topic Re: Multi-Node SAML with SSL - Isolate users to Engine nodes in Management & Governance

Multi-Node SAML with SSL - Isolate users to Engine nodes

balexbyrd — Wed, 25 Oct 2017 04:10:37 GMT

Hello!

Some details first:

We have a multi-node site on Qlik Sense September 2017 consisting of 1 central node and 1 engine node in shared persistence.
We are using auth0 SSO SAML for Authentication using a virtual proxy that's linked to the central node.
The Auth0 callback is pointing to https://<dns>:443/<proxy>/samlauthn/
The Virtual Proxy SAML Host URI and entity ID are both the DNS name.
We have our SSL certificate and DNS configured and pointed towards the central node.
The Central Node host is the DNS name (not the machine name or IP address).

Ideally we would send users to only the Engine node after authentication through the virtual proxy (not load balancing with the central), currently they are only using the Central node and nobody has ever hit the Engine.

When I link the virtual proxy to the Central node, and load balance with only the Engine, I get the auth0 login which is great. I then log in and get 'The service did not respond or could not process the request'. This error does NOT occur when I load balance with the Central node only.

Reading Configuring load balancing to isolate development nodes ‒ Qlik Sense‌ makes me believe we can have the Virtual Proxy linked to the Central node but how in the world do I send users to only the Engine?

I can't figure it out! Do I do this with load balancing rules?

Any help?

Re: Multi-Node SAML with SSL - Isolate users to Engine nodes

balexbyrd — Thu, 26 Oct 2017 01:26:57 GMT

Looks like I'm getting a 500 error (internal server error) at /api/hub/about

I've removed IPV6 from the engine node

I've fully uninstalled the Engine node, removing the certificates and relinking.

I've restarted the services

I've made sure the ports are open between the Central & Engine.

What else is left?!

Found other users in similar situations

Qlik Sense Multi-nodes site guidance

Qlik Sense and Webseal - header authentication

Re: Multi-Node SAML with SSL - Isolate users to Engine nodes

balexbyrd — Tue, 31 Oct 2017 01:01:36 GMT

I've tested this with Ticket > Windows Authentication and get the same result

I've tested this with Google Chrome and Internet Explorer and get the same result

I've test this with all of the services running on the Engine node and get the same result.

This has to be bug

Logged a ticket with support.

Re: Multi-Node SAML with SSL - Isolate users to Engine nodes

Anonymous — Tue, 07 Nov 2017 22:25:37 GMT

Hi Alex,

I am pretty interested on how you set up Qlik with Auth0. I have been trying to do something similar, but I am getting a "SAML attribute not present, userID" error constantly. I guess that I am not mapping the userID value from Auth0 correctly. In the SAML configuration I have tried to do something like the following:

"recipient" : https://..............

"destination" : https://...............

"mappings" : {

"userID" : "http://schemas.auth0.com/nickname"

}

How did you get this Qlik-Auth0 connection to work? I will really appreciate if you can share some hints about the process you followed

Thanks

Re: Multi-Node SAML with SSL - Isolate users to Engine nodes

balexbyrd — Fri, 10 Nov 2017 16:59:21 GMT

Hey Carlos,

We're using auth0 with an email . So in the virtual proxy > SAML attribute for user id we have 'uid'

Here's a snip from our settings

"mappings": {

"email": "uid"

}

Qlik

In Auth0

Does this help?

Re: Multi-Node SAML with SSL - Isolate users to Engine nodes

Anonymous — Fri, 10 Nov 2017 19:30:54 GMT

Hey Alex

Definitely it helped, the mappings I was using were wrong, it was much more simpler!

Thanks