SAML (Security Assertion Markup Language) is a standardized way for exchanging authentication and authorization credentials between different parties. The most common use for SAML is in web browser single sign ons. Starting in 2018.2, Alteryx Server supports SAML. So far, SAML in Alteryx Server has been specifically validated on two providers; Ping One and Okta. In this article we will review how to configure SAML on your Alteryx Server for Okta.
SAML (Security Assertion Markup Language) is a standardized way for exchanging authentication and authorization credentials between different parties. The most common use for SAML is in web browser single sign ons. Starting in 2018.2, Alteryx Server supports SAML. So far, SAML in Alteryx Server has been specifically validated on two providers; Ping One and Okta. In this article we will review how to configure SAML on your Alteryx Server for PingOne.
Alteryx Server provides a fully scalable architecture that allows an organization to scale Alteryx to automate data analytics, tackle bigger projects, process larger datasets and put self-service data analytics into the hands of more decision makers. From scaling Worker nodes to Gallery nodes to the MongoDB persistence layer, Alteryx Server allows organizations to efficiently manage their automated and self-service data analytics needs.
One common reason why the Alteryx Service appears stuck in the 'Stopping' state is when the service is trying to stop but the AlteryxEngineCmd.exe process is running. In other words, a workflow is running. The Alteryx Service cannot be stopped when a workflow is running due to a schedule or a Gallery run.
You will not be able to use this functionality on the Alteryx Server at this time. As of 10.6.8 and higher either the 'Allow Local Logon' or 'Logon as a Batch Job' permission is required for the Run As user and/or any Gallery Credentials.
Have you ever built an Alteryx App only to realize that some part of the process must remain in Excel? Instead of abandoning your Alteryx App all together, you may be able to use the Alteryx API and call your app from Excel. We’ve put together all the necessary VBA code so that it should be quick and easy for you to call an Alteryx App from Excel and get the results back. The following example is using an App that we’ve published to the public Alteryx gallery. If you want to create your own app on the Alteryx public gallery, you may need to reach out to Alteryx Support to set you up with an API enabled private studio. Alternatively, you can also change the URL setting to use your private gallery where the private gallery admin would manage private studios and enabling API. The Alteryx app for our sample, API Tester.yxzp, has been included in case you want to upload it to your private gallery and test out the Excel to Alteryx API using your Alteryx server instead of the Public Gallery that I'm connecting to.
SAMPLE EXCEL FILE - Input
We are going to be working with the attached “Reverse String.xlsm” to demonstrate the API. Suppose you wanted to reverse a string in excel (“Hello World” should be converted to “dlroW olleH”). You can’t quite get it in Excel, but you could quickly use the ReverseString function in Alteryx. Now the only trick is getting your data from Excel to Alteryx and back to Excel. We’ll have the user enter the string on cell E5 and then hit the Run Alteryx Button. Cell E6 will then be the results we get back from Alteryx
HOW TO SETUP THE VBA
When working with the Alteryx API, you need to setup some settings/configurations in your excel file before you can deploy it. If you open up the VBA editor (Alt + F11), there is Sub called Doer where we will have to enter a few key settings that apply to your Alteryx App. This is a one time setup for each different application that you setup.
strKey – this is your unique Alteryx Key. It is unique to all the apps in your private studio. It can be found here for the Alteryx public gallery
strSecret – this is your unique Alteryx Secret. It is unique to all the apps in your private studio. It can be found here for the Alteryx public gallery
strAppID – this is your app’s unique ID. When you look at your app in a browser, the appID is the unique ID at the end of the URL. For our sample, our AppID “589b70eceffc2a0bb0a2d530” can be found at the end of the App’s URL
AlteryxURL – this is the base URL where the app resides. For the public gallery, it is : https://gallery.alteryx.com. You would switch this your URL if you were going to use your private gallery. A private gallery would be of the format resembling: https://server.domain.com/gallery.
