The Designer Cloud Powered by Trifacta® platform can be configured to provide single sign-on (SSO) logins with Active Directory/Lightweight Directory Access Protocol (AD/LDAP). These steps allow you to enable auto-provisioning of new users to the platform if they can authenticate through LDAP.
- If auto-provisioning is not desired, after completing the basic configuration, you can disable auto-provisioning using the steps listed in the Advanced Configuration section.
- Single Sign-On (SSO) authentication enables users to authenticate one time to access multiple systems. The SSO platform must translate its authentication into authentication methods executed against each system under SSO control. For more information, see https://en.wikipedia.org/wiki/Single_sign-on.
- When enabled, SSO also applies to the Wrangler Enterprise desktop application, if it is installed.
Pre-Requisites
- You have already installed the Designer Cloud Powered by Trifacta platform.
- Your enterprise uses AD/LDAP for User Identity and Authentication.
You have the following required pieces of information available:
- The host and port of the AD/LDAP server against which to authenticate
- The base DN
- The bind DN and password
Verification for SSO
Before you enable SSO, you can use the following steps to verify that the Designer Cloud Powered by Trifacta platform is able to communicate with LDAP with the information provided by your LDAP administrator.
Steps:
- If you have not done so already, verify that you have the required pieces of LDAP information. See the previous section.
To verify the above information, execute the following command:
ldapsearch -H ldaps://<LDAP_SERVER_HOSTNAME>:<PORT> -x -b '<BASE_DN>' -D '<BIND_DN>' -w '<BIND_PASSWORD>' '(objectClass=*)' ['<attribute-name>'] | less
NOTE: Be sure to use single quotes (') in your command.
where:
Parameter | Description |
---|---|
ldap(s)://<LDAP_SERVER_HOSTNAME>:<PORT> | Hostname and port number of the LDAP server, as provided by your LDAP administrator. Please use ldaps as the protocol, so that the bind credentials and directory contents are not sent in cleartext. |
<BASE_DN> | Base DN value provided by your LDAP administrator |
<BIND_DN> | Bind DN value provided by your LDAP administrator |
<BIND_PASSWORD> | Bind password value provided by your LDAP administrator. Note that -w places the password on the command line, where it is visible in the process list and in shell history; use -W instead to be prompted for it. |
(objectClass=*) | Please include this string value. |
<attribute-name> | (Optional) One or more attribute names, separated by spaces, to return from the LDAP server. |
\| less | (Optional) Pipes lengthy output to a page-by-page display tool. |
Anonymous binding: In the unlikely event that the LDAP server supports anonymous binding, the BIND_DN and BIND_PASSWORD values are not required, as in the following command:
ldapsearch -H ldaps://<LDAP_SERVER_HOSTNAME>:<PORT> -x -b '<BASE_DN>' '(objectClass=*)' ['<attribute-name>'] | less
Output:
- Success: The entire LDAP sub-tree is piped to the less tool for display.
- Failure: You have entered incorrect LDAP connection information. Please review the values and contact your LDAP administrator if needed.
Attribute Mapping
To provision users, the Designer Cloud Powered by Trifacta platform requires user profile information from attributes. The default SSO configuration template uses the following mapping:
Platform User Profile Field | Default AD attribute | Default LDAP attribute |
---|---|---|
email address | userPrincipalName | mail |
sso-principal | uid | uid |
hadoop-principal | uid | uid |
userName | sAMAccountName | cn |
The following is an example output of ldapsearch:
# jguy, Users, 56bb81bb6782d97b5c37b0cb, example.com
dn: uid=jguy,ou=Users,o=56bb81bb6782d97b5c37b0cb,dc=example,dc=com
sn: Joe
cn: Joe Guy
objectClass: top
loginShell: /bin/bash
homeDirectory: /home/jguy
uid: jguy
gidNumber: 5143
mail: jguy@example.com
givenName: Joe
In the above output, the cn, uid and mail attributes from LDAP are used by the platform. In this case, the sso-principal (uid), email address (mail), and userName (cn) attributes are correct for Designer Cloud Powered by Trifacta platform use.
NOTE: If your output from ldapsearch indicates that you must use non-default attributes, you must modify the configuration template. Replace all references to the old attributes with the corresponding new ones.
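As an added example (not part of the Designer Cloud/Trifacta documentation or product), the following shell script takes ldapsearch output in LDIF form and reports, per entry, which of the attributes the default mapping relies on are absent: uid, cn and mail in LDAP mode, or userPrincipalName, sAMAccountName and uid in Active Directory mode. It serves both the verification step above and the attribute mapping table. The LDIF is embedded so the script runs offline: the first entry is the example above, the second is a constructed AD-style entry; the check_entry_attrs function, the temporary directory and the attribute lists are the example's own.

```shell
#!/bin/sh
# Added example (not from the Designer Cloud/Trifacta docs or product): check that the
# entries returned by ldapsearch carry the attributes the platform's default mapping
# needs, before SSO is switched on. Real input would come from, for instance:
#   ldapsearch -LLL -H ldaps://host:636 -x -b 'dc=example,dc=com' -D 'cn=bind,...' -W \
#     '(objectClass=*)' uid cn mail userPrincipalName sAMAccountName > users.ldif

WORK=$(mktemp -d)
# Embedded sample: first entry copied from the example output above, second entry is a
# constructed AD-style entry (has sAMAccountName/userPrincipalName, lacks mail).
cat > "$WORK/users.ldif" <<'EOF'
# jguy, Users, 56bb81bb6782d97b5c37b0cb, example.com
dn: uid=jguy,ou=Users,o=56bb81bb6782d97b5c37b0cb,dc=example,dc=com
sn: Joe
cn: Joe Guy
objectClass: top
loginShell: /bin/bash
homeDirectory: /home/jguy
uid: jguy
gidNumber: 5143
mail: jguy@example.com
givenName: Joe

# constructed AD-style entry
dn: CN=Ann Admin,OU=Users,DC=corp,DC=example,DC=com
objectClass: user
cn: Ann Admin
sAMAccountName: aadmin
userPrincipalName: aadmin@corp.example.com
uid: aadmin
EOF

# check_entry_attrs LDIF_FILE ATTR...: for every entry in LDIF_FILE, print the DN and the
# listed attributes it lacks (names compared case-insensitively, as LDAP does).
# Returns 0 when every entry has every attribute, 1 otherwise.
check_entry_attrs() {
  ldif=$1; shift
  awk -v want="$*" '
    BEGIN { n = split(want, names, " "); for (i = 1; i <= n; i++) keys[i] = tolower(names[i]) }
    function report(   i, miss) {
      if (dn == "") return
      miss = ""
      for (i = 1; i <= n; i++) if (!(keys[i] in seen)) miss = miss " " names[i]
      if (miss != "") { printf "%s: missing%s\n", dn, miss; bad = 1 }
      dn = ""; split("", seen)
    }
    /^#/ { next }                     # ldapsearch comment lines
    /^$/ { report(); next }           # a blank line ends an entry
    /^dn: / { dn = substr($0, 5); next }
    /^[^ :]+::? / { split($0, kv, ":"); seen[tolower(kv[1])] = 1 }   # "attr: v" or "attr:: base64"
    END { report(); exit bad }
  ' "$ldif"
}

echo "LDAP-mode defaults (uid cn mail):"
check_entry_attrs "$WORK/users.ldif" uid cn mail || echo "-> some entries do not fit the LDAP defaults"
echo "AD-mode defaults (userPrincipalName sAMAccountName uid):"
check_entry_attrs "$WORK/users.ldif" userPrincipalName sAMAccountName uid || echo "-> some entries do not fit the AD defaults"
```

Run the real ldapsearch with -LLL (plain LDIF without comments or version line) and the attribute names from the table, redirect the output to a file, then call check_entry_attrs on it with the list for the mode you intend to enable. Any entry reported as missing an attribute is a sign that the default mapping does not fit your directory, which is the situation the NOTE above addresses by switching the template to non-default attributes.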
Limitations
NOTE: With SSO enabled, admin users may need to use the impersonated user named by hadoop.user.principal (default: trifacta) to access any custom dictionaries that have been created.
Configure SSO for the Platform
Steps:
- Edit the following file:
/opt/trifacta/pkg3p/tripache/conf/conf.d/trifacta.conf
- Add values for your LDAP environment for the following settings. For an Active Directory configuration, remove the comment from the first Define line (ACTIVE_DIRECTORY) and specify appropriate values for the remaining Define lines:
##################################################################################
# Basic : LDAP Configuration
#
# Active Directory Mode. Uncomment below to enable Active Directory compatibility
# Define ACTIVE_DIRECTORY "1"
Define TF_LDAP_SERVER "ldap://SERVER:PORT"
Define TF_LDAP_BASE_DN "<BASE_DN>"
Define TF_LDAP_BIND_DN "<BIND_DN>"
Define TF_LDAP_BIND_PASSWORD "<BIND_PASSWORD>"
NOTE: Use the values that succeeded in the ldapsearch verification above, and prefer ldaps:// for TF_LDAP_SERVER as in that step, so that the bind password and user lookups are not sent in cleartext. The bind password is stored in this file in plain text; restrict read access to the file accordingly.
- By default, SSO access occurs over port 2443. If needed, you can set the port number for user access in the following setting:
<VirtualHost *:2443>
NOTE: This value should not be set to any value that conflicts with other ports in use by the Alteryx Server. For more information, see System Ports.
NOTE: To complete the configuration to change the listening port, additional configuration is required after you complete this section. Instructions are in the following section.
- Save the file.
- Enable SSO in the platform configuration. Administrators can apply this configuration change through the Admin Settings Page in the application. If the application is not available, the settings are available in trifacta-conf.json. For more information, see Platform Configuration Methods. Set the following parameter:
"webapp.sso.enable": true,
- Save your changes.
- Create an admin account. You can either:
  - Connect to the application using an AD-linked ID. The first AD account to connect to the application is auto-registered as an admin account. Because whoever signs in first becomes an administrator, sign in with the intended admin account before the SSO URL is shared with other users.
  - Define an admin user under SSO. For more information, see Create Admin Account.
- Restart the platform. See Start and Stop the Platform.
Change Listening Port for SSO
By default, SSO access uses port number 2443. If you need to change that listening port, please complete the following steps.
NOTE: Please make sure that the listening port is not set to a value that conflicts with any of the other listening ports in use by the platform. For more information, see System Ports.
Steps:
- If you have not done so already, in trifacta.conf, set the VirtualHost value to the appropriate port number. See the previous section.
- Edit the following file:
/opt/trifacta/pkg3p/tripache/conf/conf.d/httpd.conf
- Locate the following entries:
#Listen 12.34.56.78:80
Listen 2443
- Change the value 2443 to the value you set in trifacta.conf. The Listen port in httpd.conf and the VirtualHost port in trifacta.conf must match; otherwise Apache does not accept connections on the new port, or the SSO virtual host is not the one served on the port that is open.
- Save the file.
- Perform any other necessary configuration before restarting the platform.
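As an added example (not from the Designer Cloud/Trifacta documentation or product), the following shell functions check the one thing this section asks for: that the port in the <VirtualHost *:PORT> line of trifacta.conf is one that httpd.conf actually has a Listen directive for. The two configuration files are constructed samples written to a temporary directory so the script runs offline; the function names and the port 3443 are the example's own.

```shell
#!/bin/sh
# Added example (not from the Designer Cloud/Trifacta docs or product): verify that the
# SSO port in trifacta.conf (<VirtualHost *:PORT>) is one that httpd.conf listens on.
# The two files below are constructed samples; point the functions at the real files
# under /opt/trifacta/pkg3p/tripache/conf/conf.d/ instead.

CONFDIR=$(mktemp -d)
cat > "$CONFDIR/trifacta.conf" <<'EOF'
Define TF_LDAP_SERVER "ldaps://ldap.example.com:636"
<VirtualHost *:3443>
    ServerName wrangler.example.com
</VirtualHost>
EOF
cat > "$CONFDIR/httpd.conf" <<'EOF'
#Listen 12.34.56.78:80
Listen 3443
EOF

# vhost_port FILE: port of the first uncommented <VirtualHost *:PORT> directive
vhost_port() {
  sed -n 's/^[[:space:]]*<VirtualHost[[:space:]]*\*:\([0-9][0-9]*\)>.*/\1/p' "$1" | head -n 1
}

# listen_ports FILE: ports of all uncommented Listen directives, given either as
# "Listen PORT" or "Listen A.B.C.D:PORT" (IPv6 bracket forms are not handled here)
listen_ports() {
  sed -n 's/^[[:space:]]*Listen[[:space:]][[:space:]]*\([0-9.]*:\)*\([0-9][0-9]*\).*/\2/p' "$1"
}

# check_sso_ports TRIFACTA_CONF HTTPD_CONF: return 0 if httpd.conf listens on the
# VirtualHost port, 1 (with a message on stderr) otherwise
check_sso_ports() {
  vp=$(vhost_port "$1")
  if [ -z "$vp" ]; then
    echo "no <VirtualHost *:PORT> found in $1" >&2
    return 1
  fi
  for lp in $(listen_ports "$2"); do
    [ "$lp" = "$vp" ] && return 0
  done
  echo "VirtualHost port $vp in $1 has no matching Listen directive in $2" >&2
  return 1
}

if check_sso_ports "$CONFDIR/trifacta.conf" "$CONFDIR/httpd.conf"; then
  echo "SSO port $(vhost_port "$CONFDIR/trifacta.conf") is consistent across both files"
fi
```

Run check_sso_ports against the real trifacta.conf and httpd.conf before restarting. It ignores commented-out directives, accepts Listen lines with or without an address, and does not parse IPv6 bracket forms. It also does not tell you whether the chosen port collides with another platform service; compare it against the System Ports list for that.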
User Management
Configure auto-registration
Tip: By default, user auto-registration is enabled. It is recommended.
How users are managed depends on whether auto-registration is enabled:
- If auto-registration is enabled, after users provide their credentials, the account is automatically created for them.
- If auto-registration is disabled, an Alteryx administrator must still provision a user account before it is available. See below.
Enabled:
After SSO with auto-registration has been enabled, you can still manage users through the Admin Settings page, with the following provisions:
- The Designer Cloud Powered by Trifacta platform does not recheck for attribute values on each login. If attribute values change in LDAP, they must be updated in the User Management page, or the user must be deleted and recreated through auto-provisioning.
- If the user has been removed from AD, the user cannot sign in to the platform.
- If you need to remove a user from the platform, you should consider just disabling the user through the User Management area.
For more information, see Manage Users.
Disabled:
To disable auto-provisioning in the platform, set the following property:
- You can apply this change through the Admin Settings Page (recommended) or trifacta-conf.json. For more information, see Platform Configuration Methods. Set the following property:
"webapp.sso.enableAutoRegistration" : false,
- Save your changes and restart the platform.
- New users of the Designer Cloud Powered by Trifacta platform must be provisioned by an Alteryx administrator. See below.
SSO user management through the CLI
You can manage user accounts for SSO environments through the Alteryx command line interface. For more information, see CLI for User Admin.
Provision new users under SSO without auto-registration
If SSO auto-registration is disabled, admin users can provision new users of the platform through the following URL:
https://<hostname>:<sso_port_number>/register
where:
- <hostname> is the host of the Alteryx Server
- <sso_port_number> is the port number that you defined in the trifacta.conf file to use for access to the proxy server on the Alteryx Server. By default, this value is 2443.
The user's password is unnecessary in an SSO environment. You must provide the SSO principal value, which is typically the Active Directory login for the user.
- If you are connected to a Hadoop cluster, you must provision the Hadoop principal value.
- See Create User Account.
Advanced Configuration
Customize authentication form
When SSO is enabled, the default form presented to users who are authenticating is very plain. If desired, you can customize the form using the following steps.
Steps:
- Modify the following file on the Alteryx node to suit your style for the login screen:
/opt/trifacta/pkg3p/tripache/htdocs/login.html
NOTE: Do not modify the names of the form fields or the form action.
- Edit the following file:
/opt/trifacta/pkg3p/tripache/conf/conf.d/trifacta.conf
- Uncomment the line that contains the following:
Define FORM_AUTH "1"
- Restart the platform.
- Test the login page.
LDAP filtering
User access can be limited based on AD/LDAP attributes. Typical scenarios restrict access based on membership of a group or value of an attribute.
- The SSO template configuration contains example filters, which are commented out by default.
- For more information, see https://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html#requiredirectives.
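As an added illustration (not the text of the shipped template), the following Apache configuration fragment shows the two typical restrictions mentioned above, group membership and an attribute value, expressed with mod_authnz_ldap directives, plus an Active Directory filter that refuses disabled accounts. It belongs inside the authenticated block of trifacta.conf where the template's commented example filters live; the group DN, the attribute value and the filter are placeholders for your own directory, and the directive names follow the Apache 2.4 mod_authnz_ldap documentation linked above.

```apache
# Added example of mod_authnz_ldap access restrictions; not the shipped template's text.
# Place inside the SSO <Location>/<Directory> block in trifacta.conf that already carries
# AuthLDAPURL and the TF_LDAP_BIND_* credentials. Group DN, attribute value and the
# Active Directory filter are placeholders.

<RequireAll>
    # 1. Group membership: mod_authnz_ldap fetches the group entry and checks whether the
    #    authenticated user's DN appears in its member/uniqueMember attribute (the defaults
    #    of AuthLDAPGroupAttribute, with AuthLDAPGroupAttributeIsDN on). The bind DN must be
    #    allowed to read the group entry; nested groups are followed only as far as
    #    AuthLDAPMaxSubGroupDepth permits.
    Require ldap-group CN=wrangler-users,OU=Groups,DC=example,DC=com

    # 2. Attribute value: compared against the user's own entry. Quote values with spaces.
    Require ldap-attribute department="Data Engineering"

    # 3. Arbitrary filter (Active Directory): reject accounts whose userAccountControl has
    #    the ACCOUNTDISABLE bit (0x2) set, via the LDAP_MATCHING_RULE_BIT_AND OID.
    #    mod_authnz_ldap adds its own outer parentheses around the expression.
    Require ldap-filter !(userAccountControl:1.2.840.113556.1.4.803:=2)
</RequireAll>
```

All three conditions must hold because they sit inside <RequireAll>; several Require lines placed directly in the block would instead be combined with OR (RequireAny semantics), which is rarely what an access restriction intends. Apache evaluates these rules at every sign-in, so a user removed from the group is refused at the proxy even though the platform keeps their account, in line with the user-management notes above.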
User Access
Users access the application through the Alteryx Server using the standard hostname and the port that you specified in the proxy server configuration. By default, the port number is 2443:
https://<hostname>:<sso_port_number>
NOTE: All users must use this URL to access the Designer Cloud application. If they use the non-SSO URL, they may receive an Unprovisioned User error.