on 06-19-2018 03:45 PM - edited on 05-10-2023 08:19 AM by csalgado5
In this article, we will review how to configure SAML on your Alteryx Server for Okta. To learn more about SAML authentication with Alteryx, please review the following article: Alteryx Architectures - SAML SSO Authentication.
This entire process starts with the configuration on the Single Sign-On Provider’s side. This is a step-by-step outline of how to add Alteryx as an application in Okta. Note: These instructions are for the Developer's Console UI. See below for Classic UI instructions.
1. In the Developer view of Okta, navigate to Applications and select "Create App Integration".
2. Select SAML 2.0 as the Sign on method.
3. Click "Next".
4. Add an app title. If desired, an app icon can be added.
5. In the Configure SAML screen, enter the Single sign-on URL as:
Your base Gallery URL (found in Alteryx System Settings > Gallery > General) with /aas/Saml2/Acs appended to the end (no /gallery). Example: http://gallery.alteryxtest.com/aas/Saml2/Acs, or https://gallery.alteryxtest.com/aas/Saml2/Acs if SSL is enabled.
6. In the Audience URI textbox, input your Gallery base URL with /aas/Saml2 appended to the end (no /gallery).
7. Scroll down to the "Attribute Statements" portion. Map the following attributes (case-sensitive):
Attribute Name: email Value: user.email
Attribute Name: firstName Value: user.firstName
Attribute Name: lastName Value: user.lastName
8. Click "Next" on this page. On the next page, select either "Customer" or "Partner", depending on the Okta relationship. The other survey fields are optional.
9. Then, click "Finish".
10. Once the application has been created, select the "Assignments" tab.
11. Click the "Assign" button, then choose either "Assign to People" or "Assign to Groups".
12. Add administrators (including the user that created the application) and any other necessary users by selecting "Assign". Click "Done" when finished.
13a. IDP Metadata URL option: Click the "Sign On" tab. In the "SAML Signing Certificates" section, select "Actions" > "View IdP Metadata" on the active certificate (SHA-2). This information will help to connect Okta to Alteryx Server.
13b. X509 Certificate option: On the right-hand side of the "Sign On" page, select the "View SAML setup instructions" button. This will bring up a page called "How to Configure SAML 2.0 for [applicationName] Application". This information will help to connect Okta to Alteryx Server.
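The values from steps 5 to 7 can be checked before saving the Okta application. The following is an added example, not Alteryx or Okta code: it derives the expected Single sign-on URL and Audience URI from the base Gallery URL and reports scheme mismatches, a leftover /gallery segment, and attribute names with the wrong case. The function names and the sample values are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Attribute statements from step 7; the names are case-sensitive.
REQUIRED_ATTRIBUTES = {"email": "user.email", "firstName": "user.firstName",
                       "lastName": "user.lastName"}

def expected_saml_urls(base_gallery_url):
    """Derive the step 5 and step 6 values from the base Gallery URL."""
    parts = urlsplit(base_gallery_url.strip())
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("base Gallery URL must be an absolute http(s) URL")
    path = parts.path.rstrip("/")
    if path.lower().endswith("/gallery"):          # "(no /gallery)"
        path = path[: -len("/gallery")]
    root = f"{parts.scheme}://{parts.netloc}{path}"
    return {"Single sign-on URL": root + "/aas/Saml2/Acs",
            "Audience URI": root + "/aas/Saml2"}

def check_okta_app(base_gallery_url, configured, attributes):
    """Return a list of findings; an empty list means everything matches."""
    findings = []
    for field, want in expected_saml_urls(base_gallery_url).items():
        got = configured.get(field, "")
        if got == want:
            continue
        if urlsplit(got).scheme != urlsplit(want).scheme:
            reason = "scheme differs from the Gallery URL"
        elif "/gallery/" in got.lower():
            reason = "still contains /gallery"
        else:
            reason = "does not match"
        findings.append(f"{field}: {reason} (expected {want}, got {got})")
    for name, value in REQUIRED_ATTRIBUTES.items():
        if attributes.get(name) == value:
            continue
        wrong_case = [k for k in attributes if k.lower() == name.lower() and k != name]
        hint = (f"found {wrong_case[0]!r}, names are case-sensitive"
                if wrong_case else "missing or wrong value")
        findings.append(f"attribute {name}: {hint}")
    return findings

# Constructed sample: SSL is enabled on the Gallery, the Okta app is misconfigured.
SAMPLE_BASE = "https://gallery.alteryxtest.com/gallery/"
SAMPLE_URLS = {"Single sign-on URL": "http://gallery.alteryxtest.com/aas/Saml2/Acs",
               "Audience URI": "https://gallery.alteryxtest.com/gallery/aas/Saml2"}
SAMPLE_ATTRS = {"email": "user.email", "firstname": "user.firstName",
                "lastName": "user.lastName"}

if __name__ == "__main__":
    print("\n".join(check_okta_app(SAMPLE_BASE, SAMPLE_URLS, SAMPLE_ATTRS)))
```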
I followed the article but am getting stuck at the following screen. If I click on the 'Alteryx Authentication Service' it goes to a webpage not found screen.
If I get out of it, it sets the 'Default Gallery Administrator' to undefined (which is greyed out) and does not let me proceed to the next screen.
Also, SAML doesn't work if I enable SSL.
Hi @ashkhan,
We have tested enabling SSL with SAML authentication (Specifically with Okta), and have found that it works without issue in our test environment, so long as SSL and SAML are both configured correctly. It is important that the URL you use in your browser to access your Gallery matches what you are using to configure SAML, otherwise the authentication will fail. This may be something worth checking. If you continue to have trouble with configuring SAML, please reach out to us at support@alteryx.com, and we would be happy to review your current settings and configuration with you.
Thank you!
Sydney
Thanks for the prompt response Sydney.
We did validate that the settings were entered correctly (we did try with incorrect settings and noticed a different error).
I also assume that the settings are correct since it tries to get to the auth page, which just appears blank.
I have sent an email to support for further investigation.
We had issues using the IDP Metadata URL option, so went ahead with the X509 Certificate. A quick note on how to enter the certificate in the box is to eliminate the header (-----BEGIN CERTIFICATE-----) and footer (-----END CERTIFICATE-----) and remove the new lines (LF, CRLF codes), so all the characters are in one line.
Thanks Dan/Michael from support for the tip on this.
Also, back up the MongoDB before switching to SAML Authentication, as there is no way back to Integrated Authentication from what I am told.
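The certificate preparation described in the comment above, as an added example that is not part of the original post and is not Alteryx code: it strips the PEM header and footer, removes all line breaks, and checks that the result still decodes before it is pasted. The function name is an assumption, and the sample bytes are constructed placeholders rather than a real certificate.

```python
import base64
import hashlib
import re
import textwrap

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_single_line(pem_text):
    """Return (one_line_base64, sha256_hex) for PEM text holding one certificate."""
    blocks = PEM_BLOCK.findall(pem_text)
    if len(blocks) != 1:
        raise ValueError(f"expected exactly one certificate, found {len(blocks)}")
    body = re.sub(r"\s+", "", blocks[0])          # drops LF, CRLF, spaces, tabs
    der = base64.b64decode(body, validate=True)   # raises on stray characters
    if len(der) < 4 or der[0] != 0x30:            # DER certificates start with SEQUENCE
        raise ValueError("decoded data does not look like a DER certificate")
    return body, hashlib.sha256(der).hexdigest()

# Constructed placeholder bytes (not a real certificate), wrapped PEM-style
# with CRLF line endings to mimic a file saved on Windows.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(range(256))
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\r\n"
    + "\r\n".join(textwrap.wrap(base64.b64encode(SAMPLE_DER).decode(), 64))
    + "\r\n-----END CERTIFICATE-----\r\n"
)

if __name__ == "__main__":
    one_line, fingerprint = pem_to_single_line(SAMPLE_PEM)
    print(one_line)
    print("SHA-256 of DER:", fingerprint)
```

The SHA-256 value is the hash of the decoded certificate bytes, so it can be compared with the fingerprint of the certificate file you downloaded to confirm nothing was lost while flattening.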
We have configured SAML using ADFS for our Gallery and now the "permissions" tab in the Admin gallery is missing, leaving us with no option to add AD Groups to configure access to the Gallery.
I was wondering if any of you have noticed that limitation and what you have done to circumvent that issue. It appears that is only a feature when using AD authentication.
Thank you,
We integrated OKTA with AD Groups, and when users in these AD Groups log into Gallery for the first time they will be provided default viewer access. Admin will individually assign roles for each user that is logged in via OKTA.
Even though AD Group information is sent in SAML assertion there is no way we could map the Groups to Roles in the Gallery. The Group option is just not available.
I am assuming this is only available when using Integrated Windows Authentication.
Alteryx team, do you have any comments regarding the latest comment from @naleti? Is this still the behavior in the most recent release?
Thank you
Hi Team, where do I need to put the metadata file in Alteryx Server? I have created an EC2 instance and am installing Alteryx Server on it. I also added this Alteryx to Okta. I am unable to see XML content when entering the metadata URL in the browser. It shows me a 404 error.
The OKTA UI has changed so these images are not current.
URLs are totally outdated. I'm trying to set up SSO with Okta on an Alteryx Server 2023.1.1.200.
No path /aas/Saml2/Acs exists, nor /aas/Saml2, nor /aas.
Please help!
Finally, I've been able to make it work (with some help from Cesar from DataMeaning.com).
Our current setup is:
Private network traffic -> App Load Balancer -> SSL termination -> EC2 Instance port 80
No public facing endpoint. No SSL cert installed on the server side.
Pay special attention to protocols in bold text.
Screenshots
@nyshex-devops
Thank you for sharing what worked!!!