Welcome to the Alteryx Knowledge Base

Configuring SAML on Alteryx Server for Okta
user

Created/Edited - 4/21/2026 by Sydney Firmin | Alteryx

How To

How to Configure Okta SAML Authentication with Alteryx Server


In this article, we will review how to configure SAML on your Alteryx Server for Okta. To learn more about SAML authentication with Alteryx, please review the following article: Alteryx Architectures - SAML SSO Authentication.

Prerequisites
  • Alteryx Server 
    • Version(s) 2018.2+
  • Okta Developer Console (Admin) 
Procedure

Add Alteryx to Okta

 

This entire process starts with the configuration on the Single Sign-On Provider’s side. This is a step-by-step outline of how to add Alteryx as an application in Okta. Note: These instructions are for the Developer's Console UI. 
 

1. In the Developer view of Okta, navigate to Applications and select "Create App Integration".

image.png


2. Select SAML 2.0 as the Sign on method.

image.png


3. Click "Next". 

4. Add an app title. If desired, an app icon can be added.

image.png


5. In the Configure SAML Screen, the Single Sign-on URL depends on the Alteryx Server version and whether SSL is enabled on the Alteryx Gallery ("https" is required if SSL is enabled). In Alteryx Server version 2022.3, we are using updated service provider endpoints via the Web API service, replacing "aas" with "webapi". See the 2022.3 Release Notes for more information.


6. In the Audience URI textbox, input your Gallery Base URL (no /gallery) and append with the following:

image.png
image.png

 

7. Scroll down to the "Attribute Statements" portion. Map the following attributes (case-sensitive):

Attribute Name: email                Value: user.email
Attribute Name: firstName         Value: user.firstName 
Attribute Name: lastName          Value: user.lastName

image.png
 

8. Click "Next" on this page. On the next page, select either "Customer" or "Partner", depending on the Okta relationship. The other survey fields are optional.

9. Then, click "Finish".

10. Once the application has been created, select the "Assignments" tab.

11. Click the "Assign" button, then choose either "Assign to People" or "Assign to Groups". 

image.png


12. Add administrators (including the user that created the application) and any other necessary users by selecting "Assign". Click "Done" when finished. 

13a. IDP Metadata URL option: Click the "Sign On" tab. In the "SAML Signing Certificates" section, select "Actions" > "View IdP Metadata" on the active certificate (SHA-2). This information will help to connect Okta to Alteryx Server. 

image.png


13b. X509 Certificate option: On the right-hand side of the "Sign On" page, select the "View SAML setup instructions" button. This will bring up a page called "How to Configure SAML 2.0 for [applicationName] Application". This information will help to connect Okta to Alteryx Server. 

image.png

 

Configure Alteryx Server for Okta SAML Authentication

 
1. Open the Alteryx System Settings and press "Next" until the Gallery > Authentication page is reached. 

2. Add an email address for the "Default Gallery Administrator".

3. Switch the authentication type to SAML.

4. The ACS Base URL should populate with the Gallery Base Address, with /aas appended.
Note: If your Server version is 2022.3+, the ACS Base URL should have /webapi appended to the Gallery Base Address. If SSL is enabled in Gallery > General, the ACS Base URL should have "https" rather than "http".

5. Navigate back to the Okta SAML page from either step 13a or 13b of the previous section (metadata option or X509 certificate options).

6. Copy the "entityID" URL in the first line of XML code (example: http://www.okta.com/exk1lbtng37fxZhpT0h8).

7. Paste this value into the "IDP URL" textbox of the Alteryx System Settings. 

The following steps will depend on which configuration was option chosen in step 13. If using the metadata option, continue to step 8. If using the X509 certificate, please proceed to step 12.

Metadata Option:
8. Copy the URL of the Okta page, ending in /sso/saml/metadata. This is the link to the metadata information.

9. Paste the value in the "IDP Metadata URL" textbox of the Alteryx System Settings. 
Note: This screenshot is a pre-2022.3 configuration. A 2022.3+ configuration should have /webapi rather than /aas.
image.png

10. Click "Verify IDP" and sign in. 

11. Proceed all the way through the Alteryx System Settings. 

X509 Option:
12. In the Alteryx System Settings, change the radio button from "IDP Metadata URL" to "X509 certificate and IDP SSO URL".

13. Navigate to the Okta "How to Configure SAML 2.0" page. These values can also be obtained from the metadata XML (this view is more readable). 

14. Copy the "Identity Provider Single Sign-On URL" (ends in sso/saml). 

15. Paste this value into the "IDP SSO URL" textbox of the Alteryx System Settings. 

16. Copy the X509 certificate.

17. Paste the X509 certificate into the "X509 certificate" textbox of the Alteryx System Settings. 
Note: This screenshot is a pre-2022.3 configuration. A 2022.3+ configuration should have /webapi rather than /aas.

This image shows an example of the X509 certificate and IDP SSO URL configuration under the SAML authentication type in Alteryx System Settings.

18. Click "Verify IDP" and sign in. 

19. Proceed all the way through the Alteryx System Settings. 
 
Additional Information
​​​​​​AAS (Alteryx Authentication Service) or SSO logs show detailed information on how the assertion is being sent. These logs may have more verbose messaging should an issue arise. Location: %ProgramData%\Alteryx\Logs (ProgramData is a hidden folder. Enable it by selecting "View" > check "Hidden Items" in File Explorer).
Was this article helpful?