The Gallery is a cloud-based application for publishing, sharing, and executing workflows. It communicates with the service to manage and execute workflows. Gallery uses a MongoDB persistence layer for state maintenance. This allows you to deploy the Gallery across multiple servers behind a load balancer (not provided as part of the architecture) to support horizontal scalability.
The Gallery is a private website, hosted on your server infrastructure, that allows internal users to share workflows, apps, and macros. Alteryx also offers a Public Gallery (https://gallery.alteryx.com/) where users can sign up and share workflows, apps, and macros.
Configure the Gallery component on the Gallery screens in System Settings. The Gallery screens are available for configuration if you've selected one of these options on the Environment > Setup Type screen:
- Complete Alteryx Server
- Custom > Enable Gallery
The Gallery General screen has configuration options, such as where you want to store temporary files and log files.
- Gallery Workspace: This is the location where the Gallery stores temporary files. By default, it is a folder within the global workspace folder. This path should point to a location that is safe to store large amounts of files.
- Logging Directory: This is the location where you want to store Gallery log messages. See Log Files.
- Base Address: This is the URL that users use to go to the Gallery.
- Enable SSL: Enabling SSL changes the URL in the Base Address field to https. If your certificate is set to a port other than the default 443, include the port in the URL (for example, https://localhost:445/gallery/). See Enable Gallery SSL.
- Default Run Mode: Run Mode determines the workflows that Gallery users can run. Use Default Run Mode to block workflows with specific tools or directory access from running in the Gallery.
Semi-safe and Safe are only available if you have enabled the Run As setting in System Settings on the Worker > Run As screen or if you have specified Run As. See Worker and Credentials for more information.
If your Default Run Mode is Safe or Semi-safe, Gallery admins can change the run mode in each workflow on the Workflows page in the Gallery Admin interface. See Workflows.
- Unrestricted: Gallery users can run any workflow.
- Semi-safe: Block Gallery users from running workflows that read data from or write data to a location that is not within the workflow staging directory (workspace).
- Safe: Block Gallery users from running workflows that read data from or write data to a location that is not within the workflow staging directory (workspace). Gallery users are also blocked from running workflows that use specific tools, events, and data connectors. See Safe and Semi-safe Run Modes: Blocked Tools, Events, and Data Connectors.
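The "within the workflow staging directory" rule behind Semi-safe and Safe is a path-containment test. The sketch below is an added illustration, not Alteryx code and not a description of how Server enforces the rule; the function name and sample paths are constructed. It shows the cases such a test has to get right when you pre-screen a workflow's input and output paths: `..` traversal, sibling folders that share a name prefix, case differences, and other drives or UNC shares.

```python
import ntpath  # Windows path rules on any OS, so this runs offline anywhere


def within_staging(staging_dir: str, target: str) -> bool:
    """Return True if target resolves lexically inside staging_dir.

    Hypothetical helper for illustration. It is a lexical check only:
    junctions and symlinks are not followed.
    """
    base = ntpath.normcase(ntpath.normpath(staging_dir))
    # Relative targets are resolved against the staging directory; absolute
    # and UNC targets replace it. normpath then collapses '.' and '..'.
    full = ntpath.normcase(ntpath.normpath(ntpath.join(base, target)))
    try:
        # Component-wise comparison avoids the 'job42' vs 'job42_old'
        # string-prefix mistake.
        return ntpath.commonpath([base, full]) == base
    except ValueError:
        # Different drive or UNC share: cannot be inside the workspace.
        return False


# Constructed sample data: a staging folder and paths a workflow might use.
STAGING = r"D:\GalleryWorkspace\staging\job42"
SAMPLES = [
    r"output\result.csv",                            # relative, inside
    r"D:\GALLERYWORKSPACE\Staging\Job42\in.csv",     # same folder, other case
    r"..\job43\secrets.csv",                         # traversal to a sibling job
    r"D:\GalleryWorkspace\staging\job42_old\in.csv", # shared name prefix
    r"\\fileserver\share\data.csv",                  # UNC share
    r"C:\Windows\System32\drivers\etc\hosts",        # other drive
]


def screen(paths=SAMPLES, staging=STAGING):
    """Map each path to 'allow' or 'block' under the containment rule."""
    return {p: "allow" if within_staging(staging, p) else "block" for p in paths}


if __name__ == "__main__":
    for path, verdict in screen().items():
        print(f"{verdict:5}  {path}")
```
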
The Gallery Authentication screen has configuration options for the type of authentication you want to use to access the Gallery.
Server supports built-in authentication, integrated Windows authentication with or without Kerberos support, and SAML authentication.
Server doesn't support changing the authentication type after configuration. Doing so might compromise Gallery functionality. If you want to change the authentication type, contact support to create a plan.
- Built-in: Allows users to access the Gallery using an email address and password.
- Integrated Windows authentication: Allows users to access the Gallery with internal network credentials.
Server supports multiple domains for Windows authentication. You do not need to configure anything in Server to enable this, but these capabilities and permissions have to be present across the domains.
- The domain the Gallery runs on needs to have the same trust policy as other domain users so Active Directory can resolve and determine user permissions.
- Both domains need to be part of the same forest.
- The Alteryx service needs to be able to read all attributes from CN=Users and CN=Computers containers for both domains. The Alteryx service runs under the local system account on the server it is installed on. If you define a dedicated service account instead of using the local system, the account needs permission to read all attributes from both containers to enable authentication for both domains.
- Integrated Windows authentication with Kerberos: Allows users to access the Gallery with internal network credentials using Kerberos authentication protocols.
- SAML authentication: Allows users to access the Gallery with Identity Provider (IDP) credentials.
Select an option for obtaining metadata required by the IDP
You can configure SAML using an IDP Metadata URL or an X509 certificate and IDP SSO URL.
SAML IDP Configuration
To configure SAML authentication for Single Sign On (SSO), you have to have an account with an Identity Provider (IDP) that supports SAML.
Before configuring SAML authentication for the Gallery, you have to add Server as a Service Provider within the IDP. The IDP may require the ACS Base URL (for example, http://localhost/aas/Saml2/Acs) and SP Entity ID (for example, http://localhost/aas/Saml2). The IDP may also require that you map email, firstName, and lastName attribute statements to corresponding fields in the IDP to authenticate users.
- ACS Base URL: The URL for the Assertion Consumer Service that accepts SAML messages to establish a session.
- IDP URL: The URL for the Alteryx application configured in the IDP. It might also be referred to as the IDP Entity ID.
- IDP Metadata URL: The URL provided by the IDP that includes the IDP SSO URL and the X509 certificate for configuring the Alteryx Authentication Service.
- IDP SSO URL: The SSO URL, provided by the IDP, that the Alteryx Authentication Service uses to log into the IDP.
- X509 certificate: The public certificate provided by the IDP for secure communication with the Alteryx Authentication Service.
- Verify IDP: Select this button to open a browser window, log in, test the IDP configuration, and set the default Gallery administrator.
Default Gallery Administrator
A Gallery administrator account has to be created to administer the site (manage users, workflows, and more). The Default Gallery Administrator is a required field.
- If you use Built-in, enter the administrator's email address. Note that this user needs to complete their account creation. To do so, go to the Gallery sign-in page and select Don't have an account? Create one now to create the Gallery account and password.
- If you use Integrated Windows authentication, enter the user account in this format: domain\username.
- If you use SAML authentication, select Verify IDP to test the IDP configuration and populate the field with IDP credentials.
Gallery SMTP Configuration
The SMTP screen has configuration options for enabling SMTP. The information on the SMTP page is required for Server to send email notifications for various events, such as registering your Gallery account, changing your password, or sharing a workflow.
- Enter the email address from which you want emails to be sent in From Email.
- Enter the email service hostname in Host.
- Enter a username and password in Username and Password, if the SMTP server configuration requires it.
- Select Test to send a test email to the email address in From Email.
- The port default is 25 as this is standard for SMTP. You can customize this port if necessary.
- If the SMTP server is set up to use SSL, select the Use SSL checkbox.
Deselect Enable SMTP to complete the Server setup without enabling SMTP. Email notifications from the Gallery are disabled until SMTP settings are configured.
Use Controller Persistence Settings: The Gallery stores information for users, collections, etc. in MongoDB. Select this option (which is on by default) for the Gallery to use the persistence options set on the Controller > Persistence screen. See Controller. If you would like the Gallery to use a different MongoDB connection than the Controller, specify the host, user name, and password information.
Same settings as Web Persistence: Indices for search functionality within the Gallery are also stored in MongoDB. Select this option (which is on by default) for the Search indices to be persisted using the same options as the Web Persistence. If you would like the search indices to use a different MongoDB connection than the Web Persistence, specify the host, user name, and password information.