Azure AD Single Sign-on: SAML Over an Application Proxy (External Access)

This document describes how to set up authentication with Qlik Sense using Azure AD with SAML over an Application Proxy (External Access). SAML can be set up with a single Azure Enterprise Application if the target URL is resolvable, e.g. you’re on VPN, it’s public-facing, etc. If Qlik Sense is installed on-premises or is not reachable from outside the network, you can leverage an Azure Application Proxy, which is one of Azure’s methods of reverse proxying into a server. Enterprise Applications that use an Application Proxy don’t yet support SAML; however, a standard Enterprise Application that does not use an Application Proxy does. The workaround is to use two separate Enterprise Applications: one acting as an entry point over an Application Proxy using passthrough authentication, and a second Enterprise Application configured for SAML that points to the first Enterprise Application.