cancel
Showing results for 
Search instead for 
Did you mean: 

alteryx server Knowledge Base

Definitive answers from Server experts.
Online Help Survey

Help shape the future of Alteryx Technical Documentation by sharing your feedback!

LEARN MORE
Announcement | Looking to expand your Alteryx skillset?! Check out the latest set of interactive lessons in Alteryx Academy: Creating Analytic Apps

Configuring SAML on Alteryx Server for PingOne

Alteryx
Alteryx

SAML (Security Assertion Markup Language) is a standardized way for exchanging authentication and authorization credentials between different parties. The most common use for SAML is in web browser single sign ons. Starting in 2018.2, Alteryx Server supports SAML. So far, SAML in Alteryx Server has been specifically validated on two providers; Ping One and Okta. In this article we will review how to configure SAML on your Alteryx Server for PingOne.

 

Part 1: Add Alteryx to PingOne

 

This entire process starts with configuration on the Single Sign On Provider’s side. This is a step-by-step outline of how to add Alteryx as an application in PingOne.

 

  1. In the PingOne configuration window, under Applications > My Applications, click on Add Application and select New SAML Application.

 

PingAddApp.png

 

2. Fill in the name, description, and details for Alteryx. Then, click Continue to Next Step.

 

PingAppDetails.png

 

3. In the next screen, download the SAML metadata file, and hold on to it. You will need it during while configuring the System Settings on the Alteryx Server side.

   

    Fill in the Assertion Consumer Service field with: https://YOURGALLERYURLHERE/aas/Saml2/Acs

   

    Fill in the Entity ID field with: https://YOURGALLERYURLHERE/aas/Saml2

 

PingAppConfig.png

 Click Continue to Next Step.

 

4. In SSO Attribute Mapping, add the Application Attributes email, firstName, and lastName, and set the Identify Bridge Attribute or Literal Value for each to Email, First Name, and Last Name respectively. Set all three SSO mapped attributes as required.

 

PingAttributeMapping.png

 

Select Save & Publish.

 

 

Part 2: Configure the Alteryx System Settings

 

Once Alteryx has been added to PingOne, you can configure SAML in the Alteryx Server’s System Settings.

 

  1. In Alteryx System Settings, click next until you navigate to Gallery > Authentication, and select SAML authentication as your Authentication Type.

PingSystemSettingsSAML.png

 

2.  There are two options for obtaining metadata required by the IDP (Identity Provider), however, currently PingOne is only configured to allow X509 certificate and IDP SSO URL, so this is the option you will need to select.

 

PingSystemSettingsOption.png

 

3. Leave the ACE Base URL field as the auto-populated value.

 

    The IDP URL will be the entityID listed in the SAML metadata exported from PingOne (Part 1, Step 3)

 

PingEntityID.png

 

The IDP SSO URL will be the SingleSignOnService Binding Location attribute in the same metadata document.

 

PingIDPSSO.png

 

The x509 certificate can be copied and pasted from the SAML metadata document.

 

Ping509Cert.png

 

Please Note: there is currently a known issue that if the copy/paste contains carriage returns this will cause the authentication service to crash.  Try copying/pasting the cert into something like notepad first to strip out the formatting.

 

4. When each of these fields have been filled out, click on the button to Verify IDP!

 

PingSystemSettingFull.png

 

5. A Ping One login should appear. Provide your PingOne Credentials, and select Sign On.

 

PingOneSignOn.png

 

6. If your Verification was successful, you will see a message pop up in the bottom right side of the System Settings Screen. Note: The first user successfully signed in to the IDP via verification becomes the default Gallery administrator (curator).

 

PingOneSuccess.png

 

Now you can complete the Alteryx Systems Settings configuration by clicking Next through the remaining configuration options, and then Finish.

When you navigate to your Gallery, and click Sign In, you should now be signed in with your PingOne Credentials. Hooray!

 

Contributors