
Alteryx Server Knowledge Base


Configuring SAML 2.0 on Alteryx Server for Azure AD

Sethmb
Alteryx Alumni (Retired)
Starting in 2018.2, Alteryx Server supports most identity provider (IdP) connections that adhere to the SAML 2.0 standard, allowing single sign-on to the Alteryx Gallery. This article covers the configuration and setup for both Azure AD and Alteryx Server.
 

Prerequisites

  • Alteryx Server
    • Version 2018.2+
  • Alteryx Server access with permissions to configure Alteryx System Settings
  • SSL Enabled for Gallery URL (HTTPS)
  • Azure Portal
    • Access (typically Admin) to create and edit enterprise applications within Azure Active Directory
 

Procedure - Part 1 - Azure Configuration
 

  1. In the Azure portal, select Azure Active Directory > Enterprise Applications, then select + New Application or select an application that was already created for Alteryx Gallery. Here is the Microsoft page for more information on creating applications.
  2. Select the application that will be used for the SAML configuration and then click on Single Sign-On. This brings up the configuration page for the SAML information. The required fields are listed below:
 
Basic SAML Configuration 
Identifier (Entity ID) = https://YOUR_GALLERY_URL.com/aas/Saml2
Reply URL (Assertion Consumer Service URL) = https://YOUR_GALLERY_URL.com/aas/Saml2/Acs
**Note** These fields will not accept an HTTP URL

User Attributes & Claims
Required claim
Unique User Identifier (Name ID) = set to Email Address, with Source Attribute set to user.userprincipalname
Additional claims
firstName = user.givenname
lastName = user.surname
email = user.userprincipalname
**Note** Remove the namespaces that auto-populate for the additional claims only, and make sure firstName and lastName are in camel case.




[Screenshots: Required claim; Additional claims - email]
SAML Signing Certificate
App Federation Metadata URL = You will need this URL for the Alteryx Server Settings.
**Note** This is where you can manually download the X.509 certificate

Set up Alteryx Gallery (Application Name)
Azure AD Identifier = You will need this URL for the Alteryx Server Settings
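
A way to confirm the Part 1 values against what Azure AD actually sends, as an added example that is not part of the original article or Alteryx's own code: it reads a base64-decoded SAML assertion (for instance one captured with a browser SAML tracer) and reports audience, recipient, Name ID format and claim-name mismatches. The sample assertion and `gallery.example.com` are constructed, and the check assumes the Gallery needs the claim names exactly as written above; it does not verify the assertion's signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Constructed sample assertion (not captured from a real tenant): firstName still
# carries the auto-populated namespace and lastName is not in camel case.
SAMPLE = """<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
 <Subject>
  <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane@example.com</NameID>
  <SubjectConfirmation><SubjectConfirmationData
    Recipient="https://gallery.example.com/aas/Saml2/Acs"/></SubjectConfirmation>
 </Subject>
 <Conditions><AudienceRestriction><Audience>https://gallery.example.com/aas/Saml2</Audience>
 </AudienceRestriction></Conditions>
 <AttributeStatement>
  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/firstName"/>
  <Attribute Name="lastname"/><Attribute Name="email"/>
 </AttributeStatement>
</Assertion>"""

def check_assertion(xml_text, gallery_url):
    """Return a list of mismatches; the signature is NOT verified here."""
    root = ET.fromstring(xml_text)
    base = gallery_url.rstrip("/")
    problems = []
    if not base.startswith("https://"):
        problems.append("Gallery URL is not HTTPS")
    if root.findtext(".//saml:Audience", "", NS).strip() != base + "/aas/Saml2":
        problems.append("Audience does not match the Identifier (Entity ID)")
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != base + "/aas/Saml2/Acs":
        problems.append("Recipient does not match the Reply URL")
    name_id = root.find(".//saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("Name ID format is not Email Address")
    names = [a.get("Name", "") for a in root.findall(".//saml:Attribute", NS)]
    for claim in ("firstName", "lastName", "email"):  # names from the article
        if claim in names:
            continue
        if any(n.endswith("/" + claim) for n in names):
            problems.append(f"{claim}: namespace not removed")
        elif any(n.lower() == claim.lower() for n in names):
            problems.append(f"{claim}: wrong case")
        else:
            problems.append(f"{claim}: claim missing")
    return problems

if __name__ == "__main__":
    print(check_assertion(SAMPLE, "https://gallery.example.com"))
```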
 
 

Part 2 - Alteryx System Settings

 
  1. In the server System Settings, make sure SSL is enabled under Gallery > General. You will need to have a certificate installed on the server; more information can be found here.
  2. Next, select SAML Authentication > IDP Metadata URL and enter the three URLs:

ACS Base URL = This field will auto-populate and will be configured with HTTPS. This is the Gallery URL with "/aas" at the end.
IDP URL = This is the Azure AD Identifier URL from the Azure SSO page
IDP Metadata URL = This is the App Federation Metadata URL from the Azure SSO Page
 
 
 
  3. Finally, once these are all entered, hit Verify IDP to test the connection. The connection can also be tested from the Azure portal. Then select Next through the rest of the settings to save the configuration. Once everything is saved, navigate to the Gallery in a browser and hit Log In, where you will be prompted with a Microsoft Azure sign-in page.
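
An offline consistency check for the three Part 2 values, as an added example that is not part of the original article or Alteryx's own tooling: it parses a saved copy of the App Federation Metadata document and compares it with the ACS Base URL and IDP URL you intend to enter. The metadata sample, tenant ID and host names are constructed placeholders, and the exact-string comparison of the entity ID is an assumption of this check.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed metadata document; tenant ID and certificate are placeholders.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
   <X509Data><X509Certificate>PLACEHOLDER_BASE64_CERT</X509Certificate></X509Data>
  </KeyInfo></KeyDescriptor>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    Location="https://login.example.com/00000000-0000-0000-0000-000000000000/saml2"/>
 </IDPSSODescriptor>
</EntityDescriptor>"""

def check_settings(acs_base_url, idp_url, metadata_xml):
    """Return a list of inconsistencies between the three System Settings values."""
    problems = []
    acs = urlsplit(acs_base_url)
    if acs.scheme != "https":
        problems.append("ACS Base URL is not HTTPS")
    if not acs.path.rstrip("/").endswith("/aas"):
        problems.append("ACS Base URL does not end with /aas")
    root = ET.fromstring(metadata_xml)
    entity_id = root.get("entityID", "")
    if entity_id != idp_url:
        # Assumption: compared as exact strings, so a dropped trailing slash counts.
        problems.append(f"IDP URL {idp_url!r} != metadata entityID {entity_id!r}")
    certs = root.findall(
        "md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']//ds:X509Certificate", NS)
    if not any((c.text or "").strip() for c in certs):
        problems.append("metadata has no signing certificate")
    for sso in root.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS):
        if urlsplit(sso.get("Location", "")).scheme != "https":
            problems.append("SingleSignOnService Location is not HTTPS")
    return problems

if __name__ == "__main__":
    idp = "https://sts.windows.net/00000000-0000-0000-0000-000000000000"  # slash dropped
    print(check_settings("https://gallery.example.com/aas", idp, SAMPLE_METADATA))
```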
 
 
Comments
Karam
8 - Asteroid

Hi @Sethmb,

 

Great post - many thanks. I'd like to ask whether this approach allows for managing the authorisation aspect as well, i.e. if this method was selected, can user groups be set up on the gallery to map user roles to their AD user groups (for seamless permission assignment/management)? Or is managing user groups only supported with Integrated Windows Authentication?

 

Many Thanks,

Karam

JohnPelletier
Alteryx Alumni (Retired)

@Karam To answer your question...this only works for authentication, not management of user groups. We know there is currently a challenge to manage roles, sharing and permissions based on AD when using SAML authentication. In 21.4 (coming soon) we've implemented a new API that at least empowers users to automate a sync between AD and Server custom user groups to keep user group management in the hands of your AD admin. Some of our top SAs have also put together some macros to help with the sync'ing process and will make those available to the public free of charge. It may need minor tweaking to fit it into your Server configuration, but then it can just run automatically to keep Server user groups mirroring the AD groups, and it can be hands-off for you after that.

Karam
8 - Asteroid

That's great. Thanks for the update @JohnPelletier! It'd definitely help to have an API integration or macros in place to automate the sync process.

 

Many Thanks,

Karam

adarsh2707
8 - Asteroid

Hi,

 

I have a question. So I am an admin of a workspace and I want to give access to multiple users to prioritize jobs in an AD group. Is this feature possible?