Data – Any data that needs to be passed from Excel to Alteryx can be saved as string variables in the VBA. For our simple app, we’re only passing one item, the string that we want reversed. In order to pass more complex data, we’ve found it easier to save the data to a .csv and then have the Alteryx App read the .csv as part of the app.
strQuery – This is the entire set of information that is being sent from Excel to the API for processing. It’s in JSON format. For each item, you need a name and value. The name corresponds to the interface tool’s name in your Alteryx App. The value corresponds to the value that want to set. From our Alteryx App, you can see that we’ve given our textbox tool the name “input_string”. For the value, we’ll be passing whatever string the user enters into excel.
To see all the questions for a given app, the API documentation is immensely helpful. After you enter your key and secret, you would go to the second GET, type in the appID, and then try it out to get a list of the name value pairs that we must send from Excel to Alteryx. Note that you only send the name and value fields from the response body.
Save – This variable is a Yes or No answer for whether or not you want to save the data coming back from Alteryx. In this case we would say Yes. For more complex apps, we may have our Alteryx workflow save the data to a network folder that our excel VBA would go grab once Alteryx is done. That post run coding would be added under the Part_Deux sub in the VBA editor. There we would have Save=”No”
Output_Name – this is the column name of the output data that we want to retrieve from Alteryx. In our sample, the column Name is “Output_String”. This only applies if Save=”Yes”
SaveLocation – this is the cell range where the output should be written. This process currently only supports writing one cell of data back to excel. Anything more complicated should be handled through custom VBA in the Part_Deux sub. This only applies if Save=”Yes”
NOTES ABOUT WHAT IS GOING ON BEHIND THE SCENES
While I won’t go through everything that is going on in the background, here are some key points:
Ensure that you have references to Microsoft XML, 6.0 if any errors pop up.
The VBA takes all the settings and adds the time and a random string before posting a request to the Alteryx Server to run the job in the RunAlteryx sub. It has to combine all these items, URL encode certain parts, create a base64 hash, and send this to the Alteryx server in just the right order.
It then makes a Get request to check the status. If the status is complete, then the VBA moves on to get the results; otherwise, the VBA creates another request to check the status in 1 second. Note that Excel will be operational during this time since it’s not during any work. This loop will continue until the status is either completed or error. Note that it will update the status on the bottom left of your screen to indicate that Excel is waiting on Alteryx to run the job.
Once the Alteryx app returns a completed status, the VBA will then make another get request for the output that you’ve requested (only if save=”Yes”). If Save=”Yes”, the VBA then saves the output to the specified cell.
If you want to write any of your own code that should execute when the code is done, place it in the part_Deux sub. For example, perhaps you have a private server setup where the Server will write an output file to a network folder that excel can read in from. The code in part_Deux might look something like the below:
Dim ActBook As Workbook
Dim FromAlteryx As String
FromAlteryx = "\\server\" + Environ$("username") + "_out.csv"
Set ActBook = ThisWorkbook
On Error GoTo 0
Selection.PasteSpecial Paste:=xlPasteValues, Operation:=xlNone, SkipBlanks _
Workbooks(Environ$("username") + "_out.csv").Close
SAMPLE EXCEL FILE - Output
Assuming we have everything setup correctly, our app should return the reverse of the string that is input:
This is a very common error that can occur if the AlteryxService shuts down unexpectedly. Most commonly the error is caused by MongoDB not shutting down properly and the lock file does not get released. This prevents MongoDB from starting the next time you try to start the AlteryxService and returns an error message.
Now, find all your Server and Gallery questions and answers in one place! The new Gallery Admin Help Page has your Server Installation Guide, Configuration instructions, and the much-requested Administer Gallery management features - Subscriptions and Studios defined! Manage your user permissions! Edit user accounts!
