Configuring SAML on Alteryx Server for Active Directory Federation Services (ADFS)
Alteryx Server has the ability to use most identity providers that support the SAML 2.0 standard, and from my testing, ADFS is no exception! The following information will assist with configuring Alteryx Server to be functional with ADFS.
Please note the following information is based on third-party software and processes may be slightly different on older or newer versions of the software. The following was created against ADFS v4.0 running on Windows Server 2016 and Alteryx Server 2019.2.
AD FS Server
- Account with access to perform administration tasks
- All users that will log in must have an email address attribute
Alteryx Server >= 2018.2
- Account with access to perform administration tasks
Verify that your Alteryx Server's Gallery function has been configured with SSL/TLS enabled on each Gallery node in the environment and that a proper SSL certificate is installed. Instructions are provided in the link above.
This and following steps will require an ADFS administrator. Open the AD FS Management utility (Start > Windows Administrative Tools > AD FS Management).
Click Relying Party Trusts from the console, then click Add Relying Party Trust...
Click Enter data about the relying party manually and click Next.
Type a Display name for the trust. I placed "Alteryx Server" here, but you can use a name that best identifies the connection for you, such as a server name or other easily identifiable name. Then click Next.
Click Next on the Configure Certificate page.
Check the box for Enable support for the SAML 2.0 WebSSO protocol. Type the URL of the Alteryx Server's SAML endpoint in the Relying party SAML 2.0 SSO service URL box, which typically will be the base URL of Alteryx Gallery with the addition of "/aas/Saml2". Once you have added the proper URL, click Next.
Note: this endpoint may be case sensitive depending on settings in your environment. I would recommend entering it with the capitalization as shown in the screenshot and example below.
In the Relying party trust identifier, type the same SAML endpoint as the previous step and click Add to add the URL to the list below. Click Next.
Select Permit everyone from the Access Control Policy and click Next. Note: You may wish to configure this option differently depending on the environment and whom you wish to be able to authenticate with Alteryx Gallery, or you may wish to set up Multi-Factor Authentication (MFA). Specific access permissions and these types of setup are outside the scope of this article.
Click Next on the Ready to Add Trust page.
Check the box next to Configure claims issuance policy for this application and click Close.
Within the new Claim Issuance Policy window, click Add Rule...
Verify the Claim rule template is set to Send LDAP Attributes as Claims and click Next.
Type a desired name for the rule within the Claim rule name box. From the Attribute store drop-down, choose Active Directory.
Using the following table, set the appropriate options within the Mapping of LDAP attributes to outgoing claim types box. Click Finish. Note: The following outgoing values are case sensitive and will need to be typed except for "SAM-Account-Name".
Outgoing Claim Type
On the Claim Issuance Policy window, click Apply to apply the settings, then click OK.
You will now need an administrator with access to the Alteryx Server machine(s) running the Gallery for your environment. Connect to the machine remotely via Remote Desktop.
Open the Alteryx System Settings application, then click Next until you are at the Gallery > Authentication page.
From the Authentication Type box, click the radio button next to SAML authentication. In the Select an option for obtaining metadata required by the IDP, click the radio button next to IDP Metadata URL.
!Warning!: It is not recommended to change the authentication type once you have established the persistence layer (e.g. MongoDB) and started using a particular authentication method in your environment. Differences in user account structure will be likely to result in errors in the Gallery if the authentication method is changed in an established environment. If you are changing authentication methods, it is recommended to create a new persistence database!
From the SAML IDP Configuration box, set the ACS Base URL to the root of the Gallery URL plus "/aas".
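To confirm that the two sides agree once the steps above are done, the following check compares a relying party trust with the Gallery URL and the ACS Base URL. It is an added example, not part of the original article or of Alteryx or Microsoft tooling; the function name, `gallery.example.com` and the sample object are constructed, and the property names assume the output of `Get-AdfsRelyingPartyTrust`.

```powershell
# Added example: audit a relying party trust against the values used in this article.
function Test-AlteryxRelyingPartyTrust {
    param(
        [Parameter(Mandatory)] $Trust,                    # e.g. Get-AdfsRelyingPartyTrust -Name 'Alteryx Server'
        [Parameter(Mandatory)] [string] $GalleryBaseUrl,  # typed exactly as it was entered in AD FS
        [string] $AcsBaseUrl                              # value from Alteryx System Settings (optional)
    )
    $expected = $GalleryBaseUrl.TrimEnd('/') + '/aas/Saml2'
    $findings = @()
    if ($expected -cnotlike 'https://*') {
        $findings += "Gallery base URL is not HTTPS: $GalleryBaseUrl"
    }
    # Case-sensitive operators (-c*) because the endpoint may be case sensitive.
    if ($Trust.Identifier -cnotcontains $expected) {
        $findings += "Identifier list does not contain '$expected'"
    }
    $acs = @($Trust.SamlEndpoints | Where-Object { $_.Protocol -eq 'SAMLAssertionConsumer' })
    if ($acs.Count -eq 0) { $findings += 'No SAML assertion consumer endpoint is defined' }
    foreach ($ep in $acs) {
        if ("$($ep.Location)" -cne $expected) {
            $findings += "Endpoint '$($ep.Location)' differs from '$expected'"
        }
    }
    if ($AcsBaseUrl -and (($AcsBaseUrl.TrimEnd('/') + '/Saml2') -cne $expected)) {
        $findings += "ACS Base URL '$AcsBaseUrl' is not the Gallery root plus '/aas'"
    }
    if ([string]::IsNullOrWhiteSpace($Trust.IssuanceTransformRules)) {
        $findings += 'No claim issuance rules are configured'
    }
    if ($Trust.AccessControlPolicyName -eq 'Permit everyone') {
        $findings += 'Access control policy is "Permit everyone"; confirm this is intended'
    }
    if (-not $Trust.Enabled) { $findings += 'Relying party trust is disabled' }
    $findings
}

# Constructed sample shaped like Get-AdfsRelyingPartyTrust output (not real data).
$sample = [pscustomobject]@{
    Name                    = 'Alteryx Server'
    Enabled                 = $true
    Identifier              = @('https://gallery.example.com/aas/saml2')  # wrong case on purpose
    SamlEndpoints           = @([pscustomobject]@{
        Protocol = 'SAMLAssertionConsumer'; Binding = 'POST'
        Location = 'https://gallery.example.com/aas/Saml2' })
    IssuanceTransformRules  = ''                                          # empty on purpose
    AccessControlPolicyName = 'Permit everyone'
}
Test-AlteryxRelyingPartyTrust -Trust $sample -GalleryBaseUrl 'https://gallery.example.com' `
    -AcsBaseUrl 'https://gallery.example.com/aas'
```

On the AD FS server, pass the real trust object in place of `$sample`; an empty result means none of the checks above flagged anything.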
AlteryxAuthorizationService.exe has stopped working or there is a failure to set the Default Gallery Administrator
- Turn off IE Enhanced Security Configuration on the Alteryx Server if you have crash errors while verifying the IDP information. This feature can be turned back on once you have the configuration in a functional state. https://www.limestonenetworks.com/support/knowledge-center/17/70/how_do_i_disable_internet_explorer_...
- Verify that the values in the SAML IDP Configuration are correct for your ADFS server.
- Verify that the ADFS server was configured with the correct claim attributes.
- Check the AlteryxAuthorizationService.exe logging directory (%PROGRAMDATA%\Alteryx\Logs) for any clues.
- Open Event Viewer within Windows and look for errors that may be of use in the Application log.
- If still stuck, reach out to our Support team. I'd suggest providing the following:
  1. Values set in the Alteryx System Settings application for SAML
  2. AAS log files (found in %PROGRAMDATA%\Alteryx\Logs\)
  3. Configuration screenshots for ADFS