Last modified: May 27, 2020

Configure the gallery component on the Gallery screens in System Settings.  You can configure the gallery component if the local machine is configured as a gallery. 

The gallery is a cloud-based application for publishing, sharing, and executing workflows. It communicates with the Alteryx Service for the management and execution of the workflows and utilizes a MongoDB persistence layer for all state maintenance. This allows the gallery to be deployed across multiple servers behind a load balancer (not provided as part of the architecture) to support horizontal scalability.

Alteryx offers a Public Gallery (, where users can sign up and share workflows, apps, and macros, and a Private Gallery, which allows companies to offer the gallery to internal users hosted on their own server infrastructure.


The General screen includes configuration options such as where you want to store temporary files and log files.

  • Gallery Workspace: The workspace is the location where the Gallery stores temporary files. By default it is a folder within the global workspace folder. This path should point to a location that is safe to store large amounts of files.
  • Logging Directory: This is the location where you want to store log messages specific to the Gallery services. See Log Files.
  • Base Address: This is the URL that users use to go to the gallery. This URL is used in areas such as email content when links to workflows are made available.
  • Enable SSL: Enabling this changes the URL in the Base Address field to https. If you enable SSL and your certificate is set to a port other than the default 443, include the port in the URL (for example, https://localhost:445/gallery/). See Enable Gallery SSL.
  • Default Run Mode: Determines the level that workflows are permitted to run in the gallery. You may want to block workflows that contain certain tools or access. If a user has a workflow that uses one of the prohibited tools in a safe manner, they may request an exemption from the gallery admin. Exemptions are managed on the Workflows page in the gallery. See Workflows.

    Safe and Semi-safe options can only be used if the Run As setting is enabled in System Settings on the Worker Run As screen. See Worker.

    • Unrestricted: Any workflow can be run.
    • Semi-safe: Block workflows that read or write data that is not located within the directory or a sub-directory of the workflow staging directory (workspace) from running.  
    • Safe: Block workflows that read or write data that is not located within the directory or sub-directory of the workflow staging directory (workspace) from running. Workflows using certain tools and events are also blocked from running. The tools and events include: Run Command tool, Download tool, Email tool, R tool, Python tool, Run Command event, and Send Email event.


The Authentication screen includes configuration options for the type of authentication you want to use to access the Gallery.

  • Authentication Type: Alteryx Server supports built-in authentication, integrated Windows authentication with or without Kerberos support, and SAML authentication.
    • Built-in: Allows users to access the Gallery using an email address and password.
    • Integrated Windows authentication: Allows users to access the Gallery with internal network credentials.

Multi-domain support

Alteryx Server supports multiple domains for Windows authentication. There is no configuration needed within Alteryx Server to enable this, but the following capabilities and permissions must be present across the domains.

  • The domain the Gallery is running on needs the same trust policy as other domains users are working on so Active Directory can resolve and determine user permissions.
  • Both domains need to be part of the same forest.
  • The Alteryx Service needs to be able to read all attributes from CN=Users and CN=Computers containers for both domains. The Alteryx Service runs under the Local System account on the server it is installed on. If a dedicated service account is defined instead of using Local System, the account needs permissions to read all attributes from both containers to enable authentication for both domains.
  • Integrated Windows authentication with Kerberos: Allows users to access the Gallery with internal network credentials using Kerberos authentication protocols.
  • SAML authentication: Allows users to access the Gallery with Identity Provider (IDP) credentials.

Changing authentication type is not supported. Doing so may compromise Gallery functionality.

  • Select an option for obtaining metadata required by the IDP: Alteryx provides support for configuring SAML using an IDP Metadata URL, or an X509 certificate and IDP SSO URL.
  • SAML IDP Configuration: To configure SAML authentication for Single Sign On (SSO), you must have an account with an Identity Provider (IDP) that supports SAML.

Before configuring SAML authentication for the Gallery, you must add Alteryx Server as a Service Provider application within the IDP. The IDP may require the ACS Base URL (for example: http://localhost/aas/Saml2/Acs) and SP Entity ID (for example: http://localhost/aas/Saml2). The IDP may also require email, firstName, and lastName attribute statements to be mapped to corresponding fields in the IDP so users can be authenticated.

