Skip to main content

Configure Alteryx Server for SCIM with Azure Active Directory

This document provides instructions for administrators who want to integrate Alteryx Server with Azure Active Directory (AD) using System for Cross-domain Identity Management (SCIM). Use this guide to learn how to enable SCIM in Server, configure Azure AD to connect to Server for SCIM provisioning, and provision users and groups in Azure AD. With this integration, you can streamline user and group management, ensuring a synchronized and hassle-free experience between Alteryx Server and Azure AD.

Note

This configuration requires Azure to be able to communicate with the Alteryx Server over an HTTPS (SSL/TLS) connection. Please check with your network and security teams to ensure network, firewall, and routing are appropriately configured to allow this communication. To support this communication, TLS must be enabled for Alteryx Server. For more information on TLS, use Configure Server SSL/TLS.

Enable SCIM Support

  1. SCIM requires that Alteryx Server is configured to support SAML single sign-on.

    For a new environment, follow the steps outlined in Configure Alteryx Server Authentication to set up SAML.

  2. Sign in to Alteryx Server as a Curator (Server admin) and navigate to Admin > Settings > Configuration > SCIM.

  3. Select Edit.

  4. Turn on the switch to enable SCIM.

  5. Select the Token Lifetime based on your needs. Please consult your company's security team for guidance.

  6. Select Save.

  7. Make note of the Base URI and Token as you will need these to configure the connection in Azure.

Alteryx Server SCIM Configuration Example

Configure Azure

  1. Sign in to the Azure Portal.

  2. If you do not already have an Application created for Alteryx Server, select Enterprise applications.

    1. Select +New application.

    2. Select +Create your own application.

    3. In the right-hand panel, enter a name for the application, such as “Alteryx Server”.

    4. Select Integrate any other application you don’t find in the gallery (Non-gallery).

    5. Select Create.

    6. Once the app is created, select Single sign-on and configure the app for SAML. Use Configuring SAML 2.0 on Alteryx Server for Azure AD for details.

  3. Once you have an application created for Alteryx Server, navigate to that application.

  4. Select Provisioning.

    1. Select Automatic for the Provisioning Mode.

    2. For Tenant URL, enter the Base URI you noted in the Enable SCIM Support section (for example, https://host.domain.tld/webapi/scim/v2).

    3. For Secret Token, enter the Token you noted in the Enable SCIM Support section.

    4. Select Test Connection to confirm Azure can connect to Alteryx Server.

      1. If the connection test fails:

        Note

        While SAML sign in might work by default as this involves internal to public communication from a user, this does not mean that your Azure instance has direct line-of-site to your Alteryx Server instance (which requires successful communication from Azure’s public cloud to a private network) required for SCIM to function properly.

        If you get the error "An error occurred while sending the request.", please review the below options to ensure proper communication between these systems.

        • Ensure you have entered the correct URL and Token.

        • Consult your network and security teams to ensure network connectivity between Alteryx Server and Azure is allowed.

        • If you cannot allow Azure to connect directly to Alteryx Server, you might be able to use the Azure's provisioning agent instead of this configuration. Please consult with your Azure administrator and Azure AD on-premises application provisioning to SCIM-enabled apps for details.

          Azure Provisioning Configuration Example

Provisioning Users and Groups

  1. Log in to the Azure Portal.

  2. Navigate to the application you created for Alteryx Server in the Configure Azure section.

  3. Select Users and Groups.

    Azure Users and groups
  4. Select +Add user/group.

  5. In the right-hand panel, use search to find and select the users and groups you want to add.

  6. The selected users and groups appear in the lower section of the panel.

    Azure User Search Panel
  7. To finalize your selection, choose the Select button at the bottom of the panel.

  8. This returns you to the Users and Groups page with a list of the users and groups associated with the application.

  9. Select Provisioning.

  10. Select Start provisioning to enable provisioning. This starts the incremental provisioning cycle with which Azure synchronizes users and groups with Alteryx Server. Any changes to users or groups in Azure are reflected in Server when this sync completes. Azure can take up to 40 minutes to synchronize changes.

    Azure Provisioning Configuration

Confirm Successful Synchronization

  1. Wait at least 40 minutes to ensure Azure goes through a provisioning cycle.

  2. Sign in to Alteryx Server as a Curator (Server admin).

  3. Navigate to Admin > Users.

  4. Confirm that the users and groups provisioned in Azure have been successfully created or updated in Server.