Alteryx Server Knowledge Base

Definitive answers from Server experts.

Configuring SAML on Alteryx Server for ADFS

MikeSp
Alteryx
Alteryx
Created

Configuring SAML on Alteryx Server for Active Directory Federation Services (ADFS)

Alteryx Server has the ability to use most identity providers that support the SAML 2.0 standard, and from my testing, ADFS is no exception! The following information will assist with configuring Alteryx Server to be functional with ADFS.

Please note the following information is based on third-party software and processes may be slightly different on older or newer versions of the software. The following was created against ADFS v4.0 running on Windows Server 2016 and Alteryx Server 2019.2.

Prerequisites

  • AD FS Server
    • Account with access to perform administration tasks
    • All users that will login must have an email address attribute
  • Alteryx Server >= 2018.2
    • Account with access to perform administration tasks
  • SSL/TLS Certificate Installed on Alteryx Server (Self-Signed certificate is not recommended)

Procedure

  1. Verify that your Alteryx Server's Gallery function has been configured with SSL/TLS enabled on each Gallery node in the environment and that a proper SSL certificate is installed. Instructions are provided in the link above.
  2. This and following steps will require an ADFS administrator. Open the AD FD Management utility (Start > Windows Administrative Tools > AD FS Management)
  3. ClickRelying Party Trusts from the console, then clickAdd Relying Party Trust...
  4. ClickEnter data about the relying party manually and clickNext.

    clipboard_image_0.png

  5. Type aDisplay name for the trust. I placed "Alteryx Server" here, but you can use a name that best identifies the connection for you, such as a server name or other easily identifiable name. Then clickNext.

    clipboard_image_1.png

  6. ClickNext on theConfigure Certificate page.

    clipboard_image_2.png

  7. Check the box forEnable support for the SAML 2.0 WebSSO protocol. Type the URL of the Alteryx Server's SAML endpoint in the Relying party SAML 2.0 SSO service URL box, which typically will be the base URL of Alteryx Gallery with the addition of "/aas/Saml2". Once you have added the proper URL, clickNext.

    Note:this endpoint may be case sensitive depending on settings in your environment. I would recommend entering it with the capitalization as shown in the screenshot and example below.

    Example:
    Gallery URL: https://trn-srv-07.cs.alteryx.com/gallery
    SAML Endpoint: https://trn-srv-07.cs.alteryx.com/aas/Saml2

    clipboard_image_3.png

  8. In theRelying party trust identifier, type the same SAML endpoint as the previous step and clickAdd to add the URL to the list below. ClickNext.

    clipboard_image_4.png

  9. SelectPermit everyone from the Access Control Policy and click Next.

    Note:
    You may wish to configure this option differently depending on the environment and whom you wish to be able to authenticate with Alteryx Gallery, or you may wish to setup Multi-Factor Authentication (MFA). Specific access permissions and these types of setup are outside the scope of this article.

    clipboard_image_5.png

  10. ClickNext on theReady to Add Trust page.

    clipboard_image_0.png

  11. Check the box next toConfigure claims issuance policy for this application and clickClose.

    clipboard_image_2.png

  12. Within the new Claim Issuance Policy window, clickAdd Rule...

    clipboard_image_4.png

  13. Verify theClaim rule template is set toSend LDAP Attributes as Claims and clickNext.

    clipboard_image_5.png

  14. Type a desired name for the rule within theClaim rule name box. From theAttribute store drop-down, chooseActive Directory.
  15. Using the following table, set the appropriate options within theMapping of LDAP attributes to outgoing claim types box. ClickFinish.
    Note: The following outgoing values are case sensitive and will need to be typed except for "SAM-Account-Name".

    LDAP AttributeOutgoing Claim Type
    E-Mail-Addressesemail
    Given-NamefirstName
    SurnamelastName
    SAM-Account-NameName ID

    clipboard_image_6.png

  16. On the Claim Issuance Policy window, clickApply to apply the settings, then clickOK.

    clipboard_image_7.png

  17. You will now need an administrator with access to the Alteryx Server machine(s) running the Gallery for your environment. Connect to the machine remotely via Remote Desktop.
  18. Open theAlteryx System Settings application, then clickNext until you are at theGallery > Authentication page.
  19. From theAuthentication Type box, click the radio button next toSAML authentication. In theSelect an option for obtaining metadata required by the IDP, click the radio button next toIDP Metadata URL.

