the location of the Federation Metadata xml file provided by the ADFS server.

    Note: If you are not sure of the value for this, ask your ADFS administrator.
  29. Click SAVE.

    If you receive an error at this stage, please review the Log page in the Alteryx Connect Administration Console. Review the articles below, as one or both of the following knowledge articles may apply to your situation based on the error(s) you are receiving.

    How To: Add SAML IDP Signing Certificate to Connect Keystore
    How To: Add Web Connection Certificate to Alteryx Connect Keystore
  30. Click the X in the Active column next to the new ADFS IDP entry. Click OK within the dialog asking if you wish to turn on the IDP.

    If you receive an error at this stage, please review the Log page in the Alteryx Connect Administration Console. Review the articles in the previous step, as one or both of the above knowledge articles may apply to your situation based on the error(s) you are receiving.

  31. Once the connection is enabled, restart the Alteryx Connect service on the machine.
  32. Validate that the IDP now appears on the login page of Alteryx Connect.
    Note: If you also have Windows Authentication turned on in Connect Administration, you may need to log out to see this option or browse to the login page directly.
    URL: https://{ConnectBaseURL}/login
    Example: https://trn-con-07.cs.alteryx.com/login
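
Added example, not part of the original article or Alteryx's own code: a Python check to run on the metadata XML downloaded in step 4 before it is imported in step 8. It also accepts the ADFS Federation Metadata from step 28, which goes beyond the single file the article describes. It lists the entity ID, the endpoints and a SHA-256 fingerprint of each signing certificate, so both administrators can compare them out of band. The sample document, the host connect.example.com and the function name inspect_metadata are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def inspect_metadata(xml_text):
    """Summarise a SAML 2.0 metadata document and list problems worth fixing."""
    if "<!DOCTYPE" in xml_text:  # metadata never needs a DTD; refuse entity tricks
        raise ValueError("DOCTYPE not allowed in SAML metadata")
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor")
    # SP metadata (step 4) carries AssertionConsumerService endpoints;
    # IdP metadata (step 28) carries SingleSignOnService endpoints.
    endpoints = [e.get("Location", "")
                 for tag in ("AssertionConsumerService", "SingleSignOnService")
                 for e in root.iterfind(".//md:" + tag, NS)]
    fingerprints = []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):  # no "use" = signing and encryption
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            fingerprints.append(hashlib.sha256(der).hexdigest())
    findings = [f"endpoint is not HTTPS: {u}" for u in endpoints
                if urlparse(u).scheme != "https"]
    if not endpoints:
        findings.append("no ACS or SSO endpoint found")
    if not fingerprints:
        findings.append("no signing certificate found")
    return {"entity_id": root.get("entityID"), "endpoints": endpoints,
            "signing_cert_sha256": fingerprints, "findings": findings}

# Constructed sample (not real Connect output); the certificate is placeholder bytes.
_CERT = base64.b64encode(b"constructed placeholder, not a real DER certificate").decode()
SAMPLE_SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://connect.example.com/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{_CERT}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService index="0" Location="https://connect.example.com/saml/SSO"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    print(inspect_metadata(SAMPLE_SP_METADATA))
```

An empty findings list means the file has HTTPS endpoints and at least one signing certificate; the fingerprint still has to be compared against the value read from the server that issued the file.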

Common Issues

If any issues are experienced during setup, reach out to Alteryx Support for additional assistance.

Additional Resources

Comments

Hi @MikeSp,

Thank you for the article!

I would like to elaborate on step #15 - there could also be "position" and "Phone" fields used in mapping to bring this information onto the user's profile page. At least that's what I see in the script, but I haven't actually tested it.

Also I wonder if the restart of Connect in step #31 is necessary. From my previous experience, logging out was enough. But ADFS might behave in a different way. Just a thought.

Anyway, here is my like 🙂🙂