topic Re: QlikSense: SAML / FEDERATED SECURITY / SECURE TOKENS in Management & Governance

QlikSense: SAML / FEDERATED SECURITY / SECURE TOKENS

Tue, 02 Jun 2015 19:18:03 GMT

In White paper for QlikView:

SAML / FEDERATED SECURITY / SECURE TOKENS There are a number of different security systems that can make use of secure tokens to sign users into a range of systems. There are several different standards and sets of terminology around this approach such as SAML (Security Assertion Markup Language) and federated security such Active Directory Federation Services. Although each is different the approach from a QlikView perspective is similar. Here is how it typically works… In this approach, due to the level of integration required, a custom login page can be created to use the security API in QlikView. Although this mechanism is relatively simple to use it does require some knowledge of programming and this configuration is not ‘out of the box’. There are examples on how to implement this approach available on the QlikView Community. 3 The advantage of this approach is again to conform to an organization’s standard way for securing services. It again does require that an organization has in place a security system that offers this kind of functionality but QlikView has an approach for integrating with a range of vendors’ solutions. QlikView Server 8. User received QlikView content CLOUD 1. User requests QlikView content Custom Login Page 2. User redirected to Login System 5. Request QlikView content with token 4. Redirect user to QlikView with token 3. Login Against Login System 6. Validate token Login System CUSTOMER SITE/INTERNET 7. Token is OK and provide username/groups QlikView and the Cloud | 13 With Active Directory Federation Services (ADFS) it is possible for users to seamlessly log in to a non-domain cloud server without being prompted to log in as their internal Windows credentials are used during the process of logging in. This gives an excellent user experience and ADFS is often implemented within organizations alongside their regular Active Directory which means there is no requirement for an additional SSO product or set of users.

Has anyone seen this for QlikSense?

Re: QlikSense: SAML / FEDERATED SECURITY / SECURE TOKENS

Wed, 05 Aug 2015 22:22:17 GMT

If you are looking for how you can set up Qlik Sense SAML with ADFS, here are some videos I created that go through the process of configuring and implementing Sense SAML with ADFS.

ADFS_SAML

If you are interested in implementing security with Qlik Sense in a similar way to the way it is possible in QlikView, check out this video on the proxy API. You can use ticketing if you want.

QPS.mp4 - Google Drive

Hope this helps.

Jeff G

Re: QlikSense: SAML / FEDERATED SECURITY / SECURE TOKENS

chriscammers — Thu, 10 Sep 2015 13:36:28 GMT

Jeff,

Thank you so much for the videos on SAML with adfs.

I built a prototype based on the videos and it is working well. I'm curious if you could describe any trouble spots when doing this on an existing adfs deployment. I'm sure there is a wide variety of deployment scenarios with this but just describe some common issues.

It occurs to me that your videos use the certificates from the Qlik Sense server. In the case of an existing ADFS deployment do I have to use certificates from the ADFS server on Qlik?

Thanks for whatever insight you can provide

Thanks Chris

Re: QlikSense: SAML / FEDERATED SECURITY / SECURE TOKENS

Thu, 10 Sep 2015 15:41:10 GMT

Chris,

I'm a big proponent of using certs from trusted authorities. If you have a cert on ADFS, you may have to issue another for the Qlik server, but then the virtual proxy for SAML is using the updated server cert.

So short answer is you can use either, but if you want to use the certs you have for ADFS that are trusted (not self-signed) you can likely make a go of it.

Re: QlikSense: SAML / FEDERATED SECURITY / SECURE TOKENS

chriscammers — Thu, 24 Sep 2015 19:23:18 GMT

Jeff,

I am now at a client impelmenting ADFS with SAML on Qlik Sense and everything is looking good but I am getting 400 errors from sense.

As I said in my earlier post the ADFS environment is fairly mature all I can tell right now is that the virtual proxy does not like the saml request from the adfs server. I'm curious which of the final power shell tasks were specifically needed to make Sense work as opposed to the ones you were doing to avoid errors with the self signed certs?

