This article was written by MarcW and originally appeared on the Alteryx Engine Works blog here: https://community.alteryx.com/t5/Engine-Works/Alteryx-Architectures-SAML-SSO-Authentication/ba-p/895056
SAML SSO authentication in Alteryx Server
Welcome to another article in the Alteryx Architectures blog series. In this installment, we’ll take a look at SAML authentication to enable single sign-on (SSO) within Alteryx Server Gallery. This blog will cover an overview of authentication options in Alteryx Server, and then look at the overall flow of requests when SAML (SSO) authentication is used.
Summary of authentication types
Workflows created with Alteryx Designer are published to Alteryx Server to share and govern analytic workflow processes, models, and data; automate analysis and outcomes; and scale analytics across the organization. The Gallery component within Alteryx Server provides a web-based application for users. The Gallery supports 3 authentication types:
- Built-in: Users enter an email address and password of their choice to access Gallery.
- Integrated Windows authentication: Users access Gallery with their internal network credentials.
- SAML authentication: Users access Gallery with Identity Provider (IDP) credentials.
What is SAML authentication SSO?
Security Assertion Markup Language (SAML) authentication is a mechanism by which the authentication process of an application is offloaded to an Identity Provider (IDP). SAML authentication is supported by Gallery with IDPs that support the SAML 2.0 specification and use a SHA-256 XML signature. Examples include Azure AD, Okta, PingOne and others. The use of SAML authentication allows users to authenticate with the IDP and then automatically be signed into the Gallery.
SAML authentication flow
The SAML authentication flow steps are:
- The user selects the “Sign In” button on the Gallery page.
- The Gallery redirects the user to the IDP to authenticate. This is the SAML Request.
- Upon successful authentication, the IDP returns a signed XML document with user information. This is the SAML Assertion.
- The Gallery then validates the signature on the response against the pre-configured IDP certificate. On success, the Gallery sends a security token to the browser, which attaches it to the subsequent web page request.
- The Gallery web page is requested, and the user is automatically signed into the Gallery application.
Note: All communication between the Gallery and IDP is through the browser.
SAML Configuration Summary
Configuring the Gallery for SAML authentication consists of the following steps:
- Select SAML authentication type within the Alteryx Server Systems Settings application.
- Copy the “Entity ID” and Assertion Consumer Service (ACS) URL from System Settings and use these within the IDP configuration for the application.
- Add required, case-sensitive user attributes (claims) for “firstName”, “lastName”, and “email” to the IDP configuration.
- Copy the IDP URL and IDP Metadata URL from the IDP and paste them into the corresponding fields in Alteryx Server System Settings.
- Select “Verify IDP” within System Settings to test the configuration.
- Complete the System Settings setup, navigate to the Gallery URL, and select Sign In.
Note: Configuring Gallery for SSL/TLS is recommended and, in most cases, required by the IDP. For more detailed information, please see the Configure Gallery Authentication documentation.
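The flow described above and the Entity ID, ACS URL and case-sensitive attribute names from the configuration steps come together in the checks a SAML service provider performs on the returned assertion once its signature has been verified. The Python below is an added example, not Alteryx's code: the Gallery URL, ACS path, request ID and assertion contents are constructed values, and signature verification against the IDP certificate is assumed to have been done separately by an XML-DSig library and is passed in as a flag.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED_ATTRS = ("firstName", "lastName", "email")  # case-sensitive, as Gallery expects

def parse_saml_time(ts):
    # SAML timestamps are ISO 8601 UTC, e.g. 2024-01-01T12:00:00Z
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_response(xml_text, entity_id, acs_url, request_id, now, signature_ok):
    """Return (True, attributes) or (False, failed_check). signature_ok is the result of
    verifying the XML signature against the pre-configured IDP certificate (done separately)."""
    if not signature_ok:
        return False, "signature"
    root = ET.fromstring(xml_text)
    if root.get("Destination") != acs_url:        # response must be addressed to our ACS URL
        return False, "destination"
    if root.get("InResponseTo") != request_id:    # must answer the SAML Request we issued
        return False, "in_response_to"
    assertion = root.find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS) if assertion is not None else None
    if cond is None:
        return False, "no_conditions"
    if not parse_saml_time(cond.get("NotBefore")) <= now < parse_saml_time(cond.get("NotOnOrAfter")):
        return False, "validity_window"           # expired or not-yet-valid assertion
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if entity_id not in audiences:
        return False, "audience"                  # assertion was issued for a different application
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = value.text if value is not None else None
    missing = [n for n in REQUIRED_ATTRS if not attrs.get(n)]
    if missing:                                   # e.g. IDP sent "Email" instead of "email"
        return False, "missing_attributes:" + ",".join(missing)
    return True, attrs

# Constructed sample response (not real IDP output); the Signature element is omitted.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" InResponseTo="_req42"
 Destination="https://gallery.example.com/acs"><saml:Assertion ID="_a1">
 <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
  <saml:AudienceRestriction><saml:Audience>https://gallery.example.com</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions><saml:AttributeStatement>
  <saml:Attribute Name="firstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="lastName"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="email"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement></saml:Assertion></samlp:Response>"""
```

A mismatch in any one check rejects the sign-in, which is why the Entity ID and ACS URL copied into the IDP must match System Settings exactly and why the attribute names must keep their case.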
Multi-factor Authentication (MFA) can be used by the Gallery when provided by the IDP. For example, MFA can be configured with Azure AD for the Gallery application and the user can be required to approve the sign-in request using the Microsoft Authenticator mobile app. MFA can only be used with the SAML SSO authentication option, and only if supported/configured by the IDP.
The following Alteryx Community articles provide detailed SAML authentication setup steps for Gallery using various IDPs.
- Configuring SAML 2.0 on Alteryx Server for Azure AD
- Configuring SAML on Alteryx Server for Okta
- Configuring SAML on Alteryx Server for PingOne
- Configuring SAML on Alteryx Server for OneLogin
In this blog we have introduced SAML authentication to enable single sign-on within Alteryx Server Gallery. In subsequent blog entries in this series, we will look at a number of other topics ranging from scalability, high availability, cloud deployments, and more. If you have any topics you would specifically like to see discussed, please leave a comment below.