As Alteryx analysts, we’re whipping up insight at blazing fast speeds. Workflow after workflow, tool after tool, we’re gleaming functional understanding from inert webs of data that empower us to make better decisions. Good insight is only as good as it is shareable, however, and to enable better sharing any Alteryx analyst can take advantage of their Workflow Dependencies to simplify input or output path dependencies in shared workflows.
One of the three database options when setting up the Alteryx Server is to connect into a User-Managed MongoDB instance. Why would you want to set up your own implementation of MongoDB? The main benefits are to take advantage of the features of MongoDB that are not included with our embedded instance.
We hope that you are as excited about this new feature as we are! The new Database Connection Share is a feature that will allow ease of access for your Alteryx users to your databases. The feature also allows the Alteryx Gallery and Database Administrators more governance over what connections are being made as well as who are making the connections.The Admin of the Gallery can create and manage their users' data connections.
Assets are an important part of your workflows in Alteryx. Assets will need to be included if you want to share, schedule, and publish your workflows to your Gallery. We run into many cases where users are able to run workflows on their Designer but they fail on Scheduler and Gallery. In a lot of cases it is due to the pieces of the workflow are not all there in the Scheduler and Server database. In this article, we will talk about when you need assets, how to package the assets, and what assets you want to make sure are a part of your workflow.
When You Need Assets:
When building and using workflows in the Alteryx Designer you don’t need to do anything with your assets as they are a part of your workflow locally, but if you want to move the workflow somewhere or to someone, you will need to package the workflow.
When sharing your workflow with another user, the workflow will need to be packaged with those assets so that the user can run the workflow without error. This would include input files as well as macros. If the workflow is connected to a database or using Alteryx Data, the user will not be able to run the workflow successfully unless they have access to those data sources on their own machine.
If you have Server or Desktop Automation, the Scheduler will be using a database separate from your Designer. If you have Server you will be using a MongoDB and if you have automation you will be using a SQLite database. This would mean that any macros that are not on the server or SQLite database would need to be added. By packaging the workflow and scheduling the package, the Scheduler will be able to access any custom macros or macros not included with Alteryx. This would include Predictive as well unless you have installed the predictive tools to your Server. If you have version 11.0 Server or later, you can send your workflows to your private gallery and schedule them on your server. When you do that, Alteryx will package the workflow the same as if you were sending an app or workflow to the Gallery as below.
The Gallery works a little different than packaging a workflow or Scheduled workflow. The difference is that the Assets will need to be on the Alteryx Server along with the workflow for the app, macro, or workflow to be used on the Gallery. Basically, the Save As option to the Gallery of your choice will start the packaging process of your workflow and Assets. The Save As a workflow window will appear with information about your workflow that you are sending to the Server Gallery. Select Workflow Option. Below the Workflow Options you will select Manage workflow Assets. This is where you can include and exclude information being sent to the Gallery.
Packaging the Assets:
Select in the tool bar Options ->Export Workflow. This will then launch a window that will show the name of your workflow, the location where the package will be stored, and the list of workflow assets.
When sending your workflow to the Gallery, you will do a Save As to and the Company’s Gallery. A window will open and you will see Workflow Options at the bottom of the page.
Select Workflow Options
You will then reach the Assets window which is similar to the packaged Assets window above.
You also have a second option when sending workflow to the gallery. In the Workflow Configuration window, select the Events tab, Select Add, Run Command. You will see a tab called Assets where you can add assets to the workflow. This is especially helpful when you are adding a chained app to the gallery. Check out Jordan’s article for the step by step: Adding-Files-to-the-Gallery.
What Assets Do I Need:
Great! I found the assets, but why are some missing, some checked, some not checked and which ones do I really need and what don’t I need?
You may see that you have Input and Output assets. When you are packaging a workflow to send to a user, you can include those assets if the user does not have those files to run the workflow. If the user does have the files or they are going to update the Input files or Output files, then you would not include them. The Input and Output assets will never include database connections only files.
