Configuring SAML on Alteryx Server for Active Directory Federation Services (ADFS)
Alteryx Server has the ability to use most identity providers that support the SAML 2.0 standard, and from my testing, ADFS is no exception! The following information will assist with configuring Alteryx Server to be functional with ADFS.
Please note the following information is based on third-party software and processes may be slightly different on older or newer versions of the software. The following was created against ADFS v4.0 running on Windows Server 2016 and Alteryx Server 2019.2.
AD FS Server
- Account with access to perform administration tasks
- All users that will log in must have an email address attribute
Alteryx Server >= 2018.2
- Account with access to perform administration tasks
- SSL/TLS certificate installed on Alteryx Server (a self-signed certificate is not recommended)
Verify that your Alteryx Server's Gallery function has been configured with SSL/TLS enabled on each Gallery node in the environment and that a proper SSL certificate is installed. Instructions are provided in the link above.
This and the following steps require an ADFS administrator. Open the AD FS Management utility (Start > Windows Administrative Tools > AD FS Management).
Click Relying Party Trusts from the console, then click Add Relying Party Trust...
Click Enter data about the relying party manually and click Next.
Type a Display name for the trust. I placed "Alteryx Server" here, but you can use a name that best identifies the connection for you, such as a server name or other easily identifiable name. Then click Next.
Click Next on the Configure Certificate page.
Check the box for Enable support for the SAML 2.0 WebSSO protocol. Type the URL of the Alteryx Server's SAML endpoint in the Relying party SAML 2.0 SSO service URL box; this is typically the base URL of Alteryx Gallery with "/aas/Saml2" appended. Once you have added the proper URL, click Next.
Note: This endpoint may be case sensitive depending on settings in your environment. I recommend entering it with the capitalization shown in the screenshot and example below.
Example:
Gallery URL: https://trn-srv-07.cs.alteryx.com/gallery
SAML Endpoint: https://trn-srv-07.cs.alteryx.com/aas/Saml2
In the Relying party trust identifier, type the same SAML endpoint as the previous step and click Add to add the URL to the list below. Click Next.
Select Permit everyone from the Access Control Policy and click Next.
Note: You may wish to configure this option differently depending on the environment and whom you wish to be able to authenticate with Alteryx Gallery, or you may wish to set up Multi-Factor Authentication (MFA). Specific access permissions and these types of setup are outside the scope of this article.
Click Next on the Ready to Add Trust page.
Check the box next to Configure claims issuance policy for this application and click Close.
Within the new Claim Issuance Policy window, click Add Rule...
Verify the Claim rule template is set to Send LDAP Attributes as Claims and click Next.
Type a desired name for the rule within the Claim rule name box. From the Attribute store drop-down, choose Active Directory.
Using the following table, set the appropriate options within the Mapping of LDAP attributes to outgoing claim types box. Click Finish. Note: The following outgoing values are case sensitive and will need to be typed except for "SAM-Account-Name".
Outgoing Claim Type
On the Claim Issuance Policy window, click Apply to apply the settings, then click OK.
You will now need an administrator with access to the Alteryx Server machine(s) running the Gallery for your environment. Connect to the machine remotely via Remote Desktop.
Open the Alteryx System Settings application, then click Next until you are at the Gallery > Authentication page.
From the Authentication Type box, click the radio button next to SAML authentication. Under Select an option for obtaining metadata required by the IDP, click the radio button next to IDP Metadata URL.
Warning: It is not recommended to change the authentication type once you have established the persistence layer (e.g. MongoDB) and started using a particular authentication method in your environment. Differences in user account structure are likely to result in errors in the Gallery if the authentication method is changed in an established environment. If you are changing authentication methods, it is recommended to create a new persistence database!
From the SAML IDP Configuration box, set the ACS Base URL to the root of the Gallery URL plus "/aas".
Example:
Gallery URL: https://trn-srv-07.cs.alteryx.com/gallery
ACS Base URL: https://trn-srv-07.cs.alteryx.com/aas
Set the IDP URL (also known as Entity ID) to the Federation Service identifier value from ADFS.
Example: https://sts1.cs.alteryx.com/adfs/services/trust
Note: If you are not sure of this value, ask your ADFS administrator, or download the metadata XML from the link you will use in the next step and look for the "entityID".
Set the IDP Metadata URL to the location of the Federation Metadata XML file provided by the ADFS server.
Example: https://sts1.cs.alteryx.com/FederationMetadata/2007-06/FederationMetadata.xml
Note: If you are not sure of this value, ask your ADFS administrator.
Click Verify IDP. If all goes well, you should receive a message similar to the following:
Note: See the Common Issues section below for tips on troubleshooting!
Click Next through the remainder of the System Settings dialogs, then click Finish.
(Optional) Return to Step 17 if you have additional Gallery node(s) to configure.
Once all Gallery node(s) are configured, attempt to access your private Alteryx Gallery and log in with your fresh new SAML configuration!
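As an added example (not part of the original article or of Alteryx's own tooling), the following PowerShell function derives the values entered in the ADFS and Alteryx System Settings steps above from the Gallery URL and a saved copy of the federation metadata, and rejects non-HTTPS URLs. `Get-AlteryxSamlValues` is a hypothetical helper name and the metadata shown is a constructed, trimmed sample.

```powershell
# Constructed, trimmed sample; real ADFS metadata also carries signing
# certificates and an XML signature.
$SampleMetadata = @'
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://sts1.cs.alteryx.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://sts1.cs.alteryx.com/adfs/ls/" />
  </IDPSSODescriptor>
</EntityDescriptor>
'@

function Get-AlteryxSamlValues {   # hypothetical helper, not an Alteryx cmdlet
    param(
        [Parameter(Mandatory)][string]$GalleryUrl,
        [Parameter(Mandatory)][string]$MetadataUrl,
        [Parameter(Mandatory)][string]$MetadataXml
    )
    # The Gallery must run over TLS, and the metadata (which carries the IdP
    # signing certificates) should only ever be fetched over HTTPS.
    foreach ($u in $GalleryUrl, $MetadataUrl) {
        if (([uri]$u).Scheme -ne 'https') { throw "Not an https URL: $u" }
    }
    # Scheme + host (+ port) of the Gallery, without the /gallery path.
    $root = ([uri]$GalleryUrl).GetLeftPart([System.UriPartial]::Authority)

    $doc = [xml]$MetadataXml
    $ns  = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $entity = $doc.SelectSingleNode('/md:EntityDescriptor', $ns)
    if ($null -eq $entity) { throw 'No EntityDescriptor element in metadata' }
    $idp = $entity.SelectSingleNode('md:IDPSSODescriptor', $ns)
    if ($null -eq $idp -or
        $idp.GetAttribute('protocolSupportEnumeration') -notmatch 'SAML:2\.0:protocol') {
        throw 'Metadata does not describe a SAML 2.0 identity provider'
    }
    [pscustomobject]@{
        SamlEndpoint   = "$root/aas/Saml2"   # ADFS: SSO service URL and trust identifier
        AcsBaseUrl     = "$root/aas"         # Alteryx: ACS Base URL
        IdpUrl         = $entity.GetAttribute('entityID')   # Alteryx: IDP URL
        IdpMetadataUrl = $MetadataUrl        # Alteryx: IDP Metadata URL
    }
}

Get-AlteryxSamlValues -GalleryUrl 'https://trn-srv-07.cs.alteryx.com/gallery' `
    -MetadataUrl 'https://sts1.cs.alteryx.com/FederationMetadata/2007-06/FederationMetadata.xml' `
    -MetadataXml $SampleMetadata | Format-List
```

The function emits "/aas/Saml2" with the exact capitalization the article recommends, so the output can be copied into both the ADFS trust and the Alteryx settings without retyping.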
Common Issues
AlteryxAuthorizationService.exe has stopped working or there is a failure to set the Default Gallery Administrator
- Turn off IE Enhanced Security Configuration on the Alteryx Server if you have crash errors while verifying the IDP information. This feature can be turned back on once you have the configuration in a functional state. https://www.limestonenetworks.com/support/knowledge-center/17/70/how_do_i_disable_internet_explorer_enhanced_security.html
- Verify that the values in the SAML IDP Configuration are correct for your ADFS server.
- Verify that the ADFS server was configured with the correct claim attributes.
- Check the AlteryxAuthorizationService.exe logging directory (%PROGRAMDATA%\Alteryx\Logs) for any clues.
- Open Event Viewer within Windows and look for errors that may be of use in the Application log.
- If still stuck, reach out to our Support team. I'd suggest providing the following:
  1. Values set in the Alteryx System Settings application for SAML
  2. AAS log files (found in %PROGRAMDATA%\Alteryx\Logs\)
  3. Configuration screenshots for ADFS