Welcome to the Alteryx Knowledge Base
Created/Edited -
How to Configure Okta SAML Authentication with Alteryx Server
In this article, we will review how to configure SAML on your Alteryx Server for Okta. To learn more about SAML authentication with Alteryx, please review the following article: Alteryx Architectures - SAML SSO Authentication.
- Alteryx Server
- Version(s) 2018.2+
- Okta Developer Console (Admin)
Add Alteryx to Okta
This entire process starts with the configuration on the Single Sign-On Provider’s side. This is a step-by-step outline of how to add Alteryx as an application in Okta. Note: These instructions are for the Developer's Console UI.
1. In the Developer view of Okta, navigate to Applications and select "Create App Integration".
2. Select SAML 2.0 as the Sign on method.
3. Click "Next".
4. Add an app title. If desired, an app icon can be added.
5. In the Configure SAML Screen, the Single Sign-on URL depends on the Alteryx Server version and whether SSL is enabled on the Alteryx Gallery ("https" is required if SSL is enabled). In Alteryx Server version 2022.3, we are using updated service provider endpoints via the Web API service, replacing "aas" with "webapi". See the 2022.3 Release Notes for more information.
- Pre-2022.3: The Alteryx Gallery/Server UI Base URL (found in Alteryx System Settings > Gallery > General) with /aas/Saml2/Acs appended to the end (no /gallery). Example (where "http(s)://host.domain.com" is a placeholder for the Gallery Base URL):
- http://host.domain.com/aas/Saml2/Acs or https://host.domain.com/aas/Saml2/Acs if SSL is enabled
- 2022.3+: The Server UI Base URL (found in Alteryx System Settings > Gallery > General) with /webapi/Saml2/Acs appended to the end (no /gallery). Example (where "http(s)://host.domain.com" is a placeholder for the Gallery Base URL):
- http://host.domain.com/webapi/Saml2/Acs or https://host.domain.com/webapi/Saml2/Acs if SSL is enabled
6. In the Audience URI textbox, input your Gallery Base URL (no /gallery) and append with the following:
- Pre-2022.3: /aas/Saml2 appended to the end. Example (where http://host.domain.com is a placeholder for the Gallery Base URL):
- 2022.3+: /webapi/Saml2/acs appended to the end. Example (where http://host.domain.com is a placeholder for the Server UI Base URL):
7. Scroll down to the "Attribute Statements" portion. Map the following attributes (case-sensitive):
8. Click "Next" on this page. On the next page, select either "Customer" or "Partner", depending on the Okta relationship. The other survey fields are optional.
9. Then, click "Finish".
10. Once the application has been created, select the "Assignments" tab.
11. Click the "Assign" button, then choose either "Assign to People" or "Assign to Groups".
12. Add administrators (including the user that created the application) and any other necessary users by selecting "Assign". Click "Done" when finished.
13a. IDP Metadata URL option: Click the "Sign On" tab. In the "SAML Signing Certificates" section, select "Actions" > "View IdP Metadata" on the active certificate (SHA-2). This information will help to connect Okta to Alteryx Server.
13b. X509 Certificate option: On the right-hand side of the "Sign On" page, select the "View SAML setup instructions" button. This will bring up a page called "How to Configure SAML 2.0 for [applicationName] Application". This information will help to connect Okta to Alteryx Server.
Configure Alteryx Server for Okta SAML Authentication
2. Add an email address for the "Default Gallery Administrator".
3. Switch the authentication type to SAML.
4. The ACS Base URL should populate with the Gallery Base Address, with /aas appended.
5. Navigate back to the Okta SAML page from either step 13a or 13b of the previous section (metadata option or X509 certificate options).
6. Copy the "entityID" URL in the first line of XML code (example: http://www.okta.com/exk1lbtng37fxZhpT0h8).
7. Paste this value into the "IDP URL" textbox of the Alteryx System Settings.
The following steps will depend on which configuration was option chosen in step 13. If using the metadata option, continue to step 8. If using the X509 certificate, please proceed to step 12.
Metadata Option:
8. Copy the URL of the Okta page, ending in /sso/saml/metadata. This is the link to the metadata information.
9. Paste the value in the "IDP Metadata URL" textbox of the Alteryx System Settings.
10. Click "Verify IDP" and sign in.
11. Proceed all the way through the Alteryx System Settings.
X509 Option:
12. In the Alteryx System Settings, change the radio button from "IDP Metadata URL" to "X509 certificate and IDP SSO URL".
13. Navigate to the Okta "How to Configure SAML 2.0" page. These values can also be obtained from the metadata XML (this view is more readable).
14. Copy the "Identity Provider Single Sign-On URL" (ends in sso/saml).
15. Paste this value into the "IDP SSO URL" textbox of the Alteryx System Settings.
16. Copy the X509 certificate.
17. Paste the X509 certificate into the "X509 certificate" textbox of the Alteryx System Settings.
18. Click "Verify IDP" and sign in.
19. Proceed all the way through the Alteryx System Settings.