SAML (Security Assertion Markup Language) is a standard for exchanging authentication and authorization credentials between different parties. The most common use for SAML is web browser single sign-on. Starting in 2018.2, Alteryx Server supports SAML. So far, SAML in Alteryx Server has been specifically validated on two providers: Ping One and Okta. In this article we will review how to configure SAML on your Alteryx Server for Okta.
Part 1: Add Alteryx to Okta
This entire process starts with configuration on the Single Sign On Provider’s side. This is a step-by-step outline of how to add Alteryx as an application in Okta.
Note: These instructions are for the Classic UI. The Developer's Console will look different. You can toggle views in the top left corner of the Admin view.
1. In the Admin view in Okta, navigate to Applications, and click on the Add Application button.
2. Select Create a New App.
3. Select SAML 2.0 as the Sign on method.
4. Enter an App Name and Logo (Optional) and click next.
6. Map the attributes email, firstName and lastName to the values user.email, user.firstName and user.lastName respectively, then click Next on this page and Finish on the next page.
7. Assign the App to yourself and any other necessary users. This option is under Assignments in the App view.
Part 2: Configure the Alteryx System Settings
Once Alteryx has been added to Okta, you can configure SAML in the Alteryx Server’s System Settings.
1. In Alteryx System Settings, click next until you navigate to Gallery > Authentication, and select SAML authentication as your Authentication Type. The ACS Base URL field should auto-populate with your Gallery's URL.
2. In Select an option for obtaining metadata required by the IDP, select either IDP Metadata URL or x509 certificate and IDP SSO URL. Either option will work for Okta, so we suggest using the IDP Metadata URL option, because it simplifies setup. If you are interested in the X509 certificate and IDP SSO URL setup, please see the PingOne article.
For the IDP Metadata URL:
1. In Okta, click the Identity Provider Metadata link, which is located just below the View Setup Instructions Option in the Application Page > Sign On > Settings.
2. This link will take you to an XML file that contains the SAML metadata. Copy the URL that is populated in the browser tab after clicking on this link.
3. Paste the copied URL link into the IDP Metadata URL field in Alteryx System Settings.
4. View the Okta Setup Instructions in the App View under Sign On > View Setup Instructions, and copy the Identity Provider Issuer URL, and paste this into the IDP URL field in the Alteryx System Settings.
5. Click on the button to Verify IDP!
You may see a pop-up warning about running scripts from the pop-up window. This is a known issue, and you should be able to get around it by clicking Yes. You may have to repeat this a few times.
6. An Okta login screen should appear. Provide your Okta Credentials, and select Sign In.
7. If your Verification is successful, you will see a message pop up in the bottom right side of the System Settings Screen. Note: The first user successfully signed in to the IDP via verification becomes the default Gallery administrator (curator).
Now you can complete the Alteryx Systems Settings configuration by clicking Next through the remaining configuration options, and then Finish.
When you navigate to your Gallery, and click Sign In, you should now be signed in with your Okta Credentials. Hooray!