Alteryx Server Knowledge Base

Definitive answers from Server experts.

Configuring SAML on Alteryx Server for OneLogin

MattH
Alteryx

Alteryx Gallery can be configured to authenticate against most Identity Providers (IdP) that support the SAML 2.0 standard.

The steps below configure Alteryx Gallery to work with OneLogin.

Prerequisites

  • OneLogin
    • Account with access to perform administration tasks
    • All users that will log in must have an email address attribute
  • Alteryx Server >= 2018.2
    • Account with access to perform administration tasks

Procedure

  1. In the OneLogin Administration screen, highlight Apps in the top navigation menu and select Add Apps.

    saml00.jpg

  2. On the Find Applications screen, search for SAML in the box provided. One of the results should be OneLogin SAML Test (IdP). Select that application.

    saml01.jpg

  3. Fill in the name, description, and details for the Alteryx Gallery. Then, click Save.

    saml02.jpg

  4. Highlight the More Options button that appears and download the SAML Metadata file. You will need a few values in this file when configuring the System Settings on the Alteryx Server side.

    saml11.jpg

  5. Click Configuration in the navigation menu. Fill out the details using your Gallery URL with the endpoint /aas/Saml2/Acs or /aas/Saml2 appended, as in the example URLs below.
    If you have SSL configured with the Alteryx Gallery, use https:// instead of http://.
    For the ACS URL Validator, copy the SAML Consumer URL and escape any metacharacters in the address.

    Note: The endpoints may be case sensitive depending on settings in your environment. I would recommend entering them with the capitalization shown in the screenshot and example URLs below.

    Base URL: http://mygallery.alteryx.com/gallery/

    SAML Consumer URL: http://mygallery.alteryx.com/aas/Saml2/Acs

    SAML Audience: http://mygallery.alteryx.com/aas/Saml2

    SAML Recipient: http://mygallery.alteryx.com/aas/Saml2

    ACS URL Validator: http:\/\/mygallery.alteryx.com\/aas\/Saml2\/Acs

    saml03.jpg

    When finished, click Save.

  6. Under the Parameters section we need to map the Claims attributes to match between Alteryx Gallery and OneLogin. Use the below table for the appropriate values between the two. The Alteryx Gallery Attributes are case sensitive.

    OneLogin Value    Alteryx Gallery Attribute
    Email             email
    First Name        firstName
    Last Name         lastName

    Note: OneLogin provides a starting field you can modify, Email (NameID). Ignore it, because the email setting we need maps to a different value.

    saml05.jpg
    saml05a.jpg


  7. Select Include in SAML assertion.
  8. Duplicate the above for firstName and lastName. When finished, click Save.

  9. In the SSO section, switch the SAML Signature Algorithm to SHA-256. When finished, click Save.

    saml09.jpg

  10. Open the Alteryx System Settings and click Next until you reach the Gallery->Authentication section. Also, open the OneLogin metadata XML file you downloaded earlier.
  11. Set "Select an option for obtaining metadata required by the IDP" to "X509 certificate and IDP SSO URL". The IDP URL can be found in the OneLogin metadata XML file at the EntityDescriptor setting, under EntityID. It should look something like: https://app.onelogin.com/saml/metadata/12345678-1234-5678-1234-123456789012.
  12. Use the SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" value at the bottom of the XML document for the IDP SSO URL setting.
  13. You will also need the value from the X509 Certificate for the corresponding setting. It is more reliable for the connection between the Gallery and the IDP if the certificate is entered as one long string rather than the text block provided in the XML document.

    systemsettings.jpg

  14. Click Verify IDP in the Alteryx System Settings. This will prompt you with the OneLogin login screen. Fill out your OneLogin username and password.

    saml_login.jpg

If everything is set up correctly, you will see a success message and your email address filled out in the Default Gallery Administrator setting.

success.jpg
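
The following Python 3.7+ script is an added example, not Alteryx or OneLogin code. It reads the three values from steps 11-13 out of the metadata XML and builds the ACS URL Validator from step 5. Assumptions: the sample metadata is constructed (placeholder certificate body, invented idp.example hosts), the validator field is treated as a regular expression as the escaping instruction implies, the escaped dots and ^...$ anchors go beyond the pattern shown in step 5, and the function names are hypothetical.

```python
import base64, hashlib, re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed stand-in for the downloaded metadata file. The certificate body is
# placeholder base64 (not a real certificate) and the SSO hosts are invented.
CERT_B64 = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
SAMPLE = f"""<EntityDescriptor xmlns="{NS['md']}"
  entityID="https://app.onelogin.com/saml/metadata/12345678-1234-5678-1234-123456789012">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="{NS['ds']}"><ds:X509Data>
   <ds:X509Certificate>{CERT_B64[:32]}
{CERT_B64[32:]}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></KeyDescriptor>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    Location="https://idp.example/trust/saml2/http-redirect/sso/PLACEHOLDER"/>
  <SingleSignOnService Binding="{POST}"
    Location="https://idp.example/trust/saml2/http-post/sso/PLACEHOLDER"/>
 </IDPSSODescriptor>
</EntityDescriptor>"""

def idp_settings(metadata_xml):
    """Return the values steps 11-13 ask for, failing loudly if any is missing."""
    root = ET.fromstring(metadata_xml)
    sso = [s.get("Location") for s in root.iterfind(".//md:SingleSignOnService", NS)
           if s.get("Binding") == POST]      # step 12: HTTP-POST binding only
    cert = root.find(".//ds:X509Certificate", NS)
    if len(sso) != 1 or cert is None or not cert.text or not root.get("entityID"):
        raise ValueError("metadata is missing entityID, HTTP-POST endpoint or certificate")
    one_line = "".join(cert.text.split())            # step 13: one long string
    der = base64.b64decode(one_line, validate=True)  # rejects a mangled paste
    return {"idp_url": root.get("entityID"), "sso_url": sso[0], "x509": one_line,
            "sha256": hashlib.sha256(der).hexdigest()}  # fingerprint of the decoded bytes

def acs_validator(consumer_url):
    """Step 5 pattern: every metacharacter escaped, plus ^...$ anchors (added here)."""
    return "^" + re.escape(consumer_url).replace("/", r"\/") + "$"

def accepts(pattern, url):
    """True if the validator pattern matches the URL (Python re semantics)."""
    return re.search(pattern, url) is not None

if __name__ == "__main__":
    for key, value in idp_settings(SAMPLE).items():
        print(f"{key}: {value}")
    print(acs_validator("http://mygallery.alteryx.com/aas/Saml2/Acs"))
```

The sha256 value lets you confirm that the string pasted into System Settings decodes to the certificate you expect. With the dots left unescaped and no anchors, the pattern also matches URLs other than the Gallery's consumer URL.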

Common Issues

Access Denied error
- Verify the user account has access to the OneLogin application. You can verify this at Users->(user account)->Applications

AlteryxAuthorizationService.exe has stopped working or there is a failure to set the Default Gallery Administrator

- Turn off IE Enhanced Security Configuration on the Alteryx Server if you have crash errors while verifying the IDP information. This feature can be turned back on once you have the configuration in a functional state. https://www.limestonenetworks.com/support/knowledge-center/17/70/how_do_i_disable_internet_explorer_...
- Verify that the values in the SAML IDP Configuration are correct for your OneLogin application.
- Verify that the OneLogin application was configured with the correct claim attributes.
- Check the AlteryxAuthorizationService.exe logging directory (%PROGRAMDATA%\Alteryx\Logs) for any clues.
- Open Event Viewer within Windows and look for errors that may be of use in the Application log.

- If still stuck, reach out to our Support team. I'd suggest providing the following:
1. Values set in the Alteryx System Settings application for SAML
2. AAS log files (found in %PROGRAMDATA%\Alteryx\Logs\)
3. Configuration screenshots for OneLogin

Comments
DfloDBDB
7 - Meteor

Hi Matt

Can you provide full directions on installing Alteryx Server on MS Azure VM MarketPlace or Linux Self-Deploy? That also includes the SSO (Active Directory) & SSL certification?

Thanks