This document describes how to setup authentication with Qlik Sense using Azure AD with SAML over an Application Proxy (External Access). SAML can be setup with a single Azure Enterprise Application if the target URL is resolvable, i.e. you’re on VPN, it’s public-facing, etc. If Qlik Sense is installed on-premise or is not reachable outside of the network, you can leverage an Azure Application Proxy, which is one of Azure’s methods of reverse proxying into a server. Enterprise Applications that are using Application Proxies don’t yet support SAML, however a standard Enterprise Application that is not using an Application Proxy does. The workaround is to use two separate Enterprise Applications: one acting as an entry point over an Application Proxy using passthrough authentication, with a secondary Enterprise Application configured for SAML which points to the first Enterprise Application.