Skip to main content

Configure SSO for Azure AD

When the Designer Cloud Powered by Trifacta platform is deployed on Azure, it can be configured to provide single sign-on (SSO) with Azure AD (Active Directory) authentication management. Use this section to enable auto-logins for Azure users.

  • If auto-provisioning is not desired, after completing the basic configuration, you can disable auto-provisioning using the steps listed in the Advanced Configuration section.

  • Single Sign-On (SSO) authentication enables users to authenticate one time to access multiple systems. The SSO platform must translate its authentication into authentication methods executed against each system under SSO control. For more information, see https://en.wikipedia.org/wiki/Single_sign-on.

Supported authentication models:

Users can authenticate with the Designer Cloud Powered by Trifacta platform using Azure AD accounts in the following scenarios:

  • Azure AD is the identity provider,

  • Azure AD is federated through a trust setup with a supported external identity provider,

  • Azure AD is federated with on-premises Active Directory and Active Directory Federation Services (ADFS).

Azure Data Lake Store: Users can obtain OAuth access and refresh tokens from AzureAD and use the tokens to access.

Azure Databricks Clusters: If you have integrated with an Azure Databricks cluster, please complete this configuration to enable SSO authentication for Azure. No additional configuration is required to enable SSO for Azure Databricks.

Prerequisites

  1. You have installed the Designer Cloud Powered by Trifacta platform on Microsoft Azure. See Install for Azure.

  2. You have performed the basic configuration for Azure integration. See Configure for Azure.

  3. Your enterprise uses Azure SSO for User Identity and Authentication.

  4. The Designer Cloud Powered by Trifacta platform must be registered as a Service Provider in your Azure AD tenant.

  5. Please acquire the following Service Provider properties:

    1. The Service Provider Application ID (Client ID) and Key (Secret) are used for user authentication to the Azure Key Vault, Azure AD, and Azure Data Lake Store (if connected). These properties are specified in the Designer Cloud Powered by Trifacta platform as part of the basic Azure configuration.

      Note

      The Designer Cloud Powered by Trifacta platform must be assigned the Reader role for the Azure Key Vault. Other permissions are also required. See the Azure Key Vault Permissions section below.

    2. The Service Provider Reply URL provides the redirect URL after the user has authenticated with Azure AD.

    3. The Service Provider should be granted Delegated permissions to the Windows Azure Service Management API so it can access Azure Service Management as organization users.

Limitations

Scheduled jobs are run under the access keys for the user who initially created the schedule. They continue to run as scheduled until those keys are explicitly revoked by an admin.

Note

With Azure SSO enabled, use of custom dictionaries is not supported.

Configure Azure AD for Designer Cloud Powered by Trifacta platform

Please verify or perform the following configurations through Azure.

Azure Key Vault Permissions

For the Azure Key Vault:

  • The Alteryx application must be assigned the Reader permission to the key vault.

  • For the Key Vault Secrets, the application must be assigned the Set, Get, and Delete permissions.

Configure Designer Cloud Powered by Trifacta platform for Azure AD

Azure AD Properties

Please configure the following properties.

You can apply this change through the Admin Settings Page (recommended) or trifacta-conf.json. For more information, see Platform Configuration Methods.

Property

Description

azure.sso.enabled

Set this value to true to enable Azure AD Single Sign-On. The Designer Cloud Powered by Trifacta platform authenticates users through enterprise Azure AD.

azure.sso.redirectUrl

Set this value to the redirect URL callback configured for this Azure AD application in the Azure portal. The URL is in the following format:

https://<trifacta-app-host>/sign-in/azureCallback

azure.sso.allowHttpForRedirectUrl

When true, the redirectUrl can be specified as an insecure, non-HTTPS value. Default is false.

azure.sso.enableAutoRegistration

Set this value to true to enable SSO users to automatically register and login to the Alteryx application when they connect.

azure.resourceURL

This value defines the Azure AD resource for which to obtain an access token.

Note

By default, this value ishttps://graph.windows.net/. You can select other values from the drop-down in the Admin Settings page.

