

Configuring SAML on Alteryx Server for PingOne

SydneyF
Alteryx Alumni (Retired)

SAML (Security Assertion Markup Language) is a standardized way of exchanging authentication and authorization credentials between different parties. The most common use for SAML is web browser single sign-on. Starting in 2018.2, Alteryx Server supports SAML. So far, SAML in Alteryx Server has been specifically validated on two providers: PingOne and Okta. In this article we will review how to configure SAML on your Alteryx Server for PingOne.

Part 1: Add Alteryx to PingOne

This entire process starts with configuration on the Single Sign On Provider’s side. This is a step-by-step outline of how to add Alteryx as an application in PingOne.

  1. In the PingOne configuration window, under Applications > My Applications, click Add Application and select New SAML Application.

  2. Fill in the name, description, and details for Alteryx. Then click Continue to Next Step.

  3. On the next screen, download the SAML metadata file and hold on to it. You will need it while configuring the System Settings on the Alteryx Server side.

Fill in the Assertion Consumer Service field with your base Gallery URL with /aas/Saml2/Acs appended to the end (e.g., http://gallery.alteryxtest.com/aas/Saml2 or https://gallery.alteryxtest.com/aas/Saml2 if SSL is enabled).

Fill in the Entity ID field with your base Gallery URL with /aas/Saml2 appended (e.g., http://gallery.alteryxtest.com/aas/Saml2).

Click Continue to Next Step.

  4. In SSO Attribute Mapping, add the Application Attributes email, firstName, and lastName, and set the Identity Bridge Attribute or Literal Value for each to Email, First Name, and Last Name respectively. Set all three SSO mapped attributes as required.

Select Save & Publish.

Part 2: Configure the Alteryx System Settings

Once Alteryx has been added to PingOne, you can configure SAML in the Alteryx Server’s System Settings.

  1. In Alteryx System Settings, click Next until you reach Gallery > Authentication, and select SAML authentication as your Authentication Type.

  2. There are two options for obtaining the metadata required by the IDP (Identity Provider). However, PingOne is currently only configured to allow X509 certificate and IDP SSO URL, so this is the option you will need to select.

  3. Leave the ACS Base URL field as the auto-populated value (note that if you have SSL enabled, this should be reflected in the Gallery's address as https instead of http).

The IDP URL will be the entityID listed in the SAML metadata exported from PingOne (Part 1, Step 3).

The IDP SSO URL will be the Location attribute of the SingleSignOnService element in the same metadata document.

The x509 certificate can be copied and pasted from the SAML metadata document.

Please note: there is currently a known issue where carriage returns in the pasted certificate cause the authentication service to crash. Try pasting the certificate into a plain-text editor such as Notepad first to strip out the formatting.

  4. When each of these fields has been filled out, click the Verify IDP button.

  5. A PingOne login should appear. Provide your PingOne credentials, and select Sign On.

  6. If your verification was successful, you will see a message pop up in the bottom right of the System Settings screen. Note: The first user to successfully sign in to the IDP via verification becomes the default Gallery administrator (curator).

Now you can complete the Alteryx System Settings configuration by clicking Next through the remaining configuration options, and then Finish.

When you navigate to your Gallery, and click Sign In, you should now be signed in with your PingOne Credentials. Hooray!
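
The following Python example is added here and is not from the original article or from Alteryx. It reads an IdP metadata document and returns the three values Part 2, Step 3 asks for, with the certificate collapsed to one line free of carriage returns, plus a SHA-256 fingerprint to compare against the certificate shown by the IdP. The sample metadata, its URLs and certificate bytes are constructed placeholders, the name idp_settings is an assumption, and the function takes the first SingleSignOnService and the first KeyDescriptor certificate it finds.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: placeholder entityID, SSO URL and certificate bytes.
# The certificate text is wrapped with CR/LF to mimic a raw copy/paste.
_B64 = base64.b64encode(bytes(range(96))).decode()
_WRAPPED = "\r\n".join(_B64[i:i + 64] for i in range(0, len(_B64), 64))
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}"
    entityID="https://idp.example.test/idp/placeholder">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="{NS['ds']}"><ds:X509Data><ds:X509Certificate>
{_WRAPPED}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/sso/placeholder"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def idp_settings(metadata_xml):
    """Return the IDP URL, IDP SSO URL and one-line certificate from metadata."""
    if "<!DOCTYPE" in metadata_xml:
        raise ValueError("SAML metadata must not carry a DTD")
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    sso = None if idp is None else idp.find("md:SingleSignOnService", NS)
    cert = None if idp is None else idp.find(
        "md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if sso is None or cert is None or not root.get("entityID"):
        raise ValueError("metadata lacks entityID, SSO service or certificate")
    # Drop every CR, LF, space and tab so the pasted value is one clean line.
    one_line = "".join((cert.text or "").split())
    der = base64.b64decode(one_line, validate=True)  # rejects stray characters
    return {
        "idp_url": root.get("entityID"),
        "idp_sso_url": sso.get("Location"),
        "x509_certificate": one_line,
        "sha256_fingerprint": hashlib.sha256(der).hexdigest(),
    }

if __name__ == "__main__":
    print(idp_settings(SAMPLE_METADATA))
```

To use it on a real export, pass the contents of the metadata file downloaded in Part 1, Step 3 to idp_settings in place of SAMPLE_METADATA.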

Comments
RobertF
7 - Meteor

Can someone verify that the highlighted sections of the metadata (which include tag names) should be included in the Alteryx Server Configuration locations?

For example, above for the IDP URL it shows the whole line for entity ID highlighted:

entityID="https://pingone.com/idp/cd-1717498366.gmail">

Do I place that entire string in the SAML IDP Configuration -> IDP URL?

Or do I just put the URL: https://pingone.com/idp/cd-1717498366.gmail (no quotes, no entityid=)?

rkong
Alteryx

Hello Sydney,

Thank you very much.

Now, PingOne supports IDP METADATA URL. So the configuration should be easier than before.

But my verification is just hanging on the login window, an empty window.