topic /samlauthn 403 untrusted http origin header scheme is not allowed error in Management & Governance

/samlauthn 403 untrusted http origin header scheme is not allowed error

Daniel11 — Tue, 18 Apr 2023 12:33:26 GMT

Hello!

In february 2023 qlik sense enterprise version, saml don`t work. After authorization on idp, browser redirect to host/virtualproxy/samlauthn and 403 untrusted http origin header scheme is not allowed error in network console. In november 2022 same settings to vp and idp work well.

Has anyone encountered such a problem?

Re: /samlauthn 403 untrusted http origin header scheme is not allowed error

Daniel11 — Wed, 19 Apr 2023 09:40:49 GMT

If you copy the Proxy folder from the November 2022 version and replace the February 2023 one with it, then everything works.

Re: /samlauthn 403 untrusted http origin header scheme is not allowed error

nvankorlaar — Mon, 19 Jun 2023 13:06:49 GMT

Hi, i am encountering the same issue here. Client is using ForgeRock OpenAM with SAML2.0. The May 2022 version had no issues at all, after upgrading to May 2023 it stopped working with this error. So far we checked everything, and im seeing the following changes that can possible have effect on this.

QB-14622	Qlik Sense: Header injection redirects into non-existing subdomain	The "Host allow list" in Virtual Proxy settings trusted all subdomains of the given entry. This has been fixed by adding an option for strict validation that only allows the given entry. The new proxy configuration setting "StrictValidateWhitelist" allows switching between the behaviors. The default is set to false (all subdomains trusted). If you need strict validation, enable the setting and restart the proxy.
QB-14363	Qlik Sense: Unencrypted origin trusted by default	Fixed a problem that allowed unencrypted HTTP origin header in Qlik Sense for HTTPS protocol requests.

I don't think it is pefrerable to replace the proxy folder with an older version and get possible compatibility issues due to that.

Re: /samlauthn 403 untrusted http origin header scheme is not allowed error

Daniel11 — Tue, 20 Jun 2023 07:19:56 GMT

Hi.
Thanks for the info.
QB-14363 - most likely caused the error
QB-14622 - does not help to solve the problem. I tried it on the February version earlier and just tried it on the May version with patch 1.

Replacing the folder is only a debug of the problem, but not a solution to it, of course.

Re: /samlauthn 403 untrusted http origin header scheme is not allowed error

Albert_Candelario — Wed, 21 Jun 2023 07:30:38 GMT

Hello all,

Thanks for posting.

This seems related to a known defect - QB-19046 that will be fixed in the incoming August 2023 release.

The issue arises, if is indeed the same issue, when the Origin is "null".

I hope this helps.

Cheers,

Albert

Re: /samlauthn 403 untrusted http origin header scheme is not allowed error

atiwari — Tue, 27 Feb 2024 12:52:02 GMT

I have the same issue on august 2023 Patch 11. I still see the errror message.

403

Forbidden

Untrusted http origin header scheme is not allowed.

I'm able to login using NTLM, But sso is still not working

Any Suggestion.

Re: /samlauthn 403 untrusted http origin header scheme is not allowed error

atiwari — Mon, 24 Jun 2024 09:16:36 GMT

@Albert_Candelario I upgraded Qlik Sense to Feb 2024 Version and Still encounter the 403 Forbidden Untrusted http origin header scheme is not allowed.

Is it still a bug in Feb 2024 Version. Applied Feb 2024 patch 6 , still the same issue.

Re: /samlauthn 403 untrusted http origin header scheme is not allowed error

atiwari — Thu, 27 Jun 2024 11:09:39 GMT

Okay, so After Troubleshooting I found the Issue is with HTTP communication. I found in feb 2024 SSO is not working if your IDP is having HTTP. The same is working in August 2022 Version.

@Albert_Candelario @Daniel11 Is there any official announcement from Qlik to close the http communication in newer version?

Any workaround how we can use the http in feb 2024 version.

Note: I have http enabled in proxy.