Alteryx Server

Share your Server product ideas - we're listening!

Multi-Forest as well as Multi-Domain support for Windows authentication

We have several clients that operate in a Multi-Forest environment due to mergers and acquisitions.  Currently with Alteryx Server the only option we can offer them is to use Built-In authentication.  A lot of corporate and particularly finance institutions prefer a single sign on approach and utilise Windows authentication to do this.

 

Would it be possible to add support for Multi-Forest organisations into Server to support organisations going through mergers and acquisitions?

 

This would really benefit us in selling Server in to organisations with complex structures and reduce friction in publishing or preparing workflows.

8 Comments
Alteryx Certified Partner

Agreed, this would be really helpful for multi-jurisdiction clients with more complex security models (which is becoming more common, sadly).

Alteryx Partner

I have a big financial institution interested in Server.  Data Governance is a high priority for them (should be for everyone!).  Would love to see this suggestion taken very seriously.

5 - Atom

As a global financial player we need this feature to move on with Alteryx!



 

5 - Atom

Hi,

 

Implementing this would be an ideal solution for my company as well. We originally wanted to use windows authentication, however, this created issues amongst our users on a different domain in a different forest. We are now deciding what would be the best course of action in order to resolve this issue while maintaining an appropriate degree of security.  Is this something that the Alteryx team is currently working on, or will be working on in the future? 

6 - Meteoroid

Require support for multiple forests in Federal customer space as well. Thank you.

5 - Atom
As one of the worlds leading Industrial Design and Automation businesses this would be critical to help us provide workspace automation to new mergers and disparate entities each with their own ActiveDir in multiple forests. Following a merger, a parent company often pulls the objects from new companies and merges them into the parent AD, which helps for emails, others layers, especially Windows native interaction, but Alteryx Server doesn't have the capability to configure one, or more, ActiveDir. Instead the original design relies on an nebulous, ill defined 2-way trust model. It'd be *much* more useful if the Alteryx Server had a real LDAP/ActiveDir client that could be configured via XML or other means, to identify, execute, use multiple ActiveDir installs. And no SAML, OAuth, other SSO layers would *not* be the answer. Until this happens, Alteryx Server is/will be a small departmental player.
Alteryx Alumni (Retired)
Status changed to: Not Planned

While I'm very aware of the value of this feature, it is a very heavy lift. This is not on the immediate roadmap. That being said, it is under evaluation for how and when we can implement this. If there was a status of "Planning to put Under Review", we would be marking it as that. We'll be sure to let you know if and when this plans to be addressed.

 

-Tanya

14 - Magnetar
14 - Magnetar

Would like to bring some attention back to this idea, as I believe a significant improvement has been made with 2020.1 that helps to address the multi-forest issue. We have two Domains, separate forests, with full bilateral trust, but with Windows Authentication on 2019.2, we were not able to find a way to grant access to collections (users from the "other" domain could navigate to the site, and a "User" would be created for them, but they couldn't be added to any collections/etc.)...

 

We received a suggestion to try upgrading to 2020.1, however, since there were some changes made to the way authentication works (something about looking globally first, rather than domain first? Maybe?)... at any rate, this solved the problem of getting our "other" domain users access/authenticated - we can now see them on the Users tab and are able to assign them roles. So now they're in the Gallery, they have roles, they can run things on the Home tab, and the cross-forest issue appears to have been resolved, at least from an initial user set up perspective. (SO EXCITING!!)

 

However... this does NOT appear to be how the Collections work when it comes to adding users, because I cannot add my "other" domain users to any of the Collections. Which makes me think that however the Collections are looking up users, they're still doing so domain first, not globally first. 

 

So it appears to be *so close* to being able to properly use multi-domain/forest environments with Windows Authentication, but we just need that last hurdle of getting the Collections to recognize users the same way the Users tab does in the Admin side. I have some (probably not supported) workarounds for the time being, but being that we are so close on this, I am hoping Product Management will consider revisiting this, as the ask will hopefully be a bit smaller now that we're already almost there? 

 

If this should be a new idea, as the environment has changed a bit since the original idea, please let me know, happy to re-submit.

 

Thank you!!

NJ