How To: Configure SAML on Alteryx Connect for Active Directory Federation Services (ADFS)
Alteryx Connect has the ability to interface with a number of identity providers that support the SAML 2.0 standard, and recently we stood up an ADFS test server and set it up with Alteryx Connect successfully. The following information will assist with configuring Alteryx Connect to be functional with ADFS.
Please note the following information is based on third-party software and processes may be slightly different on older or newer versions of the software. The following was created against ADFS v4.0 running on Windows Server 2016 and Alteryx Connect 2019.2.
Prerequisites
- Alteryx Connect >= 2018.1
  - Account with access to perform administration tasks
- AD FS Server
  - Account with access to perform administration tasks
- All users that will log in must have an email address attribute
- SSL/TLS certificate installed on Alteryx Connect (self-signed certificate is not recommended)
Procedure
- Verify that your Alteryx Connect server has been configured with SSL/TLS enabled and that a proper SSL certificate is installed. Instructions are provided in the link above.
- Log in to your Alteryx Connect website as the default administrator (admin) account.
Note: Other administrator accounts may not be able to see the required options in certain versions of Alteryx Connect.
- Open the Administration Panel > Connect Configuration > Single Sign-On
- Click Download Metadata. This will download an XML file containing configuration information and Connect's SAML signing certificate that we will import into ADFS. You should send this resulting file to your ADFS administrator to assist with setup.
Note: This button may only be visible to the "super-admin" account (admin) within Alteryx Connect. This option is not available to other administrator accounts in certain versions, so if you do not see the button, make sure you are signed in to the default "admin" account created when you initially set up your Alteryx Connect instance.

- This and the following steps will require an ADFS administrator. Open the AD FS Management utility (Start > Windows Administrative Tools > AD FS Management)
- Click Relying Party Trusts from the console, then click Add Relying Party Trust...
- Click Import data about the relying party from a file
- Use the Browse button to browse to the location of the XML file gathered in Step 4, then click Next

- Type a Display name for the trust. I placed "Alteryx Connect" here, but you can use a name that best identifies the connection for you, such as a server name or other easily identifiable name. Then click Next.

- Select Permit everyone from the Access Control Policy and click Next.
Note: You may wish to configure this option differently depending on the environment and whom you wish to be able to authenticate with Alteryx Connect, or you may wish to set up Multi-Factor Authentication (MFA). Specific access permissions and these types of setup are outside the scope of this article.

- Click Next on the Ready to Add Trust page.

- Check the box next to Configure claims issuance policy for this application and click Close.

- Verify the Claim rule template is set to Send LDAP Attributes as Claims and click Next.

- Type a desired name for the rule within the Claim rule name box. From the Attribute store drop-down, choose Active Directory.
- Using the following table, set the appropriate options within the Mapping of LDAP attributes to outgoing claim types box. Click Finish.
Note: The following outgoing values are case sensitive and will need to be typed except for "E-Mail-Addresses".

| LDAP Attribute | Outgoing Claim Type |
| --- | --- |
| E-Mail-Addresses | Name ID |
| Given-Name | firstName |
| Surname | lastName |

- On the Claim Issuance Policy window, click Apply to apply the settings, then click OK.

- In the Relying Party Trusts window, double-click the Trust that you created earlier.
- Click the Advanced tab.
- Change the Secure hash algorithm to SHA-1. Click OK.

- (Optional) The ADFS signing certificate and/or web access certificate (the certificate used to serve metadata from ADFS and field requests) may need to be imported manually if your certificates are not signed by a publicly recognized Certificate Authority (CA). These should be provided to your Alteryx Connect admin as Base64 encoded Certificate (typically .cer) files if possible.
- You will now need an administrator with access to the Alteryx Connect website as the default administrator (admin) account.
Note: Other administrator accounts may not be able to see the required options in certain versions of Alteryx Connect.
- Open the Administration Panel > Connect Configuration > Single Sign-On page.

- Click +ADD to open the new SAML dialog.
- In the Name field, type a name for the ADFS connection.
Note: This name will appear on the Alteryx Connect login page for users of the Alteryx Connect system.
- Choose an Icon for the Identity Provider (IDP).
Note: An icon picture must be provided to continue. You can use a placeholder image if you do not have an appropriate image available.
- In the Description field, type a description for the IDP.
- Under Identity provider details, select an appropriate connection option. For our guide, we'll be using Get IDP metadata from URL. Contact your ADFS administrator if you are not sure which option to use.
- Set the IDP Metadata URL to the location of the Federation Metadata XML file provided by the ADFS server.
Example:

Note: If you are not positive on the value for this, ask your ADFS administrator.
- Click SAVE.

If you receive an error at this stage, please review the Log page in the Alteryx Connect Administration Console. Review the articles below, as one or both of the following knowledge articles may apply to your situation based on the error(s) you are receiving.
How To: Add SAML IDP Signing Certificate to Connect Keystore
How To: Add Web Connection Certificate to Alteryx Connect Keystore
- Click the X in the Active column next to the new ADFS IDP entry. Click OK within the dialog asking if you wish to turn on the IDP.

If you receive an error at this stage, please review the Log page in the Alteryx Connect Administration Console. Review the articles in the previous step, as one or both of the above knowledge articles may apply to your situation based on the error(s) you are receiving.
- Once the connection is enabled, restart the Alteryx Connect service on the machine.
- Validate that the IDP is now appearing on the login page of Alteryx Connect.
Note: If you also have Windows Authentication turned on in Connect Administration, you may need to log out to see this option or browse to the login page directly.
URL: https://{ConnectBaseURL}/login
Example: https://trn-con-07.cs.alteryx.com/login
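
The AD FS side of the procedure above (import the Connect metadata, Permit everyone, the LDAP claim mapping, and the SHA-1 hash setting) can also be scripted so the trust is reproducible and reviewable. This is an added example, not part of the original article or an Alteryx-supplied script; the metadata file path, trust name, and rule name are assumptions, and it targets the AD FS PowerShell module on Windows Server 2016.

```powershell
# Added example: scripted equivalent of the AD FS Management steps in this article.
# Run on the AD FS server in an elevated PowerShell session.
Import-Module ADFS

# Assumptions (not from the article): file location and display name.
$MetadataFile = 'C:\Temp\connect-sp-metadata.xml'   # file from "Download Metadata"
$TrustName    = 'Alteryx Connect'

# Claim rule equivalent to the mapping table:
#   E-Mail-Addresses (mail) -> Name ID
#   Given-Name (givenName)  -> firstName
#   Surname (sn)            -> lastName
# The outgoing names firstName / lastName are case sensitive.
$Rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Alteryx Connect LDAP attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
    types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", "firstName", "lastName"),
    query = ";mail,givenName,sn;{0}", param = c.Value);
'@

# Stop rather than silently create a second trust with the same name.
if (Get-AdfsRelyingPartyTrust -Name $TrustName) {
    throw "Relying party trust '$TrustName' already exists."
}

# Import the Connect metadata, apply the access control policy chosen in the
# article, and attach the claim issuance rule in one step.
Add-AdfsRelyingPartyTrust -Name $TrustName `
    -MetadataFile $MetadataFile `
    -AccessControlPolicyName 'Permit everyone' `
    -IssuanceTransformRules $Rules

# Advanced tab > Secure hash algorithm: SHA-1, as the article specifies.
Set-AdfsRelyingPartyTrust -TargetName $TrustName `
    -SignatureAlgorithm 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'

# Read the trust back so the identifier, endpoints, policy and hash
# algorithm can be checked against what the Connect administrator sent.
Get-AdfsRelyingPartyTrust -Name $TrustName |
    Select-Object Name, Identifier, Enabled, SignatureAlgorithm,
        AccessControlPolicyName,
        @{ n = 'SamlEndpoints'; e = { $_.SamlEndpoints.Location } }
```

The final read-back is the useful review point: the Identifier and SAML endpoint locations should match the Connect server's HTTPS base URL before any users are directed to the new login option.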

Common Issues
If any issues are experienced during setup, reach out to Alteryx Support for additional assistance.
Additional Resources