Azure SSO Setup Guide (OIDC)

Use this guide to enable Single Sign-On (SSO) using the OIDC protocol for an individual Alteryx Analytics Cloud (AAC) workspace using Microsoft Entra (Azure AD).

Required Permissions

To enable SSO with Azure, you must satisfy these requirements:

  • Be a user on a Professional or Enterprise AAC plan.

  • Have a Workspace Admin role assigned to you.

  • Have administrative access in the target Azure instance.

Azure AD Setup

Follow these steps to create an Enterprise Application in Azure:

  1. Sign in to your AAC workspace.

  2. Go to Profile menu > Workspace Admin > Single Sign-On.

  3. Under Protocol, select OIDC.

  4. Note and copy the prepopulated Callback URL. You will use this later.

  5. Sign in to your Azure Portal as an administrator.

  6. Go to the Applications > App Registration page.

  7. Select New Registration.

  8. In the Name field, enter a name for your app. For example, the name of your AAC workspace.

  9. In the Redirect URI dropdown, select Web and then enter the Callback URL you copied from AAC in the adjacent box.

  10. Select Register.

  11. Note and copy your Application (Client) ID. You will use this later.

  12. Go to your application’s Authentication page.

  13. Check the boxes next to Access Tokens and ID Tokens.

  14. Go to your application’s Add a Certificate > Secrets page.

  15. Select New Client Secret.

  16. In the Description field, enter a description of your app. For example, the name of your AAC workspace.

  17. Select Add.

  18. Note and copy your client secret’s Value. You will use this later.

  19. Go to your application’s API Permissions page.

  20. Select Add a permission.

  21. Select Microsoft Graph.

  22. Select Delegated permissions.

  23. Check the boxes next to email, openid, and profile.

  24. Select Add permissions.

Note

For more information on Azure OIDC, go to Microsoft's documentation.

AAC SSO Setup

Return to your AAC workspace and then follow these steps:

Configure SSO

  1. Go to Profile menu > Workspace Admin > Single Sign-On.

  2. Under Protocol, select OIDC.

  3. In the Client ID field, enter the Application (Client) ID you copied from your Azure account.

  4. In the Client Secret field, enter your client secret’s Value you copied from your Azure account.

  5. In the Email Mapping OIDC Attribute field, enter this value:

    email

  6. In the Discovery Endpoint field, enter this value if you are using a single tenant:

    https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration

    Otherwise, enter this value:

    https://login.microsoftonline.com/[YOUR TENANT ID]/v2.0/.well-known/openid-configuration

  7. Next to the Discovery Endpoint field, select Import From URL. The rest of the fields will auto-populate.

  8. Select Save.
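
Before selecting Import From URL in step 7, the discovery document behind the Discovery Endpoint can be checked offline. This is an added example, not Alteryx or Microsoft code: `check_discovery`, the all-zero tenant ID and the embedded document are constructed for illustration. It flags a non-HTTPS or off-host endpoint, a missing `openid`, `email` or `profile` scope, and an issuer that does not pin the tenant named in the URL.

```python
import json
from urllib.parse import urlparse

TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder tenant ID (assumption)
BASE = f"https://login.microsoftonline.com/{TENANT}"
# Constructed sample of a tenant-specific discovery document, not a live response.
SAMPLE_DOC = json.dumps({
    "issuer": f"{BASE}/v2.0",
    "authorization_endpoint": f"{BASE}/oauth2/v2.0/authorize",
    "token_endpoint": f"{BASE}/oauth2/v2.0/token",
    "jwks_uri": f"{BASE}/discovery/v2.0/keys",
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
})

REQUIRED_SCOPES = {"openid", "email", "profile"}  # permissions added in Azure
IDP_HOST = "login.microsoftonline.com"
SUFFIX = "/v2.0/.well-known/openid-configuration"

def check_discovery(discovery_url, document_json):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    url = urlparse(discovery_url)
    well_formed = url.path.endswith(SUFFIX)
    if url.scheme != "https" or url.hostname != IDP_HOST or not well_formed:
        findings.append("discovery URL is not an https v2.0 endpoint on " + IDP_HOST)
    # Path segment before the suffix: a tenant ID or "common".
    tenant_segment = url.path[: -len(SUFFIX)].strip("/") if well_formed else ""
    doc = json.loads(document_json)
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        endpoint = urlparse(doc.get(key, ""))
        if endpoint.scheme != "https" or endpoint.hostname != IDP_HOST:
            findings.append(f"{key} is missing or not https on {IDP_HOST}")
    missing = REQUIRED_SCOPES - set(doc.get("scopes_supported", []))
    if missing:
        findings.append("scopes not advertised: " + ", ".join(sorted(missing)))
    issuer = doc.get("issuer", "")
    if "{tenantid}" in issuer:
        # The /common document carries a literal {tenantid} template as issuer.
        findings.append("issuer is a {tenantid} template, not pinned to one tenant")
    elif issuer != f"https://{IDP_HOST}/{tenant_segment}/v2.0":
        findings.append("issuer does not match the tenant in the discovery URL")
    return findings

if __name__ == "__main__":
    print(check_discovery(f"{BASE}{SUFFIX}", SAMPLE_DOC) or "all checks passed")
```

To check a real configuration, save the JSON returned by your Discovery Endpoint and pass it as `document_json` together with the URL you intend to enter.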

Test Connection

  1. Select Test Connection. A dialog then opens, prompting you to sign in to verify the integration.

  2. Enter your Azure credentials. The dialog automatically closes if the integration has been verified.

Enable SSO

  1. Select Enable SSO.

  2. Select Confirm. Once enabled, users can only sign in to the workspace using their Azure credentials.