Unlock a world of possibilities! Login now and discover the exclusive benefits awaiting you.
Feb 1, 2017 12:49:10 PM
Feb 1, 2017 12:49:10 PM
I have configured the SAML as suggested in the documentation. And when i tried to access the Qlik Sense URL with SAML as suggested in the documentation
the URL is getting redirected to the windows authentication like this https://server:port/windows_authentication/?targetId=11234
and prompting for windows authentication. And it works fine.
(a) How to validate it is authenticated through SAML. Is there any logs associated with it ? Is it expected to prompt for windows authentication and validated through SAML.
Is there any specific setting has to be changed or additional coding required apart from the QMC settings
Brind,
No, you shouldn't be redirected to a windows auth through the browser. How are you configuring SAML? Put another way, what identity management solution are you using as an identity provider?
Can you send a screen shot of your virtual proxy configuration?
jg
It is ping federate
Virtual proxy configuration as follows
Identification
Description: SSO integration
Prefix : SSO
Session inactivity Timeout(Minutes) :30
Session Cookie header name : X-SSO-Session
Authentication
Anonymous access mode: Allow anonymous user
Authentication method: SAML
SAML host URI : https://a1234d.abc.com.
(--------------https://a1234d.abc.com/qmc/ and https://a1234d.abc.com/hub---------------)
SAML entitity Id : ssoqliksense
SAML Medtadata Idp : uploaded the metadata
SAML attribute for userid : {id }
SAML attribute for user active-directory:{id}
And linked to default proxy. Let me know if you need any additional information
Ok, have you configured a virtual proxy in Qlik Sense to talk to PingFederate with PFs idp metadata and then performed similar configuration on PF with Qlik Sense SP metadata?
For example, here is a screenshot of my SAML config for Salesforce on my Qlik Sense server.
See the SAML Metadata IdP? Have you uploaded the PF metadata there?
For config examples, here is a set of videos for Salesforce and ADFS
I wonder if Allow anonymous user is tripping it up. What happens if you set to no anonymous users? In addition, have you set up PF with the SP metadata from Qlik Sense?
And to clarify, the userid attribute should be the attribute name or the schema reference url, and the user directory if static uses square brackets and not curly braces.
jg
Thanks Jg
Do i need do the same for the SAML attribute mapping. Brackets for both SAML and QlikSense attributes
SAML Attribute mapping
SAML attribute QlikSense Attribute
[id] [id]
If they are static (meaning that you aren't using an OID or schema definition) you need the brackets. The SAML attribute and the Qlik Sense attribute do not need to have the same name.
jg
Thanks jg
When i try the url servername/hub/saml .it redirects to windows authentication. If i try with servername/prefix i am getting the error as No available qliksense engine was found refresh your browser or contact your administrator.
Is there any port has to changed or any log files. how to look for request and response flow. I tried with fiddler didnt get anything.
ok, so with all virtual proxies (ticketing, header, session, or SAML) the prefix is mandatory or you are going to go the central proxy virtual proxy which is going to pop up windows authentication. So you do need to do this:
https://servername/virtualProxyprefix/hub
As for ports, no ports should have to change.
Logs are located in c:\programdata\qlik\sense\logs\proxy\trace and the audit proxy log.
servername/hub/saml is not valid.
Try the servername/virtualproxy/hub and see if you get redirected to PF. Check the logs and if you want attach them here and I can take a look.
jg
Is there any way i can send the log only to you?
Hi,
I am trying to SAML-authenticate Qlik Sense with Google as my identity provider and have followed the instructional video and your instructions from this thread. The error I am getting is "The user cannot be authenticated by the SAML response through the following proxy: QlikSense"
QlikSense is my virtual proxy. Here's the configuration
Identification
Description: SSSO authentication with Google
Prefix : sso
Session inactivity Timeout(Minutes) :30
Session Cookie header name : X-Qlik-Session-SSO
Authentication
Anonymous access mode: No anonymous user
Authentication method: SAML
SAML host URI : https://testdashboard.irri.org
SAML entitity Id : sso
SAML Medtadata Idp : uploaded the metadata in QMC
SAML attribute for userid : email
SAML attribute for user active-directory: [GOOGLE]
have linked to default proxy Central.
The link https://testdashboard.irri.org/sso produce the error i mentioned above. The Google part seemed to be working as it passes through Google authentication:
Google login window:
2 factor authentication
then the error in Qlik
Any idea where to look at to fix this?
Thanks!
Eric
I figured it out and it's working like a charm!
Anyone who wants to implement the same in their organization, send me an email.
Cheers
eric
Hi All,
I have integrated SAML with 1 proxy node for PF IDP which works fine. Now I have added one more proxy node and I have linked the same node in SAML virtual proxy. When I try to access https://localhost/saml/hub I get below error.
Do I need to anything on top of this?
Thanks for your help in advance.
Please help!!
Immediately after seeing this error, look at the log file ????_audit_proxy.txt (found under
c:\programdata\qlik\sense\logs\proxy\trace\) and check the last few entries.
The log file will tell you why the authentication is failing. It could be your ID provider rejecting the request. Find out if something was changed in your ID provider side. If you have changed/updated your security certificate recently, you may have to send your metadata again to the ID provider and get it imported there.
This document was generated from the following discussion: QlikSense SAML
what if this error happens intermittently for some users?