Configure SSO for SAML

The Designer Cloud Powered by Trifacta® platform can be configured to provide single sign-on (SSO) logins with Active Directory/Lightweight Directory Access Protocol (AD/LDAP). These steps allow you to enable auto-provisioning of new users to the platform if they can authenticate through LDAP.

• If auto-provisioning is not desired, after completing the basic configuration, you can disable auto-provisioning using the steps listed in the Advanced Configuration section.
• Single Sign-On (SSO) authentication enables users to authenticate one time to access multiple systems. The SSO platform must translate its authentication into authentication methods executed against each system under SSO control. For more information, see https://en.wikipedia.org/wiki/Single_sign-on.

Do not use this configuration for the following:

• Enterprise LDAP-AD: See Configure SSO for AD-LDAP.
• Azure deployments: See Configure SSO for Azure AD.

Limitations

• SAML 2.0 only. SAML 1.1 is not supported. 

• By default, our SP uses transient NameID format. Not all SAML providers will accept transient. You may have to change the metadata file to use something like the following:

  <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>

Prep

(Optional) Enable HTTPS

If you prefer to have users connect to the platform over HTTPS, you should enable it before completing the SAML setup. For more information, see Install SSL Certificate.

Encryption key requirements

To enable secure auth using SAML, you must deploy the following keys to the Alteryx node. 

Acquire IDP metadata file

From your identity provider, please acquire the public metadata file and transfer it to the Alteryx node.

Notes:

• This file must be hosted on the node.
• If there are changes to the source of this file, a new version of the file must be transferred to the Alteryx node.

Please store the file in the following location:

/opt/trifacta/conf/idp-metadata.xml

After the file is transferred to the Alteryx node, the platform must be made aware of it. These steps are covered below.

Acquire SAML claims from your identity provider

Check the following SAML claims in your identify provider. Verify that it is sending the following pieces of information. Below are the default attributes that are expected by the platform:

<saml: Attribute Name="

Configure SAML for the platform

Please complete the following steps to configure the platform to use your enterprise SAML authentication:

Steps:

1. The following script must be run as the root user.

2. On the Alteryx node, navigate to the following directory:

   cd /opt/trifacta/webapp/bin

3. Execute the following script:

   $ ./saml-sp-metadata-generator.js <hostname>

   where <hostname> is the host value for your Alteryx node. Do not include the protocol identifier (e.g. http://) or the port number as part of this value.

4. The above script outputs the following:

   Tip: The objects, paths, and filenames generated by this script are automatically in place for use by the platform. To use other objects, you must configure the paths in the platform, as described later in this section.

   Item	Description	How to Use
   Signing Private key	Path to generated private key for signing	If the path is the default one and no asset exists there, then the setup script generates the asset for you.
   Signing Certificate	Path to generated certificate for signing	See previous.
   Encryption Private key	Path to generated private key for encryption	See previous.
   Encryption Certificate	Path to generated certificate for encryption	See previous.
   Metadata	Metadata file saml-sp-metadata.xml for your identity provider	See next step.

5. The saml-sp-metadata.xml file in the same directory where you executed the script can be uploaded to your identity provider.
6. Administrators can apply this configuration change through the Admin Settings Page in the application. If the application is not available, the settings are available in trifacta-conf.json. For more information, see Platform Configuration Methods.

7. Configure the following settings:

   Setting	Description	Value
   "webapp.sso.enable"	Enables use of SSO by the Designer Cloud application.	Set this value to false.
   "webapp.sso.disableAuthGateway"	When SSO is enabled, this value should be set to true to disable the use of the reverse proxy server, which is not used in SAML authentication.	Set this value to true.
   "webapp.sso.enableAutoRegistration"	Enables users to auto-register an account with the platform when they connect to the login page.	To enable automatic access with SSO-authenticated users, set this value to true. To require administrator provisioning of user accounts, set this value to false. For more information, see Manage Users under SSO.

8. Enable use of SAML by the Designer Cloud application:

   trifacta-conf.json setting	Description
   "webapp.saml.enabled"	Set this value to true.
   "webapp.saml.server.entityId"	Set this value to the URI of the enterprise SAML server.

9. If your identity provider is sending attribute values that differ from the values expected by the platform, please configure those values in the following properties:

   trifacta-conf.json setting	Description	SAML attribute
   "webapp.saml.mapping.ssoPrincipal"	SAML profile attribute that defines a user's SSO principal. Spaces are not supported.	userPrincipalName
   "webapp.saml.mapping.name"	SAML profile attribute that defines a user's name.	name
   "webapp.saml.mapping.hadoopPrincipal"	SAML profile attribute that defines a user's Hadoop principal. Spaces are not supported.	userPrincipalName
   "webapp.saml.mapping.email"	SAML profile attribute that defines a user's email.	mail

10. Configure the path to IDP metadata file, which you should have already downloaded to the Alteryx node. 

    Tip: Unless you wish to move the file to a different directory, this value does not need to be changed.

    trifacta-conf.json setting	Description
    "webapp.saml.idpMetaDataPath"	Path to the IDP metadata file that you downloaded to the Alteryx node. NOTE: This value is required and should already be specified to the default location previously listed.

