Azure SSO Setup Guide (OIDC)
Use this guide to enable Single Sign-On (SSO) using the OIDC protocol for an individual Alteryx Analytics Cloud (AAC) workspace using Microsoft Entra (Azure AD).
Required Permissions
To enable SSO with Azure, you must satisfy these requirements:
Be a user on a Professional or Enterprise AACAAC plan.
Have a Workspace Admin role assigned to you.
Have administrative access in the target Azure instance.
Azure AD Setup
Follow these steps to create an Enterprise Application in Azure:
Sign in to your AACAAC workspace.
Go to Profile menu > Workspace Admin > Single Sign-On.
Under Protocol, select OIDC.
Note and copy the prepopulated Callback URL. You will use this later.
Sign in to your Azure Portal as an administrator.
Go to the Applications > App Registration page.
Select New Registration.
In the Name field, enter a name for your app. For example, the name of your AACAAC workspace.
In the Redirect URI dropdown, select
Web
and then enter the Callback URL you copied from AACAAC in the adjacent box.Select Register.
Note and copy your Application (Client) ID. You will use this later.
Go to your application’s Authentication page.
Check the box next to Access Tokens and ID Tokens.
Go to your application’s Add a Certificate > Secrets page.
Select New Client Secret.
In the Description field, enter a description of your app. For example, the name of your AACAAC workspace.
Select Add.
Note and copy your client secret’s Value. You will use this later.
Go to your application’s API Permissions page.
Select Add a permission.
Select Microsoft Graph.
Select Delegated permissions.
Check the box next to email, openid, and profile.
Select Add permissions.
Nota
For more information on Azure OIDC, go to Microsoft's documentation.
AACAAC SSO Setup
Return to your AACAAC workspace and then follow these steps:
Configure SSO
Go to Profile menu > Workspace Admin > Single Sign-On.
Under Protocol, select OIDC.
In the Client ID field, enter the Application (Client) ID you copied from your Azure account.
In the Client Secret field, enter your client secret’s Value you copied from your Azure account.
In the Email Mapping OIDC Attribute field, enter this value:
email
In the Discovery Endpoint field, enter this value if you are using a single tenant:
https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration
Else, enter the following value:
https://login.microsoftonline.com/[YOUR TENANT ID]/v2.0/.well-known/openid-configuration
Next to the Discovery Endpoint field, select Import From URL. The rest of the fields will auto-populate.
Select Save.
Test Connection
Select Test Connection. A dialog then opens, prompting you to sign in to verify the integration.
Enter your Azure credentials. The dialog automatically closes if the integration has been verified.
Enable SSO
Select Enable SSO.
Select Confirm. Once enabled, users can only sign in to the workspace using their Azure credentials.