Configuring SAML on Alteryx Server for Okta

Community Content Engineer

SAML (Security Assertion Markup Language) is a standard for exchanging authentication and authorization credentials between different parties. The most common use for SAML is web browser single sign-on. Starting in 2018.2, Alteryx Server supports SAML. So far, SAML in Alteryx Server has been specifically validated on two providers: PingOne and Okta. In this article we will review how to configure SAML on your Alteryx Server for Okta.

 

Part 1: Add Alteryx to Okta

 

This entire process starts with configuration on the Single Sign On Provider’s side. This is a step-by-step outline of how to add Alteryx as an application in Okta.

 

Note: These instructions are for the Classic UI. The Developer's Console will look different. You can toggle views in the top left corner of the Admin view.

 

1. In the Admin view in Okta, navigate to Applications, and click on the Add Application button.

 


2. Select Create a New App.

 


 

3. Select SAML 2.0 as the Sign on method.

 


 

4. Enter an App Name and, optionally, a Logo, then click Next.

5. In the Configure SAML screen, enter the Single sign on URL as: http://YOURGALLERYNAMEHERE/aas/Saml2/Acs

     Enter the Audience URI (SP Entity ID) as: http://YOURGALLERYNAMEHERE/aas/Saml2 and scroll down.

 


 

6. Map the attributes email, firstName and lastName to the values user.email, user.firstName and user.lastName respectively, then click Next on this page and Finish on the next page.

 


 

7. Assign the App to yourself and any other necessary users. This option is under Assignments in the App view.
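
The two values entered in step 5 have to agree in scheme, host and port with the URL users type into the browser to reach the Gallery, otherwise authentication fails. The check below is an added example, not Alteryx or Okta code; `gallery.example.com`, the `/gallery/` path and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Paths from step 5 of this article.
ACS_PATH = "/aas/Saml2/Acs"    # Single sign on URL
AUDIENCE_PATH = "/aas/Saml2"   # Audience URI (SP Entity ID)
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Normalise a URL to scheme://host:port so equal origins compare equal."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return f"{scheme}://{(parts.hostname or '').lower()}:{port}"


def check_sp_urls(browser_gallery_url, okta_sso_url, okta_audience_uri):
    """Return a list of mismatches between Okta's SP values and the Gallery."""
    expected = origin(browser_gallery_url)
    problems = []
    for label, value, path in (
        ("Single sign on URL", okta_sso_url, ACS_PATH),
        ("Audience URI", okta_audience_uri, AUDIENCE_PATH),
    ):
        if origin(value) != expected:
            problems.append(f"{label}: origin {origin(value)} != {expected}")
        if urlsplit(value.strip()).path != path:
            problems.append(f"{label}: path should be exactly {path}")
    return problems


# Constructed values: gallery.example.com stands in for YOURGALLERYNAMEHERE.
OKTA_SSO = "http://gallery.example.com/aas/Saml2/Acs"
OKTA_AUDIENCE = "http://gallery.example.com/aas/Saml2"

if __name__ == "__main__":
    # Browsing over https while Okta still holds the http values is flagged.
    for line in check_sp_urls("https://gallery.example.com/gallery/",
                              OKTA_SSO, OKTA_AUDIENCE):
        print(line)
```

An empty list means both Okta values line up with the browser URL; each string in a non-empty list names the field to correct in Okta.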

 


 

 

Part 2: Configure the Alteryx System Settings

 

Once Alteryx has been added to Okta, you can configure SAML in the Alteryx Server’s System Settings.

 

1. In Alteryx System Settings, click Next until you reach Gallery > Authentication, and select SAML authentication as your Authentication Type. The ACS Base URL field should auto-populate with your Gallery's URL.

 


 

2. In Select an option for obtaining metadata required by the IDP, select either IDP Metadata URL or X509 certificate and IDP SSO URL. Either option will work for Okta, so we suggest using the IDP Metadata URL option because it simplifies setup. If you are interested in the X509 certificate and IDP SSO URL setup, please see the PingOne article.

 

For the IDP Metadata URL:

 

1. In Okta, click the Identity Provider Metadata link, which is located just below the View Setup Instructions Option in the Application Page > Sign On > Settings.

 

2. This link will take you to an XML file that contains the SAML metadata. Copy the URL that is populated in the browser tab after clicking on this link.

3. Paste the copied URL into the IDP Metadata URL field in Alteryx System Settings.

 

4. View the Okta Setup Instructions in the App View under Sign On > View Setup Instructions, and copy the Identity Provider Issuer URL, and paste this into the IDP URL field in the Alteryx System Settings.

 


 

5. Click on the button to Verify IDP!

 

    You may see a pop-up warning about running scripts from the pop-up window. This is a known issue, and you should be able to get around it by clicking Yes; you may have to repeat this a few times.

 

6. An Okta login screen should appear. Provide your Okta Credentials, and select Sign In.

 


 

7. If your Verification is successful, you will see a message pop up in the bottom right side of the System Settings Screen. Note: The first user successfully signed in to the IDP via verification becomes the default Gallery administrator (curator).

 


 

Now you can complete the Alteryx System Settings configuration by clicking Next through the remaining configuration options, and then Finish.

 

When you navigate to your Gallery, and click Sign In, you should now be signed in with your Okta Credentials. Hooray!

 

 

Comments
Meteor

I follow the article but am getting stuck at the following screen. If I click on the 'Alteryx Authentication Service' it goes to a webpage not found screen.

If I get out of it, it sets the 'Default Gallery Administrator' to undefined (which is greyed out) and does not let me proceed to the next screen.

 

Also, SAML doesn't work if I enable SSL.

 

okta alteryx saml error.jpg

Community Content Engineer

Hi @ashkhan,

 

We have tested enabling SSL with SAML authentication (Specifically with Okta), and have found that it works without issue in our test environment, so long as SSL and SAML are both configured correctly. It is important that the URL you use in your browser to access your Gallery matches what you are using to configure SAML, otherwise the authentication will fail. This may be something worth checking. If you continue to have trouble with configuring SAML, please reach out to us at support@alteryx.com, and we would be happy to review your current settings and configuration with you.

 

 

Thank you!

 

Sydney

Meteor

Thanks for the prompt response Sydney. 

 

We did validate that the settings were entered correctly - (we did try with incorrect settings and noticed a different error)

I also assume that the settings are correct since it tries to get to the auth page which just appears blank. 

 

I have sent an email to support for further investigation.

Meteor

We had issues using the IDP Metadata URL option, so went ahead with the X509 Certificate. A quick note on how to enter the certificate in the box is to eliminate the header (-----BEGIN CERTIFICATE-----) and footer (-----END CERTIFICATE-----) and remove the new lines (LF, CRLF codes), so all the characters are in one line.

 

Thanks Dan/Michael from support for the tip on this.

 

Also, back up the MongoDB before switching to SAML Authentication as there is no way back to Integrated Authentication from what I am told.
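
The certificate clean-up described in the comment above, as an added example that is not part of the original comment or Alteryx's code: it strips the PEM header and footer, joins the lines, and returns a SHA-256 fingerprint to compare against the certificate shown by the IdP. The sample PEM is built from constructed bytes, not a real certificate, and the function name is an assumption.

```python
import base64
import binascii
import hashlib
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

# Constructed stand-in for certificate bytes; not a real certificate.
CONSTRUCTED_DER = b"\x30\x64" + bytes(100)
_b64 = base64.b64encode(CONSTRUCTED_DER).decode()
# Constructed PEM with 64-character lines and CRLF endings, as a Windows
# editor would save it.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\r\n"
              + "\r\n".join(_b64[i:i + 64] for i in range(0, len(_b64), 64))
              + "\r\n-----END CERTIFICATE-----\r\n")


def cert_to_single_line(pem_text):
    """Return (single_line_base64, sha256_hex) for exactly one PEM certificate."""
    blocks = PEM_BLOCK.findall(pem_text)
    if len(blocks) != 1:
        raise ValueError(f"expected exactly one PEM block, found {len(blocks)}")
    label, body = blocks[0]
    if label != "CERTIFICATE":
        # Catches a key file picked up by mistake before it is pasted anywhere.
        raise ValueError(f"found a {label} block; only CERTIFICATE belongs here")
    one_line = "".join(body.split())  # drops LF, CRLF, spaces and tabs
    try:
        der = base64.b64decode(one_line, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"body is not valid base64: {exc}") from None
    if not der or der[0] != 0x30:
        raise ValueError("decoded data does not start with a DER SEQUENCE")
    return one_line, hashlib.sha256(der).hexdigest()


if __name__ == "__main__":
    line, fingerprint = cert_to_single_line(SAMPLE_PEM)
    print(line)
    print("SHA-256:", fingerprint)
```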