    !Warning!: It is not recommended to change the authentication type once you have established the persistence layer (e.g. MongoDB) and started using a particular authentication method in your environment. Differences in user account structure will be likely to result in errors in the Gallery if the authentication method is changed in an established environment. If you are changing authentication methods, it is recommended to create a new persistence database!
  20. From the SAML IDP Configuration box, set theACS Base URL to the root of the Gallery URL plus "/aas".

    Example:
    Gallery URL: https://trn-srv-07.cs.alteryx.com/gallery
    ACS Base URL: https://trn-srv-07.cs.alteryx.com/aas
  21. Set theIDP URL(also known as Entity ID)to theFederation Service identifiervalue from ADFS.

    Example: https://sts1.cs.alteryx.com/adfs/services/trust

    Note: If you are not positive on the value for this, ask your ADFS administrator or download the metadata XML with the link you are using in the next step and look for the "entityID".

    clipboard_image_0.png
  22. SettheIDP Metadata URL to the location of the Federation Metadataxml file provided by the ADFS server.

    Example:https://sts1.cs.alteryx.com/FederationMetadata/2007-06/FederationMetadata.xml

    Note: If you are not positive on the value for this, ask your ADFS administrator.

    clipboard_image_0.png
  23. ClickVerify IDP. If all goes well, you should receive a message similar to the following:

    clipboard_image_2.png

    Note: See theCommon Issues section below for tips on troubleshooting!
  24. ClickNext through the remainder of the System Settings dialogs, then clickFinish.
  25. (Optional) Return to Step 17 if you have additional Gallery node(s) to configure.
  26. Once all Gallery node(s) are configured, attempt to access your private Alteryx Gallery and log in with your fresh new SAML configuration!

Common Issues

Spoiler (Highlight to read)
AlteryxAuthorizationService.exe has stopped working or there is a failure to set the Default Gallery Administrator
-Turn offIE Enhanced Security Configuration on the Alteryx Server if you have crash errors while verifying the IDP information. This feature can be turned back on once you have the configuration in a functional state.https://www.limestonenetworks.com/support/knowledge-center/17/70/how_do_i_disable_internet_explorer_...
-Verify that the values in theSAML IDP Configuration are correct for your ADFS server.
-Verify that the ADFS server was configured with the correct claim attributes.
-Check the AlteryxAuthorizatonService.exe logging directory (%PROGRAMDATA%\Alteryx\Logs) for any clues.
-OpenEvent Viewer within Windows and look for errors that may be of use in theApplication log.

-If still stuck, reach out to our Support team. I'd suggest providing the following:
1. Values set in the Alteryx System Settings application for SAML
2. AAS log files (found in %PROGRAMDATA%\Alteryx\Logs\)
3. Configuration screenshots for ADFS
AlteryxAuthorizationService.exe has stopped working or there is a failure to set the Default Gallery Administrator-Turn offIE Enhanced Security Configuration on the Alteryx Server if you have crash errors while verifying the IDP information. This feature can be turned back on once you have the configuration in a functional state.https://www.limestonenetworks.com/support/knowledge-center/17/70/how_do_i_disable_internet_explorer_... that the values in theSAML IDP Configuration are correct for your ADFS server.-Verify that the ADFS server was configured with the correct claim attributes.-Check the AlteryxAuthorizatonService.exe logging directory (%PROGRAMDATA%\Alteryx\Logs) for any clues.-OpenEvent Viewer within Windows and look for errors that may be of use in theApplication log.-If still stuck, reach out to our Support team. I'd suggest providing the following: 1. Values set in the Alteryx System Settings application for SAML 2. AAS log files (found in %PROGRAMDATA%\Alteryx\Logs\) 3. Configuration screenshots for ADFS

Additional Resources

No ratings
Comments
Treyson
12 - Quasar
12 - Quasar

@MikeSp at it again... being the smartest guy I know.

TimothyL
Alteryx Alumni (Retired)

Just in time! Mike