Inspire EMEA 2022 On-Demand is live! Watch now, and be sure to save the date for Inspire 2023 in Las Vegas next May.

Engine Works

Under the hood of Alteryx: tips, tricks and how-tos.
MarcW
Alteryx
Alteryx

Alteryx Architectures_Banner_999x240-02.png


Alteryx Architectures - Introduction

Alteryx Architectures - Starter Architectures

Alteryx Architectures - SAML SSO Authentication (you are here)

Alteryx Architectures - Workload Management

Alteryx Architectures - Resiliency and High Availability


SAML SSO authentication in Alteryx Server

 

Welcome to another article in the Alteryx Architectures blog series In this installment, we’ll take a look at SAML authentication to enable single sign-on (SSO) within Alteryx Server Gallery.  This blog will cover an overview of authentication options in Alteryx Server, and then look at the overall flow of requests when SAML (SSO) authentication is used. 

 

Summary of authentication types

 

Workflows created with Alteryx Designer are published to Alteryx Server to share and govern analytic workflow processes, models, and data; automate analysis and outcomes; and scale analytics across the organization. The Gallery component within Alteryx Server provides a web-based application for users. The Gallery supports 3 authentication types:

  1. Built-in: Users enter an email address and password of their choice to access Gallery.
  2. Integrated Windows authentication: Users access Gallery with their internal network credentials.
  3. SAML authentication: Users access Gallery with Identity Provider (IDP) credentials.

 

What is SAML authentication SSO?

 

Security Assertion Markup Language (SAML) authentication is a mechanism by which the authentication process of an application is offloaded to an Identity Provider (IDP).  SAML authentication is supported by Gallery with IDPs that support the SAML 2.0 specification and use a SHA-256 XML signature. Examples include Azure AD, Okta, PingOne and others. The use of SAML authentication allows users to authenticate with the IDP and then automatically be signed into the Gallery.

 

SAML authentication flow

SAML_flow.png

The SAML authentication flow steps are:

  1. The user selects the “Sign In” button on the Gallery page.
  2. The Gallery redirects the user to the IDP to authenticate. This is the SAML Request.
  3. Upon successful authentication, the IDP returns a signed XML document with user information. This is the SAML Assertion.
  4. The Gallery then validates the response against a pre-configured certificate. The Gallery sends a security token to the browser to attach to the web page request.
  5. The Gallery web page is requested, and the user is automatically signed into the Gallery application.

 

Note: All communication between the Gallery and IDP is through the browser.

 

SAML Configuration Summary

 

Configuring the Gallery for SAML authentication consists of the following steps:

  1. Select SAML authentication type within the Alteryx Server Systems Settings application.
  2. Copy the “Entity ID” and Assertion Consumer Service (ACS) URL from System Settings and use these within the IDP configuration for the application.
  3. Add required, case-sensitive user attributes (claims) for “firstName”, “lastName”, and “email” to the IDP configuration.
  4. Copy the IDP URL and IDP Metadata URL and paste these fields in Alteryx Server System Settings.
  5. Select “Verify IDP” within System Settings to test the configuration.
  6. Complete the System Settings setup, navigate to the Gallery URL, and select Sign In.

 

Note: Configuring Gallery for SSL/TLS is recommended and, in most cases, required by the IDP. For more detailed information, please see the Configure Gallery Authentication documentation.

 

MFA

 

Multi-factor Authentication (MFA) can be used by the Gallery when provided by the IDP. For example, MFA can be configured with Azure AD for the Gallery application and the user can be required to approve the sign-in request using the Microsoft Authenticator mobile app.  MFA can only be used with the SAML SSO authentication option, and only if supported/configured by the IDP.

 

Additional Information

 

The following Alteryx Community articles provide detailed SAML authentication setup steps for Gallery using various IDPs.

 

Summary

 

In this blog we have introduced SAML authentication to enable single sign-on within Alteryx Server Gallery.  In subsequent blog entries in this series, we will look at a number of other topics ranging from scalability, high availability, cloud deployments, and more.  If you have any topics you would specifically like to see discussed, please leave a comment below.