    • ACS Base URL: The URL for the Assertion Consumer Service, that accepts SAML messages for the purpose of establishing a session. 
    • IDP URL: The URL for the Alteryx application configured in the IDP. It may also be referred to as the IDP Entity ID.
    • IDP Metadata URL: The URL provided by the IDP that includes the IDP SSO URL and the X509 certificate for configuring the Alteryx Authentication Service.
    • IDP SSO URL: The SSO URL, provided by the IDP, that the Alteryx Authentication Service uses to log into the IDP. 
    • X509 certificate: The public certificate provided by the IDP for secure communication with the Alteryx Authentication Service.
    • Verify IDP: Click this button to open a browser window, log in, test the IDP configuration, and set the Default Gallery Administrator.
    • Default Gallery Administrator: A Gallery Administrator account must be created to administer the site (manage users, workflows, and more). If the Gallery is enabled in the System Settings > Environment > Set Up screen, the Default Gallery Administrator is a required field. See Environment.
      • If using Built-in, enter the administrator's email address (ex.
      • If using Integrated Windows authentication, enter the user account (ex. Domain\Username).
      • If using SAML authentication, click Verify IDP to test the IDP configuration and populate the field with IDP credentials.


    The SMTP screen includes configuration options for enabling SMTP. If the Gallery is enabled on the Setup screen, the information on the SMTP page is required so that the server can send email notifications for various events such as registering your Gallery account, changing your password, or sharing a workflow.

    1. In From Email, type the email address from which emails are to be sent.
    2. Type the email service host name in Host.
    3. Type a username and password in Username and Password, if the SMTP server configuration requires it.
    4. Click Test. If the test is successful, an email is sent to the email address in From Email.

    Deselect Enable SMTP to complete the Server setup without enabling SMTP. Email notifications from the Gallery will be disabled until SMTP settings are configured.

    If the SMTP server is setup to use SSL, select the Use SSL checkbox.


    The gallery stores information for users, collections, etc. in MongoDB. Specify where you want gallery information stored on the Persistence screen. 

    Advanced Database Connection

    Select Advanced User-Managed Mongo DB if you do not want to use the same location as specified for the controller (specified for the controller on the Controller > Persistence screen) and you require support for...

    • TLS/SSL
    • Replica Sets
    • Sharding
    • MongoDB Atlas

    If you were using replica sets before the availability of the connection string option (2019.4 release or previous), you have to change to a connection string.

    When you have selected this option, the Web Persistence and Search Persistence sections display a Connection field for you to specify your MongoDB connection string.

    Screenshot of gallery persistence settings with Used Advanced Connections option selected

    Connection String Tips and Examples

    • Supported connection string parameters are driver dependent. Parameters must be supported by all below listed supported drivers to be used in a connection string. Supported driver versions include...
      • c 1.15 (mongoc)
      • c++ 3.4.1 (mongocss)
      • c# 2.7.2 (mongoc#)
    • Special characters in usernames, passwords, or parameter values must be URL encoded.

    Web Persistence Examples

    • On-premise, single-node example with SSL/TLS:


    • On-premise, replica set, example with SSL/TLS:


    • Atlas example:


    Search Persistence Examples

    • On-premise, single-node example with SSL/TLS:


    • On-premise, replica set, example with SSL/TLS:


    • Atlas example:


    See the MongoDB Connection String documentation for help formatting your connection string.

    Web Persistence

    Select Use Controller Persistence Settings to use the same location as specified for the controller on the Controller > Persistence screen. This is the default option for gallery web persistence. See Controller.

    If you would like the gallery to use a different MongoDB connection than the controller chose one of these:


    • Uncheck Use Controller Persistence Settings and specify the Host, Username, and Password.

    Search Persistence

    Indices for search functionality within the gallery are also stored in the MongoDB. 

    Select Same settings as Web Persistence to use the same location as specified for web persistence. This is the default option for gallery search persistence.

    If you would like the search indices to use a different MongoDB connection than that used for web persistence chose one of these:


    • Uncheck Same settings as Web Persistence and specify the Host, Username, and Password.

    What's Next?

    Configure Engine.

    Was This Helpful?

    Running into problems or issues with your Alteryx product? Visit the Alteryx Community or contact support.