One more thing in the Qlik Proxy security audit log I am seeing the following error

Command=Authenticate request;Result=-2147467259;ResultText=Error: The I/O operation has been aborted because of either a thread exit or an application request

Thanks

Re: QlikSense: SAML / FEDERATED SECURITY / SECURE TOKENS

Thu, 05 Nov 2015 14:31:40 GMT

just came across this post as i am looking to do ADFS and this has been great information. I was just wondering, what options would be needed to remove the need for the users to enter their username and password? So its streamless once they access the url for the hub

Re: QlikSense: SAML / FEDERATED SECURITY / SECURE TOKENS

Thu, 05 Nov 2015 15:27:58 GMT

Jessey,

Are you talking about replacing windows authentication popup when entering Qlik Sense? If not, how do you envision users authenticating (identity verification) before forwarding on to Qlik Sense.

There are lots of ways to make the auth process seamless, but at some point a user credential needs to be passed to Qlik Sense to identify the user who will access the solution. That can happen in code, but requires the credential to come from somewhere.

Re: QlikSense: SAML / FEDERATED SECURITY / SECURE TOKENS

javier_quintela — Fri, 26 Feb 2016 10:00:17 GMT

Jeff,

I am now at a client implementing ADFS with SAML on Qlik Sense and everything is looking good but I am getting 400 errors from sense. My ADFS environment is fairly mature all I can tell right now is that the virtual proxy does not like the saml request from the adfs server. I use the certificates of the ADFS enviroment to sign and decrypt, not the certificate of my QlikSense site.

Here is my virtual proxy configuration:

Can you help me?

Thanks.

Re: QlikSense: SAML / FEDERATED SECURITY / SECURE TOKENS

javier_quintela — Mon, 29 Feb 2016 09:24:26 GMT

Jeff,

Here is my virtual proxy configuration:

Can you help me?

Thanks.

Re: QlikSense: SAML / FEDERATED SECURITY / SECURE TOKENS

Thu, 03 Mar 2016 12:40:12 GMT

If you are running into 400 errors it's likely 1 of 3 things.

1. The roledescriptor elements have not been removed from the federation metadata file before uploading to Qlik Sense.

2. Because you are using lower than Qlik Sense 2.0.7 or 2.2 and endpoint is set to use SHA256 signing encryption it's failing.

3. You are attempting Identity Provider initiated flow instead of service provider initiated flow. Qlik sense supports SP initiated flow only.

Re: QlikSense: SAML / FEDERATED SECURITY / SECURE TOKENS

javier_quintela — Fri, 04 Mar 2016 07:19:20 GMT

Thank you very much Jeff, it was a version problem as well you said. I upgraded to version 2.2.3.0 and 400 errors no longer appear!!

Now, the problem is that when accessing the URL through Virtual Proxy of ADFS and enter credentials, I am redirected to the hub URL but it tells me:

"You can not access Qlik Sense because you has not access permission"

Proxy Logs say this: Access to app '__hub' denied, result code 'NoAvailableAccessType'

However, if I access to the url of the hub without going through Virtual Proxy of ADFS I access correctly.

Any ideas?

Thanks

Re: QlikSense: SAML / FEDERATED SECURITY / SECURE TOKENS

Fri, 04 Mar 2016 12:00:46 GMT

‌hi,

now your issue is you haven't provisioned a token for the user logging in to have access.

check out the license and tokens video in this series here:

https://m.youtube.com/playlist?list=PLW1uf5CQ_gSpUIEWu0-0TzzEaNVQo346i

Cheers,

jeff g

Re: QlikSense: SAML / FEDERATED SECURITY / SECURE TOKENS

javier_quintela — Mon, 07 Mar 2016 14:58:06 GMT

Hi,

The problem appears with the userID field. All users in my user directory have as user id the name without the domain suffix. When I access through the virtual ADFS proxy with the userID@domainsuffix will not recognize it and tell me that I haven´t access. In fact, automatically it generates a new user with the username @ domain suffix and adds it to the user list of Qlik. If I allocate the access to this new user, authentication works through the virtual proxy of ADFS, but consuming two licenses for the same user.

In short, is it possible that my users have the user id @ domain suffix format to avoid this problem? What am I doing wrong?

Thanks

Re: QlikSense: SAML / FEDERATED SECURITY / SECURE TOKENS

javier_quintela — Wed, 23 Mar 2016 11:36:03 GMT

Hi,

I know what the problem was: My SAML attribute for User ID was not upn, windows account name was!!!

Regards