When using Azure Data Lake:

  1. In the Azure Portal, grant to the Alteryx application ID the Azure Data Lake API permission.

  2. Set this value to https://datalake.azure.net/ .

  3. Sign out of the Trifacta Application and sign in again.

Configure Azure Active Directory endpoint and authority

By default, the Designer Cloud Powered by Trifacta platform uses the public Azure AD endpoint for brokering single sign-on requests. As needed, you can configure the platform to submit these requests to a different authority., such as Azure Gov Cloud.

You can apply this change through the Admin Settings Page (recommended) or trifacta-conf.json. For more information, see Platform Configuration Methods.

Property

Description

azure.AADEndpoint

Azure Active Directory endpoint and authority.

  • Defaults to the Azure public commercial endpoint: login.microsoftonline.com.

  • Value must include a hostname with no protocol, port, or path.

  • Do not include any slashes.

Configure session timeout page

By default under SSO, manual logout and session expiration logout redirect to different pages. Manual logout directs you to SAML sign out, and session expiry produces a session expired page.

If desired, you can redirect the user to a different URL on session expiry:

Steps:

  1. You can apply this change through the Admin Settings Page (recommended) or trifacta-conf.json. For more information, see Platform Configuration Methods.

  2. Specify the URL of the page to which you wish to redirect users after a session has timed out:

    "webapp.session.redirectUriOnExpiry": "<myPreferredSessionExpiryURL>",

  3. Save your changes and restart the platform.

User Management

Tip

After SSO is enabled, the first AD user to connect to the platform is automatically registered as an admin user.

Configure auto-registration

Enabling auto-registration:

Auto-registration must be enabled for the Designer Cloud Powered by Trifacta platform and for Azure AD SSO specifically.

You can apply this change through the Admin Settings Page (recommended) or trifacta-conf.json. For more information, see Platform Configuration Methods.

Property

Description

webapp.sso.enableAutoRegistration

This property enables or disables auto-registration in the Designer Cloud Powered by Trifacta platform. Set this value to true.

azure.sso.enableAutoRegistration

Set this value to true. For more information, see Azure AD Properties above.

How users are managed depends on whether auto-registration is enabled:

  • If auto-registration is enabled, after users provide their credentials, the account is automatically created for them.

  • If auto-registration is disabled, a Alteryx administrator must still provision a user account before it is available. See below.

Enabled:

After SSO with auto-registration has been enabled, you can still manage users through the Users page, with the following provisions:

  • The Designer Cloud Powered by Trifacta platform does not recheck for attribute values on each login. If attribute values change in LDAP, they must be updated in the Trifacta Application, or the user must be deleted and recreated through auto-provisioning.

  • If the user has been removed from AD, the user cannot sign in to the platform.

  • If you need to remove a user from the platform, you should consider just disabling the user.

For more information, see Users Page.

Disabled:

To disable auto-provisioning in the platform, please verify the following property:

  1. You can apply this change through the Admin Settings Page (recommended) or trifacta-conf.json. For more information, see Platform Configuration Methods.

  2. Set the following property:

    "webapp.sso.enableAutoRegistration" : false,

  3. Save your changes and restart the platform.

  4. New users of the Designer Cloud Powered by Trifacta platform must be provisioned by a Alteryx administrator. See below.

Provision new users under SSO without auto-registration

If SSO auto-registration is disabled, admin users can provision new users of the platform through the following URL:

https://<hostname>/register
http://<host_name>:<port_number>/register

  • The user's password is unnecessary in an SSO environment. You must provide the SSO principal value, which is typically the Active Directory login for the user.

  • If you are connected to a Hadoop cluster, you must provision the Hadoop principal value.

  • See Create User Account.

  • Admin accounts can be created through the application. See Create Admin Account.

Disable user

Warning

If a user has been disabled in Azure AD, a Alteryx administrator must disable the user in the Trifacta Application. Otherwise, the user can still access the Trifacta Application until the user's access token expires.

For more information on disabling user accounts, see Users Page.

User Access

Users access the application through the Alteryx login page:

https://<hostname>

SSO Relational Connections

For more information, see Enable SSO for Azure Relational Connections.

In this section: