Set Up Gallery Authentication

Version:
Current
Last modified: September 24, 2020

Configure the authentication method you want to use to manage Gallery access on the System SettingsGallery Authentication page.

Start by selecting the authentication method you want to use for your Server. Then, see the setup steps for your selected method.

Select Your Authentication Type

Server supports built-in authentication, integrated Windows authentication with or without Kerberos support, and SAML authentication.

  • Built-in: Allows users to access the Gallery using an email address and password.
  • Integrated Windows authentication: Allows users to access the Gallery with internal network credentials.
  • Integrated Windows authentication with Kerberos: Allows users to access the Gallery with internal network credentials using Kerberos authentication protocols.
  • SAML authentication: Allows users to access the Gallery with Identity Provider (IDP) credentials.
    Screenshot of Authentication Type on System Settings > Gallery Authentication screen

Server doesn't support changing the authentication type after configuration. Doing so might compromise Gallery functionality.

Complete the Set Up for Your Selected Authentication Type

The set up for each authentication type varies. Select your selected authentication type for steps to complete the setup.

Set Up Built-in Authentication

Step 1. Set a Default Gallery Administrator for Built-in Authentication

After selecting Built-in authentication, create a Default Gallery Administrator at the bottom of the Gallery Authentication page. The Gallery administrator manages users, workflows, and more. For Built-in authentication, enter the administrator's email address.

 

Complete the remaining screens in System Settings (see Gallery and Engine for more info on these screens), and select Finish.

Step 2. Finish the Gallery Administrator Account Creation

  1. To complete the creation of the Gallery administrator account, go to the sign-in page of the Gallery. To do so, select the link to the Gallery shown on the System Settings > Status page or enter the URL to the Gallery in your internet browser.
  2. Select Sign In.
  3. On the sign-in page, select Don't have an account? Create one now.
  4. Enter a First Name and Last Name, and select a timezone from the drop-down menu.
  5. In Email, enter the email address that you provided for the Default Gallery Administrator on the System SettingsGallery Authentication page. 
  6. In Password, create an account password. 
  7. Select Sign Up.

You are now logged in as the Gallery administrator. The credentials you entered in the sign-up form are saved as your credentials going forward. You are now ready to add Gallery users. See Add Gallery Users

Set Up Integrated Windows Authentication

Step 1. Set a Default Gallery Administrator for Built-in Authentication

After selecting Integrated Windows authentication, create a Default Gallery Administrator at the bottom of the Gallery Authentication page. The Gallery administrator manages users, workflows, and more. For Integrated Windows authentication, enter the user account in this format: domain\username.

Complete the remaining screens in System Settings (see Gallery and Engine for more info on these screens), and select Finish.

Step 2. Access the Gallery

The default Gallery administrator can now access the Gallery. To do so, select the link to the Gallery shown on the System Settings > Status page or enter the URL to the Gallery in your internet browser. You are now logged in as the Gallery administrator and ready to add Gallery users. See Add Gallery Users

Multi-domain support

Server supports multiple domains for Windows authentication. You do not need to configure anything in Server to enable this, but these capabilities and permissions have to be present across the domains.

  • The domain the Gallery runs on needs to have the same trust policy as other domain users so Active Directory can resolve and determine user permissions.
  • Both domains need to be part of the same forest.
  • The Alteryx service needs to be able to read all attributes from CN=Users and CN=Computers containers for both domains. The Alteryx service runs under the local system account on the server it is installed on. If you define a dedicated service account instead of using the local system. The account needs permission to read all attributes from both containers to enable authentication for both domains.
Set Up SAML Authentication

To configure SAML authentication for Single Sign On (SSO), your Identity Provider (IDP) has to support SAML.

Before configuring SAML authentication for the Gallery, you have to add Server as a Service Provider in the IDP. The IDP might need...

  • the ACS Base URL (for example, http://localhost/aas/Saml2/Acs).
  • the SP Entity ID (for example, http://localhost/aas/Saml2).
  • The IDP might also require that you map email, firstName, and lastName attribute statements to corresponding fields in the IDP to authenticate users.
  1. Select an option for obtaining metadata required by the IDP. You can configure SAML using an IDP Metadata URL or an X509 certificate and IDP SSO URL.

  2. Complete the SAML IDP Configuration.

    • ACS Base URL: The URL for the Assertion Consumer Service that accepts SAML messages to establish a session.
    • IDP URL: The URL for the Alteryx application configured in the IDP, also known as, the IDP Entity ID.
    • IDP Metadata URL: The URL provided by the IDP that includes the IDP SSO URL and the X509 certificate for configuring the Alteryx Authentication Service.
    • IDP SSO URL: The SSO URL, provided by the IDP, that the Alteryx Authentication Service uses to log into the IDP.
    • X509 certificate: The public certificate provided by the IDP for secure communication with the Alteryx Authentication Service.
    • Verify IDP: Select to open a browser window, log in, test the IDP configuration, and set the default Gallery administrator.

Set a Default Gallery Administrator for SAML

A Gallery administrator account has to be created to administer the site (manage users, workflows, and more). For SAML authentication, select Verify IDP to test the IDP configuration and populate the field with IDP credentials.

 

You are now logged in as the Gallery administrator. You are now ready to add Gallery users. See Add Gallery Users. . 

Was This Helpful?

Running into problems or issues with your Alteryx product? Visit the Alteryx Community or contact support.