alteryx connect Knowledge Base

Definitive answers from Connect experts.
How To: Configure SAML on Alteryx Connect for Active Directory Federation Services (ADFS)

Alteryx Connect can interface with a number of identity providers that support the SAML 2.0 standard, and recently we stood up an ADFS test server and set it up with Alteryx Connect successfully. The following information will assist with configuring Alteryx Connect to work with ADFS.

Please note that the following information is based on third-party software, and processes may be slightly different on older or newer versions of the software. The following was created against ADFS v4.0 running on Windows Server 2016 and Alteryx Connect 2019.2.

Prerequisites

- Alteryx Connect >= 2018.1
  - Account with access to perform administration tasks
- AD FS Server
  - Account with access to perform administration tasks
- All users that will log in must have an email address attribute
- SSL/TLS certificate installed on Alteryx Connect (Self-Signed certificate is not recommended)
  - How To: Configure SSL (Issued SSL Certificate) on Connect
  - How To: Enable SSL in the Connect Installer

Procedure

1. Verify that your Alteryx Connect server has been configured with SSL/TLS enabled and that a proper SSL certificate is installed. Instructions are provided in the links above.
2. Log in to your Alteryx Connect website as the default administrator (admin) account.
   Note: Other administrator accounts may not be able to see the required options in certain versions of Alteryx Connect.
3. Open the Administration Panel > Connect Configuration > Single Sign-On.
4. Click Download Metadata. This will download an XML file containing configuration information and Connect's SAML signing certificate that we will import into ADFS. You should send the resulting file to your ADFS administrator to assist with setup.
   Note: This button may only be visible to the "super-admin" account (admin) within Alteryx Connect.
   This option is not available to other administrator accounts in certain versions, so if you do not see the button, make sure you are signed in to the default "admin" account created when you initially set up your Alteryx Connect instance.
5. This and the following steps require an ADFS administrator. Open the AD FS Management utility (Start > Windows Administrative Tools > AD FS Management).
6. Click Relying Party Trusts from the console, then click Add Relying Party Trust...
7. Click Import data about the relying party from a file.
8. Use the Browse button to browse to the location of the XML file gathered in Step 4, then click Next.
9. Type a Display name for the trust. I placed "Alteryx Connect" here, but you can use a name that best identifies the connection for you, such as a server name or other easily identifiable name. Then click Next.
10. Select Permit everyone from the Access Control Policy and click Next.
    Note: You may wish to configure this option differently depending on the environment and whom you wish to be able to authenticate with Alteryx Connect, or you may wish to set up Multi-Factor Authentication (MFA). Specific access permissions and these types of setup are outside the scope of this article.
11. Click Next on the Ready to Add Trust page.
12. Check the box next to Configure claims issuance policy for this application and click Close.
13. Verify the Claim rule template is set to Send LDAP Attributes as Claims and click Next.
14. Type a desired name for the rule within the Claim rule name box.
15. From the Attribute store drop-down, choose Active Directory.
16. Using the following table, set the appropriate options within the Mapping of LDAP attributes to outgoing claim types box. Click Finish.
    Note: The following outgoing values are case sensitive and will need to be typed except for "E-Mail-Addresses".
    LDAP Attribute      Outgoing Claim Type
    E-Mail-Addresses    Name ID
    Given-Name          firstName
    Surname             lastName

17. On the Claim Issuance Policy window, click Apply to apply the settings, then click OK.
18. In the Relying Party Trusts window, double-click the Trust that you created earlier.
19. Click the Advanced tab.
20. Change the Secure hash algorithm to SHA-1.
21. Click OK.
22. (Optional) The ADFS signing certificate and/or web access certificate (the certificate used to serve metadata from ADFS and field requests) may need to be imported manually if your certificates are not signed by a publicly recognized Certificate Authority (CA). These should be provided to your Alteryx Connect admin as Base64 encoded Certificate (typically .cer) files if possible.
23. You will now need an administrator with access to the Alteryx Connect website as the default administrator (admin) account.
    Note: Other administrator accounts may not be able to see the required options in certain versions of Alteryx Connect.
24. Open the Administration Panel > Connect Configuration > Single Sign-On page.
25. Click +ADD to open the new SAML dialog.
26. In the Name field, type a name for the ADFS connection.
    Note: This name will appear on the Alteryx Connect login page for users of the Alteryx Connect system.
27. Choose an Icon for the Identity Provider (IDP).
    Note: An icon picture must be provided to continue. You can use a placeholder image if you do not have an appropriate image available.
28. In the Description field, type a description for the IDP.
29. Under Identity provider details, select an appropriate connection option. For our guide, we'll be using Get IDP metadata from URL. Contact your ADFS administrator if you are not sure which option to use.
30. Set the IDP Metadata URL to the location of the Federation Metadata xml file provided by the ADFS server.
    Example:
    Note: If you are not sure of the value for this, ask your ADFS administrator.
31. Click SAVE.
    If you receive an error at this stage, please review the Log page in the Alteryx Connect Administration Console. Review the articles below, as one or both of the following knowledge articles may apply to your situation based on the error(s) you are receiving.
    - How To: Add SAML IDP Signing Certificate to Connect Keystore
    - How To: Add Web Connection Certificate to Alteryx Connect Keystore
32. Click the X in the Active column next to the new ADFS IDP entry.
33. Click OK within the dialog asking if you wish to turn on the IDP.
    If you receive an error at this stage, please review the Log page in the Alteryx Connect Administration Console. Review the articles in the previous step, as one or both of the above knowledge articles may apply to your situation based on the error(s) you are receiving.
34. Once the connection is enabled, restart the Alteryx Connect service on the machine.
35. Validate that the IDP is now appearing on the login page of Alteryx Connect.
    Note: If you also have Windows Authentication turned on in Connect Administration, you may need to log out to see this option or browse to the login page directly.
    URL: https://{ConnectBaseURL}/login
    Example: https://trn-con-07.cs.alteryx.com/login

Common Issues

If any issues are experienced during setup, reach out to Alteryx Support for additional assistance.

How To: Add SAML IDP Signing Certificate to Connect Keystore

This article is intended to assist with inserting a certificate to be used to validate a SAML signature from a SAML Identity Provider (IDP) when used with Alteryx Connect. This article will only be needed if your IDP is signing assertions or other traffic with a specific cert that may be self-signed or not trusted by a widely trusted Certificate Authority (CA).

An error message may be received while attempting to validate the signature from an IDP if this is not inserted. An example is below:

    org.opensaml.saml2.metadata.provider.MetadataProviderException: org.opensaml.saml2.metadata.provider.MetadataProviderException: Error filtering metadata from {metadataURL}.xml
    ...(trimmed)
    Caused by: org.opensaml.saml2.metadata.provider.MetadataProviderException: Error filtering metadata from {metadataURL}.xml
    ...(trimmed)
    Caused by: org.opensaml.saml2.metadata.provider.FilterException: Signature trust establishment failed for metadata entry

Prerequisites

- Alteryx Connect >= 2018.1
- Remote Desktop (RDP) or other direct access to the Alteryx Connect machine
- Windows Administrator account on the Alteryx Connect machine
- Alteryx Connect account within the "Administrators" group
- Certificate (.cer) or other X509 certificate file available to import
  - This certificate should be the IDP's signing certificate or part of the certificate chain
  - If you are not sure where to obtain this certificate, reach out to an administrator or support group for the CA, or your IT team for assistance

Procedure

1. Verify that the certificate file is available on the Alteryx Connect machine's local file system.
2. You will also need the password for the SAML keystore (samlKeystore.jks in the ac_work directory).
   If you do not have this keystore password, follow the sub-steps to change the password:
   a. Open Alteryx Connect in a web browser and log in with an Administrator account
   b. Open the Administration panel by clicking on your account name in the upper-right corner and choosing Administration from the drop-down
   c. Click Connect Configuration from the Admin Menu
   d. Click Single Sign-On within the Connect Configuration panel
   e. Click Advanced settings near the bottom of the page
   f. Specify a new password in the Password field
   g. Click Save
3. Open a Command Prompt (cmd.exe) as Administrator on the Alteryx Connect machine's desktop.
4. Change directory to the Java bin directory of your Alteryx Connect installation. Replace {InstallDir} in the command below with the root path of your Alteryx Connect installation. Press Enter.
   Command Line: cd "{InstallDir}\jre\bin"
   Example: cd "C:\Program Files\AlteryxConnect\jre\bin"
5. The keytool.exe utility will need to be used in order to insert the certificate. Replace {cert} in the command below with the full path to the certificate file being used. Replace {InstallDir} with the root path of your Alteryx Connect installation. Replace {alias} with a desired identifier for the certificate you are inserting. Replace {samlKeystorePassword} with the password gathered in Step 2 above.
   Command Line: keytool.exe -importcert -file "{cert}" -keystore "{InstallDir}\ac_work\samlKeystore.jks" -alias "{alias}" -storepass {samlKeystorePassword}
   Example: keytool.exe -importcert -file "C:\Users\username\Desktop\SAMLSigningCert.cer" -keystore "C:\Program Files\AlteryxConnect\ac_work\samlKeystore.jks" -alias "ADFS_Signing" -storepass keystorePassword22
   Press Enter.
6. Executing the command above should return information about the certificate and a prompt asking to trust the certificate. Make sure the information in the return matches the expected values, then type yes at the prompt.
   Press Enter.
7. Verify you receive the return "Certificate was added to keystore". If you receive an error, review the error message and make any corrections necessary.
8. Restart the Alteryx Connect service to apply the changes.

Additional Resources

- How To: Configure SAML on Alteryx Connect for Active Directory Federation Services (ADFS)
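
One way to prepare the "expected values" for the keytool trust prompt in the procedure above, as an added example that is not part of the original article or of Alteryx tooling: it pulls the signing certificates out of a SAML metadata XML file and prints their SHA-1 and SHA-256 fingerprints in the colon-separated form keytool displays, so they can be compared with the fingerprint supplied by the IDP administrator before typing yes. The function names are assumptions, and the sample metadata uses constructed placeholder bytes in place of real certificates.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"ds": "http://www.w3.org/2000/09/xmldsig#"}

def keytool_fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Hash the DER bytes; format as keytool does (upper-case hex pairs joined by ':')."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def signing_certs(metadata_xml: str) -> list:
    """Return the DER bytes of each distinct signing certificate in SAML metadata."""
    certs = []
    for kd in ET.fromstring(metadata_xml).iter(f"{{{MD}}}KeyDescriptor"):
        # A KeyDescriptor with no 'use' attribute serves signing and encryption alike.
        if kd.get("use", "signing") != "signing":
            continue
        for node in kd.iterfind(".//ds:X509Certificate", NS):
            b64 = "".join((node.text or "").split())  # base64 is line-wrapped in metadata
            der = base64.b64decode(b64, validate=True)
            if der and der not in certs:
                certs.append(der)
    return certs

def matches(der: bytes, expected: str, algo: str = "sha256") -> bool:
    """Compare with a fingerprint obtained out of band, ignoring case, ':' and spaces."""
    strip = str.maketrans("", "", ": ")
    return keytool_fingerprint(der, algo).translate(strip) == expected.upper().translate(strip)

# Constructed sample: placeholder bytes stand in for real X.509 DER data.
SAMPLE_SIGNING = b"constructed-signing-cert"
SAMPLE_ENCRYPT = b"constructed-encryption-cert"
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/trust">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
   {base64.b64encode(SAMPLE_ENCRYPT).decode()}
  </ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
  <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
   {base64.b64encode(SAMPLE_SIGNING).decode()}
  </ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
 </IDPSSODescriptor>
</EntityDescriptor>"""

if __name__ == "__main__":
    for der in signing_certs(SAMPLE_METADATA):
        print(keytool_fingerprint(der, "sha1"), keytool_fingerprint(der), sep="\n")
```

A fingerprint only establishes trust when the reference value reaches you through a channel separate from the one that delivered the certificate file.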

How To: Add Web Connection Certificate to Alteryx Connect Keystore

This article explains how to add a certificate to Alteryx Connect's Java Keystore (cacerts). This process is useful if you need to add a certificate for a direct SSL-based web connection from the Alteryx Connect service, e.g. to retrieve a metadata XML file from an internal SAML provider with a self-signed or internally signed SSL/HTTPS certificate that may not be trusted by a globally trusted CA or similar. This process is not intended to resolve SSL connection issues with Metadata Loader processes. Typically, this process would only be necessary when attempting to configure SAML-based authentication with an on-premises SAML identity provider.

An error message similar to the following may also indicate that you need to insert a certificate into this store:

    org.opensaml.saml2.metadata.provider.MetadataProviderException: org.opensaml.saml2.metadata.provider.MetadataProviderException: Error retrieving metadata from {metadataURL}.xml
    ...(trimmed)
    Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    ...(trimmed)
    Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    ...(trimmed)
    Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Prerequisites

- Alteryx Connect >= 2018.1
- Remote Desktop (RDP) or other direct access to the Alteryx Connect machine
- Windows Administrator account on the Alteryx Connect machine
- Certificate (.cer) or other X509 certificate file available to import
  - This certificate should ideally be the Certificate Authority (CA)'s root signing certificate, but can also be the certificate used for the remote machine itself
  - If you are not sure where to obtain this certificate, reach out to an administrator or support group for the CA, or your IT team for assistance

Procedure

1. Verify that the certificate file is available on the Alteryx Connect machine's local file system.
2. Open a Command Prompt (cmd.exe) as Administrator on the Alteryx Connect machine's desktop.
3. Change directory to the Java bin directory of your Alteryx Connect installation. Replace {InstallDir} in the command below with the root path of your Alteryx Connect installation. Press Enter.
   Command Line: cd "{InstallDir}\jre\bin"
   Example: cd "C:\Program Files\AlteryxConnect\jre\bin"
4. The keytool.exe utility will need to be used in order to insert the certificate. Replace {cert} in the command below with the full path to the certificate file being used. Replace {InstallDir} with the root path of your Alteryx Connect installation. Replace {alias} with a desired identifier for the certificate you are inserting.
   Command Line: keytool.exe -importcert -file "{cert}" -keystore "{InstallDir}\jre\lib\security\cacerts" -alias "{alias}" -storepass changeit
   Example: keytool.exe -importcert -file "C:\Users\username\Desktop\CACert.cer" -keystore "C:\Program Files\AlteryxConnect\jre\lib\security\cacerts" -alias "ADFS_Web" -storepass changeit
   Press Enter.
5. Executing the command above should return information about the certificate and a prompt asking to trust the certificate. Make sure the information in the return matches the expected values, then type yes at the prompt. Press Enter.
6. Verify you receive the return "Certificate was added to keystore". If you receive an error, review the error message and make any corrections necessary.
7. Restart the Alteryx Connect service to apply the changes.