SAML (Security Assertion Markup Language) is a standard for exchanging authentication and authorization data between parties. Its most common use is web browser single sign-on. Starting in 2018.2, Alteryx Server supports SAML. So far, SAML in Alteryx Server has been specifically validated on two providers: PingOne and Okta. In this article we will review how to configure SAML on your Alteryx Server for PingOne.
Part 1: Add Alteryx to PingOne
This entire process starts with configuration on the Single Sign On Provider’s side. This is a step-by-step outline of how to add Alteryx as an application in PingOne.
1. In the PingOne configuration window, under Applications > My Applications, click on Add Application and select New SAML Application.
2. Fill in the name, description, and details for Alteryx. Then, click Continue to Next Step.
3. In the next screen, download the SAML metadata file, and hold on to it. You will need it while configuring the System Settings on the Alteryx Server side.
4. In SSO Attribute Mapping, add the Application Attributes email, firstName, and lastName, and set the Identity Bridge Attribute or Literal Value for each to Email, First Name, and Last Name respectively. Set all three SSO mapped attributes as required.
5. Select Save & Publish.
Part 2: Configure the Alteryx System Settings
Once Alteryx has been added to PingOne, you can configure SAML in the Alteryx Server’s System Settings.
1. In Alteryx System Settings, click Next until you reach Gallery > Authentication, and select SAML authentication as your Authentication Type.
2. There are two options for obtaining the metadata required by the IDP (Identity Provider). Currently, PingOne is only configured to allow X509 certificate and IDP SSO URL, so this is the option you will need to select.
3. Leave the ACE Base URL field as the auto-populated value.
The IDP URL will be the entityID listed in the SAML metadata exported from PingOne (Part 1, Step 3).
The IDP SSO URL will be the SingleSignOnService Binding Location attribute in the same metadata document.
The x509 certificate can be copied and pasted from the SAML metadata document.
Please note: there is currently a known issue where carriage returns in the pasted certificate cause the authentication service to crash. Try pasting the certificate into something like Notepad first to strip out the formatting.
4. When each of these fields has been filled out, click on the button to Verify IDP!
5. A PingOne login should appear. Provide your PingOne credentials, and select Sign On.
6. If your verification was successful, you will see a message pop up in the bottom right side of the System Settings screen. Note: The first user successfully signed in to the IDP via verification becomes the default Gallery administrator (curator).
Now you can complete the Alteryx System Settings configuration by clicking Next through the remaining configuration options, and then Finish.
When you navigate to your Gallery, and click Sign In, you should now be signed in with your PingOne Credentials. Hooray!
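The following is an added example, not part of the original article and not Alteryx or PingOne tooling: a Python script that reads the three values needed in Part 2, Step 3 from the downloaded metadata and collapses the certificate onto one line, so no carriage returns reach the System Settings field. The sample metadata, its example.com URLs and the filler certificate bytes are constructed, and the function name `extract_idp_fields` is hypothetical.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: placeholder URLs, and filler bytes standing in for a
# certificate (not a real X.509 cert), wrapped with CRLF line breaks.
SAMPLE_DER = bytes(range(96))
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()
WRAPPED = "\r\n".join(SAMPLE_B64[i:i + 64] for i in range(0, len(SAMPLE_B64), 64))
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}"
    xmlns:ds="{NS['ds']}" entityID="https://idp.example.com/constructed">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>\r\n{WRAPPED}\r\n</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sso.example.com/constructed/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def extract_idp_fields(xml_text):
    """Return the values entered in Part 2, Step 3, certificate on one line."""
    if "<!DOCTYPE" in xml_text:  # SAML metadata needs no DTD; refuse it
        raise ValueError("DOCTYPE not allowed in SAML metadata")
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor" or idp is None:
        raise ValueError("not an IdP EntityDescriptor")
    sso = idp.find("md:SingleSignOnService", NS)  # assumption: first one listed
    cert = idp.find(".//ds:X509Certificate", NS)  # assumption: first one listed
    if sso is None or cert is None or not (cert.text or "").strip():
        raise ValueError("SingleSignOnService or X509Certificate missing")
    one_line = "".join(cert.text.split())  # drops CR, LF, tabs and spaces
    der = base64.b64decode(one_line, validate=True)  # rejects stray characters
    return {
        "idp_url": root.get("entityID"),
        "idp_sso_url": sso.get("Location"),
        "x509_certificate": one_line,
        "sha256_fingerprint": hashlib.sha256(der).hexdigest(),
    }

if __name__ == "__main__":
    for name, value in extract_idp_fields(SAMPLE_METADATA).items():
        print(f"{name}: {value}")
```

The SHA-256 fingerprint is computed over the decoded certificate bytes, so it can be compared with a fingerprint of the same certificate obtained independently before the value is pasted in.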