Configure Gallery Authentication
Configure the authentication method you want to use to manage Gallery access on the System Settings > Gallery Authentication page.
Start by selecting the authentication method you want to use for your Server. Then, see the setup steps for your selected method.
Select Your Authentication Type
Server supports built-in authentication, integrated Windows authentication with or without Kerberos support, and SAML authentication.
- Built-in: Users specify an email address and password of their choosing to access the Gallery.
- Integrated Windows authentication: Users access the Gallery with internal network credentials.
- Integrated Windows authentication with Kerberos: Users access the Gallery with internal network credentials using Kerberos authentication protocols. The setup process for both Integrated Windows authentication and Integrated Windows authentication with Kerberos are the same. For more information, go to Complete the Set Up for Your Selected Authentication Type and choose Set Up Integrated Windows Authentication.
- SAML authentication: Users access the Gallery with Identity Provider (IDP) credentials.
Server doesn't support changing the authentication type after configuration. Doing so might compromise Gallery functionality.
The set up for each authentication type varies. Select your selected authentication type for steps to complete the setup.
Step 1. Set a Default Gallery Administrator for Built-in Authentication
After selecting Built-in authentication, create a Default Gallery Administrator at the bottom of the Gallery Authentication page. The Gallery administrator manages users, workflows, and more. For Built-in authentication, enter the administrator's email address.
Step 2. Finish the Gallery Administrator Account Creation
- To complete the creation of the Gallery administrator account, go to the sign-in page of the Gallery. To do so, select the link to the Gallery shown on the System Settings > Status page or enter the URL to the Gallery in your internet browser.
- Select Sign In.
- On the sign-in page, select Don't have an account? Create one now.
- Enter a First Name and Last Name, and select a timezone from the drop-down menu.
- In Email, enter the email address that you provided for the Default Gallery Administrator on the System Settings > Gallery Authentication page.
- In Password, create an account password.
- Select Sign Up.
You are now logged in as the Gallery administrator. The credentials you entered in the sign-up form are saved as your credentials going forward. You are now ready to add Gallery users. See Add Gallery Users.
If you are using AWS with Windows Authentication, the TCP connection has to maintain the same source port to stay authenticated. For this reason, we recommend using either the network or classic load balancer rather than application load balancer.
The difference in setting up the Integrated Windows Authentication and Integrated Windows Authentication with Kerberos is the protocol which is used to authenticate users with Active Directory. The Integrated Windows Authentication option uses NTLM while the Integrated Windows Authentication with Kerberos replaces NTLM with Kerberos.
No special configuration within Server itself is needed but the Kerberos option requires a properly configured Kerberos realm and KDC to be present in the Active Directory domain.
Step 1. Set a Default Gallery Administrator for Windows Authentication
After selecting Integrated Windows authentication, create a Default Gallery Administrator at the bottom of the Gallery Authentication page. The Gallery administrator manages users, workflows, and more. For Integrated Windows authentication, enter the user account in this format: domain\username.
Step 2. Access the Gallery
The default Gallery administrator can now access the Gallery. To do so, select the link to the Gallery shown on the System Settings > Status page or enter the URL to the Gallery in your internet browser. You are now logged in as the Gallery administrator and ready to add Gallery users. See Add Gallery Users.
Server supports multiple domains for Windows authentication. You do not need to configure anything in Server to enable this, but these capabilities and permissions have to be present across the domains.
- The domain the Gallery runs on needs to have the same trust policy as other domain users so Active Directory can resolve and determine user permissions.
- Both domains need to be part of the same forest.
- The Alteryx service needs to be able to read all attributes from CN=Users and CN=Computers containers for both domains. The Alteryx service runs under the local system account on the server it is installed on. If you define a dedicated service account instead of using the local system, the account has to have permission to read all attributes from both containers to enable authentication for both domains.
To configure SAML authentication for Single Sign On (SSO), your Identity Provider (IDP) has to support SAML.
Before configuring SAML authentication for the Gallery, you have to add Server as a Service Provider in the IDP. The IDP might need...
- the ACS Base URL (for example, http://localhost/aas/Saml2/Acs).
- the SP Entity ID (for example, http://localhost/aas/Saml2).
- The IDP might also require that you map email, firstName, and lastName attribute statements to corresponding fields in the IDP to authenticate users.
- The IDP Signing Certificate should be configured with a signing algorithm of SHA-256 or greater.
Select an option for obtaining metadata required by the IDP. You can configure SAML using an IDP Metadata URL or an X509 certificate and IDP SSO URL.
Complete the SAML IDP Configuration.
- ACS Base URL: The URL for the Assertion Consumer Service that accepts SAML messages to establish a session.
- IDP URL: The URL for the Alteryx application configured in the IDP, also known as, the IDP Entity ID.
- IDP Metadata URL: The URL provided by the IDP that includes the IDP SSO URL and the X509 certificate for configuring the Alteryx Authentication Service.
- IDP SSO URL: The SSO URL, provided by the IDP, that the Alteryx Authentication Service uses to log into the IDP.
- X509 certificate: The public certificate provided by the IDP for secure communication with the Alteryx Authentication Service.
- Verify IDP: Select to open a browser window, log in, test the IDP configuration, and set the default Gallery administrator.
Set a Default Gallery Administrator for SAML
A Gallery administrator account has to be created to administer the site (manage users, workflows, and more). For SAML authentication, select Verify IDP to test the IDP configuration and populate the field with IDP credentials.
You are now logged in as the Gallery administrator. You are now ready to add Gallery users. See Add Gallery Users.