The .yxmc files can be an important part of your workflow. Many of the Alteryx tools are .yxmc files and if these macros are a part of the Designer package, you won’t need to include them in the package as Alteryx knows that these tools will be in the workflow (example Report Header Tool is a macro). If macros are downloaded from the Alteryx Gallery, custom created, or sent from another user, these macros will need to be included as Assets.
When you publish an application to the Alteryx Gallery it packages this workflow up into a yxzp and creates folders called 'Externals'. In these folders it might contain macros within your workflow or more commonly input and output file locations.
The Designer does this is to ensure your application has the read and write capabilities when published to the server. However, you may be confident that the server has access to a mapped drive or database. Therefore, you can do the following to keep your macros, input & output file paths absolute (C:\Users\etc.) rather than relative (.\etc):
1. Within the Alteryx Designer go to File>>Save As>>Gallery
2. Before Saving go to 'Workflow Options' >>> 'Manage workflow assets'
3. Make sure all macros, input and output files you want to keep absolute are unchecked
4. When you publish to the Alteryx Gallery now these macros, input and output file will keep the same path and not kept in external folders.
Consideration: When uploading to the Gallery the location of the macros needs to be accessible from the server. Hence, it is best practice to have these on a mapped drive or on the server itself so the workflow does not error.
Question The below question was originally asked in the Discussion boards and comes up somewhat frequently from Server users:
Where I'm left scratching my head is how to best set up Gallery, manage permissions, and manage schedules. In an ideal world, I guess I'd see it going like this:
Developers create workflows & upload to private gallery
Admin (me) updates connection strings and performs cursory review before moving it into a shared area. Developers should be prevented from doing this.
QA team reviews and gives signoff.
Admin (me) moves to a shared area (a collection?) and schedules the workflow as needed. Developers sho uld be prevented from doing this.
Is this approach feasible given the functionality of Gallery? For now, it seems somewhat all-or-nothing to me. If I make somebody an Artisan, it seems like they can publish things to the gallery, schedule workflows, etc. But I may be completely missing something here.
Also, I'm using Windows authentication and I don't see any way to add users to a Subscription. There's literally no button below the Artisans & Members boxes. How do I do this?
Answer The below answer was provided KoryC:
What you're wanting to do is very similar to what we see other customers looking to accomplish - essentially, better and more granular control over what users can do within given projects, and a promotion process of workflows. Today, our Gallery does indeed, as you mention, provide the artisan access as a sort of all or nothing type of deployment. So unfortunately, the level of access control you're looking for today is not yet available, but it is on our roadmap and something we are actively looking at for a future release - this is one of our top priorities.
So today, the best approach is indeed to make those developers artisans. Yes, this will enable them to make things public or share them even if they shouldn't, but there are still administrative capabilities, such as removal of workflows, that can help in case such accidents or activities occur.
And as for the user-to-studio management in Windows Auth mode - we're looking to get that button added for an upcoming release, and on top of that, taking a good look and building out some better and easier ways of managing users in Windows Auth mode in general, much in alignment with how we want to make user and gallery management easier in the future.
Let me know if this helps. I know it's not the ideal answer you'd want today, but we are looking to make some significant improvements here. I'd also greatly appreciate any time you may have to go over features like this and to get more direct feedback in the future too!
As far as your question regarding Windows Auth vs. Built-in - no, it's not required to use built-in for subscription artisans (though members don't make much sense in a Windows Auth environment). It is, however, trickier to manage, as you've discovered. The facilities for managing studios-to-users in Windows Auth are lacking at the moment, and it's an area we're looking to improve. Copying and editing the subscription key is indeed the only way. And yes, only one subscription per user - though this is another area we are looking at expanding upon in the future.
There is a button in v10.5 to add artisans to a studio, but not for members, which will likely ultimately go away, at least with Windows Authentication deployments.
For more information about Gallery Administration and setup, take a look at the following article. The link goes to the first of a four part article series:
Alteryx Gallery Administration