11. Configure SAML call back URLs, if needed. These values do not require modifying in most cases.

    trifacta-conf.json setting	Description
    "webapp.saml.server.logoutCallbackUrl"	URL to which user is redirected after logout. This value must end with /saml/logout/callback.
    "webapp.saml.server.callbackUrl"	URL to which user is redirected after authentication. This value must end with /saml/login/callback?redirect_to=/.

12. Configure paths to security certificates. Modify only if you have stored your keys in non-default locations or filenames: 

    trifacta-conf.json setting	Description	Default path
    "webapp.saml.security.signingCertPath"	This signing certificate must be a public certificate that matches the private key.	/opt/trifacta/conf/.key/saml-signing-public-key.cert
    "webapp.saml.security.privateCertPath"	This private key must match the public signing certificate. Authentication requests can be signed using RSA-SHA1. The private key must be in PEM format. Authentication requests can be signed using RSA-SHA1. To sign them you need to provide a private key in the PEM format.	/opt/trifacta/conf/.key/saml-signing-private-key.key
    "webapp.saml.security.decryptionPvkPath"	This private key is used for decrypting any encrypted assertions received by the platform.	/opt/trifacta/conf/.key/saml-decryption-private-key.key
    "webapp.saml.security.decryptionCertPath"	This public certificate must match the private key for decryption.	/opt/trifacta/conf/.key/saml-decryption-public-key.cert

13. (optional) By default, the Designer Cloud application applies the sha1 algorithm to transactions with the SAML identity provider. If needed, you can apply the following configuration changes to use a different supported algorithm:

    Tip: Although it's not required, these values should match.

    
    

    trifacta-conf.json setting	Description	Default value
    "webapp.saml.security.signatureAlgorithm"	This algorithm is used for signing SAML requests. Supported algorithms: sha1 sha256 sha512	sha1
    "webapp.saml.security.digestAlgorithm"	This algorithm is used for provided a digest of the signed data object retrieved from the identity provider. Supported algorithms: sha1 sha256 sha512	sha1

14. (optional) In some SAML environments, such as Active Directory Federation Services (AD FS), the SAML Identity Provider makes its own choice for what authentication factors to use when authenticating a user. In these environments, you may wish to disable a request for the authentication context with the identity provider. Users may encounter an error similar to the following:

    "Authentication method 'X509, MultiFactor, MultiFactorFederated' by which the user authenticated with the service doesn't match requested authentication method 'Password, ProtectedTransport'"

    trifacta-conf.json setting

    Description

    "webapp.saml.disableRequestedAuthnContext"

    When set to true, the Designer Cloud application does not include a request for a specific authentication context, which is unnecessary because the identity provider has already determined the authentication method. (default) When set to false, the Designer Cloud application requests the authentication context from the identity provider. Tip: In most environments, this setting should be false, which is the default.

15. Save the file.

Managing Principal Case

As needed, you can configure the Designer Cloud Powered by Trifacta platform to force captured principal values to lowercase.  This standardization is applied throughout the platform, which may prevent connectivity or impersonation issues due to case mismatches.

Steps:

1. You can apply this change through the Admin Settings Page (recommended) or trifacta-conf.json. For more information, see Platform Configuration Methods.

2. Locate the following parameters, which govern case conversion in the platform of the SSO and Hadoop principals for SAML SSO:

   "webapp.saml.mapping.ssoPrincipalToLowerCase": false,
   "webapp.saml.mapping.hadoopPrincipalToLowerCase": true,

3. To force conversion to lowercase, set these values to true.
4. Save changes and restart the platform.

Configure Session Expiration Page

By default under SSO, manual logout and session expiration logout redirect to different pages. Manual logout directs you to SAML sign out, and session expiry produces a session expired page.

If desired, you can redirect the user to a different URL on session expiry:

Steps:

1. You can apply this change through the Admin Settings Page (recommended) or trifacta-conf.json. For more information, see Platform Configuration Methods.

2. Specify the URL of the page to which you wish to redirect users after a session has timed out:
   
   

   "webapp.session.redirectUriOnExpiry": "<myPreferredSessionExpiryURL>",

3. Save your changes and restart the platform.

User Management

For more information, see Manage Users under SSO.