Configuring SAML on Alteryx Server for OneLogin
Alteryx Gallery allows the use of most Identity Providers (IdP) that support the SAML 2.0 standard to be configured as an authentication method.
The following information will assist with configuring Alteryx Gallery to be functional with OneLogin.
Prerequisites
- OneLogin
- Account with access to perform administration tasks
- All users that will log in must have an email address attribute
- Alteryx Server >= 2018.2
- Account with access to perform administration tasks
Procedure
- In the OneLogin Administration screen, highlight Apps in the top navigation menu and select Add Apps.
- On the Find Applications screen, search for SAML in the box provided. One of the results should be OneLogin SAML Test (IdP). Select that application.
- Fill in the name, description, and details for the Alteryx Gallery. Then, click Save.
- Highlight the More Options button that appears and download the SAML Metadata file. You will need a few values in this file when configuring the System Settings on the Alteryx Server side.
- Click Configuration in the navigation menu. Fill out the details with your base Gallery URL and the attached endpoints: /aas/Saml2/Acs or /aas/Saml2 appended to the end.
If you have SSL configured with the Alteryx Gallery, use https:// instead of http://.
For the ACS URL Validator, copy the SAML Consumer URL and escape any metacharacters in the address.
Note: The endpoints may be case sensitive depending on settings in your environment. I would recommend entering them with the capitalization as shown in the screenshot and example URLs below.
Base URL: http://mygallery.alteryx.com/gallery/
SAML Consumer URL: http://mygallery.alteryx.com/aas/Saml2/Acs
SAML Audience: http://mygallery.alteryx.com/aas/Saml2
SAML Recipient: http://mygallery.alteryx.com/aas/Saml2
ACS URL Validator: http:\/\/mygallery.alteryx.com\/aas\/Saml2\/Acs
When finished, click Save.
- Under the Parameters section we need to map the Claims attributes to match between Alteryx Gallery and OneLogin. Use the table below for the appropriate values between the two. The Alteryx Gallery Attributes are case sensitive.
OneLogin Value | Alteryx Gallery Attribute |
Email | email |
First Name | firstName |
Last Name | lastName |
Note: OneLogin provides a starting field you can modify, Email (NameID). Ignore this, as the email setting we need maps to a different value.
- Select Include in SAML assertion.
- Duplicate the above for firstName and lastName. When finished, click Save.
- In the SSO section, switch the SAML Signature Algorithm to SHA-256. When finished, click Save.
- Open the Alteryx System Settings and click Next until you reach the Gallery->Authentication section. Also, open the OneLogin metadata XML file you downloaded earlier.
- Set the Select an option for obtaining metadata required by the IDP to X509 certificate and IDP SSO URL. The IDP URL can be found in the OneLogin metadata XML file at the EntityDescriptor setting, under EntityID. It should look something like: https://app.onelogin.com/saml/metadata/12345678-1234-5678-1234-123456789012.
- Use the SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" value at the bottom of the XML document for the IDP SSO URL setting.
- You will also need the value from the X509 Certificate for the corresponding setting. It is more reliable for the connection between the Gallery and the IDP if the certificate is entered as one long string rather than the text block provided in the XML document.
- Click Verify IDP in the Alteryx System Settings. This will prompt you with the OneLogin login screen. Fill out your OneLogin username and password.
If everything is set up correctly, you will see a success message and your email address filled out in the Default Gallery Administrator setting.
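The values entered in the steps above can be derived and extracted rather than copied by hand. The following Python sketch is an added example, not Alteryx or OneLogin code: it builds the OneLogin Configuration fields from the Gallery host and reads the IDP URL, the HTTP-POST SSO URL and the single-line certificate out of a metadata file. The function names, the sample metadata and its idp.example.com locations are constructed for illustration, and the validator it emits also escapes dots and anchors the pattern with ^ and $, which is stricter than the sample value shown earlier.

```python
import re
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample in the shape of an IdP metadata file; the certificate
# text is a placeholder, not a real key, and the SSO locations are made up.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://app.onelogin.com/saml/metadata/12345678-1234-5678-1234-123456789012">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data><X509Certificate>
        MIIPLACEHOLDERLINEONE
        PLACEHOLDERLINETWO==
      </X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/sso/redirect"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/sso/post"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def onelogin_fields(gallery_host, scheme="https"):
    """Values for the OneLogin Configuration tab, derived from the Gallery host."""
    root = f"{scheme}://{gallery_host}"
    acs = f"{root}/aas/Saml2/Acs"
    # re.escape covers the dots; "/" is escaped by hand, as in the page's sample.
    validator = "^" + re.escape(acs).replace("/", r"\/") + "$"
    return {"consumer_url": acs, "audience": f"{root}/aas/Saml2",
            "recipient": f"{root}/aas/Saml2", "acs_validator": validator}

def alteryx_idp_settings(metadata_xml):
    """Values for the Alteryx System Settings, read from the metadata XML."""
    doc = ET.fromstring(metadata_xml)
    sso = [e.get("Location") for e in doc.iter(MD + "SingleSignOnService")
           if e.get("Binding") == POST]
    cert = doc.find(f".//{DS}X509Certificate")
    if not sso or cert is None or not (cert.text or "").strip():
        raise ValueError("metadata lacks an HTTP-POST SSO endpoint or certificate")
    # Collapse the wrapped base64 block into one long string for the X509 field.
    return {"idp_url": doc.get("entityID"), "idp_sso_url": sso[0],
            "x509": "".join(cert.text.split())}

if __name__ == "__main__":
    print(onelogin_fields("mygallery.alteryx.com", scheme="http"))
    print(alteryx_idp_settings(SAMPLE_METADATA))
```
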
Common Issues
Access Denied error
- Verify the user account has access to the OneLogin application. You can verify this at Users->(user account)->Applications
AlteryxAuthorizationService.exe has stopped working or there is a failure to set the Default Gallery Administrator
- Turn off IE Enhanced Security Configuration on the Alteryx Server if you have crash errors while verifying the IDP information. This feature can be turned back on once you have the configuration in a functional state.
https://www.limestonenetworks.com/support/knowledge-center/17/70/how_do_i_disable_internet_explorer_...
- Verify that the values in the SAML IDP Configuration are correct for your OneLogin application.
- Verify that the OneLogin application was configured with the correct claim attributes.
- Check the AlteryxAuthorizationService.exe logging directory (%PROGRAMDATA%\Alteryx\Logs) for any clues.
- Open Event Viewer within Windows and look for errors that may be of use in the Application log.
- If still stuck, reach out to our Support team. I'd suggest providing the following:
1. Values set in the Alteryx System Settings application for SAML
2. AAS log files (found in %PROGRAMDATA%\Alteryx\Logs\)
3. Configuration screenshots for OneLogin