Qlik Sense SAML Issue

We are trying to integrate Qlik Sense with Oracle Access Manager (OAM) for SAML SSO. Qlik Sense is the SP and OAM is the IDP.

We have followed the documentation for SAML configuration. While testing Qlik Sense, we are getting the error below.

Error 400 - Bad request

Contact your Qlik Sense administrator. The user cannot be authenticated by the SAML response through the following virtual proxy: SAML

There are no errors logged in the OAM (IDP) logs. Here is the SAML response generated.

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"
  xmlns:enc="http://www.w3.org/2001/04/xmlenc#"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  Destination="https://qlik.company.com:443/saml/samlauthn/"
  ID="id-nx5QbHnpTnhU9kIZb6XFk-N6LMm-h1Q4-fqxK-FZ"
  InResponseTo="_a81cdcd1-6a08-4edb-afc7-70e4f7425459"
  IssueInstant="2016-06-22T20:00:29Z"
  Version="2.0"
  >
  <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://sso.company.com/oamfed</saml:Issuer>
  <dsig:Signature>
    <dsig:SignedInfo>
      <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <dsig:Reference URI="#id-nx5QbHnpTnhU9kIZb6XFk-N6LMm-h1Q4-fqxK-FZ">
        <dsig:Transforms>
          <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        </dsig:Transforms>
        <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <dsig:DigestValue>lqWyIV+BRIp8ym3bLZCp8TU5P6s=</dsig:DigestValue>
      </dsig:Reference>
    </dsig:SignedInfo>
    <dsig:SignatureValue>YE+1WRtkmfQZbHS1LCA954RKtsMTJQEYuXlPCcqKw1kuh/TVDSyYFBgfRUj2OeNqutXuib5/Iolole4oi4wjtSaeCLoI32Fh45nlC1wzR9MKNeJnFsxsLMbApWUawk76WCRDaHKaXo3P/vCif6rhbvTJtUHNrSOvADJkIQ/lMO91pd5hTyWyua13tUrCvR2DgzzGAB/uxVp1yLDzEokWw9mZDei0n5/5MK/tlbNERtzgRvle1U4EX6552BVyJtdccbvWL4bL/dUi2YNpL0jBHarauJQwoLxtWtJ2v1PolInLkVaQzMJHBvZgOD5Fp4ja2GHiMGZdNsPLf4ui0WwHGg==</dsig:SignatureValue>
  </dsig:Signature>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied" />
    </samlp:StatusCode>
    <samlp:StatusMessage>User is not authorized to perform Federation SSO</samlp:StatusMessage>
  </samlp:Status>
</samlp:Response>

I have also found that the SAML authentication request did not have the AssertionConsumerServiceURL, NameIDPolicy and ProviderName parameters. The SAML response contains the status code RequestDenied, which means the IDP denied the request because of insufficient data in the SP request.

Please suggest whether this is a configuration issue in Qlik Sense or a bug.

Thanks
Mahendra.

1 Solution

Accepted Solutions
Not applicable
Author

Hi All,

The issue has been resolved. First, the IDP has an authorization problem, and once it is fixed it is able to send a successful SAML token. The second issue is that the userid sent from the IDP in the NameID value is not matching the Qlik Sense user attribute provided in the virtual proxy.

In the IDP, I have specified uid as the Name ID value and am sending a couple of attributes such as email, etc. In Qlik Sense, specify the user attribute name such that the Name ID value matches that attribute value.

Please get back to me if you need any more details.

Thanks
Mahendra.
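
A quick way to read a captured response like the one in this thread, added here as an example (it is not from the original posts or from Qlik): it lists the nested status codes and message, whether the signature sits on the Response or on the Assertion, and which attribute carries the same value as the NameID. The function names and both sample documents are constructed for illustration, and the script only parses; it does not validate signatures.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "dsig": "http://www.w3.org/2000/09/xmldsig#"}

def triage(xml_text):
    """Summarise a captured, base64-decoded SAML Response. Does NOT verify signatures."""
    root = ET.fromstring(xml_text)
    codes, node = [], root.find("samlp:Status/samlp:StatusCode", NS)
    while node is not None:  # status codes nest: top-level code first, then sub-codes
        codes.append(node.get("Value", "").rsplit(":", 1)[-1])
        node = node.find("samlp:StatusCode", NS)
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in root.findall("saml:Assertion/saml:AttributeStatement/saml:Attribute", NS)}
    return {
        "status": codes,
        "message": root.findtext("samlp:Status/samlp:StatusMessage", None, NS),
        "has_assertion": root.find("saml:Assertion", NS) is not None,
        "response_signed": root.find("dsig:Signature", NS) is not None,
        "assertion_signed": root.find("saml:Assertion/dsig:Signature", NS) is not None,
        "sig_algs": sorted({m.get("Algorithm", "") for m in root.iter("{%s}SignatureMethod" % NS["dsig"])}),
        "name_id": name_id.text if name_id is not None else None,
        "attributes": attrs,
    }

def attrs_matching_name_id(report):
    """Attribute names whose value equals the NameID (candidates for the SP's user-ID attribute)."""
    nid = report["name_id"]
    return [n for n, vals in report["attributes"].items() if nid is not None and nid in vals]

# Constructed samples: DENIED mirrors the status block posted above, OK is a made-up success.
HDR = ('<samlp:Response xmlns:samlp="%(samlp)s" xmlns:saml="%(saml)s" '
       'xmlns:dsig="%(dsig)s" Version="2.0">' % NS)
ST = '<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:%s"'
DENIED = HDR + ('<dsig:Signature><dsig:SignedInfo><dsig:SignatureMethod Algorithm='
    '"http://www.w3.org/2000/09/xmldsig#rsa-sha1"/></dsig:SignedInfo></dsig:Signature>'
    '<samlp:Status>' + ST % "Requester" + '>' + ST % "RequestDenied" + '/></samlp:StatusCode>'
    '<samlp:StatusMessage>User is not authorized to perform Federation SSO'
    '</samlp:StatusMessage></samlp:Status></samlp:Response>')
OK = HDR + ('<samlp:Status>' + ST % "Success" + '/></samlp:Status><saml:Assertion>'
    '<saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject><saml:AttributeStatement>'
    '<saml:Attribute Name="uid"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>'
    '<saml:Attribute Name="mail"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue>'
    '</saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>')

if __name__ == "__main__":
    for label, doc in (("DENIED", DENIED), ("OK", OK)):
        print(label, triage(doc), attrs_matching_name_id(triage(doc)))
```

A non-Success status with no assertion points at the IDP side; a Success response where no attribute matches the NameID, or where only the Response is signed, points at the SP-side settings.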

5 Replies
miskin_m
Partner - Creator

Hi Mahendra,

How will I identify the IDP authorization problem and SAML token? Also, what if I don't have any attribute mapping in Qlik Sense?

Thanks and Regards

Miskin M

Anonymous
Not applicable
Author

Could you please provide your SAML response XML and Qlik Sense SAML configuration?

I encountered a Qlik Sense error in the proxy audit, error: SAML assertion was not signed

Ken_T
Specialist

Please share the details.
Were you able to get multiple values for memberof using OAM and SAML?

heosupplink
Contributor II

Setting up attribute mappings is not necessary