Configure Gallery Authentication

Version: 2021.2
Last modified: July 23, 2021

Configure the authentication method you want to use to manage Gallery access on the System Settings > Gallery Authentication page.

Start by selecting the authentication method you want to use for your Server. Then, go to the setup steps for your selected method.

Select Your Authentication Type

Server supports built-in authentication, integrated Windows authentication with or without Kerberos support, and SAML authentication.

  • Built-in: Users specify an email address and password of their choosing to access the Gallery.
  • Integrated Windows authentication: Users access the Gallery with internal network credentials.
  • Integrated Windows authentication with Kerberos: Users access the Gallery with internal network credentials using Kerberos authentication protocols.
  • SAML authentication: Users access the Gallery with Identity Provider (IDP) credentials.

Server doesn't support changing the authentication type after configuration. Doing so might compromise Gallery functionality. If you want to change the authentication type, contact support to create a plan.

Complete the Set Up for Your Selected Authentication Type

The setup for each authentication type varies. Go to the section for your selected authentication type for the steps to complete the setup.

Set Up Built-in Authentication

Step 1. Set a Default Gallery Administrator for Built-in Authentication

After selecting Built-in authentication, create a Default Gallery Administrator at the bottom of the Gallery Authentication page. The Gallery administrator manages users, workflows, and more. For Built-in authentication, enter the administrator's email address.

 

Complete the remaining screens in System Settings (go to the Gallery and Engine help pages for more info on these screens), and select Finish.

Step 2. Finish the Gallery Administrator Account Creation

  1. To complete the creation of the Gallery administrator account, go to the sign-in page of the Gallery. To do so, select the link to the Gallery shown on the System Settings > Status page or enter the URL to the Gallery in your internet browser.
  2. Select Sign In.
  3. On the sign-in page, select Don't have an account? Create one now.
  4. Enter a First Name and Last Name, and select a timezone from the drop-down menu.
  5. In Email, enter the email address that you provided for the Default Gallery Administrator on the System Settings > Gallery Authentication page.
  6. In Password, create an account password. 
  7. Select Sign Up.

You are now logged in as the Gallery administrator. The credentials you entered in the sign-up form are saved as your credentials going forward. You are now ready to add Gallery users. Go to Add Gallery Users.

Set Up Integrated Windows Authentication

If you are using AWS with Windows Authentication, the TCP connection has to maintain the same source port to stay authenticated. For this reason, we recommend using either the Network Load Balancer or the Classic Load Balancer rather than the Application Load Balancer.

Step 1. Set a Default Gallery Administrator for Windows Authentication

After selecting Integrated Windows authentication, create a Default Gallery Administrator at the bottom of the Gallery Authentication page. The Gallery administrator manages users, workflows, and more. For Integrated Windows authentication, enter the user account in this format: domain\username.

Complete the remaining screens in System Settings (go to the Gallery and Engine help pages for more info on these screens), and select Finish.

Step 2. Access the Gallery

The default Gallery administrator can now access the Gallery. To do so, select the link to the Gallery shown on the System Settings > Status page or enter the URL to the Gallery in your internet browser. You are now logged in as the Gallery administrator and ready to add Gallery users. Go to Add Gallery Users.

Multi-domain support

Server supports multiple domains for Windows authentication. You don't need to configure anything in Server to enable this, but these capabilities and permissions have to be present across the domains:

  • The domain the Gallery runs on needs to have the same trust policy as other domain users so Active Directory can resolve and determine user permissions.
  • Both domains need to be part of the same forest.
  • The Alteryx service needs to be able to read all attributes from CN=Users and CN=Computers containers for both domains. The Alteryx service runs under the local system account on the server it is installed on. If you define a dedicated service account instead of using the local system, the account has to have permission to read all attributes from both containers to enable authentication for both domains.

Set Up SAML Authentication

To configure SAML authentication for Single Sign On (SSO), your Identity Provider (IDP) has to support SAML.

Before configuring SAML authentication for the Gallery, you have to add Server as a Service Provider in the IDP. The IDP might need:

  • The ACS Base URL (for example, http://localhost/aas/Saml2/Acs).
  • The SP Entity ID (for example, http://localhost/aas/Saml2).

The IDP might also require that you map email, firstName, and lastName attribute statements to corresponding fields in the IDP to authenticate users. The IDP Signing Certificate should be configured with a signing algorithm of SHA-256 or greater.

  1. Select an option for obtaining metadata required by the IDP. You can configure SAML using an IDP Metadata URL or an X509 certificate and IDP SSO URL.

  2. Complete the SAML IDP Configuration.

    • ACS Base URL: The URL for the Assertion Consumer Service that accepts SAML messages to establish a session.
    • IDP URL: The URL for the Alteryx application configured in the IDP, also known as the IDP Entity ID.
    • IDP Metadata URL: The URL provided by the IDP that includes the IDP SSO URL and the X509 certificate for configuring the Alteryx Authentication Service.
    • IDP SSO URL: The SSO URL, provided by the IDP, that the Alteryx Authentication Service uses to log into the IDP.
    • X509 certificate: The public certificate provided by the IDP for secure communication with the Alteryx Authentication Service.
    • Verify IDP: Select to open a browser window, log in, test the IDP configuration, and set the default Gallery administrator.
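
The IDP-side requirements above (a signing algorithm of SHA-256 or greater, the email, firstName, and lastName attribute statements, the ACS Base URL, and the SP Entity ID) can be checked against a SAML response captured while running Verify IDP. The following is an added example, not Alteryx code: audit_response and sample_response are hypothetical names, the sample response is constructed, and the attribute names are assumed to appear verbatim in the Name field.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
WEAK = ("sha1", "md5")  # hash families below SHA-256
REQUIRED_ATTRS = {"email", "firstName", "lastName"}  # names as listed on this page
ACS_URL = "http://localhost/aas/Saml2/Acs"   # example value from this page
SP_ENTITY_ID = "http://localhost/aas/Saml2"  # example value from this page

def audit_response(xml_text, acs_url=ACS_URL, sp_entity_id=SP_ENTITY_ID):
    """Return findings ([] = all checks pass). Inspects declared values only;
    it does not verify the signature cryptographically."""
    root = ET.fromstring(xml_text)
    findings = []
    algs = [e.get("Algorithm", "") for tag in ("SignatureMethod", "DigestMethod")
            for e in root.iterfind(f".//ds:{tag}", NS)]
    if not algs:
        findings.append("no ds:Signature found (unsigned response)")
    for alg in algs:
        # Compare only the URI fragment, e.g. "rsa-sha1" or "sha256".
        if any(w in alg.rsplit("#", 1)[-1].lower() for w in WEAK):
            findings.append(f"weak algorithm: {alg}")
    if root.get("Destination") != acs_url:
        findings.append(f"Destination {root.get('Destination')!r} is not the ACS Base URL")
    audiences = {a.text for a in root.iterfind(".//saml:Audience", NS)}
    if sp_entity_id not in audiences:
        findings.append("SP Entity ID not listed as an Audience")
    names = {a.get("Name") for a in root.iterfind(".//saml:Attribute", NS)}
    findings += [f"attribute missing: {n}" for n in sorted(REQUIRED_ATTRS - names)]
    return findings

def sample_response(sig_alg, digest_alg, attrs):
    """Constructed sample, not a real IDP response; signature values omitted."""
    attr_xml = "".join(f'<saml:Attribute Name="{n}"/>' for n in attrs)
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
 xmlns:ds="{NS['ds']}" Destination="{ACS_URL}"><saml:Assertion>
 <ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{sig_alg}"/>
  <ds:Reference><ds:DigestMethod Algorithm="{digest_alg}"/></ds:Reference>
 </ds:SignedInfo></ds:Signature>
 <saml:Conditions><saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience>
 </saml:AudienceRestriction></saml:Conditions>
 <saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>
</saml:Assertion></samlp:Response>"""

if __name__ == "__main__":
    sha1 = sample_response("http://www.w3.org/2000/09/xmldsig#rsa-sha1",
                           "http://www.w3.org/2000/09/xmldsig#sha1", ["email"])
    for finding in audit_response(sha1):
        print(finding)
```

An empty result means the captured response declares SHA-256 or stronger algorithms and carries the expected destination, audience, and attributes.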

Set a Default Gallery Administrator for SAML

A Gallery administrator account has to be created to administer the site (manage users, workflows, and more). For SAML authentication, select Verify IDP to test the IDP configuration and populate the field with IDP credentials.

 

You are now logged in as the Gallery administrator. You are now ready to add Gallery users. Go to Add Gallery Users.
