
Alteryx server SAML on Azure server

Esko
6 - Meteoroid

Hello,

I'm currently attempting to enable SAML-authentication for my Alteryx server running on an Azure server. I have managed to enable SSL successfully, but am currently running into problems with configuring SAML in the system settings. I will post a screenshot below that shows the information required by the authentication:

 


As you know, SAML authentication in Alteryx Server has two possible options for acquiring the metadata required by the IDP. The first one is the metadata URL option and the second one is the X509 certificate and IDP SSO URL.

 

I have currently been provided with the following information/urls by my company, I will list them below and make my own educated guess to which they correspond in the information required by the SAML configuration in the settings:

 

1: App EntityID (may correspond to ACS Base URL, I base this on the fact that the default setting is localhost, and the App EntityID is the url to the gallery from outside)

2: IDP Metadata URL (corresponds to IDP Metadata URL)

3: IDP Logout URL (No corresponding URL in Alteryx server settings)

4: IDP Initiated SSO URL (may correspond to IDP SSO URL)

As I have the metadata URL, I believe that I'm supposed to use the first option of the two that I mentioned earlier. I have tried to use the information that I have been provided with this option, but I can't seem to get the authentication to work.

One very clear problem is that I don't appear to have the IDP URL that is needed by the settings, can anyone help me with this? What I mean is that can anyone help me by explaining what the IDP URL is used for in this case, I have been able to google the uses for the metadata and SSO urls, but can't seem to find out what information this url is supposed to have. Also would it be possible to confirm if my assumptions sound correct with regards to the urls I have been provided and their corresponding counterpart in the settings?

ianwhite
Alteryx Alumni (Retired)

We have a knowledge article on this. Please review it and if you've already done so, open up a ticket with us via support.alteryx.com 

 

https://community.alteryx.com/t5/Alteryx-Server-Knowledge-Base/Configuring-SAML-2-0-on-Alteryx-Serve...

Esko
6 - Meteoroid

Hi ianwhite,

Thanks for the reply! The link was very useful, and I think I should be able to move forward with this. Regarding my problem there is also another issue I'd like to confirm.

When I try to use the links that I've been provided I get the error: Failed to start authentication service. I googled a bit and came up with several threads on these forums about problems, if the server has been already set up with built-in windows authentication. I'm unsure what to make of the many different posts, but I get the feeling that you'd need to start over with the server or at the very least do something about the already set up MongoDB. Link below.

https://community.alteryx.com/t5/Alteryx-Server-Ideas/Allow-changing-of-Gallery-Authentication-witho....

 

Unfortunately, following the instructions in this link did not help me. Can you confirm, if it's necessary to start over with the server if you've already configured it with windows authentication or if there's some straightforward way to change the authentication type? Is this even an issue at this time, like it seems to have been at some point? 

ianwhite
Alteryx Alumni (Retired)

When you change auth types, it can cause conflicts within the database. For each auth type a user is created with specific fields in the mongodb, when you change over to a new auth type it then looks for fields that weren't created and causes an error. You can manually correct this but it's tedious, time consuming, and honestly isn't guaranteed to work. We've seen mixed success with it. 

 

Due to this, we advise users not to change auth types once it's set up. You can always swap back to the original one without issue as no changes to the database for the users are made.

Esko
6 - Meteoroid

Alright, that clarified this a lot! So if I understood correctly, currently my best option would be to uninstall the server and then reinstall it? 

 

I actually did that in the meantime, but for some reason when I go to the system configuration again, the settings seem to be the same as before. Also, when I try to enter my SAML urls and information to the authentication tab, I get the same error as before when I try to verify the IDP. I also discussed the instructions in the article you provided with my superior, and it seems that they are not applicable in this situation. This seems to bring us back to my original question about the URLs provided. Of course if removing alteryx server doesn't affect the mongodb fields etc and it's necessary to do some extra work in this case, then this might also be an issue. Nevertheless, it seems that I still need assistance in this.

To summarize: I uninstalled the Alteryx server software and reinstalled it, it seems that after this the configurations were the same as what I had applied before. After trying to select SAML and inserting my urls, I get the same error message. Is there some step that I would need to do between uninstalling and installing, such as manually deleting folders or something similar? If not, can you provide further guidance to my earlier question? The article that was provided earlier is unfortunately not useful in this case. If you wish me to create a support ticket as you mentioned earlier in your reply, I can of course do that as well.

Esko
6 - Meteoroid

Regarding my earlier question: I have noticed that the ProgramData folder seems to remain unchanged even after the installation. Should this for example be deleted?

ianwhite
Alteryx Alumni (Retired)

In the System Settings for Alteryx Server, you'd just change the location of the database to a new folder. It's the section under Controller -> Persistence -> Data Folder. That points to the database, so if you uninstall/reinstall and point to the same place you're just using the same database.

 

Generally it's pointing to a sub-folder in C:\ProgramData\Alteryx\Service\Persistence. Usually you'll have a MongoDB folder in there that it's pointing to or the name may be different. You can just create a new folder inside persistence and point the data folder there, it'll create a new mongodb for you when you restart the service if you do.

Esko
6 - Meteoroid

Hi, 


This was very helpful, thank you! I changed the data folder and the new one was created after I applied the settings, this side of the problem should be OK now, as long as there aren't any other folders that should be changed, can you please confirm this in the reply as well?


Unfortunately, it seems that this did not fix the actual issue. I'm convinced now that the problem is in the urls provided to me, which brings us back to the original question of the topic again. Would it be possible for you to explain the difference between the IDP URL and the IDP SSO URL that the SAML authentication in the configuration requires? For some reason I'm unable to find the difference on my own, despite searching quite extensively. I have some understanding on the purpose of the SSO url, but the plain IDP url still confuses me. How is it used in the sign in and what's the difference to the SSO url? Understanding this would help me to also direct my requests more efficiently to our identity provider.