Configuring SAML on Alteryx Server for Okta

SydneyF
Alteryx Alumni (Retired)

How to Configure Okta SAML Authentication with Alteryx Server


In this article, we will review how to configure SAML on your Alteryx Server for Okta. To learn more about SAML authentication with Alteryx, please review the following article: Alteryx Architectures - SAML SSO Authentication.


Prerequisites

  • Alteryx Server 
    • Version(s) 2018.2+
  • Okta Developer Console (Admin) 

 

Add Alteryx to Okta

 

This entire process starts with the configuration on the Single Sign-On Provider’s side. This is a step-by-step outline of how to add Alteryx as an application in Okta. Note: These instructions are for the Developer's Console UI. See below for Classic UI instructions.
 

1. In the Developer view of Okta, navigate to Applications and select "Create App Integration".



2. Select SAML 2.0 as the Sign on method.



3. Click "Next". 

4. Add an app title. If desired, an app icon can be added.



5. On the Configure SAML screen, enter the Single sign-on URL as:
Your base Gallery URL (found in Alteryx System Settings > Gallery > General) with /aas/Saml2/Acs appended to the end (no /gallery). (Example: http://gallery.alteryxtest.com/aas/Saml2/Acs, or https://gallery.alteryxtest.com/aas/Saml2/Acs if SSL is enabled.)

6. In the Audience URI textbox, input your Gallery base URL with /aas/Saml2 appended to the end (no /gallery).


7. Scroll down to the "Attribute Statements" portion. Map the following attributes (case-sensitive):

Attribute Name: email        Value: user.email
Attribute Name: firstName    Value: user.firstName
Attribute Name: lastName     Value: user.lastName


8. Click "Next" on this page. On the next page, select either "Customer" or "Partner", depending on the Okta relationship. The other survey fields are optional.

9. Then, click "Finish".

10. Once the application has been created, select the "Assignments" tab.

11. Click the "Assign" button, then choose either "Assign to People" or "Assign to Groups". 



12. Add administrators (including the user that created the application) and any other necessary users by selecting "Assign". Click "Done" when finished. 

13a. IDP Metadata URL option: Click the "Sign On" tab. In the "SAML Signing Certificates" section, select "Actions" > "View IdP Metadata" on the active certificate (SHA-2). This information will help to connect Okta to Alteryx Server. 



13b. X509 Certificate option: On the right-hand side of the "Sign On" page, select the "View SAML setup instructions" button. This will bring up a page called "How to Configure SAML 2.0 for [applicationName] Application". This information will help to connect Okta to Alteryx Server. 


 

Configure Alteryx Server for Okta SAML Authentication

 
1. Open the Alteryx System Settings and press "Next" until the Gallery > Authentication page is reached. 

2. Add an email address for the "Default Gallery Administrator".

3. Switch the authentication type to SAML.

4. The ACS Base URL should populate with the Gallery base address, with /aas appended. Note: If SSL is enabled in Gallery > General, the ACS Base URL should have "https" rather than "http".

5. Navigate back to the Okta SAML page from either step 13a or 13b of the previous section (metadata option or X509 certificate options).

6. Copy the "entityID" URL in the first line of XML code (example: http://www.okta.com/exk1lbtng37fxZhpT0h8).

7. Paste this value into the "IDP URL" textbox of the Alteryx System Settings. 

The following steps depend on which configuration option was chosen in step 13. If using the metadata option, continue to step 8. If using the X509 certificate, proceed to step 12.

Metadata Option:
8. Copy the URL of the Okta page, ending in /sso/saml/metadata. This is the link to the metadata information.

9. Paste the value in the "IDP Metadata URL" textbox of the Alteryx System Settings. 
10. Click "Verify IDP" and sign in. 

11. Proceed all the way through the Alteryx System Settings. 

X509 Option:
12. In the Alteryx System Settings, change the radio button from "IDP Metadata URL" to "X509 certificate and IDP SSO URL".

13. Navigate to the Okta "How to Configure SAML 2.0" page. These values can also be obtained from the metadata XML (this view is more readable). 

14. Copy the "Identity Provider Single Sign-On URL" (ends in sso/saml). 

15. Paste this value into the "IDP SSO URL" textbox of the Alteryx System Settings. 

16. Copy the X509 certificate.

17. Paste the X509 certificate into the "X509 certificate" textbox of the Alteryx System Settings. 

18. Click "Verify IDP" and sign in. 

19. Proceed all the way through the Alteryx System Settings. 
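
The values that steps 6 to 17 copy by hand can also be read directly from the IdP metadata XML. The following is an added example, not Alteryx or Okta code: it extracts the entityID, the SSO URL and the signing certificate, reduces the certificate to one base64 line with no header, footer or line breaks (the form reported in the comments on this page), and returns a SHA-256 fingerprint that can be compared with one obtained independently. The sample metadata, its SSO URL and the certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
CERT = "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"

def one_line_cert(text):
    """Drop PEM header/footer and whitespace; return (base64 line, SHA-256 hex)."""
    kept = [ln for ln in text.splitlines() if not ln.strip().startswith("-----")]
    body = "".join("".join(kept).split())
    der = base64.b64decode(body, validate=True)  # raises on stray characters
    return body, hashlib.sha256(der).hexdigest()

def idp_values(metadata_xml):
    """Server steps 6-17: IDP URL, IDP SSO URL and certificate from IdP metadata."""
    # Metadata is plain XML; refuse DTD or entity declarations before parsing.
    if "<!DOCTYPE" in metadata_xml or "<!ENTITY" in metadata_xml:
        raise ValueError("metadata must not carry DTD or entity declarations")
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    sso = idp.find("md:SingleSignOnService", NS) if idp is not None else None
    cert = idp.findtext(CERT, namespaces=NS) if idp is not None else None
    if not root.get("entityID") or sso is None or not cert:
        raise ValueError("not usable SAML IdP metadata")
    body, fingerprint = one_line_cert(cert)
    return {"idp_url": root.get("entityID"), "idp_sso_url": sso.get("Location"),
            "x509_one_line": body, "sha256_fingerprint": fingerprint}

# Constructed sample: placeholder bytes stand in for a DER certificate.
SAMPLE_DER = b"constructed placeholder bytes, not a real certificate"
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
 entityID="http://www.okta.com/exk1lbtng37fxZhpT0h8"><md:IDPSSODescriptor
 protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
{SAMPLE_B64[:24]}
{SAMPLE_B64[24:]}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
 Location="https://example.okta.com/app/sample/sso/saml"/>
</md:IDPSSODescriptor></md:EntityDescriptor>"""

if __name__ == "__main__":
    for field, value in idp_values(SAMPLE_METADATA).items():
        print(f"{field}: {value}")
```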


AAS (Alteryx Authentication Service) or SSO logs show detailed information on how the assertion is being sent. These logs may have more verbose messaging should an issue arise. Location: %ProgramData%\Alteryx\Logs (ProgramData is a hidden folder. Enable it by selecting "View" > check "Hidden Items" in File Explorer).

Comments
ashkhan
7 - Meteor

I followed the article but am getting stuck at the following screen. If I click on the 'Alteryx Authentication Service', it goes to a webpage not found screen.

If I get out of it, it sets the 'Default Gallery Administrator' to undefined (which is greyed out) and does not let me proceed to the next screen.

 

Also, SAML doesn't work if I enable SSL.

 


SydneyF
Alteryx Alumni (Retired)

Hi @ashkhan,

 

We have tested enabling SSL with SAML authentication (Specifically with Okta), and have found that it works without issue in our test environment, so long as SSL and SAML are both configured correctly. It is important that the URL you use in your browser to access your Gallery matches what you are using to configure SAML, otherwise the authentication will fail. This may be something worth checking. If you continue to have trouble with configuring SAML, please reach out to us at support@alteryx.com, and we would be happy to review your current settings and configuration with you.

 

 

Thank you!

 

Sydney

ashkhan
7 - Meteor

Thanks for the prompt response Sydney. 

 

We did validate that the settings were entered correctly - (we did try with incorrect settings and noticed a different error)

I also assume that the settings are correct since it tries to get to the auth page which just appears blank. 

 

I have sent an email to support for further investigation.

jyeh
7 - Meteor

We had issues using the IDP Metadata URL option, so went ahead with the X509 Certificate. A quick note on how to enter the certificate in the box is to eliminate the header (-----BEGIN CERTIFICATE-----) and footer (-----END CERTIFICATE-----) and remove the new lines (LF, CRLF codes), so all the characters are in one line.

 

Thanks Dan/Michael from support for the tip on this.

 

Also, back up the MongoDB before switching to SAML Authentication, as there is no way back to Integrated Authentication from what I am told.

mariorami
5 - Atom

We have configured SAML using ADFS for our Gallery and now the "permissions" tab in the Admin gallery is missing, leaving us with no option to add AD Groups to configure access to the Gallery.

 

I was wondering if any of you has noticed that limitation and what you have done to circumvent that issue. It appears that is only a feature when using AD authentication.

 

Thank you,

 

naleti
6 - Meteoroid

We integrated OKTA with AD Groups, and when users in these AD Groups log into Gallery for the first time they will be provided default viewer access. Admin will individually assign roles for each user that is logged in via OKTA.

 

Even though AD Group information is sent in SAML assertion there is no way we could map the Groups to Roles in the Gallery. The Group option is just not available.

 

I am assuming this is only available when using Integrated Windows Authentication.

yuriy
8 - Asteroid

Alteryx team, do you have any comments regarding the latest comment from @naleti? Is this still the behavior in the most recent release? 

Thank you

DNigam
5 - Atom

Hi Team, where do I need to put the metadata file in Alteryx Server? I have created an EC2 instance and am installing Alteryx Server on it. I also added this Alteryx to Okta. I am unable to see XML content when entering the metadata URL in a browser. It shows me a 404 error.

nathan_love
Alteryx

The OKTA UI has changed so these images are not current.

nyshex-devops
5 - Atom

URLs are totally outdated. I'm trying to set up SSO with Okta on an Alteryx Server 2023.1.1.200.

No path /aas/Saml2/Acs exists, nor /aas/Saml2, nor /aas.

 

Please help!

nyshex-devops
5 - Atom

Finally, I've been able to make it work (with some help from Cesar from DataMeaning.com).

 

Our current setup is:

Private network traffic -> App Load Balancer -> SSL termination -> EC2 Instance port 80 

No public facing endpoint. No SSL cert installed on the server side.

 

Pay special attention to protocols in bold text.

  • SSO config
    • Okta side
      • Single sign-on URL: https://alteryx.xxxxx.xxx/aas/Saml2/Acs
      • Audience URI (SP Entity ID): https://alteryx.xxxxx.xxx/aas/Saml2
    • Alteryx Server side
      • Server UI configuration
        • Always keep SSL turned off
        • All the URL Configuration (Base Address, Base Web API Address, Canonical Base Address, Base Web API Address, etc.) for the service just keep http://alteryx.xxxxx.xxx as prefix
      • Gallery Authentication
        • SAML IDP Configuration
          • ACS Base URL: https://alteryx.xxxxx.xxx/aas
          • IDP URL: <provided by Okta>
          • IDP SSO URL: <provided by Okta>
          • X509 certificate: Remove -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- from certificate body provided by Okta and paste here
        • Default Gallery Administrator: xxxxx@xxxxx.xxx (user has to be assigned to the app in Okta)

 


lepome
Alteryx Alumni (Retired)

@nyshex-devops 
Thank you for sharing what worked!!!